Copyright 2008 ISACA. All rights reserved. www.isaca.org.

E-business: Trust Inhibitors

By Ramanan R. Ramanathan, Ph.D., CISSP
nformation assurance experts, standards bodies and economists have long been striving to highlight the impact and risks associated with the lack of secure information systems and practices in the industry. Currently, the state of assurance offered by enterprise computing infrastructure and the challenges in improving it affect not just the commercial business, but also national security and individuals identities, as more classes of systems are becoming web-enabled. When citizens private information is lost, the inherent delay in the detection of the breach and the remediation compounds the problem. A classic example is the infamous Hotels.coms web site breach, which was discovered in 2006 but had taken place during 2002-2004.1 This is just one of countless reported incidents. Undoubtedly, such incidents result in a trust gap in the e-business community toward information systems. Reports also confirm that online banking is not keeping pace with the growth of Internet use.2 The term trust inhibitors is used in this article to identify some of the most predominant threats prevalent today and analyze possible countermeasures.

understand the degree of impact and scale. The surveys also reveal that outside threats are primarily from viruses, spam, phishing and other malicious agents, and result largely in identity theft and customer data loss. Similarly, insiders influence intellectual property theft and exposure of a companys sensitive information. Almost all of these surveys conclude that there is a steady growth in threats across the globe that directly weakens economies, national security and privacy. Thus, the promises of advancement resulting from e-commerce to global business growth are challenged not by the hacker community alone, but also by the flaws in underlying technology and current e-business practices. Information Flow Controls Deeper analysis of the nature of threats revealed in those industry surveys shows that the e-business communities can gain better control of the threats and improve customer confidence if the problem is analyzed in the following way and addressed appropriately: What are the mechanisms the e-business portals have in place to bring the customers to their portal without becoming the victim of threats such as phishing? What are the controls the business has in place to ensure that the user can complete an initiated e-transaction successfully without the session being hijacked or spoofed in the middle of an ongoing transaction? If the above two potential issues are addressed, subsequently: What infrastructure controls does the organization have in place to guarantee customers their privacy? Does the organization have practices in place that assure users that their personal data are removed at their request from the organizations control? Outsider Attacks The sophistication of attacks that originate outside the corporate boundary has been increasing over the years, as has the sophistication of security controls. Julia Allen5 has elegantly represented the trend, which is reproduced here in figure 2. In the early 1990s, attacks such as traffic-sniffing and session hijacking were the predominant threats. In recent years, however, the threat sources, their nature and sophistication have changed considerably. Today, Trojans, worms and blended viruses are the major threats; these, along with new modes of spreading (e.g., instant messaging [IM], mobile devices) and social engineering exploitations, have introduced considerable vulnerability in the e-business user environment. Phishing combined with pharming has taken advantage of the situation. The combination of vulnerabilities
1

Major Threats and Targets

Cyber Security Industry Alliance (CSIA), an advocacy group dedicated to ensuring the privacy, reliability and integrity of information systems,3 created the Digital Confidence Index (DCI) as a means for tracking public confidence in key elements of various networks. The relative movement of the DCI over recent years indicates that the market is very sensitive to security breaches and, as a consequence, consumers degree of trust toward information systems fades. A recent report from an independent survey groupInfoSentry Services Inc.has corroborated this observation.4 Figure 1 lists recent industry surveys. These surveys cover global audiences, cross-sections of industries and various revenue groups and, thus, reflect the global trend. The objective here is not to offer a comprehensive listing, but to provide the reader the necessary information to

Figure 1Recent Industry Surveys

2006 Australian Computer Crime and Security Survey Enterprise Security Survey, APANI, 2006 2006 Global Security Survey, Deloitte Touche Tohmatsu Consumer Perspectives of Online Banking Security: Entrust Internet Security Survey, October 2005, Entrust Inc. E-Crime Watch Survey, CSO magazine, 2006 Phishing Activity Trends Report, Anti-Phishing Working Group, 2006, www.antiphishing.org US Survey: Confidential Data at Risk, Ponemon Institute LLC, 2006 Utility IT Executives Expect Breach of Critical SCADA Systems, Pipeline & Gas Journal, 2006, www.pipelineandgasjournal.com JOURNALONLINE

