SPECIALISTS IN INFORMATION SECURITY MANAGEMENT SYSTEMS (ISO/IEC 27001)
YOU ARE IN GAMMA’S RESEARCH ARCHIVES — THIS PAGE IS OF HISTORIC INTEREST ONLY — EXIT
Guaranteeing Secure Transactions
In common with all other forms of trading, e-Commerce is predicated on trust. Companies seek to establish and project the trustworthiness of their e-Commerce services to the market, as an important step in the process of forging sound business relationships with their customers. Failure to deliver a service is traditionally associated with the payment of some form of compensation to the customer, for example a money back guarantee. However, whilst this approach supports the trust relationship, too many incidents will damage the relationship and may have a grave the financial impact on the company. In this sense, the process of establishing and projecting trust is accompanied by a risk that must be managed in order for the company to profit. This article explores the role that information security has to play to quantify and manage that risk. It challenges old traditions of information security and invites companies to regard information security as a business enabling technology rather than a business arresting technology. It takes a fresh look at BS7799:1999, the emerging international standard for information security management and the role it has to play in projecting trust. The article concludes with an example of quantifying the risk in an e-Commerce service using different IT configurations involving firewall and PKI technology.
Projecting Trust in e-Commerce
An essential element in all forms of commerce is the customer/supplier relationship and its dependence on trust. As reported in the EU "SEDUCER" study on trust in e-Commerce (itself founded on a DTI study to examine market expectations of trustworthiness), there are a variety of generic consumer-facing risks to overcome (such as failure to deliver the service). The study recognised the duality of trust and risk, and the need to project trustworthiness. Indeed, one international service provider expressed this succinctly by saying "I will deliver; there are processes in place to assure you that I will, I will pay if I fail and my insurers will pay if I cannot".
Security provides an answer to these issues in three ways:
However, to be successful companies need to cast of old opinions and approaches to security.
Computer systems are vulnerable to attack. They do not always behave, as people would like.
Figure 1 shows a graph showing the relative damage of known vulnerabilities to a lone NT4.0 laptop, which may be used to access the Internet, including WWW site maintenance and dial-up access to a corporate network. There are over 100 vulnerabilities. Top of the scale are vulnerabilities that give root access as in a UNIX system, next are those that can increase privileges, cause denial of service, or allow access to security data. Next, the viewing of any other files and then the browsing of directories.
Figure 1: NT workstation vulnerabilities (arbitrary damage scale)
Once a graph such as this has been produced, it is likely to soon be out of date. The problem is that people often upgrade their software to take advantage of new functionality and other people are finding more vulnerabilities.
There are many ways of solving security problems. Information Security Exhibitions, typical of the late 1990s show off a wide variety of security devices, such as firewalls, content checkers, PKI, access control systems, security policies, all clambering to take pole position in the eyes of the unwary purchaser. In many ways, such exhibitions can be quite intimidating.
Unfortunately, as the graph of Figure 2 shows, some safeguards are more effective than others, and, as security features continue to be added, a point of nil return is soon reached. However, performance and the ability to conduct business will degrade, and security will have once again become a "business arresting" technology. This is the primary characteristic of all risk avoidance strategies.
In a risk avoidance strategy, a company will try to build an IT "castle" to stand the test of time over many centuries. The company will try to think of everything that could go wrong and deploy every conceivable security measure "just in case". The execution is usually limited in terms of expenditure on security features and the need to balance it with business needs. Figure 2 shows the weakness of this strategy demonstrably. In the absence of any alternative, arresting the prosecution of a risk avoidance strategy in mid-stream, may well leave a company unknowingly and gravely exposed. The raison dêtre of a risk avoidance strategy is to apply all possible safeguards; there is therefore no requirement to apply the most effective safeguards, (e.g., as shown in Figure 2) first. Thus, in the extreme case, by the time the security budget is cut, only the least effective safeguards will have been applied.
Figure 2: The risk reducing effect of the successive application of safeguards (most effective safeguards first) (arbitrary risk scale)
The alternative is to build a "castle" with just the right defensive strength for the business needs today, but with the ability to increase or relax that strength as the need arises. Key to the success of this alternate strategy is the ability to measure risk.
