CFS November


Transcript of CFS November

Page 1: CFS November

ISSN 1361-3723/14 © 2014 Elsevier Ltd. All rights reserved. This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

NEWS

UK citizens hit hard by cybercrime says Government 1

Retailers under sustained attack 3

FEATURES

The dark side of advertising 5

Most commercial web-based services and many mobile applications rely on advertising for their main sources of income. But while we’re all accustomed to seeing ads embedded in web pages and apps, this constant stream of advertising has also become a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it.

Embedding dependability attributes into component-based software development 8

In order to save costs, increase speed of development and improve reliability, many organisations have turned to reusing software components. However, this approach also makes it hard to be confident about the security of the resulting software. Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via a case study involving an industrial software application.

The quantified self: a threat to enterprise security? 16

Soon a large proportion of the population will be wearing computing devices in the workplace, if the pundits are to be believed. Wearable technology is getting smarter and has been given a boost in popularity following the launch of the Apple Watch. The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and connect to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports.

FEATURES

Editorial 2

News in brief 4

Calendar 20

Contents

Computer Fraud & Security
ISSN 1361-3723 November 2014 www.computerfraudandsecurity.com

Featured in this issue:

The dark side of advertising

Advertising is pervasive on the Internet these days. It’s usually the primary income stream for many of the services, such as Facebook and Google, that we take for granted. But it’s also a source of serious threats to our security.

Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it.

Full story on page 5…

Embedding dependability attributes into component-based software development

Many industries have turned to reusing software components during development because this makes applications cheaper, faster and more reliable. However, it also makes them hard to secure.

Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via an industrial software application case study.

Full story on page 8…

The quantified self: a threat to enterprise security?

Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015.

The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and link to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports.

Full story on page 16…

Come and visit us at:

www.computerfraudandsecurity.com


UK citizens hit hard by cybercrime says Government

Half of the UK’s citizens have fallen victim to cybercrime, and half of those victims were traumatised by the experience, according to research by the Government.

As part of Get Safe Online Week in late October 2014, the Cabinet Office issued the results of two surveys. The first, by Vision Critical, which was undertaken specifically to tie in with the event, found that of those people who had been victims of cybercrime – defined as: online fraud or cases resulting in economic loss; ID theft; hacking or deliberate distribution of viruses; and online abuse – half felt they were ‘very’ or ‘extremely violated’ by the experience.

Continued on page 3…

Page 2: CFS November

Editorial Office: Elsevier Ltd
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
E-mail: [email protected]
Web: www.computerfraudandsecurity.com

Publisher: Greg Valero
E-mail: [email protected]

Editor: Steve Mansfield-Devine E-mail: [email protected]

Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Production Support Manager: Lin Lucas
E-mail: [email protected]

Subscription Information
An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users. Prices: €1139 for all European countries & Iran; US$1237 for all countries except Europe and Japan; ¥151 620 for Japan (prices valid until 31 December 2011). To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971. Email: [email protected], or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Pre-press/Printed by Mayfield Press (Oxford) Limited

EDITORIAL

Computer Fraud & Security November 2014 (page 2)

Editorial Office: Elsevier Ltd
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
E-mail: [email protected]
Web: www.computerfraudandsecurity.com

Publisher: David Hopwood


Subscription Information
An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users. Prices: €1314 for all European countries & Iran; US$1426 for all countries except Europe and Japan; ¥174 800 for Japan (prices valid until 31 December 2014). To subscribe send payment to the address above. Tel: +44 (0)1865 843687 or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received.


Digitally Produced by Mayfield Press (Oxford) Ltd

Whatever side you stand on the Edward Snowden debate, it’s clear that his leaks of government secrets and disclosures about mass surveillance programmes have certainly raised awareness about privacy – or rather, the lack of it – on the Internet.

It’s probable that before the stories about the likes of PRISM broke, the vast majority of people hadn’t given privacy a second thought. Just witness how eager people have been to spill their lives onto the likes of Facebook and Twitter.

Of course, they still do. There is something of a disconnect here. There’s a sizeable portion of the population that will complain about government snooping while pasting on to social networking sites precisely the kind of information that the intelligence services are being castigated for hoovering up.

But then, I guess that’s their choice. And that’s the nub of the matter – whether we should be able to use the Internet while still choosing to be private. This would be the same kind of expectation we have with the phone system. We all know that our conversations are going down wires and through exchanges operated by private companies and to which law enforcement and other bodies can have access in certain circumstances. But we have a reasonable expectation that the privacy of our communications will not be breached without good cause and due process of law. In other words, if you want to listen in, get a warrant.

Things become more difficult for those who like to add a bit more certainty about their privacy. For most people, telephone scramblers have always been exotically out of reach. In terms of our Internet privacy, there are technologies out there that can help – such as Tor – but they are often tricky to use if you are not an IT expert. And, as we’re discovering, they’re often not as effective as they seem. Only recently it was discovered that rogue Tor exit nodes had been inserting malware into people’s communications. And, as we know from Snowden, US and UK intelligence agencies have been working hard to undermine the technology used by Tor.

You’ll hear people say that if you have nothing to hide, you have nothing to fear. Normally, this platitude is spouted by those living in (relatively) safe (more or less) democracies like the US and UK. For those living under more repressive regimes it’s a lot harder to be quite so smug.

The problem with having both those who are supposed to be protecting us (the intelligence agencies) and the bad guys (cyber-criminals) undermining technologies like Tor is that it weakens privacy for those who need it most – those whose very lives might depend on it.

There are some highly knowledgeable and influential people taking up the banner of privacy. Next year will see the launch of a new think-tank and campaigning group, Code Red (see News in Brief, page 4). With any luck, this will help dispel the idea that those seeking to be private on the Internet are paranoid, weird or dubious. It’s something we should all consider a right and expect, perhaps, as a default condition.

The problem that will remain, however, is how to achieve it technically. The Internet’s many protocols were never designed with privacy or security in mind. And that’s probably a good thing as it helped foster the notion of the Internet as a medium for connecting and sharing. Of course, the likes of Vint Cerf and Bob Kahn (creators of the Internet) and Sir Tim Berners-Lee (father of the web) couldn’t have foreseen the many dark directions their inventions would follow. We can only hope similarly gifted people will be able to retro-fit their progeny with technologies that make it safe for everyone.

– Steve Mansfield-Devine

Page 3: CFS November

NEWS


…Continued from front page

Figures issued by the National Fraud Intelligence Bureau (NFIB) to tie in with Get Safe Online Week put the amount lost to the top 10 Internet-enabled frauds at more than £670m for the year ending 31 Aug 2014. This includes all fraud where the initial contact was via an online function. However, the NFIB pointed out that a high percentage of Internet frauds probably go unreported, so the real figure is likely to be much higher. The research suggests that only around a third (32%) of victims actually report the crime.

More than half (53%) of the people surveyed now regard cybercrime to be as serious as ‘physical world’ crimes, and many are now adapting their behaviour accordingly. For example, 45% say they have adopted stronger passwords and 42% claim to be ‘extra vigilant’ when shopping online.

However, not all changes are for the better. When it comes to protecting their personal devices with a PIN or password, more than half have failed to do this with their mobile phones (54%) or PCs (59%), and two-thirds (67%) haven’t done this with their tablets. Laptop owners are slightly better – only 37% have failed to use a password.

“It’s sad but not surprising that 53% of British people have fallen victim to cybercrime,” said George Anderson, director of product marketing at Webroot. “The Internet has become assimilated into our daily lives, from banking to retail, to the point where it’s easy to forget how hazardous it is if the proper security measures aren’t taken. The key to making the UK a safe Internet user zone is education. As a country, as communities and as individuals we should be actively promoting awareness of Internet safety and security issues. The government’s research should not scare people away from online activities, but rather start serious and continuous conversations whereby we evaluate the online precautions we take both at home and at work. Education should start young, with parents and education bodies working to ensure security savvy future generations.”

However, the rise in security awareness might have less to do with fraud than with other high-profile incidents, said Chris Boyd, malware intelligence analyst at Malwarebytes: “While there have been many notable attempts to place the threat of hacking and data breaches in the public eye, it’s possible that the recent celebrity iCloud hacks have had more of an impact on public perception than any cyber-security awareness week ever could. There is a significant amount of apathy among the average person when it comes to protecting themselves online, which is compounded by the ever-evolving complexity and success of cybercrime; so while education is important, it’s also difficult.”

The Get Safe Online public-private initiative has guidelines that individuals can follow to protect themselves. There’s more information here: www.getsafeonline.org.

Retailers under sustained attack

The publicity surrounding the high-profile breach of US retailer Target’s point of sale (PoS) systems has done nothing to prevent the rise of such attacks, according to research by security firm Damballa.

Infections involving the Backoff malware used to breach Target’s systems – and those of other big-name victims such as Supervalu and UPS – are still rising. Damballa says it recorded a 57% rise in Backoff detections in August 2014, and according to US Secret Service estimates, this has resulted in 1,000 US firms being hit. Damballa also saw another 27% rise in September. Typically, infections are achieved by brute-forcing weak passwords on remote desktop (RDP) applications in order to drop the malware onto the PoS systems.

“In many cases, the PoS systems are free-standing from the corporate network,” said Brian Foster, CTO at Damballa. “They connect to local networks, which have limited security. Without this visibility, it’s impossible to discover the device is communicating with criminal command and control.”

Any business that uses RDP protocols to enable remote support on PoS solutions needs to implement much stronger security now, according to Curt Wilson, senior research analyst for Arbor Networks’ ASERT team. “If a PoS provider is compromised, the attackers typically obtain access to all their customer deployments via remote access capabilities, leading to complex, distributed compromise,” he said. “Strong authentication may provide an extra layer of defence in such a case, unless the strong authentication process is also compromised. Organisations, especially smaller to mid-sized organisations, should be aware of the potential of remote support being compromised.”
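The Backoff intrusions described above begin with guessed RDP credentials, so the earliest evidence is in the authentication log of the PoS host rather than in the malware itself. The following is an added example, not code from the article, from Damballa or from Arbor Networks: it walks a constructed, flattened logon log (Windows event 4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP) and flags a successful RDP logon that follows a burst of failures from the same source address. The log format, the threshold and window, and the addresses and account names are assumptions made for the example.

```python
"""Flag a successful RDP logon that follows a burst of failed RDP logons
from the same source address (the Backoff pattern described above).

Added example, not from the article. The log format below is a constructed
flattening of Windows security events, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp, event id, logon type, account,
# source IP. 4625 = failed logon, 4624 = successful logon, logon type
# 10 = RemoteInteractive (RDP). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2014-09-03T02:14:01 4625 10 administrator 203.0.113.7
2014-09-03T02:14:02 4625 10 administrator 203.0.113.7
2014-09-03T02:14:03 4625 10 admin 203.0.113.7
2014-09-03T02:14:04 4625 10 admin 203.0.113.7
2014-09-03T02:14:05 4625 10 pos 203.0.113.7
2014-09-03T02:14:06 4625 10 pos 203.0.113.7
2014-09-03T02:14:07 4625 10 posuser 203.0.113.7
2014-09-03T02:14:08 4625 10 posuser 203.0.113.7
2014-09-03T02:14:09 4624 10 posuser 203.0.113.7
2014-09-03T08:30:00 4625 10 jsmith 192.0.2.10
2014-09-03T08:30:09 4624 10 jsmith 192.0.2.10
2014-09-03T09:00:00 4624 2 jsmith 192.0.2.10
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_line(line):
    """Parse one flattened log line into a dict (assumed format, see above)."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event": int(event_id),
        "type": int(logon_type),
        "account": account,
        "src": src,
    }


def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per successful RDP logon that was preceded, within
    `window`, by at least `threshold` failed RDP logons from the same source.

    Failures are counted per source address rather than per account, so a
    spray across several accounts is caught as well as hammering one account.
    Non-RDP logon types (console, network) are ignored.
    """
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    alerts = []
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        if ev["type"] != RDP_LOGON_TYPE:
            continue
        # Drop failures that have aged out of the window before deciding.
        recent = [t for t in failures[ev["src"]] if t >= ev["ts"] - window]
        if ev["event"] == FAILED_LOGON:
            recent.append(ev["ts"])
        elif ev["event"] == SUCCESSFUL_LOGON and len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "account": ev["account"],
                "failures": len(recent),
                "when": ev["ts"],
            })
            recent = []  # one alert per burst
        failures[ev["src"]] = recent
    return alerts


if __name__ == "__main__":
    for a in find_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['when']} RDP logon as {a['account']} from {a['src']} "
              f"after {a['failures']} failures")
```

On the sample log this produces a single alert for 203.0.113.7, which guessed four accounts before getting into posuser; the one mistyped password from 192.0.2.10 stays below the threshold. An alert of this kind marks the point at which the operator should expect to find the dropped malware on the PoS host; it complements, and does not replace, the stronger authentication on remote support that Wilson calls for.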

Meanwhile, researcher Brian Krebs has reported that there are continuing repercussions of the Home Depot breach. US banks have logged a large number of fraudulent transactions related to payment card details stolen from the firm. Most of these fraudulent transactions are coming from Brazil.

An interesting twist is that the transactions claim to be chip-based ones, even though the affected banks have only just started rolling out EMV cards to their customers. It’s currently not clear how the fraudsters have managed to make the transactions appear as though they are EMV-based payments. One theory is that they have a payment terminal and are using encrypted data from a genuine EMV card and injecting other data using stolen card details into the data stream. There is more information here: http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/.

One consequence of this is that the banks are probably liable for the fraudulent payments: if they weren’t EMV-based, the liability would more likely have fallen on their insurers.

Luther Martin, chief security architect at Voltage Security, said: “The possibility of fraud resulting from hackers exploiting a flaw in the implementation of the EMV protocol demonstrates a few interesting points. First, it was a flaw in the implementation of cryptography that was apparently exploited by hackers, not the cryptography itself. Cryptography can provide essentially unbreakable security for sensitive information, but it’s very hard to implement correctly. Even a fairly simple flaw in an otherwise-secure implementation can provide hackers all that they need to exploit a system.”

He added: “Next, it demonstrates that EMV is not proof against all payment fraud. While it may reduce card-present fraud by a considerable amount, EMV is not a ‘silver bullet’.”
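The theory in Krebs’s report and Martin’s point about implementation flaws come down to one question on the issuer side: does the authorisation host recompute the chip’s cryptogram over the transaction it is being asked to approve, and does it notice the same transaction counter twice? The following is an added example, not code from the article, from Krebs’s report or from any EMV specification: the “cryptogram” is an HMAC-SHA256 over the PAN, amount, application transaction counter (ATC) and a terminal nonce, standing in for the card’s application cryptogram (real EMV uses a per-card key and a block-cipher MAC over a different set of fields, none of which is reproduced here). The test PANs, the field layout and the two issuer configurations are assumptions made for the example.

```python
"""Simplified model of why a chip cryptogram only stops spliced or replayed
authorisations when the issuer actually verifies it against the transaction
it is approving.

Added example, not from the article. The MAC construction, key derivation
and message layout are stand-ins, not the EMV algorithms.
"""
import hashlib
import hmac

ISSUER_MASTER_KEY = b"example-issuer-master-key-not-real"  # constructed, not a real key


def card_key(pan: str) -> bytes:
    """Per-card key diversified from the issuer master key (stand-in for EMV
    key derivation, which is not reproduced here)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def make_cryptogram(pan: str, amount_cents: int, atc: int, unpredictable: str) -> str:
    """What the chip does: MAC the fields of THIS transaction under its own key.
    Any change to PAN, amount or counter changes the MAC."""
    msg = f"{pan}|{amount_cents}|{atc}|{unpredictable}".encode()
    return hmac.new(card_key(pan), msg, hashlib.sha256).hexdigest()[:16]


class IssuerHost:
    """Authorisation host. The two flags model the shortcut the article's
    theory depends on: trusting a chip-present indicator plus a cryptogram
    field without recomputing the MAC, and not tracking the ATC."""

    def __init__(self, verify_mac: bool, check_atc: bool):
        self.verify_mac = verify_mac
        self.check_atc = check_atc
        self.last_atc = {}  # pan -> highest application transaction counter seen

    def authorise(self, req: dict) -> str:
        if not req["chip_present"]:
            return "decline: not a chip transaction"
        if self.verify_mac:
            expected = make_cryptogram(req["pan"], req["amount_cents"],
                                       req["atc"], req["unpredictable"])
            if not hmac.compare_digest(expected, req["cryptogram"]):
                return "decline: cryptogram does not verify"
        if self.check_atc:
            if req["atc"] <= self.last_atc.get(req["pan"], -1):
                return "decline: replayed transaction counter"
            self.last_atc[req["pan"]] = req["atc"]
        return "approve"


def run_scenarios() -> dict:
    """Run the genuine, spliced and replayed messages through a weak and a
    strict host and return each decision."""
    genuine_pan = "4111111111111111"  # constructed test PAN (the real chip card)
    stolen_pan = "5555555555554444"   # constructed test PAN (from a breach dump)
    weak = IssuerHost(verify_mac=False, check_atc=False)
    strict = IssuerHost(verify_mac=True, check_atc=True)

    # 1. A real chip transaction, as captured on the fraudster's own terminal.
    genuine = {"pan": genuine_pan, "amount_cents": 4999, "atc": 37,
               "unpredictable": "a1b2c3d4", "chip_present": True}
    genuine["cryptogram"] = make_cryptogram(genuine_pan, 4999, 37, "a1b2c3d4")

    # 2. The theory in the article: keep the captured cryptogram, swap in a
    #    stolen PAN, and present the result as a chip transaction.
    spliced = dict(genuine, pan=stolen_pan)

    # 3. A straight replay of the genuine message with the same counter.
    replay = dict(genuine)

    return {
        "weak_genuine": weak.authorise(genuine),
        "weak_spliced": weak.authorise(spliced),
        "weak_replay": weak.authorise(replay),
        "strict_genuine": strict.authorise(genuine),
        "strict_spliced": strict.authorise(spliced),
        "strict_replay": strict.authorise(replay),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:15s} {decision}")
```

The weak host is the kind of flaw Martin describes: the cryptography is sound, but the host treats a chip indicator and a syntactically valid cryptogram field as proof of a chip transaction, so both the spliced message and the replay are approved. The strict host declines the spliced message because the MAC was computed under a different card’s key over a different PAN, and declines the replay because the ATC has not advanced.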

Page 4: CFS November

NEWS


New venture to boost privacy

Some of the top names in encryption and security are banding together to promote privacy. Security guru Bruce Schneier, Tor developer Jacob Appelbaum (who was involved in the Edward Snowden disclosures) and public key cryptology pioneer Whitfield Diffie are joining forces with a number of privacy advocates to create the Code Red project. Starting in January, this aims to become a “strategic think tank and campaign clearinghouse to provide new resources and tactical advice to human rights groups across the world”. As well as promoting privacy at an individual level, it will also offer resources for whistleblowers and activist groups. According to a blog post by Privacy International founder Simon Davies: “The initiative will be committed to a range of objectives, but foremost among these is to mentor the development of new and innovative projects that directly engage the surveillance menace.” The project’s steering group includes MI5 whistleblower Annie Machon, former US Congress member and presidential candidate Cynthia McKinney, former Wikimedia general counsel Mike Godwin, the Electronic Frontier Foundation’s international rights director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. There’s more information here: www.privacysurgeon.org/blog/incision/one-of-the-worlds-most-ambitious-privacy-initiatives-launches-in-january/.

Industrial infections

For the past three years, a number of industrial control systems (ICSs) have been infected via the BlackEnergy malware toolkit, and the attack is said to be both “ongoing” and sophisticated. The ICS solutions that have been compromised – from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC – all have Internet-facing interfaces. The malware delivered by BlackEnergy is modular, and the exploits that have been delivered vary from system to system, according to US CERT. BlackEnergy was first identified in 2007 by Arbor Networks, and in September 2014, Finnish malware researchers noted that it was being used by the Quedagh political hacking group.

Image hides Android malware

Researchers Axelle Apvrille of Fortinet and Ange Albertini of Corkami have discovered that malware can be sneaked on to Android systems disguised as images. In what they’ve dubbed the AngeCrypt attack, a malicious APK file can be made to look like a perfectly normal PNG image – and other image formats can be used too. The technique was presented at Black Hat and more information is available here: http://bit.ly/201411angecrypt.

UK citizens dislike snoops

Research by F-Secure shows that UK citizens are becoming increasingly concerned about state surveillance. It says that 86% of people do not agree with the way intelligence agencies are indulging in mass surveillance, such as snooping on the general populace, including their emails, phone calls, web searches, social media interactions and geo-location data. With the future use of the collected data uncertain, people are showing their concerns, said F-Secure. The research suggests that 78% of respondents are worried about the consequences of having their data tracked. There is more information here: http://safeandsavvy.f-secure.com/.

Firms failing audits

Research by Axway and Ovum suggests that many organisations are failing to meet data security and governance requirements. In fact, 23% of organisations have failed a security audit in the past three years and 17% lack confidence in their ability to pass a security compliance audit today. The study also revealed that the average cost of a data breach was $3m. At the heart of the problem is the growing complexity of governance and compliance initiatives. The top priorities for CIOs, CISOs and chief risk officers are business continuity and disaster recovery (87%), protecting against cyber-threats (85%), managing insider threats (84%) and compliance monitoring (83%). The research also found that the majority of organisations (71%) have little synergy between integration strategy and data security, privacy and governance frameworks and policies. And more than half (56%) reported a fragmented integration infrastructure. Nearly half (46%) expressed frustration with their existing Enterprise Service Bus (ESB), stating it offered less flexibility than expected and is difficult to maintain. And there are concerns about existing file transfer solutions, with reliability (84%), compliance (77%), visibility and monitoring (75%), and integration (74%) ranking as the top issues. There’s more information available here: http://www2.axway.com/PR-Ovum-report-en.

Poor passwords cost a fortune

It’s hardly news that poor password practices put organisations at risk, but according to Centrify Corporation they also impose a direct cost on businesses. According to its research in the UK, the average employee wastes £261 a year in company time on trying to manage multiple passwords, which for a company with 500 staff is a loss of more than £130,000 annually. The security risks may be greater than many firms realise, too. While around half of employees (47%) use their personal mobile devices for business purposes, one in three (34%) admit they do not actually use passwords on these devices even though they keep office email, confidential documents, customer contact information and budget information on them. The research also shows that more than a third of workers (38%) have accounts they cannot get into any more because they cannot remember the password, 28% get locked out at least once a month due to multiple incorrect password entries, one in five change their passwords at least once a month and 8% change them every week. Only 15% believe their passwords are ‘very secure’. There’s more information here: www.centrify.com/Password-Survey.

Outdated systems fail to detect fraud

Despite a rise in global fraud, two-thirds of European insurers saw the volume of detected fraud increase by less than 4%, according to new research from SAS. Those insurers that do not use automated detection, or only use ‘business rules’, saw significantly lower levels of detected fraud than their peers using advanced analytics. Among insurers using business analytics, 57% had seen the amount of fraud they detected year-on-year increase by more than 4%. In contrast, only 16% of those with no solution, or using only a business rules based approach, saw a similar increase. Almost 20% of insurers stated that they did not use any technology to assist with fraud detection, relying on manual review of thousands of claims. In the face of widespread organised fraud, such as ‘cash for crash’ schemes, automation can help rapidly alert insurers to suspicious claims or networks of claims. Some 81% of insurers surveyed say they are using some form of automated detection technologies with 49% in total using advanced analytics. When it comes to organised fraud, over a quarter of respondents confirmed they already have detection systems in place, or are in the process of implementing a solution. An additional third do not currently have a solution but have a project set up. However, a significant proportion of European insurance providers (40%) have no detection systems in place or immediate plans for such a solution. Results for opportunistic fraud were similar but implementation of solutions to tackle this type of fraud tracked slightly behind organised fraud (10%). Worryingly, 28% of insurers indicated that they do not have precise metrics around detecting fraud within their organisation. Also concerning is that only 21% of insurers are currently monitoring fraud levels in real-time while 64% are only measuring these levels on a monthly or quarterly basis. The report is available here: www.sas.com/en_gb/offers/14q4/insurance-companies-combat-fraud.html.



FEATURE

November 2014 Computer Fraud & Security

The dark side of advertising

How it works

For the cyber-criminals, malvertising has the advantage that no website needs to be hacked or compromised in any way. The attack is delivered in the same way as legitimate ads, without the knowledge of the host site and with the site having little in the way of defences. This means that the malware operates within a trusted context.

“It can be impossible to know where or when the infection occurred. It could be at any point in their recent browsing history”

In some cases, the adverts themselves deliver the malware – or at least the first stage of an infection. This is most commonly achieved through the use of maliciously crafted Flash (.swf) files. Adobe claims that at least one billion Internet users have a Flash plugin installed in their browsers. Given that most malvertising simply performs redirects – which is normal behaviour – there is no malicious activity to detect at that stage.

Alternatively, the adverts may simply contain links to other websites that contain malware-laden pages, often using drive-by exploit techniques, or may host other forms of exploit, the least offensive and dangerous of which are simply surveys for which the attackers receive payment for each one completed.

Given that many victims will be infected just as part of their normal browsing activities, it can be impossible for them – or any forensic analyst – to know where or when the infection occurred. It could be at any point in their recent browsing history. And because ads are ephemeral, even examining previously visited pages won’t help because the ads shown on them will be different, such is the nature of how these ad networks operate.

Flash in action

Security firm Bromium recently presented a report at the Virus Bulletin 2014 event that showed how YouTube, Yahoo and several top-ranking websites had been tricked into running malicious banner adverts through obfuscated JavaScript code carried by Flash-based ads.1

“Bypassing ad network defences provides the perfect opportunity for attackers to target millions of users, so it is no coincidence that there has been an uptick in the number of malvertisements,” said Rahul Kashyap, chief security architect, Bromium. “The scale of this problem is as large as the Internet itself.”

According to the report, the procedure used by the attack was:
1. Detect which browser is in use.
2. If the browser is Microsoft Internet Explorer or Opera, continue.
3. Add obfuscated redirect JavaScript code to an obfuscated URL.
4. Call Flash’s ExternalInterface() function, passing it a parameter consisting of a call to deobfuscate() which itself has a parameter of the obfuscated URL and JavaScript code.
5. This code adds an iframe to the Document Object Model (DOM) of the web page containing a URL pointing to an instance of the Styx exploit kit.

According to Bromium: “All the exploit kits to date rely on JavaScript to perform such tasks as browser/plugin fingerprinting, exploit selection and data obfuscation. Flash is used either to exploit a vulnerability in the Adobe Flash Player or to support other exploits in building ROP shellcode. However in the banner networks Flash movies are the most popular media and security policies for SWF files are pretty loose.”

In other words, Adobe has provided exactly the tools malicious advertisers need, including the ability to carefully check the environment and run arbitrary JavaScript code.
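The chain above ends with ad-delivered code adding an iframe to the host page’s DOM. The following JavaScript is an added example, not code from the article or from Bromium’s report: it shows the kind of site-side monitor a website operator can attach to an ad container to flag frames injected under it whose source is not one of the expected ad hosts, is not an http(s) URL at all, or is sized to be invisible. The allow-list hosts and the sample inserts are constructed for the example; a real allow-list would come from the site’s own ad-network contracts.

```javascript
// Added example: site-side monitor for iframes injected under an ad slot.
// Not from the article or Bromium's report; hosts and samples are constructed.

// Ad hosts this (hypothetical) site expects its slots to frame.
const EXPECTED_AD_HOSTS = new Set(['doubleclick.net', 'googlesyndication.com']);

// Hostname of an http(s) URL, or null for anything else (javascript:, data:,
// about:blank, unparsable strings), which is never a legitimate ad frame.
function frameHost(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.hostname.toLowerCase();
}

// True when host is an allowed host or one of its subdomains.
function hostAllowed(host, allowed) {
  for (const a of allowed) {
    if (host === a || host.endsWith('.' + a)) return true;
  }
  return false;
}

// Classify one inserted node, given as a plain record {tag, src, width, height}
// so the logic can be exercised outside a browser. Returns null when the node
// is not an iframe or looks like an ordinary ad frame, otherwise the reasons.
function classifyFrame(frame, allowed = EXPECTED_AD_HOSTS) {
  if (frame.tag !== 'IFRAME') return null;
  const reasons = [];
  const host = frameHost(frame.src || '');
  if (host === null) {
    reasons.push('non-http frame source');
  } else if (!hostAllowed(host, allowed)) {
    reasons.push('frame host not in ad allow-list: ' + host);
  }
  // Exploit-kit landing frames are usually hidden: 0/1 px sizes are a red flag.
  for (const dim of ['width', 'height']) {
    if (frame[dim] !== undefined && Number(frame[dim]) <= 1) {
      reasons.push('hidden frame (' + dim + ' <= 1px)');
      break;
    }
  }
  return reasons.length ? { src: frame.src, reasons } : null;
}

// Audit a batch of inserted records; returns only the suspicious frames.
function auditInsertedFrames(frames, allowed = EXPECTED_AD_HOSTS) {
  return frames.map(f => classifyFrame(f, allowed)).filter(Boolean);
}

// Constructed sample of nodes an ad slot might insert during one render: a
// normal creative image, a normal ad frame, a hidden frame to a host outside
// the allow-list (the pattern in step 5 above), and a javascript: frame.
const SAMPLE_INSERTS = [
  { tag: 'IMG', src: 'https://tpc.googlesyndication.com/creative.png' },
  { tag: 'IFRAME', src: 'https://ad.doubleclick.net/ddm/adi/slot', width: '300', height: '250' },
  { tag: 'IFRAME', src: 'http://landing.example/gate.php?id=1', width: '1', height: '1' },
  { tag: 'IFRAME', src: 'javascript:void(0)' },
];

// Browser glue: turn real DOM nodes into records (width/height read from the
// attributes only; a CSS-hidden frame would need getComputedStyle as well).
function toRecord(node) {
  const attr = name => (node.getAttribute ? node.getAttribute(name) : null);
  return {
    tag: node.nodeName,
    src: attr('src') || '',
    width: attr('width') === null ? undefined : attr('width'),
    height: attr('height') === null ? undefined : attr('height'),
  };
}

// Observes insertions under `container` and hands suspicious frames to
// `report` (e.g. a beacon to the site's own logging endpoint). Returns null
// outside a browser so the module still loads under Node.
function watchAdSlot(container, report) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver(mutations => {
    const added = [];
    for (const m of mutations) for (const n of m.addedNodes) added.push(toRecord(n));
    const findings = auditInsertedFrames(added);
    if (findings.length) report(findings);
  });
  observer.observe(container, { childList: true, subtree: true });
  return observer;
}
```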

Genuine sites

The really pernicious aspect of all this is that the site the victim first visits is likely to be entirely genuine and even well-known and popular. The adverts are delivered via a third-party optimiser or advertising network. The host sites employ these kinds of services to generate revenue by simply placing some source code (typically JavaScript) within a page. The best known of these kinds of network is Google’s AdSense and Google’s subsidiary DoubleClick.net, although there are many others, some with less than perfect reputations.

Steve Mansfield-Devine, editor, Computer Fraud & Security

Advertising is pervasive on the Internet these days. It’s usually the primary income stream for many of the services, such as Facebook and Google, that we take for granted. But it’s also a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. And the shift to mobile platforms is only making this problem worse.


Too many advertising networks fail to fully analyse the ads that are distributed through them. As long as the banner advertisement appears to look and behave like a normal ad, it will be distributed.

Even the most professional and trusted ad networks can be exploited. DoubleClick has been misused this way on numerous occasions. For example, in September 2014, security firm Malwarebytes warned that ads supplied by major advertising agency Zedo and distributed by DoubleClick were delivering the Zemot malware.2 The Jerusalem Post and The Times of Israel were the most high-profile websites targeted by the campaign.

The host sites don’t directly control the content of the ads – that’s usually handled dynamically every time the page is loaded and depends as much on the user as the website. This means even big names can be subverted, as revealed recently by Proofpoint.3 The campaign detailed by the security firm used malvertising to infect victims with the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. Proofpoint found the malicious adverts being run on sites run by Yahoo, AOL, The Atlantic, Match.com, The Sydney Morning Herald and at least a dozen other firms. According to Proofpoint, the attackers may have made as much as $25,000 a day. The three advertising networks that were carrying the ads were The Rubicon Project, Right Media/Yahoo Advertising and OpenX. Even though the ads had to pass through several stages – including exchanges, optimisers, ad networks and the host networks – they were never detected as malware.

Ransomware is a common type of infection. Malvertising played a major role in the spread of the notorious CryptoLocker malware. And in the first half of 2014, Cisco tracked the use of a new exploit kit, RIG, to perform drive-by infections of CryptoWall ransomware on a number of legitimate websites. This was documented in the firm’s ‘Cisco 2014 Midyear Security Report’, which explained that the exploit kit was able to use flaws in Java, Flash and Silverlight to perform its infections.4

Mobile exploits

The problem is, in many ways, even worse on mobile platforms. On iOS, Apple allows the use of only one advertising network – its own – which it polices very thoroughly. Although it would be possible to slip malicious ads into the network, the cost of setting up accounts to do so – which would necessitate creating fake identities – makes the prospect unattractive to cyber-criminals. That’s because a malvertising campaign may run for only a short time before being discovered, at which point Apple could quickly shut it down.

However, on Android, developers – many with a poor grasp of security issues – can embed advertising from any one of a number of third-party advertising networks, not all of which are rigorous about the provenance or reliability of the ads they accept. And on a mobile platform, unlike with a desktop browser, you can’t hover a mouse pointer over a link to see where you’re going to be redirected should you click (not that enough people do that anyway).

Brand damage

The people whose computers are infected are not the only victims. Many malvertising campaigns, such as the one detected by Proofpoint, use stolen ‘creatives’ – the images and text – from legitimate adverts. In this case, firms like Microsoft Bing and Case Logic found their adverts being exploited in this way and were therefore in danger of having their brands damaged.

The Cisco report notes that advertising online now outstrips all other media in terms of spend, but that this industry could be threatened by the potential damage to users’ trust caused by malvertising. It also highlights the fact that, just as advertising is usually targeted to specific portions of the population, so is malvertising. “A malvertiser who wants to target a specific population at a certain time – for example, soccer fans in Germany watching a World Cup match – can turn to a legitimate ad exchange to meet their objective,” says the report. The cyber-criminals also often show great confidence in the effectiveness of their campaigns by paying up-front for their ads – $2,000 per ad run is not uncommon.

Malvertising inserted on a Yahoo page. Source: Proofpoint.

Bromium’s report also showed how cyber-criminals can exploit the otherwise legitimate targeting abilities of ad networks and the information supplied by users’ browsers to focus their campaigns on people in certain territories or countries, running specific browsers or operating systems, using specific languages or devices, or according to the topic of a web search or page. This greatly enhances their chances of achieving a successful infection.

Malvertising campaigns often show trends towards specific subjects or techniques. It’s common to see malicious adverts focusing on significant events, such as sports tournaments (World Cup, Olympics) or news stories (the Ebola outbreak and other major disasters). Among the trends spotted this year have been fake technical support and phony weight loss products, although these were mainly fraudulent products rather than attempts at malware infections.5,6

There was also an interesting case recently where malvertising appears to have been targeted at three firms in the military/defence sector in the US.7 Security firm Invincea said it spotted a campaign that it believed was intended to steal military secrets and intellectual property. In one two-week period alone, the firm said it tracked six campaigns targeting a single aerospace contractor. And these may have been mounted by someone more sinister than mere cyber-criminals.

“In the past, we have seen organised cybercrime learn attack techniques from advanced nation state actors,” the firm’s chief executive Anup Ghosh told Reuters. “This is a case where advanced state actors would be learning from cybercrime in terms of methods and tactics.”

Industry response

One organisation that keeps a careful eye on trends is Trust in Ads, established by Google, AOL and Yahoo in an attempt to maintain the reputation of online advertising.8 This is one of several responses by the industry to the problem of malvertising.

“Cyber-criminals can exploit the otherwise legitimate targeting abilities of ad networks and the information supplied by users’ browsers to focus their campaigns”

Not surprisingly, Google is taking this threat very seriously. While many people still view Google as a search service, it is primarily an online advertising company. Its business model depends on website operators embedding its advertising services such as AdSense on their sites. Anything that discourages sites from using third-party ad services is clearly not in Google’s interest.

The company has also set up the site Anti-Malvertising.com, a small, simple website that offers advice to website operators, advertising networks and the general public on the dangers of malware and what to do if you’re affected by it.9

In addition, the Online Trust Alliance (OTA) was established by Epsilon Interactive, Email Senders and Provider Coalition (ESPC), The Direct Marketing Association, Microsoft, Symantec and Sendmail to fight the scourge of spam. But it has extended its brief to include malvertising and offers a brief ‘Malicious Ads & Content Response & Remediation Guide’ aimed primarily at the advertising and marketing communities.10

Mitigations

Bromium’s report suggests that malvertising can’t be tackled through conventional means, and it gives three main reasons for this:
1. The web advertising business is just too big for every item of media to be checked.
2. It’s impossible to ‘prove’ that an item of media is definitively clean (an example of the classic Halting Problem).
3. It would be easy for content to hide its malicious behaviour under test conditions (some traditional malware already does this), and perform its intended actions only when triggered by certain conditions in the wild.

Normal endpoint security is ineffective because the malicious nature is hidden from the user’s machine by things like the obfuscation capabilities of Flash’s ActionScript.

As mentioned earlier, Google’s Anti-Malvertising.com site does offer some advice, although little that deals directly with protection. For advertising distributors, for example, the best practices outlined on the site revolve largely around how to respond to malvertising once it is discovered on the network.

For website operators, Google’s advice is to pay close attention to the advertising networks you use. However, it’s virtually impossible for site owners to audit or monitor the networks in any meaningful way. And given that Google itself has been known to carry malvertising, it’s unclear how useful this advice really is. It also suggests carrying out “comprehensive QA” on all creatives. But again, given that much advertising content is dynamically delivered, this advice is of limited usefulness.

Finally, for end users, the site basically offers the same advice you’d give for any kind of malware threat – that is, keep all your software up to date and use an anti-malware product.

Conclusion

With such poor defences against this threat, we can expect malvertising to increase. It has proved to be extremely effective for cyber-criminals. And it is hard to track and even harder to prosecute. For the time being, it seems, our protection lies largely in the common sense of individual web users.

About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Computer Fraud & Security and its sister publication Network Security. And he blogs and podcasts on information security issues at Contrarisk.com.

References

1. ‘Optimized Mal-Ops: Hack the ads network like a boss’. Bromium, Sep 2014. Accessed Oct 2014. www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf.

2. ‘Large malvertising campaign under way involving DoubleClick and Zedo’. MalwareBytes blog, 18 Sep 2014. Accessed Oct 2014. http://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/.

3. ‘Malware in Ad Networks Infects Visitors and Jeopardizes Brands’. Proofpoint, 22 Oct 2014. Accessed Oct 2014. www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php.

4. ‘Cisco 2014 Midyear Security Report’. Cisco, Aug 2014. Accessed Oct 2014. www.cisco.com/web/offer/grs/190720/SecurityReport_Cisco_v4.pdf.

5. ‘Bad Ads Trend Alert: Shining a light on tech support advertising scams’. Trust in Ads, May 2014. Accessed Oct 2014. http://trustinads.org/wp-content/uploads/2014/08/Bad_Ads_Trend_Alert_Tech_Support_Scams.pdf.

6. ‘Bad Ads Trend Alert: False claims in online weight loss advertisements’. Trust in Ads, June 2014. Accessed Oct 2014. http://trustinads.org/wp-content/uploads/2014/08/Bad_Ads_Trend_Alert_Weight_Loss_Scams.pdf.

7. ‘‘Malvertising’ targets U.S. military firms in new twist on old web threat’. Reuters, 16 Oct 2014. Accessed Oct 2014. www.reuters.com/article/2014/10/16/us-cyber-security-military-idUSKCN0I529H20141016.

8. TrustInAds.org home page. Accessed Oct 2014. http://TrustInAds.org.

9. Anti-Malvertising.com home page. Accessed Oct 2014. http://Anti-Malvertising.com.

10. ‘Malicious Ads & Content Response & Remediation Guide’. Online Trust Alliance. Accessed Oct 2014. https://otalliance.org/system/files/files/best-practices/documents/malvertisingremediation_guide.pdf.

Embedding dependability attributes into component-based software development

Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin, Mansoor Abdullateef Abdulgabber, Universiti Teknologi MARA

Increasing competition among companies specialising in software production and services has emerged over the years. Today, companies compete even on trivial matters, aiming to produce dependable, reliable and affordable software applications. To achieve this goal, the software application must either be developed more efficiently or large portions must be reused. The component approach leads to the production of cheaper, faster and more reliable software. Consequently, many industries have begun to focus on software development using the reuse approach.

Component-Based Software Development (CBSD) is a software development approach that focuses on the use of existing software code. Hence, the method of constructing software applications from scratch is replaced by integrating reusable software code. This method simplifies software development to fit time and budget constraints. The CBSD approach has been successfully applied in many domains.1

However, the ability of CBSD to develop secure software applications remains inferior. Previous studies have stated that CBSD products face security issues. The central problem lies in the lack of standards to ensure the security and other non-functional requirements of the components, thereby making CBSD incapable of assuring specific application attributes.2 Several software security attributes have been identified as the key factors in solving the problem of the lack of security in the CBSD process. These attributes are dependability, trustworthiness and survivability.3,4,5 However, the extant literature shows that dependability attributes are essential in addressing security threats, abnormal behaviour and untrustworthiness issues in a software system.6,7 Moreover, the dependability attributes should be considered to overcome poor software development, which leads to security issues in current web application systems.8 Indeed, dependability attributes should be embedded into the process to solve the problem involving the lack of security.9

“The objective is to demonstrate the embedding of dependability attributes into the four phases of the CBSD process – namely, requirements, design, implementation and testing”

Our previous work introduced a guideline for embedding dependability attributes into CBSD.10 Created with the assistance of expert software developers and security consultants from a local industry in Malaysia, the guideline is designed to overcome the lack of security trust in the CBSD process. The guideline consists of a set of best practices that are designed to embed dependability attributes into the CBSD process. The objective is to demonstrate the embedding of dependability attributes into the four phases of the CBSD process – namely, requirements, design, implementation and testing. The guideline also specifies a set of techniques for the design phase, which requires developers to compose dependability attributes in every code line written.

Another issue addressed by the guideline is a well-defined coding standard that can help developers ensure that a large number of dependability attribute bugs are avoided as the code is being written. The guideline details for embedding dependability attributes into the CBSD process are summarised in Figure 1.

To implement the guideline, we performed a case study to test the process, with the aim of developing an industrial web application. The implementation process should involve the embedding of dependability attributes into the CBSD phases. This article presents the guideline implementation process by demonstrating the development of an information and communications technology (ICT) portal that follows the guideline and uses a CBSD approach.

Methodology

A rigorous implementation of a guideline requires its application despite the actual demands of real software applications. Ideally, a guideline would be applied to numerous systems; however, this ideal situation is not a feasible experimental method. Therefore, addressing these problems requires the application of such a guideline in a case study.

This case study aims to construct an industrially feasible software application system using the CBSD approach. The guideline implementation process highlights the industrial practicality to ensure that the dependability attributes of the software components are applied in the experimental context. Developing a web application system using the CBSD approach is possible. The question lies in whether a guideline can significantly contribute to resolving the lack of security trust in the web application system production using the CBSD approach. Demonstrating the ICT portal development, which follows our guideline and uses the CBSD approach, can ensure the proper integration of the dependability attributes and the generalisation of the results of a single-point case study.

Collaboration with a local company in Malaysia was established for the application of the ICT portal development guideline. Due to the competitive environment among software development companies, the company name was kept confidential for commercial reasons. Therefore, we refer to the company as the Software Development Company (SDC). The ICT portal was developed by a software development team, which consists of six members currently working at the SDC. The SDC is a leader in ICT innovations in Malaysia, and has pioneered new market creation for partners through patentable technologies for economic growth. With over 25 years of experience, the SDC contributes its core technological competencies to the industry towards raising Malaysia’s local, regional and international market competitiveness.

Figure 2 presents the methodology diagram for the guideline implementation process. First, related industries were identified and a list of software development companies was created. Then, a formal letter to the companies was submitted to request collaboration. Upon receiving feedback from the companies, an agreement was made with one software company, which was chosen due to its position as the industry leader. Then, a kick-off meeting was conducted with the head of the software development department, during which the priorities of academic institutions and company policies were discussed. Subsequently, the currently planned projects were discussed with the company representatives.

Figure 1: Embedding dependability attributes into the CBSD process.

Next, the creation of an ICT portal for the guideline implementation was proposed, and then a team was assigned to develop this portal based on the guideline. The guideline’s process was discussed, after which the reliability of the guideline’s implementation was discussed. If the investigation reveals a positive response, the guideline’s process was finalised; otherwise, the approach was refined. Afterwards, the guideline was implemented by developing an ICT portal using the CBSD approach. The implementation involved embedding the dependability attributes into four phases (requirements, design, implementation and testing). The functionality of the developed system was evaluated using Vulnerability Assessment Tools (VATs), and then the evaluation’s report was generated. In addition, on-going consultations and supervision were conducted with representatives of the academic institutions and the industry for the purpose of monitoring the results.

The developed ICT portal provides various applications and related information, which enable the users to improve their social community life. Moreover, the ICT portal is equipped with an intelligent service delivery platform (ISDP). This was constructed based on the CBSD approach and organised by SDC to help members of the community obtain useful information related to science, technology and innovation. Apart from providing access to government online services, the portal also serves as an online advisory centre for information on new technologies, such as agricultural, industrial, e-commerce, and e-services.

The ICT portal facility aims to develop and educate members of the community, specifically rural youngsters, and help them become skilled ICT volunteers. Consequently, these youngsters become assets to community development by contributing in the improvement of social and economic life. The ICT portal facility emphasises the use of ICT as an important foundation in the development of society. Note that the guideline implementation process is performed by the software development team, which works at the SDC.

Guideline implementation process

The guideline implementation process involves embedding the dependability attributes into four CBSD phases – namely, requirements, design, implementation and testing. The following sections present detailed discussions of the guideline implementation by going through each development phase in the ICT portal.

Requirement phase

A thorough analysis of the requirements is the foundation of the ICT portal. A correctly executed requirement-gathering and analysis process provides a strong base for the rest of the development process. Each additional phase produces a negative effect when the requirements are not met, and this can jeopardise the production process. The dependability attributes in the CBSD are also affected; hence, these attributes were applied. The following points explain the requirements analysis pertaining to the dependability attributes of the ICT portal.

Figure 2: Guideline implementation methodology.

To achieve the requirement of the dependability attributes, the software developer team defined and analysed the dependability attributes based on the ICT portal services. Moreover, the team identified and finalised the methods of achievement, along with the required tools associated with predefined dependability attributes. Figure 3 shows the analysed dependability attributes, methods and tools used to achieve specific dependability attributes.

General objectives: There are general objectives set for the analysis of dependability attributes. These objectives are as follows:
• To establish and sustain a qualified work environment that meets the dependability needs, and to gain a comprehensive understanding of the environment to support, or at least allow, specific design decisions.
• To establish and sustain the requirements of the dependability attributes (eg, the integrity levels), as well as to design the products and services to meet them.
• To estimate, determine, and monitor the consequences of each risk associated with the dependability attributes, and to develop a risk mitigation plan to attain an acceptable level of risk.

In addition, objectives of each dependability attribute are presented, and these are described below.

Availability and reliability objectives: Availability ensures that data and services are available when required by the authorised entities, whereas reliability refers to the assurance of continued provision of services. The objectives of these attributes are as follows:

• To meet the non-repudiation requirements, which specify that a party within a transaction should not deny involvement in that particular transaction.

• To identify the availability requirements that must be met by the system.

• To identify the performance requirements that must be met by the system.

• To ensure that the system can provide information services for 99% of requests within one hour.

• To identify system services that are considered extremely critical for a business enterprise.

• To determine how these system services might be threatened.

• To determine the minimal quality of service that must be sustained.

• To ensure that the system can recover quickly in case the services become unavailable.

Confidentiality objectives: This attribute ensures that information is accessible only to duly authorised entities. Confidentiality applies to service components and interactions. The objectives of this attribute are as follows:

• To ensure that authorisation requirements specify the access permissions and privileges of the identified users.

• To require the identification of all system users through a personal password and username.

• To ensure that the privileges of users shall be assigned based on user class.

• To ensure that the system shall verify whether the user has sufficient privileges to access and execute the command prior to the execution of such command.

• To prevent users from having multiple, simultaneous logins to the system.

• To protect private and confidential information, such as photos of minors and sermons, from exposure to the general public, and to ensure that such content shall only be available to authenticated users.

• To ensure that passwords are kept confidential by requiring the use of at least eight characters with the inclusion of one non-alphanumeric character.

• To ensure that the privacy requirements are specified to the process, thus ensuring data privacy.

Figure 3: Methods and tools to achieve specific dependability attributes.

Figure 4: Risk analysis and assessment of the dependability attributes.
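The confidentiality objectives above translate directly into checks that a portal can enforce. The Python below is an added illustration, not code from the paper or from the ICT portal: it applies the eight-character/one-non-alphanumeric password rule, assigns privileges by user class, verifies the privilege before a command runs, and refuses a second simultaneous login. The user classes, command names and accounts are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

MIN_PASSWORD_LENGTH = 8
NON_ALPHANUMERIC = re.compile(r"[^A-Za-z0-9]")

# Privileges assigned by user class (constructed for illustration).
CLASS_PRIVILEGES = {
    "administrator": {"view_public", "view_private", "edit_content", "manage_accounts"},
    "member": {"view_public", "view_private"},
    "anonymous": {"view_public"},
}

# Privilege each portal command requires (constructed for illustration).
COMMAND_PRIVILEGE = {
    "view_public_page": "view_public",
    "view_sermon": "view_private",  # private content: authenticated users only
    "edit_page": "edit_content",
    "create_account": "manage_accounts",
}

class LoginError(Exception):
    """Authentication failed or the user already holds a session."""

def password_meets_policy(password: str) -> bool:
    """At least eight characters, including one non-alphanumeric character."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and NON_ALPHANUMERIC.search(password) is not None)

def make_user(password: str, user_class: str) -> dict:
    """Keep only a salted PBKDF2 hash so the password itself stays confidential."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the confidentiality policy")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest, "class": user_class}

class SessionManager:
    """Identifies users by username and password, allows one session per user
    and verifies the required privilege before a command is executed."""

    def __init__(self, users: dict) -> None:
        self._users = users
        self._token_to_user = {}
        self._user_to_token = {}

    def login(self, username: str, password: str) -> str:
        user = self._users.get(username)
        if user is None:
            raise LoginError("unknown user")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
        if not hmac.compare_digest(digest, user["digest"]):
            raise LoginError("bad password")
        if username in self._user_to_token:  # no multiple, simultaneous logins
            raise LoginError("user already has an active session")
        token = secrets.token_hex(16)
        self._token_to_user[token] = username
        self._user_to_token[username] = token
        return token

    def logout(self, token: str) -> None:
        username = self._token_to_user.pop(token)
        self._user_to_token.pop(username, None)

    def execute(self, token: str, command: str) -> str:
        """Check the privilege first; a caller without a valid token is anonymous."""
        username = self._token_to_user.get(token)
        user_class = self._users[username]["class"] if username else "anonymous"
        needed = COMMAND_PRIVILEGE[command]
        if needed not in CLASS_PRIVILEGES[user_class]:
            raise PermissionError(f"{user_class} lacks {needed} for {command}")
        return f"{command} executed for {username or 'anonymous'}"

def demo() -> dict:
    """Exercise the objectives with two constructed accounts."""
    users = {"alice": make_user("Tr0ub4dor&3", "administrator"),
             "bob": make_user("correct horse!", "member")}
    sessions = SessionManager(users)
    out = {"weak_password_rejected": not password_meets_policy("password1")}
    bob = sessions.login("bob", "correct horse!")
    out["member_views_sermon"] = sessions.execute(bob, "view_sermon")
    for key, action in (("member_creates_account", lambda: sessions.execute(bob, "create_account")),
                        ("second_login", lambda: sessions.login("bob", "correct horse!")),
                        ("anonymous_views_sermon", lambda: sessions.execute("", "view_sermon"))):
        try:
            action()
            out[key] = "allowed"
        except (PermissionError, LoginError):
            out[key] = "denied"
    sessions.logout(bob)
    out["relogin_after_logout"] = bool(sessions.login("bob", "correct horse!"))
    return out
```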

Integrity objectives: Integrity ensures that assets are not modified without authority, except for operations involving personnel information. The objectives of this attribute are as follows:

• To guarantee information integrity by securing storage and protection and by restricting access to information distribution.

• To provide specific information on how to avoid data corruption.

• To ensure that the passwords used by authors are transmitted to the secure text editor in a manner that preserves integrity.

• To provide a general hierarchy of authorisation for administrators, members, and general public (anonymous).

• To limit the capabilities of account creation and role assignment to site administrators and to ensure that changes to role assignment are made in real time.

• To ensure that authenticated users can access additional site content, pages and navigation.

• To include an automated password reset/‘forgot password’ capability in the system.

Safety objectives: This attribute refers to the absence of catastrophic consequences that affect the users and environment. The objectives of this attribute are as follows:

• To monitor, report and analyse safety incidents, as well as to identify potential corrective actions.

• To plan and provide for continuity of activities while considering contingencies for vulnerabilities and hazards to the infrastructure and all related operations.

• To identify risks and their sources, which can be attributed to vulnerabilities and safety hazards.

• To ensure that intrusion detection requirements can specify which mechanisms can detect system attacks.

• To identify all safety-critical data variables and processing.

• To ensure that changes made to plans and requirements do not affect safety negatively.

• To perform immediate corrective action to address safety issues or problems as well as to improve safety processes throughout the life cycle.

Maintainability objectives: Maintainability refers to the ability to undergo repairs and modification. This attribute is related to business service continuity and reconfiguration. The objectives of this attribute are as follows:

• To specify the auditing requirements (ie, to determine how system usage can be audited and checked).

• To specify the system’s maintenance requirements (ie, to determine how an application can be used to prevent authorised changes from accidentally defeating the dependability mechanisms).

• To ensure that all variables are properly defined and data types are sustained throughout the program.

• To ensure that all code documentation (comments) is accurate.

• To ensure that code and data modifications identified in the requirements phase are performed.

• To ensure that processing loops use the correct criteria for starting and stopping (ie, indices or conditions).

Risk analysis and assessment

The software developer team is concerned with six essential stages for risk assessment, as shown in Figure 4. The first stage is the implementation of dependability attributes. The next stage involves identification and evaluation of asset value and risk. This is followed by the identification and assessment of exposure/consequence, and the final stage involves the identification of control.

Documentation of dependability requirements

The software developer team included the requirements of the dependability attributes found in the ICT portal requirement system documents. The team analysed the use and misuse cases, along with code standards and vulnerabilities of the ICT portal, as presented in Figure 5.

Figure 5: Use and misuse cases.

Design phase

Most defects are developed during implementation; however, those defects in the design phase are considered as the most expensive ones. Following the guideline, the software development team implemented a proactive approach, which focused on dependability attributes throughout the design phase to prevent costly redesign. The overall steps for the design process of the dependability attribute in the ICT portal are described below.

The software architecture choice can profoundly affect emergent system properties. An unsuitable architecture compromises the confidentiality and integrity of system information as well as the required level of system availability. Therefore, the software developer team followed two fundamental architecture design issues:

• Protection: What are the ways to organise the system to protect critical assets against an external attack?

• Distribution: What are the ways to distribute the system to minimise the effects of a successful attack?

The software development team designed an ICT portal with a layered architecture. In this design, the critical protected assets at the lowest level of the ICT portal are surrounded by layers of protection that safeguard the records of individual system users, as illustrated in Figure 6. An attacker has to penetrate the three ICT portal layers to access and modify the user records. These layers are:

• Platform-level protection: The top level of protection restricts access to the platform on which the user record system runs. This level involves a user signing on from a computer. The platform also includes a support system that sustains the integrity of the system’s files.

• Application-level protection: The next level of protection is built into the application itself. This level involves a user gaining access to the application, after which the user is authenticated and authorised to perform certain actions, such as modifying or viewing data. Application-specific integrity management support is available at this level.

• Record-level protection: This level of protection is invoked when a requirement to access certain records is encountered. This level involves verifying whether a user is authorised to perform the requested operations on that record. At this level, the protection involves encryption to prevent unauthorised entities from browsing through records using a file browser. Changes made outside the normal record update mechanisms can be detected by performing integrity checking through cryptographic checksums.
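As an added illustration of the record-level layer (not the paper's or the portal's code), the Python below combines per-record authorisation with a keyed cryptographic checksum (HMAC-SHA256), so that a change made outside the normal update path is detected the next time the record is verified or served. The roles, record layout and key are constructed assumptions, and encryption of the stored records is left out to keep the integrity check in focus.

```python
import hashlib
import hmac
import json

# Constructed integrity key. In the layered design it belongs to the platform
# level (a key store), never in the same place as the records it protects.
INTEGRITY_KEY = b"constructed-example-key-not-for-real-use"

# Operations each role may perform on a record (constructed for illustration);
# members are further limited to the record they own.
ROLE_OPERATIONS = {
    "administrator": {"view", "modify", "delete"},
    "member": {"view", "modify"},
    "anonymous": set(),
}

def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation: same content, same bytes, same checksum."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def record_checksum(record: dict) -> str:
    """Keyed checksum; without the key a modified record cannot be re-sealed."""
    return hmac.new(INTEGRITY_KEY, canonical_bytes(record), hashlib.sha256).hexdigest()

class RecordStore:
    """Record-level protection: every operation is authorised per record, and only
    update_record() refreshes checksums, so out-of-band edits leave a mismatch."""

    def __init__(self) -> None:
        self._records = {}
        self._checksums = {}

    def create_record(self, record_id: str, record: dict) -> None:
        self._records[record_id] = dict(record)
        self._checksums[record_id] = record_checksum(self._records[record_id])

    def authorised(self, user: dict, operation: str, record_id: str) -> bool:
        if operation not in ROLE_OPERATIONS.get(user["role"], set()):
            return False
        if user["role"] == "member" and self._records[record_id]["owner"] != user["name"]:
            return False
        return True

    def verify_record(self, record_id: str) -> bool:
        """True only while the stored record still matches its sealed checksum."""
        return hmac.compare_digest(self._checksums[record_id],
                                   record_checksum(self._records[record_id]))

    def view_record(self, user: dict, record_id: str) -> dict:
        if not self.authorised(user, "view", record_id):
            raise PermissionError(f"{user['name']} may not view {record_id}")
        if not self.verify_record(record_id):
            raise RuntimeError(f"{record_id} was modified outside the update mechanism")
        return dict(self._records[record_id])

    def update_record(self, user: dict, record_id: str, changes: dict) -> None:
        """The normal update path: authorise, apply, then re-seal the record."""
        if not self.authorised(user, "modify", record_id):
            raise PermissionError(f"{user['name']} may not modify {record_id}")
        self._records[record_id].update(changes)
        self._checksums[record_id] = record_checksum(self._records[record_id])

    def backing_storage(self) -> dict:
        """Stands in for the raw storage a file browser would reach, bypassing
        the authorisation and re-sealing above."""
        return self._records

def demo() -> dict:
    """A normal update keeps the record verifiable; an out-of-band edit does not."""
    store = RecordStore()
    store.create_record("u1", {"owner": "alice", "email": "alice@example.invalid", "role": "member"})
    alice, bob = {"name": "alice", "role": "member"}, {"name": "bob", "role": "member"}
    admin = {"name": "root", "role": "administrator"}
    out = {}
    store.update_record(alice, "u1", {"email": "alice.new@example.invalid"})
    out["after_normal_update"] = store.verify_record("u1")
    try:
        store.update_record(bob, "u1", {"email": "bob@example.invalid"})
        out["other_member_modify"] = "allowed"
    except PermissionError:
        out["other_member_modify"] = "denied"
    store.backing_storage()["u1"]["role"] = "administrator"  # edit bypassing update_record()
    out["after_out_of_band_edit"] = store.verify_record("u1")
    try:
        store.view_record(admin, "u1")
        out["tampered_record_served"] = True
    except RuntimeError:
        out["tampered_record_served"] = False
    return out
```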

Design description

Several considerations were made in designing the system, including architectural issues at the system and individual component levels. At the system level, emphasis is given to the techniques that help reduce software attacks. This level also analyses potential vulnerabilities that might affect the design choices. The component level focuses on the best means by which to implement each module. The general steps for the design process of the dependability attributes are addressed by the software developer team, as explained below.

Vulnerability analysis: The attack scenarios and vulnerability model of dependability attributes were analysed by the software developer team. The vulnerability model of dependability attributes was created to determine what should be protected in particular cases.

Educating the development teams: The software developer team was instructed to operate with two primary goals – namely: 1) to perform the best practices for secure coding; and 2) to provide practical education in utilising the various security tools and services.

Design guidelines for dependability attributes: The guideline for the dependability attributes was implemented by the software developer team. For instance, Figure 7 presents the sequence diagram of the user actor.

Dependability design documentation: The software developer team produced a report on the architecture and design of the dependability attributes. This report describes the steps undertaken to mitigate vulnerability. The software developer team also included the architecture and design of the dependability attributes in the description of the software design.

Figure 6: A layered protection architecture.

Implementation phase

The user needs and business goals that need to be implemented must achieve specific operational goals. The software developer team implemented the dependability attributes (Figure 8) as discussed in the succeeding sections.

Coding standards: The software developer team considered the coding standards in writing the code for the dependability attributes. These standards involve the methods for handling temporary files, authentication of code libraries, safe handling of strings and integer results, as well as proper error handling. The latter includes exception management, input/data validation, authorisation, configuration management, authentication, session management, auditing and logging, cryptography and sensitive data.

Code reviews: A functional review focuses on functional issues, whereas a separate dependability attribute code review focuses only on the issues that involve dependability attributes. All code developed by the software developer team was reviewed, considering the dependability attributes. The key objectives of the code review are as follows: to achieve the design goals, meet the dependability attribute objectives, and ensure robust implementation. The code review techniques included automated and manual processes. The automated steps included code scanning for the location of the usage of unchecked return values, non-constrained methods, methods without exception handling, and significant patterns.
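Two of the automated checks named above, locating discarded return values and functions with no exception handling, can be built on Python's ast module. The scanner below is an added example and not the team's tooling: the list of calls whose discarded result is tolerated and the sample source it scans are constructed.

```python
import ast

# Calls whose discarded return value is not a review finding (constructed list).
IGNORED_CALLS = {"print", "debug", "info", "warning", "error"}

# Constructed sample of code under review: save_record() drops the result of
# store.write() and contains no exception handling; load_record() does both right.
SAMPLE_SOURCE = '''
def save_record(store, record):
    store.write(record)
    committed = store.flush()
    print("saved")
    return committed


def load_record(store, key):
    try:
        return store.read(key)
    except KeyError:
        return None
'''

def call_name(call: ast.Call) -> str:
    """Best-effort name of the callee, for reporting."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<call>"

def find_unchecked_calls(tree: ast.AST) -> list:
    """A call used as a bare expression statement throws its return value away."""
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            name = call_name(node.value)
            if name not in IGNORED_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)

def functions_without_exception_handling(tree: ast.AST) -> list:
    """Functions whose body contains no try statement at any depth."""
    names = []
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            if not any(isinstance(inner, ast.Try) for inner in ast.walk(node)):
                names.append(node.name)
    return names

def scan(source: str) -> dict:
    """Run both checks over one source file and return the findings."""
    tree = ast.parse(source)
    return {
        "unchecked_calls": find_unchecked_calls(tree),
        "no_exception_handling": functions_without_exception_handling(tree),
    }
```

Line numbers in the findings refer to the scanned source, so the first finding points at the `store.write(record)` line of the sample.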

Automatic static analysis: A static analysis process is implemented for the code of the dependability attributes. This process is performed to identify problems that are difficult to identify manually.

Defect management: The primary goal of conducting defect management is to ensure that all identified dependability attribute defects are prioritised, measured and assigned to someone who can conduct repairs within a specified period. The dependability attribute defects were tested again from the regression perspective using new test cases. These tests ensure that corrective measures are properly made, while any existing functionality is guaranteed to be unbroken.

Testing phase

The dependability attributes were embedded in the ICT portal development. This process was performed during the design and implementation phases. In the testing phase, the testers focused on the following processes during dependability attribute testing:

• Efficiency and adequacy of system performance during workload testing on the developed ICT portal must meet the requirements.

• Vulnerability assessment, using vulnerability assessment tools (VATs), must be conducted to uncover and fix critical vulnerabilities in the developed ICT portal.

The assessment was performed based on six dependability attributes – namely, availability, reliability, confidentiality, integrity, safety and maintainability. The assessment tools included Apache JMeter, OpenVAS, and RATS. Figure 9 summarises the vulnerability assessment pertaining to dependability attributes. The results of the vulnerability assessment of the developed ICT portal shall be discussed in our future work.

Figure 7: Sequence of the user actor.


Conclusion

Today, software applications are essential in running the machines that help people perform their daily tasks smoothly. Software applications can be found in most items used in daily life, such as cars, cellphones and kitchen appliances. By using these items, people also gain access to financial services, fly around the world, monitor the weather, navigate the oceans, and accomplish virtually any task. Given the necessity of these items in living the 21st Century life, ensuring the reliability of these tools in processing transactions all over the world is important.

This paper presents our ongoing research on a guideline implementation of the dependability attributes in CBSD. The guideline implementation process is demonstrated by developing an ICT portal which follows our guideline and uses the CBSD approach. The implementation process involves embedding the dependability attributes into the phases of the CBSD process during the ICT portal development. Collaboration with a local company in Malaysia is established as a case study in applying the proposed guideline to ICT portal development. The collaboration allowed for greater exchange between the academic and the industrial partners.


Furthermore, the collaboration assisted in initiating new research that would study the lack of security in the CBSD process, a problem faced by the industry. Additionally, new research may be transferred from universities to the industry. In this manner, both the academic and the industrial participants can benefit from the collaboration. Moreover, both can enhance long-term sustainability and innovative outputs.

The implementation process of the guideline is significant in providing key solutions to the problem of the lack of security in the CBSD process. This process accomplishes the aforementioned using a well-defined coding standard, which helps developers ensure that a large number of dependability attribute bugs are avoided while the code is being written. In addition, a set of software testing tools is specified to determine whether the dependability attributes are attained. As a result, the implementation process of the guideline facilitates and encourages software developers to adopt the CBSD approach in software application development.

Future work involving vulnerability assessment on the developed ICT portal will be carried out. The objective of this follow-up assessment is to examine the dependability attributes of the developed ICT portal, and to verify whether the guideline is capable of mitigating the vulnerabilities in the developed ICT portal.

Figure 8: Components with level protection.

Figure 9: VATs pertaining to dependability attributes.

About the authors

Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber are based at the Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Shah Alam, Selangor, Malaysia.


The quantified self: a threat to enterprise security?

Tracey Caldwell, freelance journalist

Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015. The ‘quantified self’ trend has already driven massive uptake of (generally) wrist-worn devices that measure heart rate and activity and link to health and fitness apps, which in turn link to entire communities of people comparing and contrasting their fitness.

Deloitte predicted that the market for wearables would reach 10 million units in 2014 and generate $3bn in revenues. It is widely forecast that this sector is likely to grow much bigger and will have an impact beyond the quantified self that has the potential to threaten enterprise security.

Security firm MobileIron believes the smart watch will be the first wearable device to make headway in the enterprise. Ojas Rege, VP of strategy, says: “We think it’s a form factor that consumers are comfortable with, and bringing new capabilities will open a range of innovation.”

Rege expects to see strong early adoption among industries where individuals are working with their hands and in use cases where what he calls ‘snack-sized’ data would allow workers to do their jobs more efficiently. “Healthcare and field services are perfect examples,” he says. “It’s easy to imagine a scenario where a voice-activated device gives surgeons data while they are operating or a smart watch that a patient wears to monitor vital activities. This will fundamentally shift how healthcare can monitor a patient’s vitals and through these remote up-to-date statistics provide prompt care. Other examples are a wrist wrap that provides an electronic instruction manual to a field service worker or battlefield logistics to a soldier.”

Wearables that in turn transmit data to other devices, such as other wearables or mobile phones, not only provide another vulnerability for CISOs to worry about but also transmit particularly sensitive personal data.

Catalin Cosoi, chief security strategist at Bitdefender, says: “In my opinion, the information collected by the wearable device is more sensitive than the user’s name and relationship status. Let’s not forget that most of these gadgets collect health and biorhythm-related information, they can assess health, show any traces of the onset of illness and so on.”

Apple Watch

The launch of the Apple Watch in September 2014 represented a shift from wearables being all about health and fitness to having wider capabilities, from sending and receiving emails to enabling NFC payments. The security industry was quick to point out the possible flaws.

Tim Erlin, director of IT risk and security strategy at Tripwire, says: “Near field communication, or NFC, isn’t as well tested from a security perspective as the more common wireless technologies. If the Apple Watch takes off in the market, it will quickly become an interesting target for attackers. We may see the rise of the modern-day pickpocket.”

There are real risks for enterprise systems of data loss and privacy breaches from quantified self apps and wearable devices that sit uneasily with the trend for increased collection and sharing of very personal information. Paul Steiner, EMEA MD at enterprise solutions provider Accellion, points out: “It is only a matter of time until wearable technology takes centre stage in the workplace and there’s no doubt that devices such as the Google Glass have the power to significantly change the way we work. However, it won’t be plain sailing for organisations with employees who use these devices, and as the number of Internet-connected devices increases, so will the associated security risks.”

BYOD to WYOD

Steiner adds: “Put simply, if IT departments thought they had a struggle on their hands in getting to grips with BYOD [Bring Your Own Device], they haven’t seen anything yet. Wearable technology will almost certainly give them an even bigger headache, as new wearable devices will multiply the number of devices accessing a network. If you don’t have a WYOD (wear your own device) policy in place, you’ll need to take steps now to safeguard your data in order to minimise security risks.”

Jon Howes, technology director at Beecham Research, which specialises in analysing and researching the worldwide technology challenges of the M2M and Internet of Things markets, believes the potential for introducing vulnerabilities is increasing significantly beyond traditional BYOD risks.

“One increasing area of risk is in understanding how such devices can be integrated securely into security mechanisms and procedures,” he says. “That is threatened by the typical enterprise security team’s lack of familiarity with these new access and input devices, and more so the lack of transparency and clarity by suppliers on the capabilities and protections within these quantified self and wearable products.”

Howes adds: “Increasing potential for risk comes from the way these quantified self devices are considered both personal and required to be easy to access with minimal to zero authentication of the user. When integrated into an enterprise system, those features could be highly prejudicial to security. But even when quantified self and wearable capabilities are not integrated with the enterprise or its data, their nature brings new security issues. The new devices can be used for insecure storage of enterprise system access and user authentication information, for example.”

Multiple vulnerabilities

Many enterprises are only just getting to grips with security around mobile phone and tablet apps. Wearable devices measuring user data add a whole new layer of security concern. “In the case of quantified self apps, M2M and wearable tech, the device network is widely distributed with low-cost data collection and communication systems. Consequently, security measures are likely to be both minimal, and inexpensive, and as a result any security breach would go unnoticed for a long time,” says Troy Fulton, global marketing and product leader at Tangoe.

Fulton points out that quantified apps and devices can pose a security threat to enterprise data and systems for a number of parties – the device manufacturer, the application vendor, the carrier (cellular and broadband), as well as the end user’s employer, if the app or device is communicating with and storing data locally to a work PC, as well as a tablet or smartphone used for work that lacks enterprise mobility management policy monitoring and enforcement.

Often, he says, there can be a failure of communication between device manufacturers, app developers and cloud service provider around who is responsible for data security. This can lead to risks when data is not encrypted in transit. “There is a wider danger to the quantifiable self device manufacturer and/or application developers if a large number of devices and apps are compromised,” says Fulton.

Self quantification devices could also extend the personal information available to criminals to include health and movement information that could be used for blackmail, scams and targeted spear-phishing emails.

David Calder, security managing director at IT consultancy and services provider ECS, says: “Apply this to the enterprise and the risks to employees and the business as a whole are considerable. Consider the scenario where health information on high-profile corporate leaders is available to criminal organisations. For example, early access to Steve Jobs’ health state could have allowed an external party to benefit by shorting Apple shares in advance of such information being released to the market as a whole.”

Location

Another risk is posed by wearables transmitting location information, as movement between locations is key to quantified self apps. Wearable activity tracking devices can be tracked or located through wireless protocol transmissions. Enterprises may have concern for the safety of employees whose whereabouts may be tracked and also for sensitive commercial information, such as which potential clients employees are visiting.

Symantec has found security risks in a large number of self-tracking devices and applications and found that all of the wearable activity-tracking devices it examined, including those from leading brands, are vulnerable to location tracking.

Symantec points out that wearable devices are not designed for location tracking but data collected by these devices is generally synced to another device or computer usually via Bluetooth Low Energy. Symantec built some cheap and cheerful portable Bluetooth scanning devices using Raspberry Pi miniature computers and off-the-shelf components, which included a Bluetooth 4.0 adaptor, a battery pack and an SD card. It took the scanners to various busy public locations in Ireland and Switzerland where they scanned the airwaves for signals broadcast from devices. It found that all the devices encountered could be easily tracked using the unique hardware address that they transmit.

It also revealed that some devices, depending on configuration, may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.

Andrew Tang, service director of security at MTI, comments that quantified self data may be synchronised with cloud storage, potentially via an enterprise wireless connection, with privacy repercussions for the enterprise.

“If the wireless connection is not secured sufficiently, then sensitive personal information could be lost,” he says. “Organisations that use Internet gateway or web proxy solutions could be gathering the personal information of their employees, so there may be a need to not record this session information, or create a policy highlighting to the employee that their personal information will be recorded.”

Encryption lacking

Many quantified self apps are cloud-based and collect a wide range of personal information. However, Symantec has blogged that an unacceptably large proportion of these apps and services do not handle sensitive user data securely.

It found that 20% of apps transmitted user credentials in clear text. Many quantified self apps and services have a cloud-based component where users upload and store password protected data collected from their apps and services that includes personal information such as date of birth, relationship status, addresses and photos. The problem, Symantec observed, is that “many of them transmit user-generated data, including login credentials, through an unsecure medium such as the Internet without any attempt to protect it (eg, by encrypting it). Users often reuse the same passwords at home and at work and use personal email addresses to transmit corporate information”.

Symantec also highlighted the issue of unintentional data leakage as apps contact multiple Internet domains – for example, to carry out analytics. Weak session management can be exploited by cyber-criminals to hijack sessions so that they can masquerade as other users. On average Symantec found that the apps contacted five different Internet domains. A significant number of apps contacted 10 or more different domains for various purposes, creating countless scenarios where personal data could be leaked unintentionally, such as through human error, social engineering or careless handling of data.

Weak session management during data sharing can be exploited by cyber-criminals to hijack sessions and Symantec’s researchers encountered some sites that did not handle user sessions correctly: “In one example it was possible to browse personal data belonging to other users of the site. In another instance, it was possible for an attacker to upload SQL statements, such as commands to create tables in the database, to the server for execution.”

The law

Regulators across the globe have been weighing in on the issue of mobile app security but have yet to turn their attention to wearables. Philip James, partner and Technology and Data Privacy practice lead at Sheridans, a UK media technology law firm, explains: “One of the leading regulators in the field of mobile apps and privacy is the US Federal Trade Commission (FTC). The FTC has been very active recently in issuing guidance on privacy in the context of mobile apps and has also held a specific event on Consumer Generated and Controlled Health Data in relation to the use of mobile apps.1,2

“In addition, the US Food and Drug Administration (FDA) issued a non-binding guidance document in relation to the use of mobile medical apps.3 Regulators in Canada and Europe have issued or are shortly due to issue similar guidance. What is clear, however, is that the primary focus has been on protecting consumer rights and privacy when data is collected via medical apps. Little or no consideration has been given to the threats and risks posed to enterprise data and systems security by quantified self apps and wearable tech.”

Taking action

Organisations wondering how best to assess and address the risk from quantified self apps and wearable devices might draw a useful analogy with their handling of social media in the enterprise.

Calder at ECS says: “Those organisations who simply banned its use didn’t gain from the massive benefits that such technology may bring. A better approach may be to learn about the technologies, consider them and support or sponsor employee use with clear education and awareness. This will allow employees to benefit from the positive aspects of such devices without exposing the organisation to unnecessary risk.”

The data collected by quantified self devices could be used to strengthen security, according to Trey Ford, global security strategist at Rapid7. “Quantified self applications are all about gathering specific data points about how users live life,” he says. “As a security professional, I find myself asking why companies or application owners aren’t observing behavioural patterns and location data to make sure the human owner of an account is the only one using that account.”

He adds: “At a minimum, organisations need to be deploying technology in their environment that allows them to see what personal cloud services employees are using from the corporate network. They need to subscribe to breach data that will enable them to see if any of their employees have been subject to a breach and whether they are using any of the same login names for enterprise use.”
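One way to operationalise the second recommendation above, as an added example that is not from the article or from Rapid7: correlate a breach-data feed with the enterprise directory and flag employees whose breached account is a registered address or shares a login name with their corporate account. Every service name, address and directory entry below is constructed; the corporate domain is assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BreachRecord:
    source: str            # breached third-party service (constructed name)
    email: str             # address exposed in the breach
    password_exposed: bool # whether a password or hash was part of the dump

CORP_DOMAIN = "example.com"  # assumed enterprise mail domain

# Constructed enterprise directory: corporate login name -> addresses on file
DIRECTORY = {
    "asmith": {"asmith@example.com", "asmith@mail.example.net"},
    "jdoe":   {"jdoe@example.com"},
    "mlee":   {"mlee@example.com"},
}

# Constructed breach feed (hypothetical services); not a real data set
BREACH_FEED = [
    BreachRecord("fitness-tracker-app", "asmith@mail.example.net", True),
    BreachRecord("recipe-forum", "jdoe@example.com", False),
    BreachRecord("running-club", "mlee@personal.example.org", True),
    BreachRecord("running-club", "stranger@personal.example.org", True),
]

def correlate(feed, directory, corp_domain):
    """Return (login, source, reason, password_exposed) for every breach
    record that can be tied to an enterprise account."""
    by_email = {e.lower(): login for login, emails in directory.items() for e in emails}
    by_login = {login.lower(): login for login in directory}
    findings = []
    for rec in feed:
        email = rec.email.lower()
        local, _, domain = email.partition("@")
        if email in by_email:
            login = by_email[email]
            reason = ("corporate address registered on third-party site"
                      if domain == corp_domain
                      else "personal address on file was breached")
        elif local in by_login:
            # Same login name as the enterprise account: credential-reuse risk
            login = by_login[local]
            reason = "enterprise login name reused on a breached service"
        else:
            continue  # not an employee we can identify
        findings.append((login, rec.source, reason, rec.password_exposed))
    # Surface entries with exposed passwords first: those drive forced resets
    return sorted(findings, key=lambda f: (not f[3], f[0]))
```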

Main threats

Rege at MobileIron identifies three main threats from the quantified self trend around big data, privacy and spyware. “If the enterprise is collecting data through wearables, the sheer amount of data generated by an employee can increase dramatically – this becomes a ‘big data’ challenge for analytics and security,” he says. “The enterprise needs to evaluate where the data is being stored and how it is protected from unauthorised access from other applications on the device. The information should be securely transmitted regularly to back-end enterprise systems to ensure there isn’t a new, rapidly expanding ‘honeypot’ of confidential information on the device.”

Even if the enterprise is not collecting data through wearables, the employee most certainly is through personal apps, even on corporate devices, so protecting the privacy of that data is critical, says Rege. “This means that the enterprise should never back up or store personal data and, when wiping a device, should wipe only the enterprise data automatically.”

While most quantified self apps are legitimate apps targeted at helping consumers live their lives, Rege highlights the threat from spyware apps focused on collecting information about an employee’s behaviour for corporate espionage, adware or advertising data collection. Rege believes employee education must be at the core of a security programme.

Enterprises can also leverage an app reputation or app risk management service plugin to their enterprise mobile device management deployment. This can allow the enterprise to identify risky apps such as those with location-tracking, and trigger a quarantine of the device. This can be a simple alert to the user, blocking their access to the enterprise network until they remove the app, or removing the enterprise data from the mobile device through a selective wipe, to mitigate a data breach.

“The path to security is a structured, layered security programme, not fear,” says Rege. “Each organisation should follow a layered security strategy for mobile. The enterprise apps on the device do not share data with personal apps. When the enterprise apps communicate to the server, those connections are secured by per-app VPN and identity is enforced through the use of certificates. This prevents man-in-the-middle attacks and ensures the session can’t be hijacked.”

Four steps to prepare for wearables

MobileIron recommends that enterprises think of each future employee as a walking datacentre, with a phone, tablet and several networked wearable devices. The four steps to wearable preparedness are:

• Set the expectation that enterprises will face the question of whether to support some type of wearable devices in the future.

• Monitor the consumer market and employee preferences, so you know which devices matter most to your end users.

• Establish a layered security model that is based on user experience, trust and data accessibility. It should apply to wearable devices as well as smartphones and tablets.

• Establish a mobile management architecture that gives enterprises a centralised way to set policies and access for all these form factors.

Austin O’Malley, chief product officer at Ipswitch advises that, “Enterprises need to update their BYOD policies to cover wearables as a matter of priority. The policy should look at how much personal data devices collect, how it is used, stored and disclosed. At the same time, the IT department and employees must be educated in wearables and potential liabilities.

“Enterprises don’t want to send wearables underground and under the radar of the IT department. But it is advisable to limit access of wearables, decide where employees can and can’t log on. It may be necessary for some IT departments to create a second network specifically for employee-owned devices, where large amounts of sensitive data is being dealt with.”

He adds: “IT departments should also make it a priority to track all devices on its network and what they are being used for. Continual monitoring will enable the IT team to assess any potential new risks entering the workplace.”

Threat level: low

Many of the risks presented by the move to quantified self and wearables are not new and some industry observers believe CISOs may have covered most of the security bases. “I don’t think the quantified self adds any additional threat to enterprise data, but organisations that are providing quantified self products will have a massive responsibility for data privacy,” says Adrian Davis, managing director EMEA, (ISC)2. “However, in terms of providing an additional attack vector, I don’t think it raises much of a threat. Most cyber-criminals would not go through the effort of hacking into a wearable device when they could hack directly into a server via an Internet connection or just physically steal the device.”

Wearable quantified self technology may appear not to pose a great threat to some enterprises that have safely locked down their mobile working security. However, there is no doubt that it produces new use cases and threats that need to be addressed as a matter of urgency by those leading on security and risk in any organisation.

Sean Newman, security strategist at Cisco, advises: “Organisations should assume their employees will use personal apps and other online systems that are inadequately secured. For this reason they should start by protecting themselves from the possible effects of that information being re-used to access corporate systems. Strong password policies and two-factor authentication are an effective first layer of protection, but are definitely not going to stop determined attackers.”

About the author

Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

References

1. ‘Mobile Privacy Disclosures: Building Trust Through Transparency’. FTC Staff Report. February 2013. www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf. Accessed September 2014.

2. ‘FTC Announces Agenda, Panelists for Upcoming Seminar on Privacy Implications of Consumer Generated and Controlled Health Data’. FTC press release, 1 May 2014. www.ftc.gov/news-events/press-releases/2014/05/ftc-announces-agenda-panelists-upcoming-seminar-privacy. Accessed September 2014.

3. ‘Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff’. FDA, 25 Sep 2013. www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf. Accessed September 2014.

Calendar

8–10 December 2014
(ISC)2 Security Congress EMEA
London, UK
http://emeacongress.isc2.org/

9 December 2014
5th Annual European Data Protection & Privacy Conference
Brussels
http://bit.ly/1zfyy4B

7–9 January 2015
Real World Cryptography Workshop
London, UK
http://www.realworldcrypto.com/rwc2015

12–15 January 2015
FloCon 2015
Portland, Oregon, US
https://www.cert.org/flocon/

13–16 January 2015
SCADA Security Scientific Symposium (S4)
Miami Beach, Florida
www.digitalbond.com/s4/s4x15-call-for-papers

16–18 January 2015
ShmooCon
Washington DC, US
http://www.shmoocon.org/

26–28 January 2015
AppSec California
Santa Monica, CA, US
https://2015.appseccalifornia.org/

26–30 January 2015
Financial Cryptography and Data Security
Isla Verde, Puerto Rico
http://fc15.ifca.ai/

26–27 February 2015
International Conference on Cyber-security for Sustainable Society
Coventry, UK
http://sustainablesocietynetwork.net/th_event/cyber-security-event-1/