
E-business: Trust Inhibitors
By Ramanan R. Ramanathan, Ph.D., CISSP

Information Systems Control Journal, Journal Online. Copyright 2008 ISACA. All rights reserved. www.isaca.org.

Information assurance experts, standards bodies and economists have long been striving to highlight the impact and risks associated with the lack of secure information systems and practices in the industry. Currently, the state of assurance offered by enterprise computing infrastructure, and the challenges in improving it, affect not just commercial business but also national security and individuals' identities, as more classes of systems become web-enabled. When citizens' private information is lost, the inherent delay in detecting the breach and remediating it compounds the problem. A classic example is the infamous Hotels.com web site breach, which was discovered in 2006 but had taken place during 2002-2004.[1] This is just one of countless reported incidents.

Undoubtedly, such incidents result in a trust gap in the e-business community toward information systems. Reports also confirm that online banking is not keeping pace with the growth of Internet use.[2] The term "trust inhibitors" is used in this article to identify some of the most predominant threats prevalent today and to analyze possible countermeasures.

Major Threats and Targets

Cyber Security Industry Alliance (CSIA), an advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems,[3] created the Digital Confidence Index (DCI) as a means of tracking public confidence in key elements of various networks. The relative movement of the DCI over recent years indicates that the market is very sensitive to security breaches and, as a consequence, consumers' degree of trust toward information systems fades. A recent report from an independent survey group, InfoSentry Services Inc., has corroborated this observation.[4] Figure 1 lists recent industry surveys. These surveys cover global audiences, cross-sections of industries and various revenue groups and, thus, reflect the global trend. The objective here is not to offer a comprehensive listing, but to provide the reader the information necessary to understand the degree of impact and scale.

Figure 1: Recent Industry Surveys
• 2006 Australian Computer Crime and Security Survey
• Enterprise Security Survey, APANI, 2006
• 2006 Global Security Survey, Deloitte Touche Tohmatsu
• Consumer Perspectives of Online Banking Security: Entrust Internet Security Survey, October 2005, Entrust Inc.
• E-Crime Watch Survey, CSO magazine, 2006
• Phishing Activity Trends Report, Anti-Phishing Working Group, 2006, www.antiphishing.org
• US Survey: Confidential Data at Risk, Ponemon Institute LLC, 2006
• Utility IT Executives Expect Breach of Critical SCADA Systems, Pipeline & Gas Journal, 2006, www.pipelineandgasjournal.com

The surveys also reveal that outside threats come primarily from viruses, spam, phishing and other malicious agents, and result largely in identity theft and customer data loss. Similarly, insiders drive intellectual property theft and exposure of a company's sensitive information. Almost all of these surveys conclude that there is steady growth in threats across the globe that directly weakens economies, national security and privacy. Thus, the promises of advancement that e-commerce holds for global business growth are challenged not by the hacker community alone, but also by flaws in the underlying technology and in current e-business practices.

Information Flow Controls

Deeper analysis of the nature of the threats revealed in those industry surveys shows that the e-business communities can gain better control of the threats and improve customer confidence if the problem is analyzed in the following way and addressed appropriately:

• What mechanisms do the e-business portals have in place to bring customers to their portal without becoming the victim of threats such as phishing?
• What controls does the business have in place to ensure that the user can complete an initiated e-transaction successfully, without the session being hijacked or spoofed in the middle of an ongoing transaction?

If the above two potential issues are addressed, subsequently:

• What infrastructure controls does the organization have in place to guarantee customers their privacy?
• Does the organization have practices in place that assure users that their personal data are removed, at their request, from the organization's control?

Outsider Attacks

The sophistication of attacks that originate outside the corporate boundary has been increasing over the years, as has the sophistication of security controls. Julia Allen[5] has elegantly represented the trend, which is reproduced here in figure 2. In the early 1990s, attacks such as traffic sniffing and session hijacking were the predominant threats. In recent years, however, the threat sources, their nature and their sophistication have changed considerably. Today, Trojans, worms and blended viruses are the major threats; these, along with new modes of spreading (e.g., instant messaging [IM], mobile devices) and social engineering exploitation, have introduced considerable vulnerability into the e-business user environment. Phishing combined with pharming has taken advantage of the situation. The combination of vulnerabilities exploited in phishing-based attacks makes them very successful and, hence, deserves a deeper analysis.

Phishing is a semantic attack, wherein a successful attack depends on a discrepancy between the way a user perceives a communication, such as an e-mail message or a web page access, and the communication's actual effect.[6] Mass e-mailing (spam) is one of the ways this attack spreads. Figure 3 schematically shows a typical business user-to-portal communication path in a phishing attack. A user (Alice) who receives a fraudulent e-mail initiates a request and arrives at an unintended portal, as the fake site has a near-identical look and feel to the legitimate site. Complexity in the Internet model and sophisticated social engineering tactics deceive even the more security-wary customers. This form of threat has two independent entry channels: social engineering and technology vulnerability. Attackers keep up their success level by constantly shifting their attack channel. For example, a legitimate user can be redirected to a hacker's site by vulnerabilities such as Domain Name System (DNS) cache poisoning and URL obfuscation. On the other hand, even if a user succeeds in connecting to the intended site over an end-to-end secured channel such as Secure Sockets Layer (SSL), a Trojan or virus on an infected client computer can obtain the authentication credentials, either actively (online) or passively (offline), and make them available to the hacker for impersonation. Usually, phishing sites are shut down once they are detected; however, as of 2005, the attack lifetime (time from an attack's appearance to its shutdown) has been estimated at 5.3 days, or 127 hours.[7]

The major hurdles to achieving a near-zero lifetime are the lack of cross-border cyberlaws and the use of hacked servers as origins of phishing. According to an Internet survey report covering the span 1995-2005, Internet usage has been growing at a rate of more than 180 percent globally.[8] Less-advanced countries increasingly are becoming users of the information highway. With increased reliance on e-financial transactions across the globe and growing participation from countries that lack appropriate cyberlaws, one can anticipate severe impacts in the coming years. Reports reveal that there is a 5 percent success rate for the new phishing attack tactics, despite various countermeasures.[9]

Recommendations from the US Federal Trade Commission (FTC) about the use of SSL have not proven effective in thwarting these attacks. In an unpatched Internet Explorer (IE) browser, a URL similar to https://www.paypal.com%01[string of ~60 %01 elided]@207.172.183.20/f/ can still take a user to a phishing site.
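The userinfo trick just described is easy to catch mechanically once a link is parsed by the URL grammar rather than by eye: everything before the last "@" in the authority component is credentials, and the host is whatever follows it. The Python script below is an added detection example, not code from the article; the URLs it checks are constructed (192.0.2.10 is a documentation address), and the finding rules and the `expected_domain` parameter are assumptions.

```python
"""Added detection example (not from the article): flag links whose authority
component hides the real host behind userinfo, as in the IE trick the article
quotes.  All sample URLs are constructed; 192.0.2.10 is a documentation address."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Percent-encoded C0 control characters (%00-%1F) and DEL (%7F) have no place
# in a hostname; the quoted trick pads the decoy name with a run of %01.
_ENCODED_CONTROL = re.compile(r"%(?:[01][0-9a-f]|7f)", re.IGNORECASE)


def analyze_link(url: str, expected_domain: Optional[str] = None) -> dict:
    """Return the host a browser would actually connect to, plus any findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # .hostname already drops userinfo and port
    findings = []

    # RFC 3986 authority = [userinfo "@"] host [":" port]: everything before the
    # last '@' is credentials, not the destination, however host-like it looks.
    userinfo, at, _ = parts.netloc.rpartition("@")
    if at:
        findings.append(f"userinfo precedes '@'; the real host is {host!r}")
        if "." in userinfo:
            findings.append(f"userinfo {userinfo[:32]!r} is shaped like a domain name (decoy)")

    if _ENCODED_CONTROL.search(parts.netloc):
        findings.append("percent-encoded control character inside the authority")

    try:
        ipaddress.ip_address(host)
        findings.append("destination is a bare IP address, not a registered name")
    except ValueError:
        pass

    if expected_domain:
        expected = expected_domain.lower()
        if host != expected and not host.endswith("." + expected):
            findings.append(f"host {host!r} is not under the expected domain {expected!r}")

    return {"host": host, "suspicious": bool(findings), "findings": findings}


# Constructed samples: a decoy mimicking the article's %01-padded form, a plain
# IP-literal link, and a legitimate link for comparison.
SAMPLES = {
    "decoy": "https://login.example-bank.com" + "%01" * 8 + "@192.0.2.10/f/",
    "ip_literal": "http://192.0.2.10/login",
    "legitimate": "https://login.example-bank.com/account",
}


def triage(samples: dict = SAMPLES, expected_domain: str = "example-bank.com") -> dict:
    """Run every sample through the analyzer; returns {label: result}."""
    return {label: analyze_link(url, expected_domain) for label, url in samples.items()}


if __name__ == "__main__":
    for label, result in triage().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label:11} -> {result['host']:25} {flag}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

A check like this belongs in a mail gateway or link-rewriting proxy, where the decoded host can be compared with the brand a message claims to come from; a percent-encoded control character or a bare IP literal in the authority is a strong signal on its own, and the "@" rule catches the decoy regardless of how the padding is encoded.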

Stronger conventional authentication mechanisms, such as one-time passwords and two-factor authentication implemented by secure e-sites, are not spared either. Customers of Citibank were recent victims even with two-factor authentication in place.[10]

Figure 2: External Attack Trend

This threat will continue to be a major trust inhibitor in the e-commerce space unless the market moves toward more end-to-end secure and robust e-business practices. Research efforts have shown that measures such as digitally signing e-mails, enforcing browser toolbar usage at the desktop level and securing the path for capturing user credentials as part of the authentication process itself could improve resistance against such attacks.[11] The security state at which an e-user transaction is carried out should depend on both the client environment and the nature or value of the transaction itself. Methods such as out-of-band verification (confirmation via SMS, automated phone message, etc.) and intermittent but limited reauthentication can prevent fraudulent transactions and enable faster detection of breaches.
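One way to make the assurance level depend on both the client environment and the transaction, as the paragraph recommends, is a small decision function that scores the client and maps the transaction's nature and value to a base level, escalating to reauthentication or out-of-band confirmation as the risk rises. The Python below is an added example, not the article's or any vendor's logic; the point values, thresholds and field names in `POLICY`, `ClientEnv` and `Transaction` are assumptions chosen for illustration.

```python
"""Added example (not from the article): a risk-based assurance decision that
depends on both the client environment and the transaction's nature/value, with
intermittent reauthentication and out-of-band confirmation as outcomes.
Thresholds, field names and point values are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    SESSION = 0       # the existing authenticated session is enough
    REAUTH = 1        # ask for the password/OTP again before proceeding
    OUT_OF_BAND = 2   # confirm via SMS or automated call before executing
    BLOCK = 3         # refuse and route to manual review


@dataclass(frozen=True)
class ClientEnv:
    known_device: bool        # device previously enrolled for this customer
    endpoint_healthy: bool    # e.g. patch/AV posture reported by the endpoint
    ip_country: str
    home_country: str
    session_age_min: int      # minutes since the session was authenticated
    credential_age_days: int  # days since the password was last set


@dataclass(frozen=True)
class Transaction:
    kind: str            # "view", "payment", "add_payee", "change_contact"
    amount: float = 0.0
    new_payee: bool = False


# Assumed policy knobs; a real deployment would tune these from fraud data.
POLICY = {
    "low_value": 100.0,
    "high_value": 5000.0,
    "sensitive_kinds": {"add_payee", "change_contact"},
    "max_session_min": 30,       # intermittent reauthentication interval
    "max_credential_days": 90,   # credential expiration
    "block_risk": 6,
}


def client_risk(env: ClientEnv, policy: dict = POLICY) -> int:
    """Additive risk points from the client environment alone."""
    points = 0
    points += 2 if not env.known_device else 0
    points += 2 if not env.endpoint_healthy else 0
    points += 2 if env.ip_country != env.home_country else 0
    points += 1 if env.session_age_min >= policy["max_session_min"] else 0
    points += 1 if env.credential_age_days >= policy["max_credential_days"] else 0
    return points


def required_assurance(env: ClientEnv, txn: Transaction, policy: dict = POLICY) -> Assurance:
    """Combine transaction value/nature (base level) with client risk (escalation)."""
    risk = client_risk(env, policy)

    # The base level comes from what the transaction is, not from who is asking.
    if txn.kind == "view":
        base = Assurance.SESSION
    elif txn.kind in policy["sensitive_kinds"] or txn.new_payee or txn.amount >= policy["high_value"]:
        base = Assurance.OUT_OF_BAND
    elif txn.amount >= policy["low_value"]:
        base = Assurance.REAUTH
    else:
        base = Assurance.SESSION

    # A hostile-looking client cannot be cured by another OTP prompt.
    if risk >= policy["block_risk"] and txn.kind != "view":
        return Assurance.BLOCK

    # Escalate one step at moderate risk, two steps at high risk (capped).
    bump = 2 if risk >= 4 else 1 if risk >= 2 else 0
    level = min(int(base) + bump, int(Assurance.OUT_OF_BAND))

    # Stale sessions or expired credentials always cost at least a reauthentication,
    # even for read-only activity.
    stale = (env.session_age_min >= policy["max_session_min"]
             or env.credential_age_days >= policy["max_credential_days"])
    if stale:
        level = max(level, int(Assurance.REAUTH))
    return Assurance(level)


# Constructed client environments covering each branch.
TRUSTED = ClientEnv(True, True, "US", "US", session_age_min=5, credential_age_days=10)
UNKNOWN_ABROAD = ClientEnv(False, True, "XX", "US", session_age_min=5, credential_age_days=10)
HOSTILE = ClientEnv(False, False, "XX", "US", session_age_min=5, credential_age_days=10)
STALE = ClientEnv(True, True, "US", "US", session_age_min=45, credential_age_days=10)


def scenarios() -> dict:
    """Constructed cases; returns {name: Assurance}."""
    return {
        "trusted_view": required_assurance(TRUSTED, Transaction("view")),
        "trusted_small_payment": required_assurance(TRUSTED, Transaction("payment", 50)),
        "trusted_mid_payment": required_assurance(TRUSTED, Transaction("payment", 500)),
        "trusted_new_payee": required_assurance(TRUSTED, Transaction("payment", 500, new_payee=True)),
        "unknown_abroad_small_payment": required_assurance(UNKNOWN_ABROAD, Transaction("payment", 50)),
        "hostile_mid_payment": required_assurance(HOSTILE, Transaction("payment", 500)),
        "stale_session_view": required_assurance(STALE, Transaction("view")),
    }


if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name:30} -> {level.name}")
```

The ordering matters: a hostile client is blocked before the value tiers are consulted, since another OTP prompt cannot cure a compromised endpoint (the Citibank case above), and a stale session costs at least a reauthentication even for read-only access, which is the "intermittent but limited reauthentication" the text describes. The out-of-band step is where a confirmation SMS or automated call would be sent, and its result is what makes a hijacked session visible quickly.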

Figure 3: Phishing and Pharming Outsider Threats

Insider Threats

Assuming that the e-business owners have taken the required steps to provide a legitimate user with mechanisms to initiate, establish and preserve a secure communication with the intended business portal, the next major challenge rests with the business owners who hold the customer information. As of today, not all businesses can guarantee confidentiality and privacy of customer data, especially small and medium enterprises (SMEs), as most do not have appropriate processes in place within their corporate boundaries. On the other hand, in attempts to comply with various regulations, large organizations have bolstered their network and infrastructure considerably; they have implemented layered security to some degree. However, in the face of new user-friendly technologies, such as Bluetooth-enabled and mobile devices for communication (e.g., personal digital assistants), storage devices (e.g., USB and flash drives), and modes of communication such as instant messaging (IM), even these large enterprises face challenges.

Various potential data leak channels have started appearing. They are discussed in the following sections.

Mobile Devices

Figure 4 presents a logical view of the security posture attained by most enterprises as a result of conventional security practices. As part of the layered security approach, mature organizations deploy physical, technical (e.g., firewalls, intrusion systems, middleware security controls) and administrative controls (e.g., policies, procedures). However, new channels of data flowing in and out of enterprises have made them porous and vulnerable; mobile devices such as laptops, MP3 players, iPods, USB drives and Bluetooth devices on personal computers are not adequately controlled.[12] These devices have become carriers of Trojans and malware into a secured enterprise and contribute to confidential data leaks out of the corporate boundary. For example, with a USB 2.0 device, data transfer rates can go up to 480 megabits per second. At these rates, it takes less than five minutes to move up to 60 gigabytes of data. Active Directory Server (ADS)-based group policies are traditionally implemented across corporate intranets to enforce security baselines and control employees' Windows desktop environments. Unfortunately, these are incapable of controlling the use of end point devices. Furthermore, the user-friendly plug-and-play capability in operating systems facilitates instantaneous use of such devices in any corporate computer. Security products such as DeviceLock and SecureWave's Sanctuary are gaining popularity as a way to prevent unauthorized use of such devices and to audit the data flow across the end points. However, the lack of widespread use of such controls at the e-business intranet boundary is still a major concern that will contribute to e-user distrust.

A recent survey of more than 240 respondents shows that only 9 percent of enterprises have deployed a comprehensive security architecture that includes mobile device access.[13] Kaspersky Lab (usa.kaspersky.com) has done extensive analysis of mobile device vulnerabilities and threats, and a listing of various mobile device viruses is available from viruslist.com.

Organizations need to evolve security policies that cover end point device use and implement security controls to prevent data leakage through this channel.

Enterprise Digital Rights Management

Organizations store company and customer data in repositories such as directory servers, legacy systems and other relational data systems. Various breeds of applications are used to mine the data and derive value from them for business needs (figure 4).

Figure 4: Enterprise Data Flow Channels (Logical View)

As a starting point of a due-diligence information security exercise, data classification is performed within organizations. Security policies are evolved to outline how data need to be handled by users. Corporate users are provided access to data assets based on the access control policies. However, the control ceases when most of the confidential data in the intranet domain are translated into documents and spreadsheets for business purposes. A legitimate user of confidential data can store the data locally on a hard drive or mobile device, or risk instantaneously sharing them with someone unknown via an IM application.

As of today, no widespread technical mechanism is in place within the industry to prevent intentional or inadvertent sharing or copying of such data or documents. Frameworks such as enterprise rights management (ERM) or information rights management (IRM) offer promise to raise the security barrier on this vulnerable channel. With ERM capability, enterprises have the potential to tie the security to the information itself, wherever it travels.[14]

Surveys show that IP and confidential data theft amounts to millions of US dollars globally; yet enterprises seem to have left this channel porous. With the increased use of remote access to corporate networks (via mobile devices and corporate laptops), the data are subject to new exposure scenarios that enable a hacker to gain access to corporate data on home PCs more easily. Survey results show that nearly 80 percent of home computer users do not have appropriate security solutions on their PCs.[15] Thus, unless enterprises tie security to data by some form of data life cycle management mechanism or framework, such as ERM, this channel will continue to inhibit user confidence.

Instant Messaging

Surveys show tremendous growth in IM use over recent years. A recent AOL survey revealed that 70 percent of Internet users use IM forms of communication; 49 percent use it for major business decisions and 26 percent use it to transfer files in the workplace.[16] This means that sensitive corporate or personal data are potentially transmitted through untrusted third-party servers. Surveys have indicated this as a major evolving threat.

The reasons for this emerging challenge are very obvious: the IM architecture is insecure by design and has not changed over the years. IM applications are still vulnerable to attacks such as buffer overflow and denial of service.[17] The closed and proprietary nature of the protocols makes it difficult for enterprises to tackle this threat with traditional technical controls at the corporate perimeter. For a hacker, spreading an attack via IM does not require scanning unknown IP addresses; it is as simple as choosing the target from the up-to-date contact directory of any IM user.

To thwart these threats, enterprises need to implement comprehensive security suites consisting of perimeter- and protocol-aware, signature-based filtering tools (such as solutions from IMLogic, Websense and SurfControl). However, surveys indicate that such adoption is in its infancy. Thus, this remains another potential source of threat that businesses will continue to deal with in sustaining e-user confidence.

Personal Data Collection

Privacy concerns remain another major impediment (trust inhibitor) to current e-business growth. Sixty-four percent of consumers say they decided not to buy a company's product or service because they did not know how the company would use their personal information.[18]

Enterprises collect user information for a variety of reasons, such as improving the e-user experience to expedite e-transactions. Privacy policies on how user data are handled are generally stated on the company's web site; however, with increased reports of breaches through the channels discussed in this paper, the privacy statements and disclosures do not offer the required confidence to users.

Search engines collect and store records of a user's search queries. This carries huge potential for revealing a user's personal history. For example, in August 2006, AOL published 650,000 users' search histories on its web site.[19]

In the absence of appropriate government regulation, if search companies (business owners) proactively limit their data retention and make their logging practices more transparent to the public, trust could be regained. Also, in the case of online transactions, confidence can be enhanced if companies resort to more trustworthy online practices. For instance, as of now there is no notion of credential expiration offered by e-business portals, as noted by security expert Bruce Schneier.[20] Even for a one-time transaction, many portals demand personal information from consumers, and users are not given the opportunity to opt out if they choose to terminate their association with the business at any later point.

Better e-business practices need to be adopted by business providers to promote e-user confidence.

Data Are the Key

It is clear that the various challenges faced in securing data are caused by the way security is associated with data in their various states. In the current computing model, data (as chunks of bits and bytes) and their security are viewed and related independently. An enterprise system is as secure as its weakest link. Similarly, in an enterprise, data are as secure as their weakest state in their life cycle. Figure 5 shows that data in an organization can reside in a relational database or legacy system, can be transmitted by wired or wireless media, can be made accessible via web server or e-mail systems, can be distributed as documents or spreadsheets, and finally can be persisted/maintained in any kind of storage device. The state of data is fundamentally either at rest or in motion. The combination of technologies used could vary based on an enterprise's security posture and maturity.

Figure 5: Enterprise Data States (Rest and Motion) and Required Controls

  Data storage (data at rest): database, legacy systems, LDAP, etc.
    Controls: access controls, TPM, encryption, audit controls
  Communication (data in motion): routers, switches, bridges, wireless access points
    Controls: IPv6, SSL, encryption technologies
  Devices (data at rest and in motion): PCs, laptops, PDAs, Palm Pilots, mobile phones
    Controls: ERM, TPM, end-point security devices, access controls
  Access and delivery points (data at rest and in motion): web server, e-mail server, printer, scanner
    Controls: ERM, TPM, data expiration
  Storage points (data at rest): USBs, flash drives, tapes, etc.
    Controls: cryptographic controls, tamper-resistant hardware
  ERM: labelled across all of the above in the figure

However, the critical data-and-security link must be preserved. Irrespective of the state and the nature of the technologies in use, if data owners can guarantee and get assurance that the security level of data is not compromised by their state, there is tremendous potential for e-business growth. The risks surrounding personal computers, laptops and mobile devices, as data access and data storage points, can be mitigated by use of hardware-based security technologies such as the Trusted Platform Module (TPM) and IBM's SecureBlue.[21] These technologies allow information to be bound to the platform by cryptographic means and help thwart threats triggered by rootkits and Trojans. Data secured with these technologies cannot be accessed if the data migrate (are copied) to a different platform or if the binding conditions on the same platform are not met. Vendors such as Dell, IBM, HP, Sony and Intel Inc. have already started providing this capability in their PCs and laptops; however, the TPM is generally not activated. Enterprises, especially in the financial sector and government agencies, can offer more secure operating conditions against the threats highlighted in this article if systems are required to activate these features across the organization.
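To make the binding and expiration behaviour concrete, the Python model below seals a document to a measured platform state and carries its usage policy with it, so it covers both this paragraph's TPM binding and the earlier ERM point of tying security to the information itself (including the data-expiration control listed in figure 5). It is an added illustration, not a TPM API or any vendor's ERM product; `ToyPlatform`, the policy fields and the sample document are constructed, and the XOR keystream stands in for a real authenticated cipher.

```python
"""Added example (not from the article and not a vendor API): a toy model of two
ideas the article links, binding data to a measured platform state (TPM-style
sealing) and carrying a usage policy with the data wherever it travels
(ERM-style rights, including data expiration).  Everything here is constructed."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


@dataclass
class ToyPlatform:
    """One machine: a secret that never leaves the device (like a TPM's storage
    root key) plus measured boot state (like PCR registers)."""
    device_secret: bytes = field(default_factory=lambda: os.urandom(32))
    pcrs: list = field(default_factory=lambda: [b"\x00" * 32] * 4)

    def extend(self, index: int, measurement: bytes) -> None:
        # PCR extend: new = H(old || H(measurement)); order-dependent and irreversible.
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def bound_key(self, policy_digest: bytes) -> bytes:
        # Reproducible only on this device, in this boot state, for this policy.
        state = hashlib.sha256(b"".join(self.pcrs)).digest()
        return hmac.new(self.device_secret, state + policy_digest, hashlib.sha256).digest()


class UnsealError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher; a real system would use an AEAD such as AES-GCM.
    return hashlib.shake_256(key + nonce).digest(length)


def seal(platform: ToyPlatform, plaintext: bytes, policy: dict) -> dict:
    """Encrypt under a platform-bound key and authenticate ciphertext plus policy."""
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    key = platform.bound_key(hashlib.sha256(policy_bytes).digest())
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct + policy_bytes, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag, "policy": policy_bytes}


def unseal(platform: ToyPlatform, blob: dict, user: str, now: int) -> bytes:
    """Succeeds only on the sealing platform, in the sealing boot state, for an
    authorized reader, before expiry.  A tampered policy changes the key, so the
    tag check fails before the policy is even read."""
    policy_bytes = blob["policy"]
    key = platform.bound_key(hashlib.sha256(policy_bytes).digest())
    expected = hmac.new(key, blob["nonce"] + blob["ct"] + policy_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise UnsealError("platform state or policy does not match the sealing conditions")
    policy = json.loads(policy_bytes)
    if user not in policy["readers"]:
        raise UnsealError(f"{user} is not an authorized reader")
    if now > policy["expires"]:
        raise UnsealError("document has expired")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, blob["nonce"], len(blob["ct"]))))


def _refused(platform: ToyPlatform, blob: dict, user: str, now: int) -> bool:
    try:
        unseal(platform, blob, user, now)
    except UnsealError:
        return True
    return False


def run_scenarios() -> dict:
    """Constructed scenarios; every value should be True (access allowed for the
    legitimate case, refused for all the others)."""
    laptop = ToyPlatform()
    laptop.extend(0, b"firmware v1")
    laptop.extend(1, b"bootloader v1")
    policy = {"readers": ["alice"], "expires": 1_700_000_000}
    secret = b"Q3 customer list (constructed sample)"
    blob = seal(laptop, secret, policy)

    other_pc = ToyPlatform()           # same software stack, different device secret
    other_pc.extend(0, b"firmware v1")
    other_pc.extend(1, b"bootloader v1")

    tampered = dict(blob, policy=json.dumps(
        {"readers": ["mallory"], "expires": 1_700_000_000}, sort_keys=True).encode())

    results = {
        "authorized_on_sealing_platform": unseal(laptop, blob, "alice", 1_699_000_000) == secret,
        "copied_to_other_platform": _refused(other_pc, blob, "alice", 1_699_000_000),
        "unauthorized_reader": _refused(laptop, blob, "mallory", 1_699_000_000),
        "after_expiry": _refused(laptop, blob, "alice", 1_700_000_001),
        "policy_tampered": _refused(laptop, tampered, "mallory", 1_699_000_000),
    }
    laptop.extend(1, b"unsigned kernel driver")   # boot state changed, e.g. a rootkit
    results["platform_state_changed"] = _refused(laptop, blob, "alice", 1_699_000_000)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32} {'as expected' if ok else 'UNEXPECTED'}")
```

Because the policy bytes feed both the key derivation and the tag, rewriting the reader list or the expiry in a copied blob changes the key and fails the tag check; the same happens when a PCR changes because an unsigned driver was measured into the boot chain, which is how the rootkit and Trojan threats in the text are kept away from the data. The expiry check is the "data expiration" control of figure 5 expressed as a property of the document rather than of the server that handed it out.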

Conclusion

In the existing computing and e-business models, the data-and-security link strongly depends on data state. Since this link is vulnerable, no business owner can guarantee impregnable security, and users cannot expect bulletproof safety if they continue to adopt new technologies on the fly. Implementing technologies (such as ERM), hardware-based security and improved e-practices (such as context- and client-environment-centric authentication, transaction verification mechanisms, and credential expiration capabilities) at the enterprise level can help business owners and users build confidence in the system.

Considering the benefits of e-business, every legitimate beneficiary has an equal stake in improving trust in the systems.

Endnotes

1. Koerner, Brian; "Hotels.com Breach," About.com, 2006, http://idtheft.about.com/od/2006/p/Hotels_com.htm
2. Entrust, European Internet Security Survey, June 2005, www.entrust.com/resources/download.cfm/22193/European%20Internet%20Security%20Survey%20Overview1.pdf
3. CSIA, Internet Security National Survey, no. 3, CSIA report, 2006, https://www.csialliance.org
4. InfoSentry Services Inc., "Americans' Confidence Drops in Information Security Capabilities of Large Corporations and the Federal Government," January 2007, www.infosentry.com/InfoSENTRY_NewsRelease_Security-Attitudes_20070129.htm
5. Allen, Julia H.; Information Security as an Institutional Priority, Carnegie Mellon University, 2005, www.cert.org/work/organizational_security.html
6. Jagatic, T.; N. Johnson; M. Jakobsson; F. Menczer; "Social Phishing," Communications of the ACM, 2006
7. Rivner, Uri; "Dealing With Phishing Attacks," 2006, www.out-law.com/page-6947
8. Internet World Stats, World Internet Usage and Population Statistics, www.internetworldstats.com/stats.htm
9. Op. cit., Jagatic
10. Ibid.
11. Keizer, Gregg; "Phishers Beat Citibank's Two-Factor Authentication," July 2006, www.banktech.com/news/showArticle.jhtml?articleID=191600006
12. Network Endpoint Security News, Endpoint Security News and Information, www.watchyourend.com/category/data-theft
13. Symantec, Economist Intelligence Unit Survey Report, The Economist, January 2006, www.symantec.com/content/en/us/about/media/mobile-security_Full-Report.pdf
14. Oltsik, Jon; Enterprise Rights Management: A Superior Approach to Confidential Data Security, Enterprise Strategy Group Inc., May 2006
15. America Online and the National Cyber Security Alliance, AOL/NCSA Online Safety Study, December 2005
16. Ibid.
17. Rittinghouse, John; James F. Ransome; IM Instant Messaging Security, Digital Press Inc., USA, 2005
18. Westin, Alan F.; Lance J. Hoffman; Security & Privacy Made Simpler, Better Business Bureau, March 2006
19. Electronic Frontier Foundation, "AOL's Massive Data Leak," August 2006, www.eff.org/Privacy/AOL
20. Schneier, Bruce; "Authentication and Expiration," IEEE Security and Privacy, January-February 2005
21. Rau, Shauna; Trusted Computing Platform Emerges as Industry's First Comprehensive Approach to IT Security, IDC, February 2006

Ramanan R. Ramanathan, Ph.D., CISSP, is an information systems security specialist. He has done extensive consulting for leading financial and insurance corporations in the US in the areas of enterprise security architecture, Web-SSO, identity management and infrastructure security. He regularly writes for leading security journals and magazines. He can be reached at [email protected].

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

2008 ISACA. All rights reserved.