A useful definition of risk, particularly in the IT context is "the combination of a threat exploiting some vulnerability that could cause harm to some asset". Figure 3 illustrates this concept by representing risk as the volume of a cube.
Figure 3: Representing risk as a function of threat, vulnerability and asset value.
Threats can be evaluated in terms of the severity and likelihood of an attack being made. The evaluation would take account of the motivation of the attacker, their capability (in terms of expertise and equipment) and whether the attack is focussed upon particular assets or not. The evaluation would also take account of whether the attacker has physical access to the IT equipment, as would be the case of an attack made by an insider, or electronic access, as would invariably be the case if the attack was made by a hacker. Different parameter values allow a wide range of threats to be modelled including the threat of human error and the hostile premeditated actions of the organised criminal. Indeed, the standard threat profile includes external and internal risks, premeditated and opportunistic attacks, errors and accidents, malicious intentions and pranks. Companies can vary this profile, for example to reflect the potential increase in internal threat when a take over or merger is announced.
Vulnerabilities can be evaluated in terms of the amount a damage that would be caused were they to be exploited as illustrated in Figure 1. Vulnerabilities can also be evaluated in terms of the amount of information that is publicly available about them and how old that information is. It is also necessary to know whether the vulnerability can be exploited remotely across a network, or whether the attacker must have physical access to the network.
Assets should ideally be ranked in accordance with the business consequence that would result should an attack on them result in them being made unavailable, lost forever, corrupted, improperly modified or improperly disclosed. The evaluation can take account of the time that an asset is rendered unavailable (e.g., seconds, minutes, days, weeks). It may take account of the degree of corruption or improper modification (e.g. just some or the majority of records in a database). It may also take account of to whom the information is improperly disclosed (e.g. a competitor or an unauthorised but otherwise trustworthy employee).
Safeguards can be modelled the same parameters as used to measure, threats, vulnerabilities and assets. Their effect is to reduce the size of the cube, leading to the concept of residual risk. In practice, there is one risk cube for every combination of threat, vulnerability and asset. Thus, for the case of the NT laptop with 100 vulnerabilities, say 8 threats and 5 assets, there would be 4,000 risk cube. For a network, this number (and hence the number of risk calculations that need to be made) is significantly higher, making it essential to use computers to perform the calculations.
Choosing Safeguards BS 7799:1999
British Standard (BS) 7799 is the emerging international standard for security management. It addresses the standardisation of "Information Security Management". First published in 1995, BS 7799 is now used in the UK, South Africa, the Netherlands, Brazil, Australia and New Zealand. Norway has translated the standard into Norwegian, with the intention of adopting it as a national standard. Other countries, such as Denmark, Eire, Sweden the US and Japan, are considering adopting BS 7799 as a standard. Indeed, the revised version of the standard BS 7799:1999 has just been formally proposed as an ISO standard.
There are two parts to BS 7799 and also a certification scheme for public and private organisations. The certification scheme has been designed to be strong enough and consistent enough with BS 7799 to be accepted reciprocally by different countries.
The two BS 7799 parts are:
The certification scheme works like ISO 9000. Indeed there are many parallels between ISO 9000 and BS 7799. For example, instead of having a quality policy and a quality management system, there is an information security policy and an ISMS.
Part 1 is a "catalogue" of good security practice. The new standard stresses that not every one of its 127 controls are applicable to all businesses and indeed should be selected as a result of performing a risk assessment. Moreover, BS 7799:1999 recognises that other controls, not identified in Part 1, may be required. There exists a special provision in the standard to "import" such additional controls, should the need arise. Nevertheless, Part 1 embraces a wide range of controls suited to e-Commerce and the demands of modern day working practices, including outsourcing, mobile computing and teleworking. In addition the standard addresses physical security, personnel security, recruitment practices, contractual issues and legal issues. In particular the standard recognises that information assets may exist in different forms and may be processed and communicated using technology ranging from the quill pen to satellites, palmtop computers and mobile phones.
In practice there are two types of safeguard: threat-safeguards and vulnerability safeguards. Threat-safeguards reduce the ability of a threat to exploit a vulnerability. Examples are physical barriers (which reduce physical access) and firewalls (which reduce electronic access). Vulnerability-safeguards will either eradicate the vulnerability totally, or limit the damage that would result if it were exploited. Of these two types of safeguard, the threat-safeguard has the most dramatic effects as it will reduce the risk due to all vulnerabilities that could be exploited by that threat. In contrast the vulnerability-safeguard only mitigates the risk due to individual vulnerabilities.
