Guaranteeing Secure Transactions
Abstract
In common with all other forms of
trading, e-Commerce is predicated on trust. Companies seek to
establish and project the trustworthiness of their e-Commerce
services to the market, as an important step in the process of
forging sound business relationships with their customers.
Failure to deliver a service is traditionally associated with the
payment of some form of compensation to the customer, for example
a money back guarantee. However, whilst this approach supports
the trust relationship, too many incidents will damage the
relationship and may have a grave financial impact on the
company. In this sense, the process of establishing and
projecting trust is accompanied by a risk that must be managed in
order for the company to profit. This article explores the role
that information security has to play to quantify and manage that
risk. It challenges old traditions of information security and
invites companies to regard information security as a business
enabling technology rather than a business arresting technology.
It takes a fresh look at BS7799:1999, the emerging international
standard for information security management and the role it has
to play in projecting trust. The article concludes with an
example of quantifying the risk in an e-Commerce service using
different IT configurations involving firewall and PKI
technology.
Projecting Trust in e-Commerce
An essential element in all forms of
commerce is the customer/supplier relationship and its dependence
on trust. As reported in the EU "SEDUCER" study on
trust in e-Commerce (itself founded on a DTI study to examine
market expectations of trustworthiness), there are a variety of
generic consumer-facing risks to overcome (such as failure to
deliver the service). The study recognised the duality of trust
and risk, and the need to project trustworthiness. Indeed, one
international service provider expressed this succinctly by
saying "I will deliver; there are processes in place to
assure you that I will, I will pay if I fail and my insurers will
pay if I cannot".
Security provides an answer to these
issues in three ways:
- the ability to establish the truth
of something (e.g. that it was Company A's banking
instruction), in addition to its traditional role of
resisting something bad (e.g. fraud);
- the means to determine risk and how
effective safeguards are in practice and
- a way to demonstrate the management
of risk to others, for example Company A's trading
partners.
However, to be successful companies need
to cast off old opinions and approaches to security.
Technology Challenges
Computer systems are vulnerable to
attack. They do not always behave as people would like.
Figure 1 is a graph of the
relative damage of known vulnerabilities to a lone NT4.0 laptop,
which may be used to access the Internet, including WWW site
maintenance and dial-up access to a corporate network. There are
over 100 vulnerabilities. Top of the scale are vulnerabilities
that give root access as in a UNIX system, next are those that
can increase privileges, cause denial of service, or allow access
to security data. Next, the viewing of any other files and then
the browsing of directories.

Figure 1: NT workstation vulnerabilities (arbitrary damage scale)
Once a graph such as this has been
produced, it is likely to soon be out of date. The problem is
that people often upgrade their software to take advantage of new
functionality and other people are finding more vulnerabilities.
There are many ways of solving security
problems. Information Security Exhibitions, typical of the late
1990s show off a wide variety of security devices, such as
firewalls, content checkers, PKI, access control systems,
security policies, all clambering to take pole position in the
eyes of the unwary purchaser. In many ways, such exhibitions can
be quite intimidating.
Unfortunately, as the graph of Figure 2
shows, some safeguards are more effective than others, and, as
security features continue to be added, a point of nil return is
soon reached. Meanwhile, performance and the ability to conduct
business will degrade, and security will have once again become a
"business arresting" technology. This is the primary
characteristic of all risk avoidance strategies.
In a risk avoidance strategy, a company
will try to build an IT "castle" to stand the test of
time over many centuries. The company will try to think of
everything that could go wrong and deploy every conceivable
security measure "just in case". The execution is
usually limited in terms of expenditure on security features and
the need to balance it with business needs. Figure 2 shows the
weakness of this strategy demonstrably. In the absence of any
alternative, arresting the prosecution of a risk avoidance
strategy in mid-stream, may well leave a company unknowingly and
gravely exposed. The raison d'être of a risk avoidance
strategy is to apply all possible safeguards; there is therefore
no requirement to apply the most effective safeguards (e.g., as
shown in Figure 2) first. Thus, in the extreme case, by the time
the security budget is cut, only the least effective safeguards
will have been applied.

Figure 2: The risk reducing effect of the successive application of safeguards (most effective safeguards first) (arbitrary risk scale)
The alternative is to build a
"castle" with just the right defensive strength for the
business needs today, but with the ability to increase or relax
that strength as the need arises. Key to the success of this
alternate strategy is the ability to measure risk.
Risk Measurement
A useful definition of risk,
particularly in the IT context is "the combination of a
threat exploiting some vulnerability that could cause harm to
some asset". Figure 3 illustrates this concept by
representing risk as the volume of a cube.

Figure 3: Representing risk as a function of threat, vulnerability and asset value.
Threats can be evaluated in terms of the
severity and likelihood of an attack being made. The evaluation
would take account of the motivation of the attacker, their
capability (in terms of expertise and equipment) and whether the
attack is focussed upon particular assets or not. The evaluation
would also take account of whether the attacker has physical
access to the IT equipment, as would be the case of an attack
made by an insider, or electronic access, as would invariably be
the case if the attack was made by a hacker. Different parameter
values allow a wide range of threats to be modelled including the
threat of human error and the hostile premeditated actions of the
organised criminal. Indeed, the standard threat profile includes
external and internal risks, premeditated and opportunistic
attacks, errors and accidents, malicious intentions and pranks.
Companies can vary this profile, for example to reflect the
potential increase in internal threat when a takeover or merger
is announced.
Vulnerabilities can be evaluated in
terms of the amount of damage that would be caused were they to be
exploited as illustrated in Figure 1. Vulnerabilities can also be
evaluated in terms of the amount of information that is publicly
available about them and how old that information is. It is also
necessary to know whether the vulnerability can be exploited
remotely across a network, or whether the attacker must have
physical access to the network.
Assets should ideally be ranked in
accordance with the business consequence that would result should
an attack on them result in them being made unavailable, lost
forever, corrupted, improperly modified or improperly disclosed.
The evaluation can take account of the time that an asset is
rendered unavailable (e.g., seconds, minutes, days, weeks). It
may take account of the degree of corruption or improper
modification (e.g. just some or the majority of records in a
database). It may also take account of to whom the information is
improperly disclosed (e.g. a competitor or an unauthorised but
otherwise trustworthy employee).
Safeguards can be modelled using the same
parameters as are used to measure threats, vulnerabilities and
assets. Their effect is to reduce the size of the cube, leading
to the concept of residual risk. In practice, there is one risk
cube for every combination of threat, vulnerability and asset.
Thus, for the case of the NT laptop with 100 vulnerabilities, say
8 threats and 5 assets, there would be 4,000 risk cubes. For a
network, this number (and hence the number of risk calculations
that need to be made) is significantly higher, making it
essential to use computers to perform the calculations.
Choosing Safeguards: BS 7799:1999
British Standard (BS) 7799 is the
emerging international standard for security management. It
addresses the standardisation of "Information Security
Management". First published in 1995, BS 7799 is now used in
the UK, South Africa, the Netherlands, Brazil, Australia and New
Zealand. Norway has translated the standard into Norwegian, with
the intention of adopting it as a national standard. Other
countries, such as Denmark, Eire, Sweden, the US and Japan, are
considering adopting BS 7799 as a standard. Indeed, the revised
version of the standard BS 7799:1999 has just been formally
proposed as an ISO standard.
There are two parts to BS 7799 and also
a certification scheme for public and private organisations. The
certification scheme has been designed to be strong enough and
consistent enough with BS 7799 to be accepted reciprocally by
different countries.
The two BS 7799 parts are:
- BS 7799-1:1999 (Part 1) is a standard
code of practice and provides guidance on how to
secure an Information System (IS).
- BS 7799-2:1999 (Part 2) is a standard
specification and specifies the management framework,
objectives and control requirements for an Information
Security Management System (ISMS).
The certification scheme works like ISO
9000. Indeed there are many parallels between ISO 9000 and BS
7799. For example, instead of having a quality policy and a
quality management system, there is an information security
policy and an ISMS.
Part 1 is a "catalogue" of
good security practice. The new standard stresses that not every
one of its 127 controls is applicable to all businesses, and that
controls should be selected as a result of performing a risk
assessment. Moreover, BS 7799:1999 recognises that other
controls, not identified in Part 1, may be required. There exists
a special provision in the standard to "import" such
additional controls, should the need arise. Nevertheless, Part 1
embraces a wide range of controls suited to e-Commerce and the
demands of modern day working practices, including outsourcing,
mobile computing and teleworking. In addition the standard
addresses physical security, personnel security, recruitment
practices, contractual issues and legal issues. In particular the
standard recognises that information assets may exist in
different forms and may be processed and communicated using
technology ranging from the quill pen to satellites, palmtop
computers and mobile phones.
In practice there are two types of
safeguard: threat-safeguards and vulnerability safeguards.
Threat-safeguards reduce the ability of a threat to exploit a
vulnerability. Examples are physical barriers (which reduce
physical access) and firewalls (which reduce electronic access).
Vulnerability-safeguards will either eradicate the vulnerability
totally, or limit the damage that would result if it were
exploited. Of these two types of safeguard, the threat-safeguard
has the most dramatic effects as it will reduce the risk due to all vulnerabilities that could be exploited by that threat. In
contrast the vulnerability-safeguard only mitigates the risk due
to individual vulnerabilities.
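To make the cube arithmetic concrete, here is an added worked example in Python; it is not from the article and is not the author's risk analysis tool. It builds one cube per threat/vulnerability/asset combination from a constructed profile, counts the cubes, and compares a threat-safeguard (halving one threat's likelihood) with a vulnerability-safeguard (halving one vulnerability's damage). All scores, names and factors are assumed values chosen for illustration, and the rule that an electronic-only threat cannot reach a vulnerability needing local access is also an assumption.

```python
"""Risk-cube model: one cube per (threat, vulnerability, asset), with
risk = threat x vulnerability x asset value, summed over all cubes.

Added illustration; none of these scores, names or safeguard factors come
from the article. The multiplicative form is one reading of the
'volume of a cube' picture in Figure 3, and the threat/vulnerability
safeguard split follows the text above.
"""
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # 0..1, how likely the attack is to be attempted
    severity: float     # 0..1, attacker motivation and capability
    access: str         # "physical" (insider) or "electronic" (hacker)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    damage: float       # 0..1, damage if exploited (cf. the Figure 1 scale)
    remote: bool        # exploitable across a network?


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # business consequence, arbitrary scale


# Constructed sample profile (not the article's data).
THREATS = [
    Threat("external hacker", likelihood=0.6, severity=0.5, access="electronic"),
    Threat("insider", likelihood=0.2, severity=0.4, access="physical"),
    Threat("human error", likelihood=0.5, severity=0.2, access="physical"),
]
VULNS = [
    Vulnerability("remote root exploit", damage=1.0, remote=True),
    Vulnerability("remote denial of service", damage=0.6, remote=True),
    Vulnerability("local privilege escalation", damage=0.7, remote=False),
    Vulnerability("directory browsing", damage=0.2, remote=True),
]
ASSETS = [Asset("web server", 5.0), Asset("customer database", 8.0)]


def cube_risk(t, v, a):
    """Volume of one risk cube. An electronic-only threat cannot reach a
    vulnerability that needs local/physical access, so that cube is empty
    (an assumption of this model)."""
    if t.access == "electronic" and not v.remote:
        return 0.0
    return t.likelihood * t.severity * v.damage * a.value


def count_cubes(threats, vulns, assets):
    """Number of risk calculations: threats x vulnerabilities x assets."""
    return len(threats) * len(vulns) * len(assets)


def total_risk(threats, vulns, assets):
    """Sum the volumes of every cube."""
    return sum(cube_risk(t, v, a) for t, v, a in product(threats, vulns, assets))


def with_threat_safeguard(threats, name, factor):
    """Threat-safeguard (e.g. a firewall): scales one threat's likelihood,
    which shrinks every cube that threat takes part in."""
    return [replace(t, likelihood=t.likelihood * factor) if t.name == name else t
            for t in threats]


def with_vuln_safeguard(vulns, name, factor):
    """Vulnerability-safeguard (e.g. a patch or hardening step): scales the
    damage of one vulnerability only."""
    return [replace(v, damage=v.damage * factor) if v.name == name else v
            for v in vulns]


def compare_safeguards(threats=THREATS, vulns=VULNS, assets=ASSETS):
    """Baseline risk versus residual risk after one safeguard of each type,
    each halving the parameter it acts on."""
    baseline = total_risk(threats, vulns, assets)
    firewalled = with_threat_safeguard(threats, "external hacker", 0.5)
    patched = with_vuln_safeguard(vulns, "remote root exploit", 0.5)
    return {
        "cubes": count_cubes(threats, vulns, assets),
        "baseline": baseline,
        "threat_safeguard": total_risk(firewalled, vulns, assets),
        "vulnerability_safeguard": total_risk(threats, patched, assets),
        # how many cubes each safeguard touches
        "cubes_touched_by_threat_safeguard": len(vulns) * len(assets),
        "cubes_touched_by_vuln_safeguard": len(threats) * len(assets),
    }


if __name__ == "__main__":
    for key, val in compare_safeguards().items():
        print(f"{key:36s} {val}")
```

With these numbers the threat-safeguard touches 8 of the 24 cubes and removes more risk than the patch, which touches 6; whether that holds for a real network depends on the measured scores, which is the point of measuring them rather than assuming them.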
Figure 3 implies the existence of
asset-safeguards. Indeed, at first view, encryption may be
regarded as an asset-safeguard, as the encrypted form of the
asset ought to be of considerably lower value. However, the
original form of the asset will still exist and will still need
to be protected. Nevertheless the concept of an asset-safeguard
facilitates the normalisation of risk data, so that the risk for
different networks can be compared irrespective of the value of
the assets and the threat environment.
An Example
Figure 4 shows a sketch of a make-believe
e-Commerce site. It is realistic in the sense that the
analysis uses real hardware and software and takes account of
real vulnerabilities and safeguards. The Web server, for example
is running an Apache Web Server 1.1 and the internet router is a
Cisco 2514 Dual LAN router.

Figure 4: A candidate e-Commerce system
Figure 5 shows the risk in different e-Commerce
environments. The "baseline risk" represents the risk in the
absence of any safeguards. The absence
of safeguards literally implies that the whole network is readily
accessible to everyone in the world; there are no walls, doors,
reception areas or any form of physical security whatsoever.
Figure 5: Risk in different e-Commerce environments
The baseline risk actually increases
when the firewall is introduced. This illustrates the danger of
using improperly configured firewalls.
The residual risk puts the IT in a
typical office environment, and applies electronic safeguards
such as ensuring that the routers are properly configured, and
UNIX traditional best practice advice, such as "changing the
UMASK value to a minimum of 027", is applied. The effect is
not that great. A properly configured firewall (e.g. Check Point
Fire-Wall-1 v2.0, with a "workaround", fully automated
anti-virus software, disabled GUEST account, etc.) does
substantially better. The overall residual risk goes down,
despite the increase in baseline risk with the introduction of
the firewall.
The purpose of introducing PKI (Public
Key Infrastructure) technology is to establish an effective VPN
between the e-Commerce site and its customers. This will allow
customers greater freedom of access and greater security to the
e-Commerce system, whilst still keeping intruders at bay. The
introduction of this solution has almost zero effect on the
baseline risk but an equally significant reduction in residual
risk.
Figure 5 also shows the levels of
acceptable risk dependent upon the asset value in accordance with
the "DTI Scale". This scale maps the DTI's Unified
Classification Scheme, augmented by national security markings
(SECRET, TOP SECRET etc) on to a logarithmic scale. The Unified
Classification Scheme defines three levels:
- dtiSEC1 represents information which if
improperly disclosed, particularly outside an
organisation, lost or found fraudulent would be
inappropriate and inconvenient.
- dtiSEC2 represents information to which, if any of
these things happened, significant harm would be caused to
the interests of the organisation. It includes personnel
information and therefore would be the asset value
relevant to European Data Protection Legislation.
- dtiSEC3 represents information which likewise
could prove fatal to an organisation.
dtiSEC2 maps directly onto the national security marking
termed RESTRICTED (OFFICIAL USE ONLY in the US) and dtiSEC3 maps
directly onto the national security marking termed SECRET. There
are higher markings.
The determination of acceptable risk rests upon the
assertion that there exists a "dtiSEC0" that represents information that companies do not mind being wrong,
given away or lost. The full assertion is that for the risk to
protect assets of value dtiSECn (n = 1 or
higher) to be acceptable:
Risk with safeguards [dtiSECn] ≤ Risk without safeguards [dtiSEC0]
i.e., the risk with the assets rated at their true value but
with the selected safeguards in place should be (just) less than
or equal to the risk that would occur if there were no safeguards
but the assets were all valued at dtiSEC0.
The horizontal lines in Figure 5 annotated with the DTI
levels ("dtiSEC4" = SECRET) identify the level
of acceptable risk corresponding to each DTI level. Thus, the firewall-only solution is perfectly adequate for dtiSEC1 value assets. The PKI solution is required for dtiSEC2/3 value assets. For higher value assets the
PKI solution by itself is inadequate and requires further
safeguards to be deployed (e.g. "high grade" government
approved cryptography).
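The acceptability test can be written out as a short check. The following is an added Python example, not the article's own figures or software: it assumes a linear risk model, places dtiSECn at 10**n on an arbitrary asset-value axis (the text says only that the scale is logarithmic), and uses constructed residual-risk fractions for each configuration named in Figure 5.

```python
"""Acceptable-risk test on the DTI scale.

Added illustration, not the article's data or tool. Assumptions: risk is
linear in asset value; dtiSECn sits at 10**n on an arbitrary value axis;
each configuration leaves a constructed fraction of the baseline risk.
"""

# Asset value assigned to each DTI level (constructed log scale).
DTI_LEVEL_VALUE = {n: 10.0 ** n for n in range(0, 5)}   # dtiSEC0 .. dtiSEC4

# Constructed residual-risk fractions: the share of the unsafeguarded risk
# that remains once the configuration is in place. Illustrative only.
CONFIGURATIONS = {
    "no safeguards": 1.0,
    "office environment + best practice": 0.6,
    "properly configured firewall": 0.05,
    "firewall + PKI (VPN)": 0.0005,
}


def risk(exposure_per_unit_value, asset_value, residual_fraction=1.0):
    """Risk = (threat x vulnerability exposure per unit of asset value)
    x asset value x fraction left after safeguards."""
    return exposure_per_unit_value * residual_fraction * asset_value


def is_acceptable(exposure, residual_fraction, level):
    """The article's criterion:
    Risk with safeguards [dtiSECn] <= Risk without safeguards [dtiSEC0]."""
    with_safeguards = risk(exposure, DTI_LEVEL_VALUE[level], residual_fraction)
    without_at_sec0 = risk(exposure, DTI_LEVEL_VALUE[0])
    return with_safeguards <= without_at_sec0


def highest_acceptable_level(exposure, residual_fraction):
    """Highest dtiSECn (n >= 1) whose assets this configuration may protect;
    None if not even dtiSEC1 is acceptable."""
    best = None
    for level in range(1, max(DTI_LEVEL_VALUE) + 1):
        if not is_acceptable(exposure, residual_fraction, level):
            break
        best = level
    return best


def rate_configurations(exposure=3.2, configurations=CONFIGURATIONS):
    """Map each configuration to the highest DTI level it is adequate for.
    The default exposure is a constructed number."""
    return {name: highest_acceptable_level(exposure, fraction)
            for name, fraction in configurations.items()}


if __name__ == "__main__":
    for name, level in rate_configurations().items():
        verdict = f"dtiSEC{level}" if level else "nothing above dtiSEC0"
        print(f"{name:38s} adequate up to: {verdict}")
```

Because risk is linear in asset value here, the exposure term cancels and the verdict depends only on the residual fraction; that is the normalisation the text relies on. The constructed fractions were chosen so that the verdicts agree with the article's reading of Figure 5 (firewall adequate for dtiSEC1, PKI for dtiSEC2/3, neither sufficient above that); they are not derived from it.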
The ability to reason in this way would
not be possible without the ability to measure risk and normalise
the risk analysis results against a common scale. However, the
approach also allows companies to reappraise their risk posture
should anything concerning the network, threats or assets change
in any way. Indeed, even the mere passage of time has an effect,
in that would-be attackers are likely to be better equipped to
make a successful attack. General knowledge of vulnerabilities,
particularly in commercial off-the-shelf software, will increase.
Moreover, with advances in technology and decreases in cost, an
attacker is better able to practice an attack before making it
for real. It further makes sense to maintain a continual state of
awareness as far as risk analysis is concerned. If a company is
continuously aware of its risk posture it will be able to decide
when to increase its defences and when it is safe to reduce them.
Making Timely Informed Decisions About Security
Risk management therefore concerns the
ability to make timely informed decisions about security. BS
7799-2:1999 provides a weak specification for a system that
facilitates this decision-making process. It is called an
Information Security Management System (ISMS). The specification
is weak because it only implies the existence of the feedback
loop shown in Figure 6.

Figure 6: The Risk Management Process
Figure 6 presents the idealised
structure for an ISMS. It shows the traditional approach to risk
management augmented by the addition of the required feedback
loops. In scoping the problem, BS 7799 implies an
"information-centric" view of the world, to avoid the
trap of failing to take account of less obvious vulnerabilities,
such as people, cell phones and laptops. It further implies
information policies that clearly identify and explain the
business priorities concerning information. In addition,
BS 7799 calls for risk assessments that identify what
networks really are, not what people think they are! BS 7799
requires management to identify vulnerabilities and select the
safeguards with a priority that matches the business priorities
specified in the security policy. Reiteration is encouraged,
choosing alternate safeguards until management is satisfied with
the residual risks and costs involved. Once the chosen safeguards
have been implemented, the ideal ISMS monitors their
effectiveness. It does not assume that they will work as
intended. Management is invited to regularly re-appraise the
situation. Even if nothing is supposed to have changed, the risk
assessment should be regularly repeated (this is the most
important feedback loop). Management should assume, for example,
that their networks have changed - most networks do with time! In
any case, doubtless someone will have identified new
vulnerabilities. Of course, if the business requirements have
changed, there will be a need to re-scope the problem and revise
the security policy accordingly.
In practice, companies should
continually check that the safeguards that they deploy are
working as intended. In that sense the ISMS is self-healing. If
something does not work, management stands a good chance of
finding out before someone else does and can exploit the
vulnerability.
Projecting Trust
Certification against BS 7799-2:1999
provides a ready made way for companies to project the
trustworthiness of their IT systems and e-Commerce services to
others. Certification demonstrates that a company has an
effective ISMS and is therefore able to make timely informed
decisions about security. The SEDUCER project recommends that
such certification is tightly coupled with a public statement of
how a company will assure its customers of its ability to deliver
its e-Commerce services, reliably and securely, and what it will
do if things go wrong. BS 7799's ability to facilitate the
importation of additional controls not included in Part 1 of the
standard allows this idea of a public statement of assurance to
be brought within the scope of the certification. This means that
certification not only implies compliance with the standard and
the ability of a company's management to make sensible
decisions about security, but also an implied endorsement of that
public statement of assurance.
Conclusion
In conclusion, e-Commerce needs a
smarter approach to security. Companies cannot avoid risk. Risk
avoidance strategies are expensive and severely restrict a
company's ability to conduct its business. In that sense, a
risk avoidance strategy does not make good business sense. If the
prosecution of a risk avoidance strategy is terminated
prematurely, then there is a real risk that the company will be
unknowingly and gravely exposed.
The best approach is for companies to
manage their risks and make that activity an integral part of
their approach to developing and sustaining customer trust. Risk
management requires the ability to measure risk. The technology
to do this is available and affordable, and is underpinned by BS
7799:1999. This standard has an international uptake and, via
certification, presents a way for companies to demonstrate the
trustworthiness of their IT systems and e-Commerce services to
others.
________________________________
Biography
Dr. David Brewer is an established
authority on computer and communications security. He is a member
of the British Standards Committee for the development of BS
7799, a past Vice Chairman of the CSSA Electronic Commerce
Special Interest Group, and Programme Secretary for AFCEA,
London. He assisted the UK National Security Authority to
establish its first security evaluation facilities, and played a
significant role in setting up the IT Security Evaluation and
Certification Scheme. He was a founder member of the UK
Department of Trade and Industry's Commercial Computer Security
Centre (CCSC), and an author of the European ITSEC and the ITSEM.
He is involved in an on-going programme
of international research to discover the meaning of
"trust" in Trust Services, and establish a framework to
co-ordinate the balanced application of standards to deliver
trustworthiness, predicated on risk management. He has lectured
on the subject of trust and its attainment in the Far East as
well as North America. He has provided consultancy to a wide
customer base on the issues concerning the trustworthiness of
information systems including defence and civil government,
banking, insurance, defence contractors and IT suppliers.
Note
This article is based on a presentation
given by Dr. Brewer at the Second Annual Conference of e-Commerce
and the supply chain revolution, June 1999.