EURIM – IPPR E-Crime Study

Partnership Policing for the Information Society


Draft Document for Discussion: 16th November 2003


Working Paper 2: V0.5

Reducing Opportunities for E-crime


Background

The need for crime prevention, and to minimise the opportunities for criminals is familiar in the real world. Local communities operate neighbourhood watch schemes; insurance companies encourage security in the home and in business; the police provide crime prevention advice. People understand the risks as they perceive them – even if they might not be able to assess the true risk accurately. The familiar “it can’t happen to me” excuse is still common where insurance has not been taken out, for example.

In the emerging electronic world there is a similar need for crime prevention to minimise the opportunities for criminals. This is not helped by the fact that most users have no practical basis upon which to judge risk in the digital world and therefore no familiar real world experience. Meanwhile, many ICT professionals lack crime prevention experience and are focussed on technical solutions. This can cause both communities to exaggerate some risks, and seriously under-estimate others. The impact of crime in the digital world is also often seen as less personal than crime in the real world, with no obvious material damage. This makes it harder to get people to understand the real risks of working in the digital world.

Organisations are increasingly suffering attacks on their information systems from both inside and outside, resulting in financial loss, damage and loss of business. Equally, growth in the availability and use of on-line services is inhibited by a lack of confidence in the perceived safety of such services, often fuelled by ill-informed publicity. While there are too many opportunities for misuse of information systems, the people and businesses using them do not comprehend the true risks they face. Surveys have shown that smaller businesses in particular do not recognise the importance of information systems to their profitability. As noted by the Audit Commission in 2001, “…the majority of breaches of IT security are still caused by a lack of the basic fundamental controls and safeguards.” The Office of National Statistics (ONS) Internet usage survey also shows that a significant number of people do not exploit the potential of the Internet because of concern about its safety. It is these underlying concerns that need to be addressed.

There is a danger that only technical or legislative solutions are considered in addressing these concerns but, in truth, a holistic approach must be taken if we are to reduce the opportunities for e-crime and establish confidence in the Internet. To be successful, such an approach needs also to address both the perception and reality of e-crime in different communities.

Reducing opportunities for e-crime is not a simple task. It will require co-operation between many players and fundamental changes in common attitudes and practices as well as to current products and services. While there are “quick wins”, actions which can be taken at little cost to give immediate benefits, there are other actions that will only show real benefit over the medium to long term. Reducing opportunities for e-crime will require significant long-term commitment from key players including the government.

Issues and Remedies

At a high level the issues to be addressed are relatively simple:

· People and organisations need access to material and expert advice, presented in terms they can relate to, to help them understand the true risks, and how to manage their products and services to best address those risks.

· Systems and services need to be made more resistant to misuse by those using them as part of their normal routine – whether employees, customers, or other authorised users. They also need to be made more resistant to misuse by those not authorised to access them.

· People and organisations need to manage better the real risks involved in using information systems.

· Products need to be made simpler to install and to configure so that non-technical people, in particular, can reduce to acceptable levels the risks identified in their systems.

Unfortunately, achieving these simple objectives is complex, involving co-operation across many Government Departments and industry bodies. Those on the receiving end need to perceive a consistent image emerging from the many players.

Education and Awareness

Underlying much of the work needed to reduce opportunities for e-crime is the need to educate people to be aware of the risks and of their responsibilities. Although a new generation is growing up that is computer literate and technology aware, even they are not being taught about the responsibilities that come with that technology. There is a spectrum of activities that need to be considered, some of which can be quick wins, but others of which may take years to show real benefit.

The EURIM-IPPR paper on Addressing the needs of Small Firms addresses the issues faced in getting appropriate information on the need for information security to the right communities in a form relevant to them. That paper includes specific recommendations covering:

· The need to develop a core set of information that can be used as the basis for specific guidance to small firms and others through a variety of channels.

· The need to develop and distribute widely a “Green Cross Code”, based on this core set of information, containing basic advice and guidance on risks to systems and how to minimise them.

· The need to identify and exploit many and varied channels for getting this guidance in its different forms to different communities.

· The need to include relevant sections on information security in existing ICT-related qualifications and training – such as the ECDL (European Computer Driving Licence) syllabus.

There is also a need for mainstream education to cover the ethics, dangers and basic protection measures related to the use of information systems and the Internet. This should form part of the “good citizenship” element of the national curriculum, but will take some time to have any appreciable effect. There is a specific Recommendation in Addressing the needs of Small Firms.

At least equally important, those responsible for specifying, designing, implementing, maintaining and supporting information systems, including technical and surrounding non-technical aspects, need to be taught to anticipate the ways in which those systems could be misused and to include proportionate controls to reduce opportunities for misuse to acceptable levels.

At the heart of that process needs to be a consideration of the criminogenic (attractive to criminals) features of the Internet and e-commerce, and the application of approaches akin to those used to reduce opportunities and temptations in the physical world when products are CRAVED (concealable, removable, available, valuable, enjoyable and disposable).

The features that make the Internet so attractive to criminals have been summarised as SCAREM[1]:

· opportunities for stealth

· an intellectual climate of challenge

· ability to remain anonymous

· automated tools for reconnaissance

· tools and routines not only to escape but to cover one’s tracks

· the opportunity to automate and organise multiple crimes

The need is therefore to develop disciplines akin to those used for planning the design and layout of “real world” operations offering comparable criminal opportunities, and to consider the implications of shared vulnerability if all locations were to use the same layout and security system, as opposed to mixing and matching components with common standard interfaces to fit the premises.