Figure 3 implies the existence of asset-safeguards. Indeed, at first view, encryption may be regarded as an asset-safeguard, as the encrypted form of the asset ought to be of considerably lower value. However, the original form of the asset will still exist and will still need to be protected. Nevertheless the concept of an asset-safeguard facilitates the normalisation of risk data, so that the risk for different networks can be compared irrespective of the value of the assets and the threat environment.
Figure 4 shows a sketch of a make believe e-Commerce site. It is realistic in the sense that the analysis uses real hardware and software and takes account of real vulnerabilities and safeguards. The Web server, for example is running an Apache Web Server 1.1 and the internet router is a Cisco 2514 Dual LAN router.
Figure 4: A candidate e-Commerce system
Figure 5 shows the risk in different e-Commerce environments. The "baseline risk" represents the risk represents the risk in the absence of any safeguards. The absence of safeguards literally implies that the whole network is readily accessible to everyone in the world; there are no walls, doors, reception areas or any form of physical security whatsoever.
Figure 5: Risk in different e-Commerce environments
The baseline risk actually increases when the firewall is introduced. This illustrates the danger of using improperly configured firewalls.
The residual risk puts the IT in a typical office environment, and applies electronic safeguards such as ensuring that the routers are properly configured, and UNIX traditional best practice advice, such as "changing the UMASK value to a minimum of 027", is applied. The effect is not that great. A properly configured firewall (e.g. Check Point Fire-Wall-1 v2.0, with a "workaround", fully automated anti-virus software, disabled GUEST account, etc.) does substantially better. The overall residual risk goes down, despite the increase in baseline risk with the introduction of the firewall.
The purpose of introducing PKI (Public Key Infrastructure) technology is to establish an effective VPN between the e-Commerce site and its customers. This will allow customers greater freedom of access and greater security to the e-Commerce system, whilst still keeping intruders at bay. The introduction of this solution has almost zero effect on the baseline risk but an equally significant reduction in residual risk.
Figure 5 also shows the levels of acceptable risk dependent upon the asset value in accordance with the "DTI Scale". This scale maps the DTIs Unified Classification Scheme, augmented by national security markings (SECRET, TOP SECRET etc) on to a logarithmic scale. The Unified Classification Scheme defines three levels:
dtiSEC2 maps directly onto the national security marking termed RESTRICTED (OFFICIAL USE ONLY in the US) and dtiSEC3 maps directly onto the national security marking termed SECRET. There are higher markings.
The determination of acceptable risk rests upon the assertion that there exists a "dtiSEC0" that represents information that companies do not mind being wrong, given away or lost. The full assertion is that for the risk to protect assets of value dtiSECn (n = 1 or higher) to be acceptable:
Risk with safeguards [dtiSECn] £ Risk without safeguards [dtiSEC0]
i.e., the risk with the assets rated at their true value but with the selected safeguards in place should be (just) less than or equal to the risk that would occur if there were no safeguards but the assets were all valued at dtiSEC0.
The horizontal lines in Figure 5 annotated with the DTI level s ("dtiSEC4" = SECRET) identify the level of acceptable risk corresponding to each DTI level. Thus, the firewall only solution is perfectly adequate for dtiSEC1 value assets. The PKI solution is required for dtiSEC2/3 value assets. For higher value assets the PKI solution by itself is inadequate and requires further safeguards to be deployed (e.g. "high grade" government approved cryptography).
The ability to reason in this way would not be possible without the ability to measure risk and normalise the risk analysis results against a common scale. However, the approach also allows companies to reappraise their risk posture should anything concerning the network, threats or assets change in anyway. Indeed, even the mere passage of time has an effect, in that would-be attackers are likely to be better equipped to make a successful attack. General knowledge of the vulnerability, particularly of commercial of the shelf software will increase. Moreover, with advances in technology and decreases in cost, an attacker is better able to practice an attack before making it for real. It further makes sense to maintain a continual state of awareness as far as risk analysis is concerned. If a company is continuously aware of its risk posture it will be able to decide when to increase its defences and when it is safe to reduce them.
