Happy with your email? Answers on a postcard please

Dean Adams, Trustis Limited

Copyright Trustis Limited 2001. All rights reserved.

Email is all-pervasive nowadays; it's difficult to imagine how we would ever cope without it. Until recently, the vast majority of discussions relating to important company matters might have been conducted face-to-face, in some company meeting room. These days however, employees are far more likely to discuss such topics over email than through any other means.

Imagine that the only way you could communicate with your clients, colleagues, partners and suppliers was through the picture postcard. Would that affect what you put down in writing? It should! Why is it then that most organisations, in all likelihood including your own, continue to communicate sensitive and sometimes critical information via email? Of course we all want the benefits of the ability to communicate swiftly, cheaply and without regard to location or time zone. But can we afford to bet our business on the chance that the email might be read or forged by others?

Journalist Maryfran Johnson reported the following on 4th March 2000: In a show of instructive mischief, a reader not too long ago sent me email that arrived from myself. I'd been spoofed. This fellow (clearly a man with time on his hands and a mission in his heart) intended me no harm. But he wanted to show me how pitifully easy it was to slip into my system and borrow my online identity.

Late last year, Alibris, an online rare bookseller, was charged with intercepting a competitor's traffic. The competitor in question was Amazon.com and Alibris agreed to pay $250,000 to settle criminal claims. These two examples, and hundreds of incidents like them, demonstrate that email can be subverted and compromised by those in the know, or by those with desktop tools provided by those in the know.
Email accounts for around 70 per cent of all network traffic, yet despite its very prevalent and ever-increasing use as an integral part of business transactions, the degree to which it is protected by security measures seriously lags behind other corporate resources. This, of course, leaves it wide open to forgery, tampering and simple snooping, amongst other threats. However, when we look at the sort of information that routinely gets transmitted through our email systems, it is easy to come to the conclusion that email is the single largest unprotected application that exists in the corporate world right now.

The lack of security associated with our use of email is not necessarily the result of apathy. Many people are simply not aware of the threats and risks that email is exposed to, and there is a widespread underlying assumption that the sheer volume of email on the Internet somehow protects them. A simple search for press coverage of security incidents involving email would quickly show however that breaches of security involving email occur with alarming regularity. If you and your organisation don't want to be the subject of yet another press report, you need to take steps to protect yourselves when using email.

My organisation uses email - am I at risk?

In order to answer that question, we need to understand what and where the common threats to email are. To protect our email usage effectively, we must know what it is that we are protecting from. Only then can we make sensible judgements on what sort of protective measures to take, where they should be taken, and when.

Where are the threats - internal or external?

If you were to ask most IT managers where they had most concerns regarding email, they would probably cite all sorts of Internet-based hacking activities. Make no mistake about it, these certainly do occur, and have the potential to trigger the sort of publicity that can be highly damaging to a company, as well as being directly responsible for financial and other losses. However, between fifty and eighty per cent of security incidents are due to causes that are internal to the organisation and can range from simple and honest mistakes made by staff, to deliberate and malicious behaviour (see "Security - It's not just about keeping the bad guys out"). Typically, an insider has much more knowledge about the organisation's information assets and much more opportunity to access them than anyone outside the company. Anyone who is serious about securing their organisation's email usage should not forget this, and should ensure that adequate protective measures are taken inside the company, as well as on the outside. The threats arising from internal causes are not entirely concerned with confidentiality. As we shall see, many other worrying and damaging incidents can originate from within the company as well as from the outside.

What are the threats?

Breach of Confidentiality - How damaging would it be if email conversations on such subjects as reorganisation plans, staff appraisals and salaries, or the future of project X were to become common knowledge within the company? Would it be more damaging for that information to be seen by someone outside the company? Normal email is essentially transmitted in the clear. It's almost equivalent to writing on a postcard. For those operating under the jurisdiction of the European Directive on Data Protection, if you're sending email that contains information relating to some person and considered to be of a personal nature, then unless you have taken adequate steps to protect that information from unauthorised disclosure, you are at risk of prosecution.

Lack of Integrity - Emails can be intercepted, modified, and then sent on their way. Normal email has no protection from such a threat, and the recipients have no idea that they may be acting on false information.
Imagine the chaos that could be caused with minor modifications like the insertion or removal of the word "not", changes to figures, delivery addresses or dates, etc.

Unverified Identity - It is relatively easy to forge an email to make it appear to come from someone else, with potentially dramatic consequences. Even within the company this is a problem. For example, most people would unquestioningly and immediately act on an email that purported to come from their manager, or the CEO. By the time the forgery has been discovered, in all likelihood the damage has already been done. According to the Associated Press, 24th March 2000: Dozens of electronic messages racing across the Internet this week carried what's believed to be an unprecedented payload - a subpoena and other documents approved by a judge, warning that the recipient's Web site may be violating a federal court order. Supporters applaud the idea, saying it allows attorneys to respond in accelerated "Internet time" to new issues of law and technology. Critics say it's unworkable because email can be falsified or forged so easily.

Virus Infection - These have the ability to render a company completely unable to conduct business if not checked. According to the ICSA Labs 1999 Computer Virus Prevalence Survey, infections from email attachments increased from 32 per cent in 1998 to 56 per cent in 1999, and as a result, topped the list of the sources of viral infections.

Unsuitable Content - This is a source of great concern to almost all companies now, especially since quite a large number of companies have fallen foul of this particular issue, and as a result have been taken to court with expensive and publicly damaging consequences. On 16th March 2000, SACA, the South African Certification Agency, reported: Management at Tongaat-Hulett must have cringed when they listened to President Mbeki's State of the Nation address to parliament.
The vitriolic racism spewed by their chief engineer, Odendaal, in an email instantly became a topic of conversation throughout South Africa. In an attempt to distance themselves from his offensive attitudes, Tongaat-Hulett not only struck the sender of the email off their employee list but also threatened to seek out like-minded people.

What can we do?

First and foremost, define an email policy! All good security starts with policies, and the security of email is no exception. Ideally the email policy should be a part of a wider ranging set of security policies addressing all facets of day to day operations. There is a great temptation to purchase and deploy any number of security products that are available in the marketplace and which are designed to combat one or more of the threats we've just discussed. However, without an email security policy, any technical protective measures will be applied in an undirected manner, without clearly defined common goals that stem from a business perspective, not a technical one. Technology-led approaches will very likely result in inadequate use of non-technical means of reducing the risks associated with email and recovery from situations where the technology fails to protect.

Education should play a key role when forming these policies. Employees need to know what should and should not be emailed, to whom and under what circumstances. Employees should also be involved in the creation of the policy. If its content is something that is merely commanded from on high, without any involvement from staff, it may not be enforced so easily. However, the premise that there shall be email security, and security in general, from a policy perspective, is something that needs to be mandated and fully supported from on high. Upper-level management has to state clearly that the policy is important - that this is what we want people to do, and that these are the consequences of not following the policy.

Assuming that we've defined an email policy and we have the full and active support of senior management, we should now be looking to support that policy through the use of appropriate technology and procedures.
Protection through technology

There are several very effective and well-used technologies that we can use to protect ourselves from the threats to email. What will become obvious however, is that the decision to deploy one or more of these techniques cannot be taken in isolation. The decision to deploy one safeguard and how it is to be deployed will affect whether or how another can be deployed.

Secure Email

We need to protect ourselves from threats to the confidentiality, integrity and authenticity of our email as it transits a potentially hostile environment like the Internet, and for that we need to make use of what is commonly described as Secure Email. Secure Email uses cryptographic techniques to strongly protect an email conversation from anything considered external to the direct conversation between the originator and the recipient. This is normally called end-to-end security between the originator and the recipient, and ensures that email is sent in a self-contained and secured envelope, which cannot be breached by any person or software as it travels from the sender to the recipient.

By using Secure Email, we can protect our email from being read by anyone except the person to whom it is being sent. Used properly, the cryptographic technology upon which it is based can enable us to not only keep our conversations private, but also be confident in its origin and ensure that its contents cannot be tampered with without our knowledge. The confidentiality of the message is achieved by encrypting it, whilst the protection against tampering and the proof of authenticity is achieved through another cryptographic technique called a digital signature.

One does not have to be an expert in cryptography to use these facilities. They are normally supplied as a part of normal desktop email programs, or if not, are readily available as additional plug-in components to existing programs. In normal use, just one or two clicks of the mouse encrypts and/or digitally signs the email.

Sounds too good to be true, and to a certain extent it is. There is a multiplicity of choices facing any organisation wishing to take up Secure Email. There is the question of the underlying technology upon which the Secure Email product is based; for instance, S/MIME and PGP amongst others. There are differences in exactly where and how digital signatures and encryption are applied to the message.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an industry standard that has gained ground in recent years to become the predominant method of securing email. Products that follow this standard make use of what is known as a Public Key Infrastructure (PKI) to manage the large number of keys that accompany the high volume of secure emails, whether digitally signed or encrypted or both. These keys are contained within what are known as Digital Certificates, or industry standard X.509v3 certificates to be more precise.

In simple terms, an X.509v3 digital certificate is the electronic commerce world's analogue of the passport. It is issued by a trusted authority and binds you as an individual to an identity that can be recognised and verified by other agencies. It confers certain rights and obligations on you according to policies exercised by the issuing authority. Because it includes cryptographic keys, it provides you with the ability to digitally sign messages, documents or transactions, or to verify the signatures of others. It enables you to make messages, documents or transactions only readable by those that you designate.

Traditionally, one of two basic choices typically has to be made with regard to the PKI used to support Secure Email - to build the complete infrastructure in-house or to purchase all-encompassing contract services (outsource). However, recent developments have seen product and service offerings with a much higher degree of flexibility and adaptability to the customer organisation's needs than was previously available.
In essence, what was a "take it or leave it" all-embracing approach to PKI has now been broken down into individual roles and components from which customer organisations can elect to take ownership, or contract out, as they see fit (see "Secure E-commerce - A Competitive Advantage"). This type of approach has several important benefits to the customer organisation. Firstly, the policy under which certificates are issued and used can be entirely under the control of the customer organisation. Thus the rights, obligations and liabilities associated with the use of Secure Email can be clearly defined and tailored to the needs of the organisation. Secondly, appropriate business-led decisions can be taken with regard to functions that impact on trust, performance and recovery from outages. One final point that should be noted is that a PKI, once established for the support of Secure Email, can also be reused for the support of a variety of other applications such as secure web access, secure payments, virtual private networks, and many others.

S/MIME is not perfect in the sense that the standard leaves some details open to possibly divergent interpretation by software suppliers and hence complete interoperability cannot be guaranteed. However, an organisation that bases its Secure Email on the use of S/MIME compliant products with the underlying support of a standards compliant PKI, will certainly have greater confidence that it can successfully exchange secure email with others than through any other method. Industry interoperability trials with feedback from advanced user organisations are helping to improve the level of interoperability between different products.

A critical option available to customer organisations deploying Secure Email is where the encryption, decryption and signing should take place; should it be done at each individual desktop, or should it be done centrally at the mail server? There are pros and cons for both approaches.
If carried out at the desktop, then each user must be issued with his or her own digital certificates for encryption and signatures. To have separate certificates (with separate keys) for encrypting/decrypting and for signing purposes is generally regarded to be good security practice. Most reputable packages will support this separation, and the certificates themselves can be encoded to identify which operations they may be used with. However not all Certificate Issuing Authorities support this encoding, and instead supply all-purpose certificates. On the pro side, by allowing each individual user to hold their own certificates, individuals can sign messages, documents and transactions, as they would do in real life; as themselves. Accountability for actions is assured down to the level of a single individual. Messages can be encrypted so that only the identified individuals can read them, and thus messages are protected from threats that may exist within the corporate network as well as from the outside. On the con side, the customer organisation is engaged in the issuance and management of a potentially large set of certificates.

Some Secure Email products and services adopt the approach of applying encryption/decryption and signatures at a central location such as the customer organisation's server. On the pro side, this type of approach will require just a few certificates, issued to the customer organisation itself as a named entity, thus certificate management problems are greatly reduced in scope. On the con side, individual accountability is not supported; any messages are simply signed as coming from the customer organisation. In addition, because messages are encrypted/decrypted as they pass through the server, they are essentially stored and forwarded in the clear and hence unprotected on the internal corporate network. Given that experience has shown the majority of security threats to originate from within the organisation, this may give some managers pause for thought.

Virus Protection

Most people are familiar with the existence and function of anti-virus software, even if they don't use it themselves. Given that email is one of the prime sources of viral infections, it makes sense to deploy anti-virus software that is capable of detecting viruses carried by email and effectively dealing with them before the email can be opened by an unsuspecting user, potentially unleashing the damaging virus on the internal corporate network.

A great many companies use central server-based anti-virus technology.
In general, these work by scanning emails and their attachments as they pass through the server, and before they are delivered to the end-user desktop. The benefits of this approach are that since virus detection and elimination is done centrally at one place for everyone in the company, only this one central facility needs to be kept updated with the most current virus definitions and anti-virus software. Typically, end-users cannot be relied upon to diligently keep their desktop anti-virus protection up to date, and so a centrally managed facility ensures that the company is always protected by the most up to date measures.

The problem with this approach arises when used in conjunction with Secure Email where, for the reasons explained earlier, the encryption/decryption and signing are performed at the end-users' desktops. If the emails are encrypted/decrypted at the desktop, then the central anti-virus facility will not be able to scan the messages for viruses as they pass through the server. After all, if the anti-virus facility were somehow able to decrypt the messages in order to scan them, then it should also be possible for some other software (possibly malicious) to do the same thing.

A solution to this problem lies in the deployment of anti-virus software that is managed centrally for updates and anti-virus policy, but is actually executed locally at each individual desktop when the message is decrypted for opening by the end-user. In this way, the benefits of central anti-virus management and update are retained, whilst allowing for the end-to-end security protection and individual accountability afforded by Secure Email. There are a number of anti-virus products that support this type of approach.

Unfortunately, some central anti-virus facilities have still not recognised that end-to-end Secure Email is a growing trend, and consequently have not upgraded their products to deal with this scenario.
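The split described above, between mail a central scanner can inspect and mail that only the desktop can, can be expressed as a gateway triage rule keyed on the S/MIME media types. This is an added example, not code from the original paper or from any product it refers to; it uses Python's standard email library, and the verdict names and sample messages are constructed for illustration.

```python
"""Triage S/MIME mail at a gateway: what can a central scanner inspect?"""
from collections import Counter
from email import message_from_string, policy

# S/MIME media types (RFC 8551); the "x-" spellings are legacy forms.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

# Verdict names are this example's own, ordered from least to most opaque.
RANK = {"scan-at-gateway": 0, "unwrap-then-scan": 1, "defer-to-desktop": 2}


def triage(raw):
    """Return (verdict, scannable_parts) for one message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    verdict, scannable = "scan-at-gateway", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype in PKCS7_SIG:
            continue  # containers and detached signatures hold no content
        if ctype in PKCS7_MIME:
            # smime-type is optional. Anything that is not plainly
            # signed-data is treated as encrypted (fail closed), so unknown
            # content is never reported as scanned.
            kind = (part.get_param("smime-type") or "enveloped-data").lower()
            found = ("unwrap-then-scan" if kind == "signed-data"
                     else "defer-to-desktop")
            verdict = max(verdict, found, key=RANK.__getitem__)
            continue
        # A readable leaf part: record its filename, or its type if unnamed.
        scannable.append(part.get_filename() or ctype)
    return verdict, scannable


def blind_spot(messages):
    """Count verdicts over a batch: the share the desktop scanner must cover."""
    return Counter(triage(m)[0] for m in messages)


def _single(content_type):
    """Build a constructed one-part message; the body is placeholder bytes."""
    return "\n".join([
        "From: alice@example.com", "To: bob@example.com", "MIME-Version: 1.0",
        f"Content-Type: {content_type}",
        "Content-Transfer-Encoding: base64", "", "AAAA", ""])


# Constructed sample messages (no real certificates or ciphertext).
PLAIN = "\n".join([
    "From: alice@example.com", "To: bob@example.com", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "Figures attached.",
    "--b1", 'Content-Type: application/msword; name="report.doc"',
    'Content-Disposition: attachment; filename="report.doc"',
    "Content-Transfer-Encoding: base64", "", "AAAA", "--b1--", ""])

CLEAR_SIGNED = "\n".join([
    "From: alice@example.com", "To: bob@example.com", "MIME-Version: 1.0",
    'Content-Type: multipart/signed; micalg=sha-256; boundary="b2";',
    ' protocol="application/pkcs7-signature"', "",
    "--b2", "Content-Type: text/plain", "", "Delivery date is 14 June.",
    "--b2", 'Content-Type: application/pkcs7-signature; name="smime.p7s"',
    "Content-Transfer-Encoding: base64", "", "AAAA", "--b2--", ""])

ENCRYPTED = _single(
    'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"')
OPAQUE_SIGNED = _single(
    'application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"')

if __name__ == "__main__":
    for name in ("PLAIN", "CLEAR_SIGNED", "ENCRYPTED", "OPAQUE_SIGNED"):
        print(name, triage(globals()[name]))
    print(dict(blind_spot([PLAIN, CLEAR_SIGNED, ENCRYPTED, OPAQUE_SIGNED])))
```

A clear-signed message stays scannable at the gateway, but a gateway that rewrites it (for example by stripping an attachment) invalidates the signature, so the action on a detection should be to block or quarantine the whole message.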
Typically and defensively, these anti-virus product suppliers will recommend to their customers that they do not adopt end-to-end Secure Email, but instead use a centrally operated approach as discussed earlier, where the encryption/decryption is applied at the server. If you decide that end-to-end Secure Email is what you need, then choose anti-virus technology that is capable of working with it.

One final note on anti-virus strategies: viruses can come from a variety of sources apart from via the corporate server, such as web, floppies, CD-ROMs, and modem access to the Internet through local ISPs by laptops whilst away from the office. To defend against these sources of viruses, the protection must be on the desktop itself. Anti-virus product manufacturers would recommend however, that you should not necessarily throw away your centralised server based anti-virus technology. Their recommendation is to continue to use it as a second tier of defence for the large number of emails that will not need encryption, and for protecting against viruses that can be sourced from the web via corporate gateways.

Content Scanning

While offensive email is the most obvious concern, you can also scan for certain key words in email going out to your competitors, to ensure that no company secrets are being divulged. Once you have devised a realistic messaging policy the next step is to actually put the tools in place that will track and manage incoming and outgoing traffic. There are many products available in the marketplace that will perform content scanning on emails according to a corporate policy, and then perform defined actions such as blocking and alerting.

However, as with anti-virus products, there are decisions to be made concerning the placement of such facilities; on a central server or at each desktop. Similar considerations to those involved in anti-virus technologies and placement apply when end-to-end Secure Email is used. Luckily, as with anti-virus, there exist content scanning products that can be configured and administered centrally, by the IT department for example, yet are executed locally on each desktop. Under such a scheme, the protection afforded by this type of technology is still operative when a laptop is used outside the internal corporate network.

It is notable that as recently as 30th April 2000, the front page of the Sunday Times reported: MI5 is building a new 25m surveillance centre that will have the power to monitor all emails and Internet messages sent in Britain.
Of course, in an ideal world, this should not concern law-abiding individuals and organisations. However, there has been quite some concern in the past over alleged commercial espionage activities associated with various security agencies since the ending of the cold war. Your emails could already be being monitored as they transit between your offices in different parts of the world, or between you and your customers, partners or suppliers.

Email Servers

A common way for unauthorised people to get at your email is by compromise of your server. By gaining access to this central facility, email from or to anyone can be accessed. Of course, end-to-end secure email can protect against this, but the fact remains that some emails that should have been encrypted and/or signed will not have been, and are thus exposed to attack from both outside and inside the company. Consequently, great care should be taken to install and configure servers in a secure manner, as advised by the manufacturer, and on operating systems that also have been similarly carefully installed and configured. Where necessary, and as indicated by a risk analysis, appropriate use can be made of firewalls and intrusion detection technology to provide additional layers of protection.

Persistent Protection

What happens after an email has been delivered, even if it has been secured? Are you confident that the other party will protect its contents as well as you? Perhaps the email has some content that you only wish to make available to the recipient until such time as you decide otherwise, for whatever reason. Admittedly for most organisations who have merely replaced their paper-based messaging with email, this is probably not an issue, since this degree of control did not previously exist, except in the Mission Impossible style tape that self-destructs in five seconds.

However if your organisation does indeed have a requirement for this degree of control over Secure Email sent out to others, then there are products available in the marketplace that will attempt to provide a solution. Mostly these will require the message information (including attachments) to be converted to some non-revisable format, such as PostScript or Portable Document Format (PDF), and then require that the recipient download a special viewer plug-in. The plug-in does three things: firstly, it requires the recipient to request a decryption key from a persistent protection server that is run from your premises. Secondly, it uses the key (which is never exposed to local caching) to decrypt the content. Thirdly, it prepares and makes available for display and printing a pixel-only based representation of the content, so that electronic text-based copying and saving cannot be used to subvert the protection.

What will you do?

Of course if you're not happy adopting any of the protective measures discussed here, you may as well use postcards instead of email. You may even be more secure - after all, people are less likely to write offensive or sensitive material on something they know will be in plain view to everyone, and a postcard is less likely to be copied and archived in other places to bite you at some later time. Lastly, postcards don't carry computer viruses.

Happy with your email? Now you know you can do something about it!

About the Author

Dean Adams

Dean Adams is a principal consultant with the secure e-commerce specialists, Trustis. As such, Dean has been responsible for the deployment of a number of live PKI deployments and for advising clients in their strategies. Prior to this, Dean spent 9 years with The Open Group, where he was The Open Group's Director of Security and Electronic Commerce and was responsible for all aspects of The Open Group's security program, from market research and business planning, through technical development and certification to commercial product release. Dean is editor of The Open Group's book, "Security Survival - An Indispensable Guide To Securing Your Business" and a contributor to "CDSA Explained". Dean has also been responsible for several other technical development areas within The Open Group including operating systems, internationalisation and relational database, and was a Director of the SQL Access Group on behalf of what was then X/Open, prior to its acquisition by X/Open.

Dean has been active in the IT industry for over 18 years. Educated as a physicist, he then worked on several spacecraft projects, involving both hardware and software design. This was followed by several years in a UNIX development environment where he led various teams on both systems and applications development for commercial deployment, and also advanced research and development projects. Prior to joining The Open Group, Dean spent a year as an independent consultant, working primarily with the design of graphics software and with systems integrators, and with both the UK and European governments. Before this, he led several teams in the development of advanced document image processing technologies, and other related technologies, for the Racal Group of companies in the UK.
Dean holds a BSc with honours in Physics from the University of Manchester and a Master of Science in Atomic and Molecular Physics (Thesis on Electron Scattering) from the University of Manchester. Dean was responsible for the joint development, by a wide range of well-known companies, of the Single Common Architecture for Public Key Infrastructures (APKI), which has been adopted and published both by The Open Group and by the Internet Engineering Task Force. He was also responsible for a key component of this Architecture, the Common Data Security Architecture (CDSA), which provides cryptographic, certificate management, trust policy management, and key recovery services amongst others, and which is now available internationally in products from over 20 companies. Dean is a regular speaker at both national and international conferences, and has written articles for various journals.

About Trustis

Trustis is based in the City of London and specialises in secure e-commerce solutions. It provides secure e-business consulting and a range of related applications and trust services through its Trust Service Centre. Trustis has a world-class team of experts and offers truly independent advice. The company has no allegiance to any technology vendor and is able to help clients develop strategies to suit their business, guide them through the complex technology selection process and ensure that the implementation and deployment of e-business solutions is commercially sensible, cost effective and timely.

The Trustis team is made up of e-business security engineers, business specialists, lawyers and consultants to ensure that every aspect of a client's e-business needs can be met. Only the very highest calibre consultants are deployed, with previous experience and skills in government, commercial and military applications, and from technical, business strategy and legal perspectives. This approach ensures the very best quality delivery, which is essential to maintaining the Trustis brand and reputation. Consultants are kept up-to-date by continual research and are underpinned by the Trustis Technical Committee, described by a technology journalist as an e-business brains trust. Members of the committee are eminent international experts in the field of secure e-business, many of whom advise governments and the international community on how policy, regulation and technology should evolve. Trustis consultants are regularly sought after as speakers at international conferences and seminars, and frequently contribute papers to industry publications.

Technology is only a part of the solution, and Trustis has widely recognised and respected expertise in integrating the technology with appropriate policies, practices and procedures, to ensure that the technology works for the business, not the other way around.
Trustis works with a wide variety of client organisations for which trust in their supplier is paramount. These include organisations in the following sectors: Local and Central Government, EU, Banking and other Financial Services, Insurance, Healthcare, Law, Broadcasting and Dot Coms, in areas as diverse as secure email, web-based payments, e-tendering, business-business transactions, secure access to sensitive data, etc. In each case, Trustis has demonstrated its integrity, confidentiality, and trustworthiness, as well as its capability to deliver, time after time. Unlike many companies that purport to offer security services, Trustis has the breadth and depth of experience to be able to continue to support organisations as their own needs grow and evolve and as the environment in which they operate becomes ever more challenging and open to threats.

Trustis Limited, 49 Whitehall, London SW1A 2BX
Copyright Trustis Limited. All Rights Reserved.
Tel: +44 (0)
Fax: +44 (0)
info@trustis.com
Web:


More information

PrivyLink Internet Application Security Environment *

PrivyLink Internet Application Security Environment * WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.

More information

White Paper. The Importance of Securing Emails as Critical Best Practice within Financial Services. Executive Summary

White Paper. The Importance of Securing Emails as Critical Best Practice within Financial Services. Executive Summary White Paper The Importance of Securing Emails as Critical Best Practice within Financial Services IN THIS WHITE PAPER 1. Latest survey results Attitudes toward data security within Financial Services conducted

More information

cipher: the algorithm or function used for encryption and decryption

cipher: the algorithm or function used for encryption and decryption ! "# $ %& %'()! *,+ & -.! % %- / 0-1 2+ 34 576!! 8 9! ": ;

More information

Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.

More information

Managed Security Services for Data

Managed Security Services for Data A v a y a G l o b a l S e r v i c e s Managed Security Services for Data P r o a c t i v e l y M a n a g i n g Y o u r N e t w o r k S e c u r i t y 2 4 x 7 x 3 6 5 IP Telephony Contact Centers Unified

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY? Contents Introduction.... 3 What Types of Network Security Services are Available?... 4 Penetration Testing and Vulnerability Assessment... 4 Cyber

More information

Secure Email Inside the Corporate Network: INDEX 1 INTRODUCTION 2. Encryption at the Internal Desktop 2 CURRENT TECHNIQUES FOR DESKTOP ENCRYPTION 3

Secure Email Inside the Corporate Network: INDEX 1 INTRODUCTION 2. Encryption at the Internal Desktop 2 CURRENT TECHNIQUES FOR DESKTOP ENCRYPTION 3 A Tumbleweed Whitepaper Secure Email Inside the Corporate Network: Providing Encryption at the Internal Desktop INDEX INDEX 1 INTRODUCTION 2 Encryption at the Internal Desktop 2 CURRENT TECHNIQUES FOR

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

How To Prevent Hacker Attacks With Network Behavior Analysis

How To Prevent Hacker Attacks With Network Behavior Analysis E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal

More information

White paper. Why Encrypt? Securing email without compromising communications

White paper. Why Encrypt? Securing email without compromising communications White paper Why Encrypt? Securing email without compromising communications Why Encrypt? There s an old saying that a ship is safe in the harbour, but that s not what ships are for. The same can be said

More information

Cyber Warnings E-Magazine August 2015 Edition Copyright Cyber Defense Magazine, All rights reserved worldwide

Cyber Warnings E-Magazine August 2015 Edition Copyright Cyber Defense Magazine, All rights reserved worldwide 1 Cyber Warnings E-Magazine August 2015 Edition End-to-End Encryption for Emails. An Organizational Approach by Dr Burkhard Wiegel, Founder and CEO, Zertificon Solutions The threat to electronic enterprise

More information

FTA Computer Security Workshop. Secure Email

FTA Computer Security Workshop. Secure Email FTA Computer Security Workshop Secure Email March 8, 2007 Stan Wiechert, KDOR IS Security Officer Outline of Presentation The Risks associated with Email Business Constraints Secure Email Features Some

More information

Top five strategies for combating modern threats Is anti-virus dead?

Top five strategies for combating modern threats Is anti-virus dead? Top five strategies for combating modern threats Is anti-virus dead? Today s fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management

Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management Sorting out SIEM strategy Five step guide to full security information visibility and controlled threat management This guide will show you how a properly implemented and managed SIEM solution can solve

More information

CONTENTS. 1.0 Introduction

CONTENTS. 1.0 Introduction CONTENTS 1.0 Introduction 2.0 Why we are different? 2.1 What can a Firewall do? 2.2 What can an Intrusion Detection System do? 2.3 What can a Mail Security System do? 2.4 What can Defencity NetSecure do?

More information

Email Privacy 101. A Brief Guide

Email Privacy 101. A Brief Guide Trend Micro, Incorporated A brief guide to adding encryption as an extra layer of security to protect your company in today s high risk email environment. A Trend Micro White Paper I February 2009 A brief

More information

SORTING OUT YOUR SIEM STRATEGY:

SORTING OUT YOUR SIEM STRATEGY: SORTING OUT YOUR SIEM STRATEGY: FIVE-STEP GUIDE TO TO FULL SECURITY INFORMATION VISIBILITY AND CONTROLLED THREAT MANAGEMENT INTRODUCTION It s your business to know what is happening on your network. Visibility

More information

Acceptable Use of ICT Policy For Staff

Acceptable Use of ICT Policy For Staff Policy Document Acceptable Use of ICT Policy For Staff Acceptable Use of ICT Policy For Staff Policy Implementation Date Review Date and Frequency January 2012 Every two Years Rev 1: 26 January 2014 Policy

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Encryption and Digital Signatures

Encryption and Digital Signatures GreenNet CSIR Toolkit Briefing no.3 How to protect privacy, and your identity, online Written by Paul Mobbs for the GreenNet Civil Society Internet Rights Project, 2002. http://www.internetrights.org.uk/

More information

Evaluate the Usability of Security Audits in Electronic Commerce

Evaluate the Usability of Security Audits in Electronic Commerce Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

INTRODUCTION TO CRYPTOGRAPHY

INTRODUCTION TO CRYPTOGRAPHY INTRODUCTION TO CRYPTOGRAPHY AUTHOR: ANAS TAWILEH anas@tawileh.net Available online at: http://www.tawileh.net/courses/ia This work is released under a Creative Commons Attribution-ShareAlike 2.5 License

More information

March 2005. PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

March 2005. PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools March 2005 PGP White Paper Transport Layer Security (TLS) & Encryption: Complementary Security Tools PGP White Paper TLS & Encryption 1 Table of Contents INTRODUCTION... 2 HISTORY OF TRANSPORT LAYER SECURITY...

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

So the security measures you put in place should seek to ensure that:

So the security measures you put in place should seek to ensure that: Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.

More information

PineApp TM Mail Encryption Solution TM

PineApp TM Mail Encryption Solution TM PineApp TM Mail Encryption Solution TM How to keep your outgoing messages fully secured. October 2008 Modern day challenges in E-Mail Security Throughout the years, E-Mail has evolved significantly, emerging

More information

Seamless ICT Infrastructure Security.

Seamless ICT Infrastructure Security. Seamless ICT Infrastructure Security. Integrated solutions from a single source. Effective protection requires comprehensive measures. Global networking has practically removed all borders in the exchange

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Tumbleweed MailGate Secure Messenger

Tumbleweed MailGate Secure Messenger EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT Tumbleweed MailGate Secure Messenger JANUARY 2007 www.westcoastlabs.org 2 EMAIL SECURITY SOLUTIONS TECHNOLOGY REPORT CONTENTS MailGate Secure Messenger Tumbleweed

More information

How To Deal With A Converged Threat From A Cloud And Mobile Device To A Business Or A Customer'S Computer Or Network To A Cloud Device

How To Deal With A Converged Threat From A Cloud And Mobile Device To A Business Or A Customer'S Computer Or Network To A Cloud Device Ten Tips for Managing Risks on Convergent Networks The Risk Management Group April 2012 Sponsored by: Lavastorm Analytics is a global business performance analytics company that enables companies to analyze,

More information

IT Security. Securing Your Business Investments

IT Security. Securing Your Business Investments Securing Your Business Investments IT Security NCS GROUP OFFICES Australia Bahrain China Hong Kong SAR India Korea Malaysia Philippines Singapore Sri Lanka Securing Your Business Investments! Information

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

The GlobalCerts TM SecureMail Gateway TM

The GlobalCerts TM SecureMail Gateway TM Glob@lCerts PRODUCT OVERVIEW: The GlobalCerts TM SecureMail Gateway TM Automatic encryption and decryption is unique to the SecureMail Gateway. The GlobalCerts SecureMail Gateway is based on a network

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

Law & Ethics, Policies & Guidelines, and Security Awareness

Law & Ethics, Policies & Guidelines, and Security Awareness Law & Ethics, Policies & Guidelines, and Security Awareness Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of

More information

Compliance in the Corporate World

Compliance in the Corporate World Compliance in the Corporate World How Fax Server Technology Minimizes Compliance Risks Fax and Document Distribution Group November 2009 Abstract Maintaining regulatory compliance is a major business issue

More information

Brainloop Cloud Security

Brainloop Cloud Security Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating

More information

Effective Intrusion Detection

Effective Intrusion Detection Effective Intrusion Detection A white paper by With careful configuration and management, intrusion detection systems can make a valuable contribution to IT infrastructure security s Global network of

More information

More effective protection for your access control system with end-to-end security

More effective protection for your access control system with end-to-end security More effective protection for your access control system with end-to-end security By Jeroen Harmsen The first article on end-to-end security appeared as long ago as 1981. The principle originated in ICT

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Email Encryption Made Simple

Email Encryption Made Simple Email Encryption Made Simple For organizations large or small Table of Contents Who Is Reading Your Email?....3 The Three Options Explained....3 Organization-to-organization encryption....3 Secure portal

More information

HP PROTECTTOOLS EMAIL RELEASE MANAGER

HP PROTECTTOOLS EMAIL RELEASE MANAGER HP PROTECTTOOLS EMAIL RELEASE MANAGER Business white paper HP ProtectTools Email Release Manager provides enhancements to the Microsoft Exchange and Outlook clients. HP has developed HP ProtectTools Email

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

STRONGER ONLINE SECURITY

STRONGER ONLINE SECURITY STRONGER ONLINE SECURITY Enhanced online banking without compromise Manage your business banking efficiently and securely Internet banking has given business leaders and treasurers greater control of financial

More information

A Guide to Information Technology Security in Trinity College Dublin

A Guide to Information Technology Security in Trinity College Dublin A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

Exam Papers Encryption Project PGP Universal Server Trial Progress Report Exam Papers Encryption Project PGP Universal Server Trial Progress Report Introduction Using encryption for secure file storage and transfer presents a number of challenges. While the use of strong, well

More information

Securing Endpoints without a Security Expert

Securing Endpoints without a Security Expert How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Securing Endpoints without a Security Expert sponsored by Introduction to Realtime Publishers by Don Jones, Series

More information

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is 1 2 This slide shows the areas where TCG is developing standards. Each image corresponds to a TCG work group. In order to understand Trusted Network Connect, it s best to look at it in context with the

More information

Implementing Transparent Security for Desktop Encryption Users

Implementing Transparent Security for Desktop Encryption Users Implementing Transparent Security for Desktop Encryption Users Solutions to automate email encryption with external parties Get this White Paper Entrust Inc. All All Rights Reserved. 1 1 Contents Introduction...

More information

The strategic importance of email encryption Securing business data and email traffic throughout its journey

The strategic importance of email encryption Securing business data and email traffic throughout its journey A White Paper by Bloor Research Author : Nigel Stanley Publish date : November 2007 This document is Copyright 2007 Bloor Research Some email traffic is now far too important to encrypt solely at an organisation

More information

The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments

The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments #1 Management and Security for Windows Server and Hyper-V The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments by Brien M. Posey In the not too distant past, VMware was the hypervisor of

More information

2012 Endpoint Security Best Practices Survey

2012 Endpoint Security Best Practices Survey WHITE PAPER: 2012 ENDPOINT SECURITY BEST PRACTICES SURVEY........................................ 2012 Endpoint Security Best Practices Survey Who should read this paper Small and medium business owners

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

KEEPING PATIENT INFORMATION SAFE AND SECURE IN THE CLOUD

KEEPING PATIENT INFORMATION SAFE AND SECURE IN THE CLOUD CASE STUDY Take Cover The costs of exposing or losing patient information can ruin a dental practice. Cloud-based solutions can protect your business and your patients against these threats: Unauthorized

More information

Table of Contents. Page 2/13

Table of Contents. Page 2/13 Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities

More information

Email Security Policies

Email Security Policies 09-0264ch07.qxd 10/11/01 12:31 PM Page 103 7 Email Security Policies W E ARE QUICK TO EMBRACE NEW TECHNOLOGIES when they improve the ability to communicate.the explosion of email is the most recent testament

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

Guidelines Related To Electronic Communication And Use Of Secure E-mail Central Information Management Unit Office of the Prime Minister

Guidelines Related To Electronic Communication And Use Of Secure E-mail Central Information Management Unit Office of the Prime Minister Guidelines Related To Electronic Communication And Use Of Secure E-mail Central Information Management Unit Office of the Prime Minister Central Information Management Unit Office of the Prime Minister

More information

Internet threats: steps to security for your small business

Internet threats: steps to security for your small business Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential

More information

How much do you pay for your PKI solution?

How much do you pay for your PKI solution? Information Paper Understand the total cost of your PKI How much do you pay for your PKI? A closer look into the real costs associated with building and running your own Public Key Infrastructure and 3SKey.

More information

Is your data secure?

Is your data secure? You re not as safe as you think Think for a moment: Where do you keep information about your congregants or donors? In an Excel file on someone s desktop computer? An Access database housed on your laptop?

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

Malicious Email Mitigation Strategy Guide

Malicious Email Mitigation Strategy Guide CYBER SECURITY OPERATIONS CENTRE Malicious Email Mitigation Strategy Guide Introduction (UPDATED) SEPTEMBER 2012 1. Socially engineered emails containing malicious attachments and embedded links are commonly

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

IBM Data Security Services for endpoint data protection endpoint encryption solution

IBM Data Security Services for endpoint data protection endpoint encryption solution Protecting data on endpoint devices and removable media IBM Data Security Services for endpoint data protection endpoint encryption solution Highlights Secure data on endpoint devices Reap benefits such

More information

ThreatSpike Dome: A New Approach To Security Monitoring

ThreatSpike Dome: A New Approach To Security Monitoring ThreatSpike Dome: A New Approach To Security Monitoring 2015 ThreatSpike Labs Limited The problem with SIEM Hacking, insider and advanced persistent threats can be difficult to detect with existing product

More information

The Advantages of a Firewall Over an Interafer