Figure 2External Attack Trend

exploited in phishing-based attacks make them very successful and, hence, deserve a deeper analysis. Phishing is a semantic attack, wherein a successful attack depends on a discrepancy between the ways a user perceives a communication, such as an e-mail message or a web page access, and the communications actual effect.6 Mass e-mailing (spam) is one of the ways this attack spreads. Figure 3 schematically shows a typical business user-toportal communication path in a phishing attack. A user (Alice) who is the recipient of a fraudulent e-mail initiates a request and arrives at an unintended portal, as the fake site has a near-identical look and feel as a legitimate site. Complexity in the Internet model and sophisticated socialengineering tactics deceive even more security-wary customers. This form of threat has two independent entry channels: social engineering and technology vulnerability. Attackers keep up their success level by constantly shifting their attack channel. For example, a legitimate user can be redirected to a hackers site by vulnerabilities such as Domain Name System (DNS) cache poisoning and URL obfuscation. On the other hand, if a user is successful in connecting to the intended site via end-to-end secured channels, such as Secure Sockets Layer (SSL), Trojans or a virus in an infected computer at the client side, he/she can obtain the authentication credentials, either actively (online) or passively (offline), and make them available to the hacker for
2

impersonation. Usually the phishing sites are shut down once they are detected; however, as of 2005, the attack lifetime (time from an attacks appearance to its shutdown) has been estimated to be 5.3 days or 127 hours.7 The major hurdles to achieving a near-zero lifetime are the lack of cross-border cyberlaws and the use of hacked servers as origins of phishing. According to an Internet survey report taken for the span of 1995-2005, Internet usage has been growing at a rate of more than 180 percent globally.8 Lessadvanced countries increasingly are becoming users of the information highway. With increased reliance on e-financial transactions across the globe and growing participation from countries that lack appropriate cyberlaws, one can anticipate severe impacts in the coming years. Reports reveal that there is a 5 percent success rate due to the new phishing attack tactics, despite various countermeasures.9 Recommendations from the US Federal Trade Commission (FTC) about use of SSL have not proven effective in thwarting these attacks. In an unpatched Internet Explorer (IE) browser, a usage similar to https://www.paypal.com%01 [string of ~ 60 %01 elided]@ 207.172.183.20/f/ can still take a user to a phishing site. Stronger conventional authentication mechanisms, such as a one-time password and two-factor authentication implemented by secure e-sites, are also not spared. Customers of Citibank were recent victims of two-factor authentication, too.10
JOURNALONLINE

Figure 3Phishing and Pharming Outsider Threats

This threat will continue to be a major trust inhibitor in the e-commerce space unless the market moves toward more endto-end secure and robust e-business practices. Research efforts have shown that measures such as digitally signing e-mails, forcing browser toolbar usage at desk-top levels and securing the path for capturing user credentials as part of the authentication process itself, could improve resistance against such attacks.11 The security state at which an e-user transaction is carried out should be dependent on both the client environment and the nature or value of the transaction itself. Methods such as out-of-band verification (confirmation via SMS, automated phone message, etc.) and intermittent but limited reauthentications can prevent fraudulent transactions and enable faster detection of breaches. Insider Threats Assuming that the e-business owners have taken the required steps to guarantee a legitimate user with mechanisms to initiate, establish and preserve a secure communication with the intended business portal, the subsequent major challenge rests with the business owners who own the customer information. As of today, not all businesses can guarantee confidentiality and privacy of customer data, especially small and medium enterprises (SMEs), as most do not have appropriate processes in place within their corporate
JOURNALONLINE

