There are numerous consequences of mismanaging Internet risks. Missed business and professional opportunities, failure to develop new business, and an inability to compete adequately for market share are all potential consequences. Consumers and clients need confidence that organisations deploy, manage and operate Internet technologies with the skill, care and expertise that give assurance of good practice in the conduct of their business.
Technology risks arise from the deployment, use and operation of technology systems. Typical technology risks arise from insecure messaging systems and inadequate security in the management of data; insufficient business continuity and disaster recovery systems to confront the threat of hackers and other types of intruder; and insecure electronic payment systems. They are referred to as technology risks because they arise primarily from the use of Internet technologies.
The principal technology risks arise from the handling of communications and information. In both respects, security and confidentiality are key concerns for any organisation.
Internally, concerns arise from the way in which confidential and sensitive data is managed, for instance the loss of one or more CD-ROMs containing confidential databases. Externally, similar concerns arise over the exchange of communication and data with consumers and those with whom the organisation may have formed strategic alliances, such as those introducing work or collaborating with the organisation in the provision of goods and services. Here, the principal threat is from external hostile sources interfering with communications and misappropriating confidential data.
The complaint is often heard from senior managers that security is a ‘hard sell’ to boards of directors and partners because it provides no tangible return on investment in terms of greater profitability or the attraction of more business. Commercially, this is an unacceptably short-term view. There are now two major considerations for any organisation in the global marketplace:
1 The need to assure consumers of the security and confidentiality of data in accordance with the provisions of the Data Protection Act (DPA).
2 The increasing tendency of potential consumers to require organisations to specify what security measures are in place for the secure management and confidentiality of their data before entering into a contract for the supply of goods and services.
The various technology risks will be considered in the general categories of:
• communications risk;
• information security risk;
• business continuity;
• IT outsourcing;
• social networks.
Although there are competing methods of communication, such as instant messaging and VoIP, e-mail remains the principal Internet communication technology.
There are four key requirements to be met in achieving adequate security and confidentiality for e-mail communications:
• privacy (confidentiality): e-mail must be transmitted and stored so that only the intended recipient can read it;
• integrity: e-mail must be sent with the confidence of both sender and recipient that its content cannot be altered in transit without detection;
• authenticity: e-mail must be sent so that the recipient can be certain of the person by whom it was sent, rather than relying on the ‘From’ address, which is trivially forged;
• reliability (non-repudiation): e-mail must be sufficiently reliable for the recipient to act upon it with confidence that the sender cannot later deny having sent it.
These communication risks apply to both internal and external e-mail.
However, e-mail also carries additional risks that go beyond confidentiality and security between sender and recipient:
• Attachments may carry malware, such as the Netsky mass-mailing worm. When the attachment is opened, the malware infects the user’s computer and proliferates by automatically despatching itself to addresses in the user’s e-mail address book.
• ‘Phishing’ is a term assigned to e-mail which purports to originate from a source that is well recognised by the user, or from a source that is of high repute, and on which the user acts to his or her detriment. Most frequently, users are persuaded to click on a link to a bogus website resembling a financial institution and to enter personal (security) details which are collected by the website hosts and used to obtain access to the user’s account.
• Social engineering is the manipulation of a recipient into acting against his or her own interests by appealing to trust, authority, urgency or self-interest. Frequently, the user is persuaded to release user names and passwords or, in other cases, to part with money in response to a request to contribute to a ‘good cause’. In other situations, the result is that the user installs malware.
• Storage and archiving of e-mail is subject to various legal and compliance provisions and is also required for the purposes of electronic discovery of legal documents in legal proceedings.
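The phishing and social-engineering bullets above describe a message whose visible link text names a trusted site while the underlying link goes elsewhere. The following is an added example, not code from the book: a small Python checker that extracts the anchors from an e-mail body and flags the patterns a mail filter or analyst would look for. The message body, the `examplebank.test` domain and the `attacker-site.test` address are constructed for the example; the `registrable_domain` helper is a deliberate simplification of a public-suffix lookup, as its comment notes.

```python
"""Flag links in an e-mail body whose visible text names one site while
the href leads somewhere else, or which point at a bare IP address."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body for this example; not a real message.
SAMPLE_BODY = """
<p>Dear customer, please verify your account at
<a href="http://examplebank.example.net.attacker-site.test/login">
https://www.examplebank.test/login</a> within 24 hours.</p>
<p>Our help pages: <a href="https://www.examplebank.test/help">
www.examplebank.test/help</a></p>
<p><a href="http://203.0.113.7/secure">Secure login</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname from a URL or bare domain string; None if there is none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname

def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    list: right for .com or .test, wrong for two-level suffixes like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like_url(text):
    """True if the anchor's visible text reads as a URL or domain name."""
    return "." in text.strip(".") and " " not in text

def suspicious_links(body, expected_domain):
    """Return [(href, reason)] for links that show phishing patterns."""
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if not href_host:
            continue
        if href_host.replace(".", "").isdigit():
            findings.append((href, "href points at a bare IP address"))
            continue
        href_dom = registrable_domain(href_host)
        text_host = host_of(text) if looks_like_url(text) else None
        if text_host and registrable_domain(text_host) != href_dom:
            findings.append((href, f"visible text says {text_host} but href goes to {href_host}"))
        elif expected_domain in href_host and href_dom != expected_domain:
            findings.append((href, f"lookalike: {href_host} is not under {expected_domain}"))
    return findings

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_BODY, "examplebank.test"):
        print(f"{reason}: {href}")
```

Run against the sample body, the first and third links are reported and the genuine help link is not. The lookalike branch also catches hosts such as `secure-examplebank.test.evil.test`, where the trusted name is merely a prefix of the attacker’s hostname; `urlparse(...).hostname` already strips user-info tricks of the form `http://www.examplebank.test@203.0.113.7/`, so those fall into the bare-IP case.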
The risks of using e-mail arise from both the use of the technology and the failure of personnel to be properly trained and educated in the risks.
Instant messaging (IM) comprises text-based electronic communications sent in real time, as opposed to e-mail which is not necessarily sent contemporaneously. Its most useful function is to communicate short messages to large numbers of personnel, for example urgent departmental instructions.
IM traffic commonly bypasses the controls applied to e-mail, such as gateway filtering, content scanning and archiving, and where consumer IM services are used it passes through servers outside the organisation’s control. Risks from the use of instant messaging technology arise in a number of situations such as:
• the distribution of pornographic or copyright material;
• exposure of unencrypted IM traffic to interception by hackers, and the network insecurity that follows;
• the infiltration of viruses and similar malware;
• the assumption of false identities through the uncontrolled use of screen names;
• the emergence of ‘spim’, the equivalent of e-mail spam, which can in turn lead to ‘phishing’ attacks and social engineering exploits;
• lack of knowledge within organisations as to who is using internal messaging systems;
• failure to maintain formal records of IM communications for the purposes of relevant legal and compliance provisions.
Voice over Internet Protocol (VoIP) is the family of protocols used to carry voice calls over IP networks, including the Internet. Rather than using a dedicated telephone network, voice calls are sent over existing digital data networks.
Skype (www.skype.com) is an example of telephony technology which enables users to make calls using Internet technology. Calls to other users are generally free, unless made to landline or mobile telephones.
As a result, many organisations are now using converged communication networks for voice and data, commonly referred to as unified communications. Some of the benefits include free calls between departmental offices; lower maintenance costs for the use of one network; and flexibility for remotely located personnel.
Potential risks from the use of VoIP communications may arise in a number of situations:
• since VoIP involves the use of the Internet, the same potential vulnerabilities arise as in the case of e-mail and IM;
• potential vulnerabilities arise in respect of hackers, denial-of-service attackers and eavesdroppers;
• unencrypted VoIP calls can be intercepted and recorded, and call signalling can be manipulated to redirect calls;
• ‘phishing’ attacks can emerge, where an intruder poses as an institution or other trusted body and obtains confidential data;
• spam over Internet telephony can arise, otherwise referred to as ‘spit’, in the same way as applies to e-mail.
In any organisation, communications are contained within a network. Networks link all personnel internally and may also link external agencies, such as other stakeholders, suppliers, introducers and strategic allies.
Most importantly, it is now common for networked communications to be extended to include consumers and clients. The most common mechanism for this is the secure extranet. This enables consumers and clients to interact with the organisation over business in hand and to track and supervise how the transaction is conducted.
Networks are protected by firewalls: dedicated appliances, or software, that govern the entry and departure of data from the organisation’s network. A firewall is configured to block unwanted inbound communications and can also prevent the sending of certain material. It controls traffic only at the point where it sits, so it offers no protection to data that has already left the network.
However, in recent years, the proliferation of mobile devices, such as laptop computers, mobile phones, iPods and the Blackberry as well as removable storage devices, such as the CD-ROM and memory sticks means that increasing amounts of data are now passing beyond the corporate network and, therefore, beyond the control and management of the corporate firewall. This trend for data to be removed beyond the traditional network is called deperimeterisation. The volume of mobile communications makes deperimeterisation a business necessity.
Business is now conducted globally and mobile workforces operate all over the world, connected to the organisation’s network through mobile devices. Data no longer remains under the protection of the corporate firewall; it is stored in numerous portable devices owned and managed by a wide variety of personnel, each of whom is connected to the network.
An example of the vulnerability of organisations in this respect is the recent loss of a CD-ROM which contained data relating to approximately 25 million individuals who were in receipt of child allowance.
A more frequent example is that of laptop computers being left in taxis or otherwise mislaid, without any form of data encryption being applied to the hard drive.
Portable storage media present a particular danger. A disgruntled employee with access to the corporate network can download and save valuable corporate data on a memory stick in a matter of seconds and pass the contents to a competitor. Such storage devices are also capable of being used to spread viruses, which can enter the network and cause significant periods of down time.
The risks from the deperimeterised environment raise some difficult issues, such as:
• the need to develop policies to ensure remotely working personnel protect the organisation’s data;
• the need to identify and apply technologies that will secure the different types of mobile communications and storage devices;
• the prevention of loss of data;
• the need for additional security procedures for the performance of the organisation and its personnel;
• the need to develop a security infrastructure beyond the network at proportionate cost.
Firewalls offer adequate protection within a closed and defined network, but cannot be applied to individual types of mobile device. Encryption of data is a partial solution, but there is nothing to stop the owner of, say, a company laptop computer from transferring an unencrypted version of the data to another computer or memory stick.
Hackers are a threat to any network. Their prime objective is to obtain access to a corporate network through breaching security. Some hackers are ‘professionals’ while others are bored or disaffected employees or even youths.
Wireless networks pose considerable risks to organisations whose employees use this technology. Increasingly, wireless-enabled mobile technology is employed with users having little understanding of the security implications. Critical for adequate network protection are the security settings on routers. Default settings from the manufacturer are not necessarily sufficient. The highest level of security protocol the equipment supports should be applied: WPA2, or WPA3 where available. The older WEP and original WPA settings are known to be breakable and should not be relied upon.
Hacking is an offence under the Computer Misuse Act 1990. Section 1 makes it an offence to access computer material without authority; Section 2 makes it an offence to access material intending to commit further offences; and Section 3 (as originally enacted) makes it an offence to make an unauthorised modification of computer material, for instance by introducing a computer virus.
This Act was amended by the Police and Justice Act 2006: Section 35 extends the definition of accessing a computer without authority; Section 36 extends the scope of committing acts with intent to impair the operation of a computer; and Section 37 addresses the making, supplying or obtaining articles for computer misuse offences.
Typical hacking activities might include:
• defacement of a website;
• obtaining access to and stealing information;
• corrupting data;
• the illicit use of credit cards in corporate payment systems.
Data is a highly valued corporate asset. The numerous types of Internet technology mean that data is stored in a wide range of sources within an organisation. Examples are hard drives, memory sticks, mobile devices, intranets and extranets, and storage area networks.
Not only must an organisation protect its data from external intruders and hackers, it must also ensure that personnel are trained and educated in appropriate data-handling procedures, usually through acceptable-use policies.
The wide range of data sources and storage devices combined with the need to impose and manage internal and external technological and operational controls make a consistent approach to data management a significant problem for any organisation.
Apart from data leakage and the direct theft of data by external parties, such as hackers, there are other issues that arise in which the organisation does not necessarily suffer a loss of data but, instead, data is in some way compromised.
Website ‘scraping’ can be a potential risk to valuable data, if performed illegally or without authority. This involves the extraction, collation, harvesting and retention of data from websites; a practice which may potentially be in breach of the terms of use of many websites.
Websites and their data are also at risk of Structured Query Language (SQL) injection attacks. Where a site builds its database queries by pasting user-supplied input (a form field, a URL parameter, a cookie) directly into the SQL text, an attacker can supply input that contains SQL syntax and so changes the meaning of the query. This presents the opportunity for hackers to read, alter or delete sensitive data and even to take control of the database.
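To make the mechanism concrete, the following is an added example, not code from the book: the same login lookup written first by string concatenation and then with bound parameters, run against an in-memory SQLite table so that the effect of a crafted user name is directly observable. The table, the account names and the passwords are constructed for the example.

```python
"""SQL injection: one login lookup written two ways, run against an
in-memory SQLite table so the difference can be observed."""
import sqlite3

def make_db():
    """Constructed sample accounts for the example; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "staff"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by concatenation. The input becomes part of the
    SQL grammar, so a value containing a quote and a comment marker
    rewrites the WHERE clause instead of being compared as text."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterised(conn, username, password):
    """Same lookup with bound parameters. The driver sends the statement
    and the values separately, so the values can only ever be data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    crafted = "alice'--"   # closes the string, then comments out the password check
    print("vulnerable:    ", login_vulnerable(conn, crafted, "wrong"))
    print("parameterised: ", login_parameterised(conn, crafted, "wrong"))
    print("dump all rows: ", login_vulnerable(conn, "x' OR 1=1--", ""))
```

With the crafted name the concatenated query becomes `... WHERE username = 'alice'--' AND password = 'wrong'`; everything after `--` is a comment, so the password is never checked and alice’s admin row is returned. The parameterised version looks for a user literally named `alice'--` and finds nothing. The `x' OR 1=1--` input shows the other common outcome, returning every row in the table.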
Both externally and internally, individuals can manipulate passwords and password settings to gain entry to network systems. A determined intruder can employ password-guessing and password-cracking software, which succeeds quickly against short, common or reused passwords.
Even today, passwords remain a highly popular method of verifying identity. Yet individuals can be remarkably casual over protecting passwords, and where passwords are created for access to numerous sources, they are frequently lost or forgotten. Passwords create a number of problems:
• they offer only limited proof of identity;
• on their own, they carry little legal weight as evidence of who performed an action;
• they cannot be tied to an individual: anyone who learns the password can use it;
• they are difficult to remember;
• they need continual updating.
As an example of a casual approach to passwords, some users write them on Post-it® Notes, which can then be found stuck to the computer monitor!
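The preceding passage says that software can recover passwords; what makes that cheap or expensive is how the organisation stores them. The following is an added example, not code from the book, in Python: a dictionary attack run first against unsalted SHA-256 hashes, where one table of hashed guesses serves every account, and then against records protected by a per-user random salt and PBKDF2, where every guess must be re-derived for every account. The wordlist and the account names are constructed for the example, and the iteration counts are deliberately low so the example runs in a moment; production settings are far higher.

```python
"""Why stored passwords must be salted and hashed with a slow function.
A dictionary attack against unsalted SHA-256 costs one hash per guess for
every account at once; against per-user salted PBKDF2 it costs a full
derivation per guess per account."""
import hashlib
import hmac
import os

# Constructed wordlist and accounts for this example; real wordlists
# run to many millions of entries.
WORDLIST = ["123456", "password", "letmein", "welcome1", "summer2009", "qwerty"]

def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()

def crack_unsalted(stored, wordlist):
    """stored maps user -> unsalted SHA-256 hex. One table of hashed guesses
    serves all users. Returns (found, hash_operations)."""
    table = {sha256_hex(w): w for w in wordlist}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(wordlist)

def make_record(password, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256, as stored in a user database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(record, candidate):
    """Constant-time comparison so the check itself leaks no timing information."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def crack_salted(records, wordlist):
    """Salts differ per user, so no precomputed table helps: every guess is
    re-derived for every account. Returns (found, hash_operations)."""
    found, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += rec["iterations"]
            if verify(rec, w):
                found[user] = w
                break
    return found, work

if __name__ == "__main__":
    accounts = [("alice", "summer2009"), ("bob", "letmein"), ("carol", "Tq9!vR2#mZ")]
    unsalted = {u: sha256_hex(p) for u, p in accounts}
    print("unsalted SHA-256:", crack_unsalted(unsalted, WORDLIST))
    salted = {u: make_record(p, iterations=1_000) for u, p in accounts}
    print("salted PBKDF2:   ", crack_salted(salted, WORDLIST))
```

Both attacks recover the weak passwords and neither recovers carol’s, which is the first lesson: hashing does not rescue a guessable password. The second is the cost: six hashes for the whole unsalted table, against thousands of iterations per guess per account once salted, which is what turns a seconds-long job into an impractical one at realistic wordlist sizes.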
Viruses are one of the most common and serious threats to data integrity and security. A Google™ search reveals several hundred different types of known computer virus and more continue to emerge. A computer virus is difficult to define, but fundamentally it is a computer program which:
• infects a computer by attaching itself to programs or documents;
• may remain dormant until triggered by an event, such as a date or the opening of a file;
• causes a computer or network system to fail;
• damages or distorts data; or
• spreads to other computers on a network.
A virus may be activated on booting up a computer, by opening an infected attachment or document, or even by visiting an infected website. The most common types of malicious program are:
• a virus proper, which attaches itself to files or documents and is spread when an infected e-mail attachment or document is opened;
• a Trojan Horse, where malicious code is concealed within an apparently harmless program;
• a worm, which copies itself from computer to computer across a network without any user action.
Most virus attacks are general in nature, but an emerging threat is the targeted Trojan. This delivers a malicious attack to a specific recipient or group of recipients, most commonly involved with organisations handling high-value data. Furthermore, these attacks are frequently directed at those holding positions of the highest seniority.
One recent, highly damaging example is the Conficker worm, which spreads by exploiting an unpatched Windows vulnerability and through weakly protected network shares. Having infected one computer, it then proceeds to infect other networked computers, connecting them in such a way that the ‘network’ of infected computers falls under the control of the malware’s authors. Some sources suggest that it has spread worldwide, and it is now considered by many to be one of the most widespread infections in computer history.
There are a number of other types of computer infiltration:
• Botnets: an abbreviation of ‘robot networks’. A hacker infects many computers with software that allows them to be controlled remotely; each infected computer is referred to as a ‘zombie’ and forms part of a network of robot computers that can be directed as one. Often, the computer user is quite unaware of the infection.
• Cookies: small text records, not programs, which a website asks the browser to store and to return on subsequent visits. They allow the site to recognise the computer and to track the user’s interests, essentially as a commercial device to enable the website host to market its goods and services more effectively to site visitors. The problems with cookies are that details of the user’s browsing are recorded and stored by the website host, often without the user’s knowledge or consent, and that a cookie identifying a logged-in session, if stolen, allows the thief to act as that user.
• Spam: this is unsolicited commercial e-mail and is effectively the electronic equivalent of the junk mail delivered by the traditional postal service. Most spam is sent from infected computers and, despite its name, can yield significant profits for senders. Spam creates a number of problems:
significant quantities of spam e-mail can overwhelm an e-mail system, a form of ‘denial-of-service’ attack;
it can take a considerable amount of time for users to filter spam from genuine e-mail;
spam can infect receiving computers with viruses and similar programs.
Some users are now being exposed to spam through social networking sites on which they reveal their identities and contact details, and then become targets for spam e-mail.
• ‘Pharming’: redirects visitors to a bogus website operated by the attacker even though they typed or clicked the correct address. This is usually achieved by corrupting name resolution, for instance by poisoning a DNS server’s cache or altering the hosts file on the victim’s computer, rather than by attacking the organisation’s own web server.
• ‘Phishing’: is an increasingly common form of attack by which the perpetrator invites the user to provide personal or organisational details through manipulative activities, such as verification of online banking security details as part of an auditing exercise. This is a common form of ‘social engineering’. Once confidential information is divulged, the perpetrator exploits it accordingly.
• Drive-by attacks: infect the user’s computer simply through visiting a web page, legitimate or otherwise, that has been seeded with code exploiting a vulnerability in the browser or one of its plug-ins; no download is knowingly requested. A related case is the user being duped into downloading spyware or other infected code, such as by answering an advertisement, or downloading legitimate software which is later found to be infected.
• Spyware: is a program that is ‘collected’ by a computer without the user’s knowledge when visiting certain websites – or when the user complies with a request to download apparently harmless software. Spyware tracks users’ activities without their knowledge. Linked to this is the practice of ‘keylogging’, where software is downloaded to a user’s computer which enables the user’s keystrokes to be tracked and used to obtain confidential details of, for instance, passwords and credit cards.
• Website vulnerabilities: can arise in a number of ways, including the presence of malicious code; leakage of confidential data; insufficiently protective architecture; and inadequately deployed defensive measures.
Electronic service delivery is now a routine process but nonetheless still carries serious risks. Consumers now make online purchases in the expectation that the systems and networks employed will retain credit-card data safely and securely.
Two principal risk areas arise in online transactions:
• the confidentiality of the identity of the consumer who is conducting the transaction;
• the potential for criminals to gain access to the merchant’s system and obtain details of consumers’ credit cards.
In all such transactions, there must be some assurance that the identity of the consumer is accurately verified and that the transaction is conducted securely and confidentially.
In late 2006 and early 2007, considerable publicity surrounded the infiltration of the systems of a major retailer in which intruders accessed systems which processed and stored consumer information collected in the use of credit cards, debit cards and related transactions.
The payment card industry (PCI) has developed the Payment Card Industry Data Security Standard (PCI DSS), with which merchants and providers of payment services are expected to comply; this is considered later.
The seriousness of the risk to an organisation’s business continuity arising from Internet technology ‘failure’ is frequently underestimated.
Many organisations either have no viable business continuity plan in place, or have a plan which remains untested, or have a plan which has been tested and found to be inadequate yet where the inadequacies remain to be addressed.
Business continuity and disaster recovery plans are frequently not a priority on an information security budget because their incidence is a relative rarity. However, Internet technologies introduce an environment in which consumers expect service 24 hours a day, 7 days a week, 365 days a year. System failure which results, for instance, in the suspension of an organisation’s website can considerably damage the reputation and credibility of an organisation in the eyes of consumers.
The scenario is exacerbated where an organisation relies on a network of strategic allies for the supply of its goods or services. Imagine the reputational damage to a firm offering professional services through a network involving lenders, surveyors, estate agents and local authorities in which transactions are brought to a halt through the absence of a business continuity plan.
Examples of the principal threats to business continuity have already been considered. They include:
• the entry of hackers into the corporate network;
• the infiltration of viruses;
• the receipt of spam e-mail in such quantities that the organisation’s system is unable to cope.
Another agent for damaging business continuity is the denial-of-service attack. Here, the attacker need not infiltrate corporate systems at all: the target is flooded from outside with more traffic or requests than it can handle until it can no longer serve legitimate users. Most frequently, the targets are websites and servers as these are essential technologies for almost all organisations.
One of the most popular methods of inflicting a denial-of-service attack is by a launch from each computer in a network of robot computers, so that the organisation sustains multiple attacks. This is termed a distributed denial-of-service attack (often referred to as a DDoS).
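The distinction drawn above between a single-source flood and a distributed one matters for detection as much as for impact. The following is an added example, not code from the book: a Python detector that reads Apache-style access-log lines, counts requests per source and per minute, and applies two thresholds. The log lines, the addresses and the thresholds are constructed for the example.

```python
"""Detect request floods in web-server access logs, per source and in
aggregate. A single-source flood trips the per-address threshold; a
distributed flood (many sources, each under that threshold) shows up
only in the aggregate request rate."""
import re
from collections import Counter, defaultdict

# Client address and timestamp to the minute from a common-log-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d):\d\d [^\]]*\]')

def make_sample_logs():
    """Constructed access-log lines for this example (not from a real server)."""
    lines = []
    for i in range(5):  # ordinary traffic: five clients, one request each
        lines.append(f'198.51.100.{i + 1} - - [10/Oct/2009:13:55:{i:02d} +0000] "GET / HTTP/1.1" 200 512')
    for i in range(300):  # one source, 300 requests inside a minute
        lines.append(f'203.0.113.9 - - [10/Oct/2009:13:56:{i % 60:02d} +0000] "GET /search?q=x HTTP/1.1" 200 2048')
    for bot in range(200):  # 200 sources, 3 requests each, inside a minute
        for r in range(3):
            lines.append(f'192.0.2.{bot + 1} - - [10/Oct/2009:13:57:{(bot + r) % 60:02d} +0000] "GET / HTTP/1.1" 200 512')
    return lines

def detect_floods(lines, per_ip_limit=100, total_limit=400):
    """Return a list of findings, one per (minute, offending source) and one
    per minute whose aggregate request count exceeds total_limit."""
    per_minute = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real collector would count these too
        ip, minute = m.groups()
        per_minute[minute][ip] += 1

    findings = []
    for minute in sorted(per_minute):
        counts = per_minute[minute]
        for ip, n in counts.items():
            if n > per_ip_limit:
                findings.append({"kind": "single-source", "minute": minute,
                                 "source": ip, "requests": n})
        total = sum(counts.values())
        if total > total_limit:
            findings.append({"kind": "aggregate", "minute": minute,
                             "sources": len(counts), "requests": total})
    return findings

if __name__ == "__main__":
    for f in detect_floods(make_sample_logs()):
        print(f)
```

On the sample data the 13:56 minute is reported as a single-source flood from 203.0.113.9 and the 13:57 minute as an aggregate of 600 requests from 200 sources. No source in the second minute exceeds the per-address limit, which is the practical point: a per-IP rule alone, and any blocking built on it, misses the distributed case entirely.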
A significant threat to information security is that of cybercrime. This is criminal activity most commonly designed to secure financial reward through criminal exploitation of Internet technologies. ‘Hacking’ into the website of a large organisation and misappropriating critical and confidential data is a common form of cybercrime.
Typical examples of this type of crime involve the distribution of malware, the spreading of virus-infected code, or attacks which threaten the ability of an organisation to operate – sometimes referred to as a ‘denial-of-service’ attack and often perpetrated through the distribution of vast quantities of spam e-mail.
The motivation for cybercrime, however, is not confined to purely commercial motives. Financial gain can be obtained through other means, such as the distribution of obscene or pornographic material; drug trafficking; fraudulent activities such as altering, deleting or manipulating data; abusing software and operating a variety of ‘scams’; and even terrorism.
In extreme, if rather unlikely, circumstances, an organisation may find its information security compromised in cyberwarfare activities. Espionage, website hacking, data theft, denial-of-service attacks and infrastructure attacks are common examples of such activities. Emily Freeman, Executive Director, Technology Risks, Lockton International, says:
The emergence of ‘cyberwar’ in the context of attacks on organisations’ critical infrastructures; the increase of espionage (whether by individuals, entities or countries); and the vulnerability of critical infrastructure systems are some of the key current concerns of corporate clients. Cyber risk insurers are very concerned about the worldwide exposure to disclosure or theft of high-value data, especially non-public financial or medical information.
The damage to an organisation as a result of either cybercrime or cyberwarfare attacks, even if rare, should not be underestimated. Loss of confidential data, damage to reputation and professional integrity, and breaches of professional obligations are all potential risks to business professionals.
Cloud Computing is an emerging model of computing in which an organisation’s computing requirements, whether application software (‘software as a service’, SaaS), development platforms or raw infrastructure, are outsourced to a specialist supplier who provides these services over the Internet – hence reference to the ‘Cloud’.
It is effectively a subscriber-based hosting service, universally available and scalable for single (single-tenanted, dedicated or private Cloud) or multiple (multi-tenanted or public Cloud) organisations. It is provided as an on-demand facility in the same way as traditional utility services.
Cloud services are frequently provided from farms of virtualised servers, each holding vast amounts of data belonging to organisations using the service.
There are some obvious attractions for outsourcing the management of information security technology to an experienced supplier. The organisation may benefit from the economies of scale that a specialist supplier of security services can bring as against the total cost of ownership and management of a full-scale dedicated in-house information security department. A supplier may be able to provide security upgrades faster, less expensively and more regularly, and provide a swifter and more comprehensive response to incidents and generally manage the organisation’s security technology strategy more efficiently and effectively.
As with all emerging Internet technologies, Cloud Computing presents a number of risks which have yet to be addressed satisfactorily:
• Service interruption: this is the risk of the supplier being unable to maintain its service to the organisation which, in turn, affects the organisation’s service to its end-users.
• Availability of data: an organisation must be guaranteed access to its data at all times; any interruption or periods of sustained down time will prevent this.
• Virus infection: while under the management of the supplier, the organisation is exposed to the risk of data contamination, especially in the case of multi-tenanted servers with the potential for cross-contamination.
• Deperimeterisation: in the Cloud model, the supplier operates outside the organisation’s corporate firewall and the organisation’s data suffers a corresponding reduction in levels of protection.
• Criminal activity: the storage of large quantities of data in server farms is potentially a considerable attraction for cybercriminals, who may be able to bypass identity management procedures.
• Data management: the remote storage of data has a number of implications for an organisation, such as:
loss of control;
securing access to the data, for instance for the purpose of legal proceedings;
securing the safe return of data at the end of the outsourcing contract;
ensuring the supplier adopts safe and compliant data management procedures;
the risk of data leakage;
the safety of data should the supplier become insolvent;
ensuring the security and confidentiality of data.
• Jurisdiction: a Cloud supplier may be based in a foreign country, raising jurisdictional and applicable law issues.
• Certification: the absence of any reliable standards of certification of the performance of Cloud suppliers.
Dennis Farm, Enterprise Infrastructure Audit Manager at Morgan Stanley, comments:
A current problem is the potential for hacking into networks and systems by external parties. With the current tendency for network perimeters to extend significantly through the use of mobile technologies and remotely situated personnel, it is almost impossible to remain incident-free in this respect.
It is clear from the range and type of issues listed that Cloud Computing presents some significant risks for organisations choosing to adopt this model for managing its technology. As with all Internet technologies, development of new solutions presents potentially attractive business possibilities which are accompanied by new risks to which there are no obvious solutions.
Social networking is the most visible form of what is now commonly referred to as Web 2.0 technology. Whereas Web 1.0 technologies tended to involve business models that ‘pushed’ goods, services and information to prospective consumers, Web 2.0 technologies are based upon collaboration and information sharing.
Social networking has resulted in the emergence of a number of dedicated websites, most notably MySpace, Facebook and Twitter. These sites invite visitors to share information, thoughts and ideas about themselves and issues of interest. Typical activities and facilities include:
• posting blogs;
• file sharing, information sharing and the exchange of videos and photographs;
• shared resources for user information and exchange;
• wikis – in the form of data and information resources;
• online communities for networking opportunities.
Social networking remains primarily at a ‘social’ level at present, but is surely likely to develop into a culture that embraces the commercial environment, where consumers who are accustomed to informal online information sharing and collaboration will expect commercial enterprises to adopt a similar approach.
Dennis Farm comments:
Probably the most significant emerging risk is that posed by social media and networks. The development of WikiLeaks, in particular, means that organisations’ sensitive data can be posted on the Internet for all to see. One reason for this is the perception of young people, most of whom use social media routinely. They tend not to distinguish between personal and corporate, or commercial, information and often post derogatory remarks or allegations concerning employers.
As will be seen later, social networking presents a number of legal compliance and operational risks. As far as technology is concerned, the risks are no less critical.
The obvious risks surrounding this free exchange of information are:
• the opportunity for viruses to infiltrate systems and networks as communications are exchanged;
• the potential for insecure data to be transferred with the risk of loss, contamination or corruption;
• the assumption of false identities without any proper system of identity-checking procedures.
However, as social networking sites develop into communities with no regulation or supervision, it is unlikely to be long before other risks emerge. These could include:
• the transmission of bugs and general malware, leading to the creation of botnets;
• the cracking and reuse of passwords;
• the harvesting of e-mail addresses;
• data and information harvesting;
• spam e-mail marketing;
• the downloading of illegal software;
• wasted bandwidth.
Andrew Rose, Global IT Risk Manager at Clifford Chance, says:
Once data is posted on the Internet, it is extremely difficult to ensure it is deleted and not replicated or promulgated without permission. Social media, such as blogs and informal networked communities, make this a particular problem.
This sentiment is echoed by Robert Jackson, Security and Infrastructure Consultant at Capgemini:
Abuse of social networks can severely impact on the profitability of an organisation. It is very difficult to detect, for instance, defamatory content and commerce and industry has yet to get to grips with it.
At first glance, social networking sites may not appear to present a significant risk to business enterprises. However, in the absence of any sound policies governing access to such sites, organisations are likely to find personnel visiting them in business hours in the same way as they might send personal e-mail in the workplace. In such circumstances, any organisation may be exposed to many of the risks identified previously.