Making Timely Informed Decisions About Security
Risk management therefore concerns the ability to make timely informed decisions about security. BS 7799-2:1999 provides a weak specification for a system that facilitates this decision-making process. It is called an Information Security Management System (ISMS). The specification is weak because it only implies the existence of the feedback loop shown in Figure 6.
Figure 6: The Risk Management Process
Figure 6 presents the idealised structure for an ISMS. It shows the traditional approach to risk management augmented by the addition of the required feedback loops. In scoping the problem, BS 7799 implies an "information-centric" view of the world, to avoid the trap of failing to take account of less obvious vulnerabilities, such as people, cell phones and laptops. It further implies information policies that clearly identify and explain the business priorities concerning information. In addition, BS 7799 calls for risk assessments that identify what networks really are, not what people think they are! BS 7799 requires management to identify vulnerabilities and select the safeguards with a priority that matches the business priorities specified in the security policy. Reiteration is encouraged, choosing alternate safeguards until management is satisfied with the residual risks and costs involved. Once the chosen safeguards have been implemented, the ideal ISMS monitors their effectiveness. It does not assume that they will work as intended. Management is invited to regularly re-appraise the situation. Even if nothing is supposed to have changed, the risk assessment should be regularly repeated (this is the most important feedback loop). Management should assume, for example, that their networks have changed - most networks do with time! In any case, doubtless someone will have identified new vulnerabilities. Of course, if the business requirements have changed, there will be a need to re-scope the problem and revise the security policy accordingly.
In practice, companies should continually check that the safeguards that they deploy are working as intended. In that sense the ISMS is self-healing. If something does not work, management stands a good chance of finding out before someone else does and can exploit the vulnerability.
Certification against BS 7799-2:1999 provides a ready made way for companies to project the trustworthiness of their IT systems and e-Commerce services to others. Certification demonstrates that a company has an effective ISMS and is therefore able to make timely informed decisions about security. The SEDUCER project recommends that such certification is tightly coupled with a public statement of how a company will assure its customers of its ability to deliver its e-Commerce services, reliably and securely, and what it will do if things go wrong. BS 7799s ability to facilitate the importation of additional controls not included in Part 1 of the standard allows this idea of a public statement of assurance to be brought within the scope of the certification. This means that certification not only implies compliance with the standard and the ability of a companys management to make sensible decision about security, but also an implied endorsement of that public statement of assurance.
In conclusion, e-Commerce needs a smarter approach to security. Companies cannot avoid risk. Risk avoidance strategies are expensive and severely restrict a companys ability to conduct its business. In that sense, a risk avoidance strategy does not make good business sense. If the prosecution of a risk avoidance strategy is terminated prematurely, then there is a real risk that the company will be unknowingly and gravely exposed.
The best approach is for companies to manage their risks and make that activity an integral part of their approach to developing and sustaining customer trust. Risk management requires the ability to measure risk. The technology to do this is available and affordable, and is underpinned by BS 7799:1999. This standard has an international uptake and, via certification, presents a way for companies to demonstrate the trustworthiness of their IT systems and e-Commerce services to others.
Dr. David Brewer is an established authority on computer and communications security. He is a member of the British Standards Committee for the development of BS 7799, a past Vice Chairman of the CSSA Electronic Commerce Special Interest Group, and Programme Secretary for AFCEA, London. He assisted the UK National Security Authority to establish its first security evaluation facilities, and played a significant role in setting up the IT Security Evaluation and Certification Scheme. He was a founder member of the UK Department of Trade and Industry's Commercial Computer Security Centre (CCSC), and an author of the European ITSEC and the ITSEM.
He is involved in an on-going programme of international research to discover the meaning of "trust" in Trust Services, and establish a framework to co-ordinate the balanced application of standards to deliver trustworthiness, predicated on risk management. He has lectured on the subject of trust and its attainment in the Far East as well as North America. He has provided consultancy to a wide customer base on the issues concerning the trustworthiness of information systems including defence and civil government, banking, insurance, defence contractors and IT suppliers.
This article is based on a presentation given by Dr. Brewer at the Second Annual Conference of e-Commerce and the supply chain revolution, June 1999.
|© Gamma Secure Systems Limited, 1999-2003|