boundaries. On the other hand, in attempts to comply with various regulations, large organizations have bolstered their network and infrastructure considerably; they have implemented layered security to some degree. However, in the face of new user-friendly technologies, such as Bluetoothenabled and mobile devices for communication (e.g., personal digital assistants), storage devices (e.g., USB, flash drives), and modes of communication such as instant messaging (IM), even these large enterprises face challenges. Various potential data leak channels have started appearing. They are discussed in the following sections. Mobile Devices Figure 4 presents a logical view of the security posture attained by most enterprises as a result of conventional security practices. As part of the layered security approach, mature organizations deploy physical, technical (e.g., firewalls, intrusion systems, middleware security controls) and other administrative controls (e.g., policies, procedures). However, new channels of data flowing in and out of enterprises have made the enterprises porous and vulnerable; mobile devices such as laptops, MP3 players, iPods, USB drives and Bluetooth devices on personal computers are not adequately controlled.12 These devices have become carriers of Trojans and malware into a secured enterprise and contribute to confidential data leaks
3

Figure 4Enterprise Data Flow Channels (Logical View)

out of the corporate boundary. For example, with a USB 2.0 device, data transfer rates can go up to 480 megabits per second. At these rates, it takes less than five minutes to move up to 60 gigabytes of data. Active Directory Server (ADS)-based group policies are traditionally implemented across corporate intranets to enforce security baselines and control employees Windows desktop environments. Unfortunately, these are incapable of controlling the use of end point devices. Furthermore, the userfriendly plug and play capability in operating systems facilitates instantaneous use of such devices in any corporate computer. Security products such as DeviceLock and SecureWaves Sanctuary are gaining popularity to prevent unauthorized use of such devices and audit the data flow across the end points. However, the lack of widespread use of such controls in the e-business intranet boundary is still a major concern that will contribute to e-user distrust. A recent survey of more than 240 respondents shows that only 9 percent of enterprises have deployed a comprehensive security architecture that includes mobile device access.13 Kaspersky Lab (usa.kaspersky.com) has done extensive analysis on the mobile device vulnerabilities and threats, and a listing of various mobile device viruses is available from viruslist.com. Organizations need to evolve security policies that cover end point device use and implement security controls to prevent data leakage through this channel.
4

Enterprise Digital Rights Management Organizations store company and customer data in repositories such as directory servers, legacy systems and other relational data systems. Various breeds of applications are used to mine the data and derive value from them for business needs (figure 4). As a starting point of a due-diligence information security exercise, data classification is performed within organizations. Security policies are evolved to outline how data need to be handled by the users. Corporate users are provided access to data assets, based on the access control policies. However, the control ceases when most of the confidential data in the intranet domain is translated into documents and spreadsheets for business purposes. A legitimate user of confidential data can store the data locally in the hard drive or mobile device, or trigger the risk of instantaneously sharing the same with someone unknown via an IM application. As of today, no widespread technical mechanism is in place within the industry to prevent any intentional or inadvertent sharing or copying of such data or documents. Frameworks such as enterprise rights management (ERM) or information rights management (IRM) offer promise to raise the security barrier on this vulnerable channel. With ERM capability, enterprises have the potential to tie the security to the information itself, wherever it travels.14
JOURNALONLINE

Figure 5Enterprise Data States (Rest and Motion and Required Controls

mm un ica tio nD evi ces

ss a Po nd D int eli s ver y

rag

Da ta

Data in rest: Database, legacy systems, LDAP, etc. Controls: Access controls, TPM, encryption, audit controls

Data in motion: Router, switches, bridges wireless access points Controls: IPv6, SSL, encryption technologies

Co

Ac ce

Data in rest & motion: PCs, laptop, PDAs, palm pilots, mobile phones Controls: ERM, TPM, end-point security devices, access controls

Data in rest: USBs, flash drive, Data in rest and motion: tapes, etc. WebServer, e-mail server, printer, scanner Controls: Crypt, controls, Controls: tamper-resistant ERM, TPM, data hardware. Expiration

