There are two sides to security risks—threats and vulnerabilities. It is not until a threat meets a vulnerability that a security incident occurs. Threats will always be out there, somewhere. They can be discouraged through deterrence mecha-nisms, such as the possibility of punishment or retaliation, or they can be avoided by not engaging in activities that are threatened. Protective and defen-sive measures can be installed that will attempt to prevent attacks or ward off an attack when it occurs. Or vulnerabilities can be fixed so that an attacker pene-trating defenses cannot perpetrate damage. In what follows, we shall list the more common IT-related threats and vulnerabilities and indicate how out-sourcing affects them and how they affect outout-sourcing.
Threats
That the greatest threats to an organization reside within the organization itself is a commonly held belief by information security professionals and, by the press, although reporters emphasize external threats.
From Internal Sources
A number of categories of insiders present threats to the integrity and availability of an organization’s computer networks and systems and to the confidentiality of the information that traverse over them and resides in them, respectively.
11
The Disgruntled Employee
The typical disgruntled employee might have been fired or still be on staff and is often from the IT department. He or she has all the qualities needed for wreak-ing havoc—intimate knowledge of the firm’s computer applications, networks, systems, and procedures; physical access to the premises; logical access to appli-cations and systems; and the desire to do harm.1
The Insider
The insider is an employee, contractor, or consultant who is very familiar with the organization’s applications, systems, and procedures and who is able to use that knowledge for personal gain, through fraud, embezzlement, money laun-dering, and other methods.
The Opportunist
The opportunist is either an insider or an outsider who comes across a flaw or
“hole” in a computer application or system, often by chance, and, rather than reporting the flaw to the appropriate authorities, decides to exploit it for per-sonal gain.
The opportunist is just as guilty of committing a crime as someone who intentionally gains illegal entry into a system. Because of the risks relating to opportunism, many computer systems display a message or banner screen, as a deterrent, stating that information available through the system is proprietary or confidential. This notice might also state that the organization will take action—disciplinary and/or legal—should anyone steal or misuse the informa-tion that they are able to access.
Inadvertent Destroyer
The inadvertent destroyer is probably responsible for much computer system compromise and damage. Such a person can be an employee or contractor with legitimate access to various systems, or a customer who is entitled to access applications and information and to perform a variety of tasks. He or she might also be a support person or an administrator who is unfamiliar with a system and its nuances.
The inadvertent destroyer might be following normal procedures and then, either accidentally or mistakenly, issue a command or series of commands
12 Outsourcing Information Security
1. There have been cases where an employee has been fired and the guards, particularly those on nights and weekends, not have been informed. The ex-employee will come to the facility, pretend to have lost his or her ID card and, because the guard knows him or her, be allowed onto the premises. If the ex-employee’s system access has not been terminated, he or she has free reign of the systems. The company may not wish to pursue the matter as it would pub-licly disclose deficiencies in its controls.
outside the range of standard operations. The new command(s) might trigger inappropriate system responses or cause the system to fail. Since the culprit did not intend to intrude or cause an error, he or she is likely to report the incident, request official assistance, or simply not repeat the action, as opposed to exploit-ing it, which the opportunist would do. Such situations might come to light only if they create a severe error or breakdown.
The main concern for the organization is a reduction in confidence, because the system has exhibited a vulnerability that might be exploited by less well-intentioned individuals.
From External Sources
A number of types of individuals having very different motivations will attack or try to infiltrate an organization’s networks and computer systems.
The Hacker (aka the Cracker)2
In the public’s mind, the hacker—an evildoer who attacks systems—poses the greatest threat. Such a person might deface Web sites, steal credit card numbers (and sell them, hold them for ransom, or use them fraudulently), or put smart-aleck remarks on workstation screens. The hacker generally does damage to the system, commits fraud, and creates a publicity nightmare for affected organizations. To some extent, this notoriety is a result of the hyped reporting of an enthralled press.
The hacker has been generally depicted as a teenager playing with his com-puter in his bedroom, as shown in the movieWar Games. The problem with this movie is that the hacker is made into a hero by saving the day and preventing the destruction of the world—a possibility that he created himself.
Information Security Risks 13
2. Some people feel very strongly about what they consider the misuse of the term “hacker.”
Originally, this term applied to a very bright, competent computer programmer and/or sys-tems expert who would try to break into syssys-tems to reveal their deficiencies and vulnerabili-ties. The purpose of these ventures was to point out weaknesses in the systems so that the systems’ builders could repair them and produce better quality work. The vindictive, destruc-tive fellow, who is intent on breaking a system for the fun of it and to show his peers how smart he is, was termed a “cracker.” Today, common usage is to apply the word “hacker” to anyone attempting to break into a system. Just to make things more complicated, the term
“ethical hacker” arose to distinguish between the good guys or “white hats” and the bad ones, the “black hats.” The distinction is fuzzy and difficult to deal with in real situations. The question arises as to whether or not one should hire a “reformed hacker,” or a firm that em-ploys such, to do one’s security work. In this case, the person may be a known renegade, and may even have served jail time, but someone who has apparently seen the light and now only works on the right side of the law.
