E-business: Trust Inhibitors
By Ramanan R. Ramanathan, Ph.D., CISSP
Information assurance experts, standards bodies and economists have long been striving to highlight the impact and risks associated with the lack of secure information systems and practices in the industry. Currently, the state of assurance offered by enterprise computing infrastructure, and the challenges in improving it, affect not just commercial business, but also national security and individuals' identities, as more classes of systems become web-enabled. When citizens' private information is lost, the inherent delay in detecting the breach and remediating it compounds the problem. A classic example is the infamous Hotels.com web site breach, which was discovered in 2006 but had taken place during 2002-2004.[1] This is just one of countless reported incidents. Undoubtedly, such incidents result in a "trust gap" in the e-business community toward information systems. Reports also confirm that online banking is not keeping pace with the growth of Internet use.[2] The term "trust inhibitors" is used in this article to identify some of the most predominant threats prevalent today and to analyze possible countermeasures.
Major Threats and Targets

The Cyber Security Industry Alliance (CSIA), an advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems,[3] created the Digital Confidence Index (DCI) as a means of tracking public confidence in key elements of various networks. The relative movement of the DCI over recent years indicates that the market is very sensitive to security breaches and that, as a consequence, consumers' trust toward information systems fades. A recent report from an independent survey group, InfoSentry Services Inc., has corroborated this observation.[4] Figure 1 lists recent industry surveys. These surveys cover global audiences, cross-sections of industries and various revenue groups and, thus, reflect the global trend. The objective here is not to offer a comprehensive listing, but to provide the reader the information necessary to understand the degree of impact and scale. The surveys also reveal that outside threats come primarily from viruses, spam, phishing and other malicious agents, and result largely in identity theft and customer data loss. Similarly, insiders are behind intellectual property theft and exposure of a company's sensitive information. Almost all of these surveys conclude that there is a steady growth in threats across the globe that directly weakens economies, national security and privacy. Thus, the advancement that e-commerce promises to global business growth is challenged not by the hacker community alone, but also by flaws in the underlying technology and in current e-business practices.

Figure 1—Recent Industry Surveys
• 2006 Australian Computer Crime and Security Survey
• Enterprise Security Survey, APANI, 2006
• 2006 Global Security Survey, Deloitte Touche Tohmatsu
• Consumer Perspectives of Online Banking Security: Entrust Internet Security Survey, October 2005, Entrust Inc.
• E-Crime Watch Survey, CSO magazine, 2006
• "Phishing Activity Trends Report," Anti-Phishing Working Group, 2006, www.antiphishing.org
• US Survey: Confidential Data at Risk, Ponemon Institute LLC, 2006
• "Utility IT Executives Expect Breach of Critical SCADA Systems," Pipeline & Gas Journal, 2006, www.pipelineandgasjournal.com

Information Flow Controls

Deeper analysis of the nature of the threats revealed in those industry surveys shows that the e-business community can gain better control of the threats and improve customer confidence if the problem is analyzed in the following way and addressed appropriately:
• What mechanisms do e-business portals have in place to bring customers to their portal without the customers becoming victims of threats such as phishing?
• What controls does the business have in place to ensure that the user can complete an initiated e-transaction successfully without the session being hijacked or spoofed in the middle of an ongoing transaction?
• If the above two potential issues are addressed, subsequently:
– What infrastructure controls does the organization have in place to guarantee customers their privacy?
– Does the organization have practices in place that assure users that their personal data are removed from the organization's control at their request?

Outsider Attacks

The sophistication of attacks that originate outside the corporate boundary has been increasing over the years, as has the sophistication of security controls. Julia Allen[5] has elegantly represented the trend, which is reproduced here in figure 2.

Figure 2—External Attack Trend

In the early 1990s, attacks such as traffic sniffing and session hijacking were the predominant threats. In recent years, however, the threat sources, their nature and their sophistication have changed considerably. Today, Trojans, worms and blended viruses are the major threats; these, along with new modes of spreading (e.g., instant messaging [IM], mobile devices) and social engineering exploitation, have introduced considerable vulnerability into the e-business user environment. Phishing combined with pharming has taken advantage of the situation. The combination of vulnerabilities exploited in phishing-based attacks makes them very successful and, hence, deserves a deeper analysis.

Phishing is a semantic attack, wherein a successful attack depends on a discrepancy between the way a user perceives a communication, such as an e-mail message or a web page access, and the communication's actual effect.[6] Mass e-mailing (spam) is one of the ways this attack spreads. Usually the phishing sites are shut down once they are detected; however, despite various countermeasures, the attack lifetime (the time from an attack's appearance to its shutdown) has been estimated at 5.3 days, or 127 hours, as of 2005.[7] The major hurdles to achieving a near-zero lifetime are the lack of cross-border cyberlaws and the use of hacked servers as origins of phishing.

This form of threat has two independent entry channels: social engineering and technology vulnerability. Figure 3 schematically shows a typical business user-to-portal communication path in a phishing attack. A user (Alice) who is the recipient of a fraudulent e-mail initiates a request and arrives at an unintended portal, as the fake site has a near-identical look and feel to the legitimate site. On the other hand, a legitimate user can be redirected to a hacker's site by vulnerabilities such as Domain Name System (DNS) cache poisoning and URL obfuscation. For example, in an unpatched Internet Explorer (IE) browser, a URL similar to https://www.paypal.com%01[string of ~60 "%01" elided]@207.183.172.20/f/ can still take a user to a phishing site: everything before the "@" is treated as user information and discarded, and the browser connects to the IP address that follows it.

Even if a user is successful in connecting to the intended site via end-to-end secured channels, such as Secure Sockets Layer (SSL), Trojans or a virus in an infected computer at the client side can obtain the authentication credentials, either actively (online) or passively (offline), and make them available to the hacker for impersonation. Stronger conventional authentication mechanisms, such as one-time passwords and the two-factor authentication implemented by secure e-sites, are not spared either. Even customers of Citibank, which uses two-factor authentication, were recent victims.[10] Recommendations from the US Federal Trade Commission (FTC) about the use of SSL have not proven effective in thwarting these attacks; SSL protects the channel, not the user's choice of destination, and a phishing site can present a valid certificate for its own name, so a padlock alone proves nothing about who is at the other end. Complexity in the Internet model and sophisticated social-engineering tactics deceive even the more security-wary customers. Reports reveal a 5 percent success rate for the new phishing attack tactics.[9] Attackers keep up their success level by constantly shifting their attack channel.

According to an Internet survey report covering the span 1995-2005, Internet usage has been growing at a rate of more than 180 percent globally.[8] Less-advanced countries increasingly are becoming users of the information highway. With increased reliance on e-financial transactions across the globe and growing participation from countries that lack appropriate cyberlaws, one can anticipate severe impacts in the coming years.
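The userinfo trick in the URL above is easy to detect mechanically once the URL is parsed the way a browser parses it. The following Python is an added example, not code from the article: it takes the obfuscated form quoted above (with its run of %01 shortened) together with two constructed comparison URLs, reports the host the browser will actually connect to, and flags the signs of obfuscation. It cannot detect pharming by DNS cache poisoning, where the URL is genuine and only the name resolution is corrupted.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample inputs. The first is the obfuscated form quoted in the
# article with the run of %01 shortened; the other two are assumed for contrast.
SAMPLE_URLS = [
    "https://www.paypal.com%01%01%01%01@207.183.172.20/f/",
    "https://www.paypal.com/cgi-bin/webscr",
    "http://203.0.113.7/login",
]

# A label.label[.label...] shape, as a bare host name would look.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def real_host(url: str) -> str:
    """The host the browser connects to: the part of the authority after the
    last '@', with any port removed and lower-cased."""
    return urlsplit(url).hostname or ""


def analyse_url(url: str) -> dict:
    """Return the real host plus a list of obfuscation indicators."""
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or ""
    findings = []
    if at:
        findings.append("userinfo before '@': the browser ignores it when "
                        "choosing the host")
        decoded = unquote(userinfo)
        if re.search(r"[\x00-\x1f\x7f]", decoded):
            findings.append("control characters in userinfo: padding that "
                            "pushes the real host out of the address bar")
        # What a user would see before the padding begins.
        visible = re.split(r"[\x00-\x1f\x7f]", decoded)[0].lower()
        if _HOSTNAME_RE.match(visible):
            findings.append("userinfo '%s' is shaped like a host name" % visible)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address rather than a registered name")
    except ValueError:
        pass
    return {"url": url, "real_host": host,
            "suspicious": bool(findings), "findings": findings}


def suspicious_urls(urls) -> list:
    """Filter a batch of URLs (e.g. links extracted from an e-mail) down to
    the ones that carry at least one obfuscation indicator."""
    return [r for r in map(analyse_url, urls) if r["suspicious"]]


if __name__ == "__main__":
    for report in map(analyse_url, SAMPLE_URLS):
        print(report["url"], "->", report["real_host"])
        for finding in report["findings"]:
            print("   ", finding)
```

The check is deliberately based on `urlsplit().hostname`, which applies the same rule the browser does (host is whatever follows the last "@" in the authority), rather than on a regular expression over the raw string; the regular expressions are used only to describe what the user would have seen.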
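The second Information Flow Controls question, whether a transaction can be hijacked or altered after the user has authenticated, is addressed in practice by binding a short out-of-band confirmation code to the transaction details and to an expiry time, rather than to the session alone: a credential that a Trojan has captured is then useless for any other payee, amount or time window. The Python below is an added illustration of that control, not code from the article or from any vendor named in it; the 120-second lifetime, the field names and the account strings are assumptions made for the example. It shows that a code issued for one payee and amount does not verify for an altered transaction, is rejected once it has expired, and cannot be replayed.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the article): a confirmation code is
# valid for 120 seconds and has six decimal digits.
CODE_LIFETIME_SECONDS = 120
CODE_DIGITS = 6


def canonical_transaction(txn: dict, expires_at: int) -> bytes:
    """Encode exactly the fields the user sees in the out-of-band message plus
    the expiry. Anything an attacker could alter in flight must be in here."""
    fields = (str(txn["txn_id"]), txn["payee_account"],
              str(txn["amount_cents"]), txn["currency"], str(expires_at))
    return "|".join(fields).encode("utf-8")


def derive_code(secret: bytes, txn: dict, expires_at: int) -> str:
    """HMAC-SHA256 over the canonical transaction, reduced to a short numeric
    code with HOTP-style dynamic truncation so a user can type it back."""
    digest = hmac.new(secret, canonical_transaction(txn, expires_at),
                      hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def out_of_band_message(txn: dict, code: str) -> str:
    """Text for the second channel (SMS or automated call). The user is meant
    to compare payee and amount with what the portal shows before replying."""
    return "Transfer %s %d.%02d to account %s? Confirm with code %s" % (
        txn["currency"], txn["amount_cents"] // 100, txn["amount_cents"] % 100,
        txn["payee_account"], code)


def code_from_message(message: str) -> str:
    """What the user types back: the last token of the message text."""
    return message.rsplit(" ", 1)[1]


class TransactionVerifier:
    """Server side: one code per pending transaction, accepted once, only
    before expiry, and only for the transaction it was issued for."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}      # txn_id -> expiry of the code that was sent
        self._consumed = set()  # txn_ids already confirmed (replay defence)

    def issue(self, txn: dict, now: int) -> str:
        expires_at = now + CODE_LIFETIME_SECONDS
        self._pending[txn["txn_id"]] = expires_at
        return out_of_band_message(txn, derive_code(self._secret, txn, expires_at))

    def confirm(self, submitted: dict, code: str, now: int) -> bool:
        """`submitted` is what the portal is about to execute. If a Trojan or a
        hijacked session changed payee or amount after the code was sent, the
        recomputed code differs from the one the user read on the phone."""
        txn_id = submitted["txn_id"]
        if txn_id in self._consumed or txn_id not in self._pending:
            return False
        expires_at = self._pending[txn_id]
        if now > expires_at:
            del self._pending[txn_id]
            return False
        expected = derive_code(self._secret, submitted, expires_at)
        if not hmac.compare_digest(expected, code):
            return False
        self._consumed.add(txn_id)
        del self._pending[txn_id]
        return True


def demo() -> dict:
    """Constructed scenario: in-flight alteration of the payee, legitimate
    confirmation, replay of the used code, and a code presented too late."""
    txn = {"txn_id": 1001, "payee_account": "ACCT-0001-LEGIT",
           "amount_cents": 125000, "currency": "EUR"}
    t0 = 1_700_000_000
    verifier = TransactionVerifier(b"constructed-server-secret")
    code = code_from_message(verifier.issue(txn, t0))
    altered = dict(txn, payee_account="ACCT-9999-ATTACKER")
    results = {
        "altered_rejected": not verifier.confirm(altered, code, t0 + 10),
        "legit_accepted": verifier.confirm(txn, code, t0 + 10),
        "replay_rejected": not verifier.confirm(txn, code, t0 + 20),
    }
    late = TransactionVerifier(b"constructed-server-secret")
    late_code = code_from_message(late.issue(txn, t0))
    results["expired_rejected"] = not late.confirm(
        txn, late_code, t0 + CODE_LIFETIME_SECONDS + 1)
    return results
```

The design point is that the code is a message authentication code over what the bank will execute, so the user's act of comparing the SMS text with the screen and typing the code back is what defeats a man-in-the-middle; a code that merely proves possession of a token, as with the two-factor scheme discussed above, does not.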
Figure 3—Phishing and Pharming Outsider Threats

This threat will continue to be a major trust inhibitor in the e-commerce space unless the market moves toward more end-to-end secure and robust e-business practices. Research efforts have shown that measures such as digitally signing e-mails, forcing browser toolbar usage at the desktop level and securing the path for capturing user credentials as part of the authentication process itself could improve resistance against such attacks. Methods such as out-of-band verification (confirmation via SMS, automated phone message, etc.) and intermittent but limited reauthentication can prevent fraudulent transactions and enable faster detection of breaches.[11] The security state at which an e-user transaction is carried out should depend on both the client environment and the nature or value of the transaction itself.

Insider Threats

Assuming that the e-business owners have taken the required steps to give a legitimate user mechanisms to initiate, establish and preserve a secure communication with the intended business portal, the subsequent major challenge rests with the business owners who own the customer information. As of today, not all businesses can guarantee the confidentiality and privacy of customer data, especially small and medium enterprises (SMEs), as most do not have appropriate processes in place within their corporate boundaries. On the other hand, in attempts to comply with various regulations, large organizations have bolstered their network and infrastructure considerably; they have implemented layered security to some degree. As part of the layered security approach, mature organizations deploy physical, technical (e.g., firewalls, intrusion systems, middleware security controls) and other administrative controls (e.g., policies, procedures). However, even these large enterprises face challenges as new user-friendly technologies arrive. Various potential data leak channels have started appearing, such as Bluetooth-enabled and mobile devices for communication (e.g., personal digital assistants), storage devices (e.g., USB, flash drives), mobile devices such as laptops, MP3 players and iPods, and modes of communication such as instant messaging (IM). They are discussed in the following sections.

Mobile Devices

Figure 4 presents a logical view of the security posture attained by most enterprises as a result of conventional security practices. However, new channels of data flowing in and out of enterprises have made the enterprises porous and vulnerable.

Figure 4—Enterprise Data Flow Channels (Logical View)

As of today, USB drives and Bluetooth devices on personal computers are not adequately controlled. A recent survey of more than 240 respondents shows that only 9 percent of enterprises have deployed a comprehensive security architecture that includes mobile device access.[12] These devices have become carriers of Trojans and malware into a "secured" enterprise and contribute to confidential data leaks out of the corporate boundary.[13] Kaspersky Lab (usa.kaspersky.com) has done extensive analysis of mobile device vulnerabilities and threats, and a listing of various mobile device viruses is available from viruslist.com. Furthermore, the user-friendly "plug and play" capability in operating systems allows instantaneous use of such devices in any corporate computer. For example, with a USB 2.0 device, data transfer rates can go up to 480 megabits per second; at that rate (60 megabytes per second), 60 gigabytes of data can be moved in under 17 minutes. Corporate users are given access to data assets based on the access control policies. A legitimate user of confidential data can store the data locally on the hard drive or on a mobile device, or trigger the risk of instantaneously sharing the same with someone unknown via an IM application. Active Directory Server (ADS)-based group policies are traditionally implemented across corporate intranets to enforce security baselines and control employees' Windows desktop environments. Unfortunately, these are incapable of controlling the use of end point devices (later Windows versions added removable-storage access policies to Group Policy, which narrows but does not close this gap). Security products such as DeviceLock® and SecureWave's Sanctuary® are gaining popularity as a way to prevent unauthorized use of such devices and to audit the data flow across the end points. However, the lack of widespread use of such controls at the e-business intranet boundary is still a major concern that will contribute to e-user distrust. Organizations need to evolve security policies that cover end point device use and implement security controls to prevent data leakage through this channel.

Enterprise Digital Rights Management

Organizations store company and customer data in repositories such as directory servers, legacy systems and other relational data systems. Various breeds of applications are used to mine the data and derive value from them for business needs (figure 4). As a starting point of a due-diligence information security exercise, data classification is performed within organizations, and security policies are evolved to outline how data need to be handled by the users. However, the control ceases when most of the confidential data in the intranet domain are translated into documents and spreadsheets for business purposes. As of today, no widespread technical mechanism is in place within the industry to prevent intentional or inadvertent sharing or copying of such data or documents. Frameworks such as enterprise rights management (ERM) or information rights management (IRM) offer promise to raise the security barrier on this vulnerable channel.[14] With ERM capability, enterprises have the potential to tie the security to the information itself, wherever it travels. Surveys show that IP and confidential data theft amounts to millions of US dollars globally, yet enterprises seem to have left this channel porous. With the increased use of remote access to corporate networks (via mobile devices and corporate laptops), the data are subject to new exposure scenarios that enable a hacker to gain access to corporate data on home PCs more easily. Survey results show that nearly 80 percent of home computer users do not have appropriate forms of security solutions on their PCs.[15] Thus, unless enterprises tie security to data by some form of data life cycle management mechanism or framework, such as ERM, this channel will continue to inhibit user confidence.

Instant Messaging

Surveys show that there has been tremendous growth in IM use over recent years. A recent AOL survey revealed that 70 percent of Internet users use IM forms of communication, 49 percent use it for major business decisions and 26 percent use it to transfer files in the workplace.[16] This means that sensitive corporate or personal data are potentially transmitted through untrusted third-party servers. Surveys have indicated this as a major evolving threat. The reasons for this emerging challenge are very obvious: the IM architecture is insecure by design and has not changed over the years. IM applications are still vulnerable to attacks such as buffer overflow and denial of service.[17] The closed and proprietary nature of the protocols makes it difficult for enterprises to tackle this threat with traditional technical controls at the corporate perimeter. For a hacker, spreading an attack via IM does not require scanning unknown IP addresses; it is as simple as choosing the target from an updated directory of any IM user. To thwart these threats, enterprises need to implement comprehensive security suites consisting of perimeter- and protocol-aware, signature-based filtering tools (such as solutions from IMLogic®, Websense® and SurfControl®). However, surveys indicate that such adoptions are in their infancy. Thus, this remains another potential source of threat, which businesses will continue to deal with in sustaining e-user confidence.

Personal Data Collection

Privacy concerns remain another major impediment (trust inhibitor) to current e-business growth. Sixty-four percent of consumers say they decided not to buy a company's product or service because they did not know how the company would use their personal information.[18] Enterprises collect user information for a variety of reasons, such as improving the e-user experience to expedite e-transactions. Privacy policies on how the user data are handled are generally stated on the company's web site; however, the privacy statements and disclosures do not offer the required confidence to the users. Search engines collect and store records of a user's search queries. For example, in August 2006, AOL published 650,000 users' search histories on its web site.[19] This carries huge potential for revealing a user's personal history. In the absence of appropriate government regulation, trust could be regained if search companies (business owners) proactively limited their data retention and made their logging practices more transparent to the public. Similarly, in the case of online transactions, there is as of now no notion of "credential expiration" offered by e-business portals, as noted by security expert Bruce Schneier.[20] Even for a one-time transaction, many portals demand personal information from consumers, and users are not given the opportunity to opt out if they choose to terminate their association with the business at any later point. Better e-business practices need to be adopted by business providers to promote e-user confidence.

Data Are the Key

It is clear that the various challenges faced in securing data are caused by the way security is associated with data in their various states. In the current computing model, data (as chunks of bits and bytes) and their security are viewed and related independently. The state of data is fundamentally either at rest or in motion. Figure 5 shows that data in an organization can reside in a relational database or legacy system, can be made accessible via web server or e-mail systems, can be transmitted by wired or wireless media, can be distributed as documents or spreadsheets, and finally can be persisted in any kind of storage device. Irrespective of the state and nature of the technologies in use, the data-and-security link strongly depends on the data state. Since this link is vulnerable, data are only as secure as their weakest state in their life cycle. Data owners can guarantee, and obtain assurance, that the security level of data is not compromised by their state only if the critical data-and-security link is preserved.

Figure 5—Enterprise Data States (Rest and Motion) and Required Controls
[Diagram: storage points (database, LDAP, legacy systems, data hardware), access and delivery points (web server, e-mail server), communication devices (routers, switches, bridges, wireless access points), end points (PCs, laptops, PDAs, mobile phones) and removable media and peripherals (USBs, flash drives, tapes, printers, scanners), each annotated with data at rest and/or in motion and with controls such as access controls, encryption, audit controls, SSL, IPv6, TPM, tamper-resistant ERM and credential expiration.]

The risks surrounding personal computers, laptops and mobile devices in an enterprise can be mitigated by the use of hardware-based security technologies, such as the Trusted Platform Module (TPM) and IBM's SecureBlue.[21] These technologies allow the information to be bound to the platform by cryptographic means and help to thwart threats triggered by rootkits and Trojans. Data secured with these technologies cannot be accessed if they migrate (are copied) to a different platform or if the binding conditions on the same platform are not met. Vendors such as Dell, HP, IBM, Sony and Intel Inc. have already started providing this capability in their PCs and laptops; however, the TPM is generally not activated. Enterprises, especially in the financial sector and government agencies, can offer more secure operating conditions against the threats highlighted in this article if systems are forced to activate these features across the organization. The combination of technologies used could vary based on an enterprise's security posture and maturity.

Conclusion

In the existing computing and e-business models, no business owner can guarantee impregnable security. An enterprise system is as secure as its weakest link. Similarly, users cannot expect bulletproof safety if they continue to adopt new technologies on the fly. With increased reports of breaches through the channels discussed in this paper, implementing technologies (such as ERM, hardware-based security and improved e-practices such as context- and client-environment-centric authentication, transaction verification mechanisms, and credential expiration capabilities) at the enterprise level can help business owners and users build confidence in the system. Considering the benefits of e-business, there is tremendous potential for e-business growth; however, confidence can be enhanced only if companies resort to more trustworthy online practices. Every legitimate beneficiary has an equal stake in improving trust in the systems.

Endnotes
1 Johnson, Shauna; "Hotels.com breach," About.com, 2006, http://idtheft.about.com/od/2006/p/Hotels_com.htm
2 Entrust; "Internet Security National Survey," 2005; and "European Internet Security Survey," www.entrust.com/resources/download.cfm/22193/European%20Internet%20Security%20Survey%20Overview1.pdf
3 Cyber Security Industry Alliance (CSIA), CSIA report, www.csialliance.org
4 Infosentry Services Inc.; "Americans' Confidence Drops in Information Security Capabilities of Large Corporations and the Federal Government," January 2007, www.infosentry.com/InfoSENTRY_NewsRelease_SecurityAttitudes_20070129.pdf
5 Allen, Julia H.; "Information Security as an Institutional Priority," Carnegie Mellon University, www.cert.org/work/organizational_security.htm
6 Jagatic, T.; N. Johnson; M. Jakobsson; F. Menczer; "Social Phishing," Communications of the ACM, 2005
7 Ibid.
8 Internet World Stats; "World Internet Usage and Population Statistics," www.internetworldstats.com/stats.htm
9 Op cit., Jagatic
10 Keizer, Gregg; "Phishers Beat Citibank's Two-Factor Authentication," July 2006, www.banktech.com/news/showArticle.jhtml?articleID=191600006
11 Rivner, Uri; "Dealing With Phishing Attacks," 2006
12 The Economist; "Economist Intelligence Unit Survey Report," Symantec, 2006, www.symantec.com/content/en/us/about/media/mobile-security_Full-Report.pdf
13 Network Endpoint Security News; "Endpoint Security News and Information," www.watchyourend.com/category/data-theft
14 Oltsik, Jon; "Enterprise Rights Management: A Superior Approach to Confidential Data Security," Enterprise Strategy Group Inc., 2006
15 America Online and the National Cyber Security Alliance; "AOL/NCSA Online Safety Study," December 2005
16 Ibid.
17 Rittinghouse, John; James F. Ransome; "IM Instant Messaging Security," Digital Press Inc., 2005
18 Westin, Alan F.; "Security & Privacy Made Simpler," Better Business Bureau, March 2006
19 Electronic Frontier Foundation; "AOL's Massive Data Leak," August 2006, www.eff.org/Privacy/AOL
20 Schneier, Bruce; "Authentication and Expiration," IEEE Security and Privacy, January-February 2005
21 Rau; "Trusted Computing Platform Emerges as Industries' First Comprehensive Approach to IT Security," IDC, February 2006; see also www.out-law.com/page-6947
Ramanan R. Ramanathan, Ph.D., CISSP is an information systems security specialist in the areas of enterprise security architecture, Web-SSO, identity management and infrastructure security. He has done extensive consulting for leading financial and insurance corporations in the US. He regularly writes for leading security journals and magazines. He can be reached at RR_Ramanan@yahoo.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© 2008 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association, without express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org