ERM
Surveys show that IP and confidential data theft amounts to millions of US dollars globally; yet enterprises seem to have left this channel porous. With the increased use of remote access to corporate networks (via mobile devices and corporate laptops), the data are subject to new exposure scenarios that enable a hacker to gain access to corporate data in home PCs more easily. Survey results show that nearly 80 percent of home computer users do not have appropriate forms of security solutions in their PCs.15 Thus, unless enterprises tie security to data by some form of data life cycle management mechanisms or frameworks, such as ERM, this channel will continue to inhibit user confidence. Instant Messaging Surveys show that there is tremendous growth in IM use over recent years. A recent AOL survey revealed that 70 percent of Internet users use IM forms of communication; 49 percent use it for major business decisions and 26 percent use it to transfer files in the workplace.16 This means that sensitive corporate or personal data are potentially transmitted through untrusted third-party servers. Surveys have indicated this as a major evolving threat. The reasons for this emerging challenge are very obvious: the IM architecture is insecure by design and has not changed over the years. IM applications are still vulnerable to attacks such as buffer overflow and denial-of-service.17 The closed and proprietary nature of the protocols makes it difficult for enterprises to tackle this threat by traditional technical controls at the corporate perimeter level. For a hacker, spreading the attack via IM does not require scanning unknown IP addresses; it is as simple as choosing the target
JOURNALONLINE

from an updated directory of any IM user. To thwart these threats, enterprises need to implement comprehensive security suites consisting of perimeter- and protocol-aware, signature-based filtering tools (such as solutions from IMLogic, Websense and SurfControl). However, surveys indicate such adoptions are in their infancy. Thus, this remains another potential source of threat, which businesses will continue to deal with in sustaining e-user confidence. Personal Data Collection Privacy concerns remain another major impediment (trust inhibitor) for current e-business growth. Sixty-four percent of consumers say they decided not to buy a companys product or service because they did not know how the company would use their personal information.18 Enterprises collect user information for a variety of reasons, such as improving the e-user experience to expedite e-transactions. Privacy policies on how the user data are handled are generally stated on the companys web site; however, with increased reports on breaches through the channels discussed in this paper, the privacy statements and disclosures do not offer the required confidence to the users. Search engines collect and store records of a users search queries. This carries huge potential of revealing a users personal history. For example, in August 2006, AOL published 650,000 users search histories on its web site.19 In the absence of appropriate government regulation, if search companies (business owners) proactively limit their data retention and make the logging practices more transparent to the public, trust could be regained. Also, in the
5

Sto

rag

Sto

eP oin t

case of online transactions, confidence can be enhanced if companies resort to more trustworthy online practices. For instance, as of now there is no notion of credential expiration offered by e-business portals, as noted by security expert Bruce Schneier.20 Even for a one-time transaction, many portals demand personal information from consumers, and users are not provided with the opportunity to opt out if they choose to terminate their association with the business at any later point. Better e-business practices need to be adopted by business providers to promote e-user confidence.

security and improved e-practices (such as context and client environment-centric authentication, transaction verification mechanisms, and credential expiration capabilities) at the enterprise level can help business owners and users to build confidence in the system. Considering the benefits of e-business, every legitimate beneficiary has an equal stake in improving trust in the systems.