Too often this image of the playful prankster, who just happens to be smart or lucky enough to intrude into a supposedly well-protected computer system, prevails. Such a portrayal masks the criminal aspect of the deed. The crime of hacking is just as insidious and despicable as physically breaking into a building and smashing computer equipment or stealing secret files.
The Thief
While the hacker is interested in kicks and may be characterized by the teenager in his room, a more serious group of individuals intends to steal money or other valuable assets. This type of attacker is often well funded, highly committed to success, and not easily deterred or discouraged. The thief’s unassisted exploits are likely to be less frequent and less successful than those that feature collusion with current or former internal staff, because inside knowledge of the systems, their vulnerabilities, and their most lucrative assets is extremely helpful.
The thief differs from the opportunist only in that he is actively searching for a “hole” in the system, versus just coming across one by chance. The persis-tence of this type of perpetrator works against an organization’s defenses. Mostly the thief wants to leave as little evidence of the intrusion and missing assets as possible so as not to activate pursuit and capture. Such behavior contrasts with that of the hacker who wants his exploits to be noticed and publicized widely and who may, in some circumstances, notify authorities and the press of his be-ing responsible for the attack.
The Virus Creator and Distributor
Computer viruses or worms that spawn across the Internet in a matter of hours or, more recently, in minutes, are opportunistic, undirected forms of attack.
The person who generates the virus (or worm or Trojan horse) cannot be sure whom it will infect and who will spread the virus to others.
Individuals develop and spread viruses for a variety of reasons, such as to claim success to peers or to do damage for its own sake. The virus creator never knows for sure what the impact might be and, when caught, he often appears genuinely surprised that he was successful. The original Morris worm is a case in point—it was much more successful than its creator Robert T. Morris had anticipated [1]. There are perhaps hundreds, even thousands, of new viruses cre-ated every day and very few ever make it into “the wild.” Of those that do, very few spread globally and cause significant damage and cost.
Although the numbers are not known, one might expect that those hack-ers who have specific intentions and targets are much more successful than virus creators, since, even if specific targets are not sought out in advance, the general category of victims, such as banks, can be selected and targeted.
Organizations have different policies regarding employee activities.
Some organizations restrict e-mail and Internet access, some screen incoming
14 Outsourcing Information Security
and outgoing e-mails, some restrict access to certain Web sites, some allow standalone modems, and so on. When an organization engages a third party to provide IT services, their security standards and controls are almost certainly dif-ferent (either better or worse) than those of the outsourcing company. These differences generally increase the risk of hacking of the combined organizations.
The Spy
The industrial or national spy can be dangerous to the credibility and viability of an organization. Such a person, or group of individuals, attempts to steal secrets about networks, systems, operations, and data. Such information can lead to subsequent acts of theft or terrorism or can be used for direct financial or mili-tary gain, often through the selling of secrets to other interested parties.
The spy has been profiled as a male in his twenties or thirties, usually from Eastern Europe or Russia, well funded by competing companies or opposing governments, and highly sophisticated in the use of expensive technologies. This image differs from that of the hacker as a teenager or student with too much time on his hands.
While there are potential spies within one’s own organization and country, the possibility of providing access to spies increases dramatically when functions are outsourced to other companies. This is of special concern in countries where segments of the population are either equivocal or opposed to the client organi-zation’s own regime and sympathetic to other opposing philosophies.
The Cyber Terrorist
The cyber terrorist might be a combination spy and thief, but his motivation is generally destruction of, or major damage to, the “enemy.” His methods are very specific and are aimed against well-defined targets. He may be acting alone, but is more likely to be part of a group. The nation state or terrorist group for which he works pays for his activities and is likely to be well funded itself.
Instances of cyber terrorism include events such as when Chinese hackers broke into and defaced U.S. government Web sites in protest of the deaths of a group of students on a boat that was inadvertently capsized by an American sub-marine. Another example is the bombing of the Chinese embassy in Kosovo, which activated a spate of cyber attacks against U.S. sites. During the Bosnian war, the United States itself blocked telecommunications using hacking tech-niques—or “cyber warfare,” as such hacking is now known.
Because cyber terrorism involves specific targets, the organizations that are potential targets should understand their exposure, which may be due to their preeminence, popularity, or importance. Furthermore, they need take appropri-ate countermeasures.
Following the attack on the World Trade Center in 2001, it has become much more evident that the critical infrastructures that support a modern
Information Security Risks 15
economy—such as energy, telecommunications, and transportation—are highly interdependent and very vulnerable to attack, even an indirect attack.3
This fact is understood by nations with a desire to destroy U.S. political and economic systems. Ongoing evidence exists of scans being done on crucial systems in the infrastructure, which is clearly the type of research that can pre-cede terrorist attacks.
