Agencies are advancing toward the promised land of electronic commerce - but not without hitting security potholes.
The increasing use of the World Wide Web has created a push for government agencies to offer services online. The benefits are many but only by performing properly scoped threat and risk assessments can organisations be sure they are prepared for any risks that e-commerce may bring.
Online delivery of services carries benefits such as streamlining agency interaction and cost savings. In terms of security risk, however, delivering services over the Internet differs significantly from operating on a traditional private network. The number of potential attackers mushrooms, and they are no longer confined to the category of disaffected staff. Attackers may range from corporate or national agents to miscreant kids looking for some fun.
Other elements also increase the risks of online commerce. Firstly, users are anonymous until authentication is completed. Tracing a person from a network address, though technically possible, is rarely practical, especially when the (possibly compromised) computer is located in a foreign country. This means that, in cases of fraudulent activity, financial restitution or prosecution is unlikely to be an option. Secondly, attackers can now work in ways that were difficult, or impossible, on yesterday's tightly controlled networks. Thirdly, e-commerce systems development remains immature. Many organisations use inexperienced developers who lack secure-programming skills, exposing the company's IT assets to high levels of risk. In many cases security takes second place while the battle for functionality is fought out.
Assessing the Risk
Threat and risk assessment can play a vital part by quantifying the level of risk and helping the organisation to plan the most effective strategy for its reduction. Such assessments of information systems typically follow a methodology of asset identification, threat and vulnerability analysis, and risk analysis.
During the identification stage, assets are divided into four categories: information, service, intangible and monetary. In a typical e-commerce system, information assets would be found in databases. The hardware running the database and the networks enabling access would be considered service assets. The goodwill of customers using the services would be an example of an intangible asset. Assessors should also consider monetary assets, since these are likely to be affected, directly or indirectly, by any compromise of the other three. Identifying an organisation's most valuable assets lets assessors concentrate security measures where they provide the greatest risk reduction.
The next stage is threat and vulnerability analysis. At this point the possible goals and the likelihood of various attacks are considered through attacker profiling. Consequence analysis is used to identify the impact of threats on assets. The last step is to explore the attack methods an attacker may use by building attack "trees".
Attacker profiling identifies the types of attacker who might try to compromise a system and attempts to estimate their goals and motivation. At one end of the spectrum may be an attacker whose goal is simply to deface a site, motivated by the desire for "hacker" notoriety. At the other end may be a foreign agent whose goal is to steal national secrets and whose motivation is nationalism or financial gain. The size and prominence of an organisation may well determine the likely goal of an attack. Smaller organisations may be targeted simply as bases for launching further attacks against bigger ones. The profiles and goals of attackers are a good indication of their skill level. An attacker seeking notoriety is likely to have fewer skills than a professional attacker engaged in industrial or political espionage. As skill and inside knowledge increase, the likelihood of compromise rises and the likelihood of detection falls.
Consequence analysis is used to determine the likely result of an attack on an asset; the degree to which an asset is threatened depends on the asset itself. There are four classes of threat to an organisation's information systems: disclosure, modification, denial of availability, and destruction. Disclosure of an already publicly available price list would have no consequence. Disclosure of information about clients or suppliers, however, may have a financial or even legal consequence. With the introduction of privacy legislation, organisations may find that, after a compromise, they are legally culpable for having had inadequate privacy protections.
The last part of the threat and vulnerability analysis is the construction of attack trees. These show the steps necessary for a threat to be realised. First the attacker's end goal is placed at the root, then each sub-goal that would have to be accomplished is identified beneath it, and so on down to individual actions. Where any one sub-goal suffices, the branches are alternatives; where several must all be achieved, the branch requires every one of them. When complete, the attack trees should show every way the assessors can identify for an attack on any asset to be carried out; the trees are only as complete as the assessors' knowledge of attack methods, which is why experienced assessors matter.
For example, if the goal of an attacker is to read from database files, two possible paths suggest themselves. In the first, the attacker gains access to the computer containing the database and is able to read the files directly from the local disks. In the second, the attacker reads the data through the database service itself. This requires both that the attacker can connect to the database service and that they have obtained a username and password for authentication. Many methods may be used to obtain usernames and passwords. They range from low-tech methods such as "dumpster diving" (literally wading through garbage for carelessly discarded usernames and passwords) or pretending to be somebody else on the telephone, to high-tech methods such as tapping a network wire or compromising a machine that already has access to the database.
Finally, the data gathered during the asset identification and threat and vulnerability stages is analysed and the likelihood of the various attacks considered. Countermeasures are then proposed that best reduce the risk to the organisation; a countermeasure that closes the cheapest branch of a tree forces the attacker onto a more expensive one, and the tree can be re-evaluated to show how much risk remains.
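The attack tree from the database example, evaluated the way the assessment procedure above describes it, as an added example that is not part of the original article. Sub-goals are "OR" nodes (any branch suffices) or "AND" nodes (every branch is needed); each leaf carries an assumed effort cost and a minimum attacker skill taken from the attacker profile. The node names, costs, skill levels and consequence scores are constructed for illustration, and the cost-to-likelihood formula in `risk_score` is a simplifying assumption, not a method from the article.

```python
"""Attack-tree evaluation for the goal "read database contents".

Added example, not from the original article. All names, costs, skill
levels and scores below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "AND" (all children) or "OR" (any child)
    cost: float = 0.0         # assumed attacker effort for a leaf (arbitrary units)
    skill: int = 0            # assumed minimum attacker skill to attempt a leaf (1-3)
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False   # a countermeasure has made this leaf infeasible


def cheapest(node: Node, attacker_skill: int) -> Tuple[float, List[str]]:
    """Cheapest path by which an attacker of `attacker_skill` achieves `node`.

    Returns (total cost, leaf actions on that path); (INF, []) if no path is
    open to this attacker.  OR nodes take the minimum over children, AND
    nodes sum their children because every sub-goal must be achieved.
    """
    if node.kind == "LEAF":
        if node.mitigated or node.skill > attacker_skill:
            return INF, []
        return node.cost, [node.name]
    results = [cheapest(child, attacker_skill) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)
    leaves = [leaf for r in results for leaf in r[1]] if total < INF else []
    return total, leaves


def build_tree() -> Node:
    """The two paths from the article: read the disk directly, or use the service."""
    credentials = Node("obtain DB username and password", "OR", children=[
        Node("dumpster diving for written-down credentials", cost=2, skill=1),
        Node("pretext phone call to the help desk", cost=3, skill=1),
        Node("tap the network and sniff a login", cost=6, skill=2),
        Node("compromise a workstation that can reach the database", cost=8, skill=3),
    ])
    via_service = Node("read via the database service", "AND", children=[
        Node("connect to the database service port", cost=1, skill=1),
        credentials,
    ])
    via_host = Node("read database files from local disk", "AND", children=[
        Node("gain a shell on the database host", cost=10, skill=3),
        Node("read the raw database files", cost=1, skill=1),
    ])
    return Node("read database contents", "OR", children=[via_host, via_service])


def find(node: Node, name: str) -> Optional[Node]:
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def mitigate(root: Node, *names: str) -> None:
    """Apply a countermeasure: mark the named leaf actions as infeasible."""
    for name in names:
        leaf = find(root, name)
        if leaf is None:
            raise KeyError(name)
        leaf.mitigated = True


# Consequence analysis for the customer database (constructed 1-5 scores).
CONSEQUENCE = {"disclosure": 4, "modification": 5, "denial": 3, "destruction": 5}


def risk_score(consequence: int, attack_cost: float) -> float:
    """Risk = consequence x likelihood, with likelihood assumed to fall as
    attack cost rises (an illustrative formula, not the article's)."""
    if attack_cost == INF:
        return 0.0
    return consequence * (10.0 / (10.0 + attack_cost))


if __name__ == "__main__":
    for skill, label in ((1, "notoriety seeker"), (2, "skilled outsider"), (3, "professional")):
        cost, path = cheapest(build_tree(), skill)
        print(f"{label:16s} cost={cost:<4} risk={risk_score(CONSEQUENCE['disclosure'], cost):.2f} via {path}")
    tree = build_tree()
    mitigate(tree, "dumpster diving for written-down credentials",
             "pretext phone call to the help desk")
    print("after shredding and help-desk verification:")
    for skill in (1, 3):
        print(f"  skill {skill}: {cheapest(tree, skill)}")
    mitigate(tree, "tap the network and sniff a login")
    print(f"after encrypting database connections, skill 3: {cheapest(tree, 3)}")
```

Run as-is and the low-skill attacker's cheapest route is the service path with credentials from the bin; shredding and help-desk verification close that branch entirely to the low-skill profile, while the professional is merely pushed onto the network tap, and encrypting connections pushes them further onto the most expensive branch. The numbers themselves are invented, but the exercise of re-running the tree after each proposed countermeasure is the point of the risk analysis stage.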
Short of a technological jihad as envisaged in Frank Herbert's Dune, the use of the Internet for delivering electronic services is here to stay. Accordingly, the prudent organisation will be risk aware and therefore better prepared to thwart cyber sabotage.
Daniel Bradley is research scientist and security consultant, DSTC Security Group, CRC for Enterprise Distributed Systems Technology