Endnotes
1 2

Data Are the Key

It is clear that various challenges faced in securing data are caused by the way the security is associated with data in their various states. In the current computing model, data (as chunks of bits and bytes) and their security are viewed and related independently. An enterprise system is as secure as its weakest link. Similarly, in an enterprise, data are as secure as their weakest state in their life cycle. Figure 5 shows that data in an organization can reside in a relational database or legacy system, can be transmitted by wired or wireless media, can be made accessible via web server or e-mail systems, can be distributed as documents or spreadsheet, and finally can be persisted/maintained in any kind of storage devices. The state of data fundamentally is either at rest or in motion. The combination of technologies used could vary based on an enterprises security posture and maturity. However, the critical data-and-security link must be preserved. Irrespective of the state and nature of technologies in use, if data owners can guarantee and get assurance that the security level of data is not compromised by their state, there is a tremendous potential for e-business growth. The risks surrounding personal computers or laptops and mobile devices, as data access and data storage points, can be mitigated by use of hardware-based security technologies, such as Trusted Platform Module (TPM) and IBMs SecureBlue.21 These technologies allow the information to be bound to the platform by cryptographic means and help to thwart threats triggered by rootkits and Trojans. The data secured with these technologies cannot be accessed if data migrate (copied) to different platform or binding conditions on the same platform are not met. Vendors such as Dell, IBM, HP, Sony and Intel Inc. have already started providing this capability to their PCs and laptops; however, the TPM is generally not activated. Enterprises, especially financial sectors and government agencies, can offer more secure operating conditions against the threats highlighted in this article if systems are forced to activate these features across the organizations.
3

9 10 11

12

13

14

15

16 17

18

Conclusion
In the existing computing and e-business models, the dataand-security link strongly depends on data state. Since this link is vulnerable, no business owner can guarantee impregnable security; users cannot expect bulletproof safety if they continue to adopt new technologies on the fly. Implementing technologies (such as ERM), hardware-based
6

19

20

21

Koernerm, Brian; Hotels.com breach, About.com, 2006, http://idtheft.about.com/od/2006/p/Hotels_com.htm Entrust, European Internet Security Survey, June 2005, www.entrust.com/resources/download.cfm/22193/European %20Internet%20Security%20Survey%20Overview1.pdf CSIA, Internet Security National Survey, no.3, CSIA report, 2006, https://www.csialliance.org Infosentry Services Inc., Americans Confidence Drops in Information Security Capabilities of Large Corporations and the Federal Government, January 2007, www.infosentry.com/InfoSENTRY_NewsRelease_SecurityAttitudes_20070129.htm Allen, Julia H; Information Security as an Institutional Priority, Carnegie Mellon University, 2005, www.cert.org/work/organizational_security.html Jagatic, T.; N. Johnson; M. Jakobsson; F. Menczer; Social Phishing, Communications of the ACM, 2006 Rivner, Uri; Dealing With Phishing Attacks, 2006, www.out-law.com/page-6947 Internet World Stats, World Internet Usage and Population Statistics, www.internetworldstats.com/stats.htm. Op cit., Jagatic Ibid. Keizer, Gregg; Phishers Beat Citibanks Two-Factor Authentication, July 2006, www.banktech.com/news/show Article.jhtml?articleID=191600006 Network Endpoint Security News, Endpoint Security News and Information, www.watchyourend.com/category/ data-theft Symantec, Economist Intelligence Unit Survey Report, The Economist, January 2006, www.symantec.com/content/ en/us/about/media/mobile-security_Full-Report.pdf Oltsik, Jon; Enterprise Rights Management: A Superior Approach to Confidential Data Security, Enterprise Strategy Group Inc., May 2006 America Online and the National Cyber Security Alliance, AOL/NCSA Online Safety Study, December 2005 Ibid. Rittinghouse, John; James F. Ransome; IM Instant Messaging Security, Digital Press Inc., USA, 2005 Westinand, Alan F.; Lance J. Hoffman; Security & Privacy Made Simpler, Better Business Bureau, March 2006 Electronic Frontier Foundation, AOL Massive Data s Leak, August 2006, www.eff.org/Privacy/AOL Schneier, Bruce; Authentication and Expiration, IEEE Security and Privacy, January-February 2005 Rau, Shauna; Trusted Computing Platform Emerges as Industries First Comprehensive Approach to IT Security, IDC, February 2006
JOURNALONLINE

Ramanan R. Ramanathan, Ph.D., CISSP is an information systems security specialist. He has done extensive consulting for leading financial and insurance corporations in the US, in the areas of enterprise security architecture, Web-SSO, identity management and infrastructure security. He regularly writes for leading security journals and magazines. He can be reached at RR_Ramanan@yahoo.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. 2008 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

JOURNALONLINE