The fact that cyber terrorism has not become more prevalent to date is just a matter of preparedness and opportunity. Clearly, cyber terrorism is strongly indicated to become a preferred method as time goes by because it can be acti-vated remotely from outside the target country.
Outsourcing to third parties, both at home and abroad, might inadver-tently provide potential terrorists access to vulnerable infrastructure systems and networks.
Review of Threats
As can be seen from the above descriptions, threats of attack can come from sources that are internal or external, amateur or professional, motivated by per-sonal gain or political cause, supported on a shoestring or well funded, and so on. From a protection point of view, the source of an attack may or may not result in a different defense. Ideally, an organization will build defenses that can meet all types of attack, but this is neither physically or economically feasible.
Some middle-of-the-road approach is often taken, with everyday attacks being thwarted through regular methods, and with the more sophisticated and damag-ing attacks bedamag-ing addressed accorddamag-ing to their risk and the availability of cost-effective countermeasures.4
16 Outsourcing Information Security
3. The recognition of critical infrastructure interdependencies and the importance of protecting the critical infrastructure began in the United States in the early 1960s as a result of the Cu-ban missile crisis. However, the recent national plans and strategies emanated from the Presi-dential Decision Directive No. 63 (PDD-63) issued in May 1998 and escalated as Y2K approached. For an overview of initiatives relating to critical infrastructure and a description of the interdependencies, see [2].
4. Whereas it might seem reasonable to determine the level of security through economic risk analysis, laws and regulations reflect the risk appetites of legislators and regulators, which re-flect those of their constituents. Hence, certain threats, such as identity theft, are given greater prominence in laws and regulations because of the relative influence of individual vot-ers vvot-ersus corporate lobbies. The cost of protecting against such threats may well be much higher than the benefits perceived from the corporate standpoint, or even for society as a whole. However, the potential for very expensive and damaging actions by regulators, for ex-ample, will generally favor compliance at any cost. Of course, the cost is eventually borne by customers and taxpayers.
When an organization has reached what is considered an acceptable level of defense, then it must ensure that its business partners, particularly third-party service providers, match or exceed that standard. Otherwise, the quality of pro-tection is diminished by having less well-protected business partners introduce vulnerabilities into the overall infrastructure of the organization.
Vulnerabilities
A threat can do actual damage only if it comes up against vulnerable systems, processes, and procedures. There are many forms of vulnerability, ranging from technical to human, which need to be identified, evaluated, and mitigated.
Computer Systems and Networks
Modern computer systems and networks have all the characteristics that make for vulnerability. They are, among other things, generally accessible, ubiquitous, complex, written for features rather than security, and dependent on human beings, particularly in the handling of nonstandard situations.
The esoteric knowledge of computers and access to them, which were for a long time in the hands of a few specialists, are now broadly available. Millions of individuals around the world have been trained in application development, sys-tem programming, technical support, customer assistance, and syssys-tem admini-stration. Such skills are readily acquired by an educated population, easily transferable, and largely independent of location. These computer-savvy indi-viduals, along with the hundreds of millions who have become proficient with PCs, have created a huge body of technical knowledge that can be used either productively or destructively. Add to that the global access provided by the Internet and you have a formula for malicious activities with far-reaching consequences.
Adding another dimension to the already difficult problem, outsourcing requires the management and control of computer experts across additional organizations. By entering into an outsourcing partnership, one organization automatically exposes its networks and systems to a new set of individuals, many of whom will have high levels of expertise and some of whom might have evil intentions. However vulnerable an organization might be from the misdeeds of its own internal staff, it is much more so when it links up with other entities.
Software Development
Expectations about the capabilities of computer systems have always run ahead of the technology needed to manage and control them. This has created a culture in which, for the most part, application functionality precedes quality
Information Security Risks 17
and security. The fact of the matter is that applications and systems software have not in general been built to be secure, and as a result they usually contain many bugs or holes—vulnerabilities that can be exploited by evildoers.
Pressure from critics and customers has resulted in an emphasis on secu-rity, as in a recent pronouncement by Bill Gates that security is now the number one priority at Microsoft. However, it still remains to be seen whether this new concern with security is a knee-jerk reaction or a long-term commitment.5
Another area of concern regarding software, either commercial or home-grown, is the chance that someone will purposely inject malicious or exploitable code into a program. There have been several instances of computer viruses being put into shrink-wrapped software, intentionally or unintention-ally, without the knowledge of the manufacturer. Concern has been frequently expressed in regard to software developed or modified in foreign countries, where activist groups might be determined to undermine the recipient of the software.
When organizations partner in an outsourcing arrangement, the likeli-hood of significant differences in cultures, attitudes, and standards of excellence is high, particularly when it comes to security requirements. Objective standards are needed, against which the quality and security aspects of software can be measured. As discussed later, some standards do exist, but they are not univer-sally accepted.
Systemic Risks
Even if software or equipment is robust and carefully tested and scanned for
Even if software or equipment is robust and carefully tested and scanned for