COMP3123 Internet Security Richard Henson University of Worcester December 2010.

Posted 18-Dec-2015 (Documents), 39 pages.

Page 1: COMP3123 Internet Security

Richard Henson
University of Worcester
December 2010

Page 2: Week 10: Risks, Response, Recovery, ROI

Objectives:
• Relate B2B and B2C hesitancy over use of the www to ignorance about the PKI
• Develop Information Security procedures for use in an organisation
• Develop a strategy to sell a security policy to the work force
• Explain the complexity of decision-making on whether, or whether not, to spend on security

Page 3: Global Use of SSL/PKI

• According to recent figures, nearly all top companies in the US are now using SSL/PKI for secure communications:
  » top 40 e-commerce sites
  » all Fortune 500 companies with a web presence
• Conclusion: this technology is tried and tested, and has become industry-standard
• Yet, according to another study:
  » eighty-five percent of Web users reported that a lack of security made them uncomfortable sending credit card numbers over the Internet
• huge difference between perception and reality!

Page 4: The Real Picture on Security and Online Trading

• Research has shown that fears of online fraud are more common than fraud itself
• Example quotes:
  » "Online shopping gets a bad rap in the press, but most of the stories reported are anecdotal tales of companies that haven't put successful defensive measures in place"
  » "Web businesses running proper screening of customer information are suffering very little, with average fraud losses held to just over 1%."
  » "Fraud control is clearly possible online, although many companies do not implement stringent screening and prevention measures."

Page 5: Why are security problems STILL arising?

• Repeating research findings:
  » SSL/PKI reliable
  » About 1% cases of fraud on sites using SSL/PKI – still too much, but nothing like the problem that headlines suggest
• However… Many companies not applying strict security measures such as SSL/PKI are:
  » being defrauded
  » skewing the statistics for more responsible online traders

Page 6: Security Communications with the would-be on-line shopper

• As the main issues for users are encryption and authentication, both are well catered for in the browser
• Communications involving these features through pop-ups and error messages should warn a savvy customer off from using the online trader
• However, what about the "first time buyer", who probably knows nothing of the ways in which security could be safeguarded through the browser…

Page 7: Reassurances about Encryption

• Most users can understand the implications of encrypting data
• How can they KNOW that the data they are sending really is being encrypted before it goes onto the www?
• How can they know that when the data is decrypted again at its destination it doesn't get abused?
• Something more than mere encryption is needed to convince the sceptic!

Page 8: Encryption alone is not enough!

• The other aspect of SSL/PKI is the establishment of trust between online vendors and customers, usually achieved by providing a digital certificate system:
  » verifies the identity at each end of the communication link
  » thereby authenticating the server/user
• Again, the savvy user will know about digital certificates and expect to be able to view them online

Page 9: Security Differences between B2B and B2C

• Normally, a business will set themselves up properly for online trading:
  » use server certificates for their servers
  » use SSL to ensure data is encrypted
  » train users to become aware of the danger signs
• B2B trading is therefore generally secure
• A B2B customer using the web will (SHOULD!!!) understand implications of security messages from the browser

Page 10: An Organisational Data Security Strategy: Where to start?

• Strategy can't START with technology
  » needs to start with ISSUES that need addressing
• Should be primarily "top down"
  » concerned with policies, not technical matters…
  » can be supplemented by "bottom up" approach
• Technologies can be used to put policies into practice
  » degree of success in the latter depends on:
    » communication of policies
    » understanding of technologies

Page 11: Information Security Strategy

• Identify and quantify ALL potential security threats:
  » BOTH internal
    » Policy should already exist!
    » Most likely will need updating
  » AND external
    » May have been neglected as the Internet crept into the network!
• Need to set out a policy that, if implemented correctly, WILL effectively secure data

Page 12: Typical Information Security Policy

• Who will quantify the threats?
  » Head of IT? External Consultant? Both?
• Who will suggest strategies to mitigate those threats?
  » As above?
• Who will make the policies?
  » Senior Management

Page 13: Creating a Policy

• The same principles apply as with the introduction of ANY change in organisational policy
  » It MUST come from the top!!!
• Problem with any IT policy change is that senior management often don't understand IT…
• Big responsibility on the IT manager to convince senior management:
  » that policy change is necessary!
  » that the organisation won't suffer financially
  » the consequences of NOT implementing such a change

Page 14: Going beyond Creating a Policy…

• According to the latest BERR figures, the majority of businesses say they have an information security policy
• But is it implemented???
• One possible approach to making sure policy gets through to all parts of an organisation is to implement a quality standard
  » standard for information security is ISO27001

Page 15: What is ISO27001?

• A set of procedures and standards on Information Security for organisations
  » evolved from BS7799
• Does give an organisation credibility in terms of providing evidence that it has procedures in place to appropriately manage its information
• But quite an extensive "to do" list, and achievement of the kitemark can be a lengthy process…

Page 16: Role of the Adviser/Consultant

• Will have specialist knowledge of Information Security in organisations
• Likely to be aware of the need to convince senior management that the cost involved in obtaining ISO27001 is worthwhile
• In an SME:
  » the adviser can provide moral, intellectual, and evidential support for the IT manager's position
• In a microbusiness:
  » there is no IT manager…
  » adviser will usually be supporting the most IT-literate employee against a sceptical senior mgt…

Page 17: How achieving ISO27001 could help with business strategy

• Whatever the business:
  » any new work will have a cost
  » That cost needs to be qualified
  » More cost means less profit…
• What is the ROI of achieving a high level of information security (assurance)?
• Senior management have to be convinced that this is a price worth paying…

Page 18: Potential Financial Benefits of ISO27001

• These need to be sold to senior mgt…
• Less risk of losing valuable (even strategically important…) data
  » less likely to get embarrassing leaks, which could even get to the media
  » less likely to fall foul of the law
• An ever growing set of examples of businesses who have done both of the above
  » evidence that they lost customers and share price dropped…

Page 19: Role of Adviser/Consultant

• Needs to have good credentials to be credible:
  » plenty of experience in this area
  » contacts in the industry
  » a good track record for:
    » knowledgeability
    » keeping up to date
    » communication of knowledge
• needs to be able to put technical problems into terms that non-technologists can understand…
  » very many technical "solutions" available that would be unnecessary if systems and procedures were properly implemented

Page 20: Role of Adviser/Consultant for Implementation of Policy

• Role doesn't stop once policy has been agreed
• Enforcement of policy is essential
  » needs procedures
    » agreed at institutional level
    » implemented by departments
• The processes involved in getting ISO27001 will ensure that policy implementation processes are in place

Page 21: Implementation of Policy (Technical)

• Technical aspects of implementation of policy are a matter of operationalising the agreed technologies that will CURRENTLY combat that threat
  » e.g. make sure that W2K network users only have access to files & services they need through careful choice of parameters in GROUP POLICIES
  » e.g. authenticate a secure site for buying online – check, read, approve server certificate
• Adviser's knowledge and experience will be crucial to the organisation when they select actual products and engage in actual implementation
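The "check, read, approve server certificate" step above, together with the identity verification that page 8 says a digital certificate system provides, as an added example that is not part of the original lecture: the checks a browser applies to a server certificate before deciding whether to show the shopper a warning. The certificate dictionaries, the trusted issuer name and the fixed "now" are constructed for the example.

```python
"""Constructed example (added here; not code from the slides): the checks a
browser makes on a server certificate before it decides whether to warn the
shopper, i.e. validity window, hostname match and a trusted issuer.

The certificates below are hand-built dictionaries in the shape that Python's
ssl.SSLSocket.getpeercert() returns; no network connection is made.
"""
import ssl

# Constructed: the only issuer this client treats as a trusted root.
TRUSTED_ISSUERS = {"Example Trust Services CA"}

# "Now" fixed at the date of the lecture so the example is reproducible.
NOW = ssl.cert_time_to_seconds("Dec 15 12:00:00 2010 GMT")


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: a leading '*' matches exactly one DNS label,
    so '*.example.com' covers 'shop.example.com' but not 'example.com' or
    'a.b.example.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def certificate_names(cert):
    """DNS names the certificate claims. When subjectAltName is present it is
    authoritative; the subject commonName is only a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def check_certificate(cert, hostname, trusted_issuers, now):
    """Return the warnings a browser would raise; an empty list means approve."""
    warnings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("certificate has expired")
    if not any(name_matches(n, hostname) for n in certificate_names(cert)):
        warnings.append("certificate name does not match site address")
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    if issuer.get("commonName") not in trusted_issuers:
        warnings.append("certificate issuer is not trusted")
    return warnings


def _cert(issuer_cn, sans, not_before, not_after):
    """Build a constructed certificate dictionary for shop.example.com."""
    return {
        "subject": ((("commonName", "shop.example.com"),),),
        "issuer": ((("commonName", issuer_cn),),),
        "subjectAltName": tuple(("DNS", name) for name in sans),
        "notBefore": not_before,
        "notAfter": not_after,
    }


# Constructed sample certificates, one per outcome a shopper might see.
SAMPLE_CERTS = {
    "good": _cert("Example Trust Services CA", ["shop.example.com", "*.example.com"],
                  "Jan  1 00:00:00 2010 GMT", "Dec 31 23:59:59 2011 GMT"),
    "expired": _cert("Example Trust Services CA", ["shop.example.com"],
                     "Jan  1 00:00:00 2009 GMT", "Nov 30 23:59:59 2010 GMT"),
    "wrong_name": _cert("Example Trust Services CA", ["www.example.org"],
                        "Jan  1 00:00:00 2010 GMT", "Dec 31 23:59:59 2011 GMT"),
    "self_signed": _cert("shop.example.com", ["shop.example.com"],
                         "Jan  1 00:00:00 2010 GMT", "Dec 31 23:59:59 2011 GMT"),
}


def demo(hostname="shop.example.com"):
    """Run the checks over every sample certificate and return the warnings."""
    return {name: check_certificate(cert, hostname, TRUSTED_ISSUERS, NOW)
            for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, warnings in demo().items():
        print(f"{name:12s} -> {'approve' if not warnings else '; '.join(warnings)}")
```

Only the "good" certificate is approved; each of the other three produces exactly the warning a browser pop-up would show the shopper for that defect.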

Page 22: Implementation of Policy (Technical)

• Furthermore, a good consultant will be able to offer useful advice regarding:
  » embedding the new technologies into existing systems as seamlessly and transparently as possible!
  » bringing about a set of procedures from the agreed "tools for the job" that should cover all eventualities…

Page 23: Implementation of Procedures (People)

• Not all security procedures will be implemented by IT/networking staff:
  » may apply such procedures to ensure security of servers and data coming into/leaving the organisation
  » but… only limited control on user behaviour
• Client end security procedures have to be implemented by ALL staff
• In order to implement such procedures, they must UNDERSTAND these procedures and their crucial importance to the organisation

Page 24: Implementing Procedures (People)

• On its own, a set of procedures distributed to staff (perhaps by email!) will therefore have little effect!
  » people will often carry on in their own sweet way!
• Senior Management must also provide the means to enforce policy through requiring adherence to procedures
  » Not just stick, but "carrot-and-stick"

Page 25: Impact at the Operational Level

• Imposing a new set of procedures may well affect work practices
  » therefore the impact of each needs to be carefully considered
• Pilot scheme first
  » carefully trialled at operational level…
  » time for retraining realistically assessed
  » accurate capital costing for roll-out
• Only when lessons have been learned… can it be positively sold to staff, i.e.:
  » Does mean learning new procedures
  » BUT there'll be no more viruses, pop-ups, etc.

Page 26: Testing the Policy

• A wise manager will not impose something new on employees without checking first that it is WORKABLE
• Pilot new procedures with a small group first…
  » get feedback…
  » learn lessons…
  » PLAN to roll out across the organisation

Page 27: Selling the Policy

• Most policies are usually implemented on a departmental basis
• The job of enforcement may be through departments
• Again… to enforce a policy, you must be able to understand it!
• Therefore the first stage should be EDUCATION

Page 28: Selling the Policy

• Once the penny drops, everyone will be aware that this will mean changes to working practices…
  » need to assure about training
  » Need to assure that it is worth doing:
    » for the individual employee
    » for the department
    » for the whole organisation

Page 29: Reviewing the Policy/Procedures

• If the problem is understood at a conceptual level… POLICY changes shouldn't be necessary
• However… security technology does not stand still!
  » procedures may need to be revised:
    » every year?
    » six months?
    » whenever a new threat becomes apparent?

Page 30: The Cost of Losing Organisational Data

• Plenty of data around to support the observation that organisations have been leaking data for years
  » actual problem has to be worse… could be far worse…
  » not all data losses ever get reported!
• Is there a cost to the organisation of losing their data?
  » can a figure be put on this cost?

Page 31: The Direct Cost of Losing Personal Data

• Same systemic failures and potential cover-ups as for organisation data…
• Direct cost to the organisation probably regarded as very low?
  » why?
  » public reaction to loss?
  » is all personal data equal?

Page 32: The Direct Cost of Tightening Up Security

• Human cost of completing new documentation
  » essential part of tightening up procedures
• Cost of re-educating and re-training staff to make best use of new procedures
• Associated with employing new technology:
  » cost of purchase
  » cost of installation
  » cost of day-to-day management

Page 33: Indirect Costs of Losing Data

• Cost of falling foul of the law…
  » time spent in court
  » fines
• Cost of bad publicity
  » public embarrassment & loss of credibility
  » making statements explaining how it wasn't as bad as reported
  » stock market price may fall…
• Cost of losing respect of customers
  » send their personal data (and custom) elsewhere
• Cost of business insurance
  » perceived as higher risk
  » premiums more expensive

Page 34: Differences in Organisational Data between Public & Private Enterprises?

• Is there a difference?
• If strategic business data is lost, with no back up:
  » cannot do new business
  » cannot fulfil existing business
  » the business will fold
• If public organisation data is similarly lost:
  » service level drops or becomes zero
  » people get angry, write to media
  » public sector body gets lots of bad publicity
  » system gets patched up and limps on
  » enquiry suggests deficiencies & changes to be made…

Page 35: Differences in Personal Data between Public & Private Enterprises

• A business losing personal data usually does nothing
  » if information leaked to the media:
    » should have a "damage limitation exercise" in place
    » can (e.g. Virgin Media) be taken to court
• Public enterprises previously also adopted the above approach
  » media usually kept quiet on such matters
• HMRC's huge (26 million) records loss changed all that
  » result: media ALWAYS reports public sector data loss

Page 36: The Concept of "Value" of Data

• People don't look after what they perceive not to have any value…
• If organisational and personal data could be given an intrinsic monetary value, perhaps…
  » people might look after it better?
  » businesses might wish to protect data as a monetary asset in its own right?

Page 37: Economics of Information Security

• New academic research area
  » Seeks to produce economic models for organisations to attribute value to data
• Back to basics of Information Security:
  » Confidentiality – relationship between confidentiality & intrinsic value?
  » Integrity – very difficult to quantify
  » Availability – if loss of particular data:
    » causes system failure
    » puts the business temporarily out of business
    » Must have intrinsic value

Page 38: Value of Business Data

• More success to date with organisational data that affects business availability than with personal data...
  » can put a monetary value on loss to the organisation of e.g.
    » a day's lost production
    » a 10% fall in share price
• If 10000 customer details are leaked, who cares???
  » members of the public?
  » The Information Commissioner…
  » would this affect:
    » the business's availability in the market place
    » the business's share price?

Page 39: Further Research

• Business-oriented recent white papers:
  » http://www.findwhitepapers.com/security/security
• What SHOULD have happened as the 1998 DPA was implemented…:
  » http://management.silicon.com/government/0,39024677,11015799,00.htm
• Information Commissioner's current website – huge collection of documents:
  » http://www.ico.gov.uk