The biggest single difference is probably that the Internet offers massive economies of scale to the criminal. This can change the nature of the risks that need to be assessed, as shown by the million (or so) fraudulent claims on the DfES Individual Learning Accounts.

Part of the awareness process should be mechanisms to keep people informed of emerging threats and the ways in which they can be minimised. This also needs to be tailored for different audiences. Large organisations will expect significant intelligence on a broad range of threats, while home PC users will only relate to specific threats to their PCs and their use of the Internet. The EURIM-IPPR paper on Reporting Methods and Structures includes a Recommendation that the WARP (Warning, Advice and Reporting Point) scheme being developed by NISCC (National Infrastructure Security Co-ordination Centre) be considered as a model for a broader scheme to encourage local sharing of information within and between communities – much like Neighbourhood Watch schemes in the real world.

More Robust Products and Systems

Products need to be more robust, with fewer software bugs that can be exploited for unauthorised purposes. They also need security features that can easily be used by non-technical people, and they need to be installed with most of those features turned on as the default option. There are some signs that this is beginning to happen, but not that those doing it are receiving the necessary support and publicity from the rest of the ICT industry.

Many widely used current products need regular patching to correct security flaws. This process can destabilise systems, is expensive in user time and resource and may be impractical, e.g. for small firms with neither reliable high-speed connections nor in-house expertise. It is doubtful that more than a fraction of small firms or home users maintain the patch levels on their systems. There is also growing evidence that the patching routines of even major organisations (both public and private) are neither rapid nor comprehensive enough to cope with the problems caused by newer viruses such as MSBlaster and SOBIG.

Market pressure is causing major product suppliers to improve the security of their products - witness the Microsoft trusted computing initiative announced over a year ago. However, it will take some years for this to work through, and there will be old insecure products in homes and small businesses for many years to come.

An associated issue is that of the growth of open-source software, and the disaggregation, or unbundling, of products and services. Conflicting claims are made as to whether such offerings improve or impede security. There is a need for an open, constructive debate on this issue – recognising that there are strong commercial and other interests involved that can distort the arguments.

Until recently the commercial incentives to improve security in services were not strong but the impact of the recent worms has been such that several major ISPs have now installed filtering software as part of their standard offerings - i.e. customers may have to ask for it to be turned off if they wish to send or receive certain types of traffic. Others are now using automated blacklisting of the sources from which they received the problem traffic.

There may be a case for government moves to encourage such initiatives – for example by being seen only to purchase products and services that provide adequate security. There are parallels here with car safety and security: Government eventually legislated on use of seat belts, but successfully worked informally with the car industry to make cars more secure from theft, albeit after publishing analyses of theft by make and model. There may need to be similar action, as recommended in the EURIM-IPPR paper on Addressing the needs of Small Firms, to persuade people to use the more secure ISPs, products and services, upgrade their systems and install suitable security products.

Most of these ideas will take time to implement, and to have any appreciable effect on the great bulk of computer users. As a short term measure, incentives could be created for those supplying PCs and communication services to small businesses and to the public at large to include suitable security products in all delivered systems.

These need to be complemented by simple guides on the installation, configuration and maintenance of products to increase security, which do not rely on access to the Internet (which may not be available until after the system has been successfully installed), and by packages providing technical support. For example, BT already do this as an option when installing broadband capability and have just announced a low cost add-on service for existing users. It has also been suggested that people should be encouraged to submit their PC for an “annual check-up” (cf. the MOT for their car) where security systems could be checked and updated as necessary. This approach is discussed in the EURIM-IPPR paper on Addressing the needs of Small Firms, where specific Recommendations are put forward.

Managing Risk and Trust

While large organisations may have the resource and the knowledge to decide on the risks to their business and possible countermeasures, the vast majority of SMEs and individuals have neither the knowledge nor the time to be able to identify the threats to their systems, and to decide on and implement appropriate security measures. While this can be mitigated to some extent by awareness campaigns and by better security products and security in products, this will all take time to work through.

There are indirect incentives emerging that will encourage businesses to include better risk assessment as part of good business governance. However, these will take time to have any appreciable effect, and currently affect only larger organisations.

· The Turnbull Guidance[2] requires companies to identify, evaluate and manage their significant risks, and assess the effectiveness of related control systems. This should include appropriate information security measures, but that guidance document currently lacks clarity in this area, could be improved, and applies only to larger listed organisations.

· There is increasing demand for business insurance to include cover for losses associated with intangible assets and associated liability claims, and the insurance industry is in a position to encourage good security practice as part of their policy underwriting.

· The new Central Service for Information Assurance (CSIA) within the Office of the E-Envoy is developing assurance requirements for government systems that could be used in the private sector, as could other initiatives such as certification against BS 7799 Part 2.

People using remote services (such as those offered over the Internet) need to trust that they will not be defrauded. The recent Which WebTrader scheme was a good example of a scheme to certify that providers met certain standards, but failed through an inadequate business model. Unless and until a critical mass of players put realistic resources behind the promotion of shared and credible certification and accreditation schemes these cannot succeed. Hopefully, the recently announced replacement to the WebTrader scheme will be more successful in attracting the necessary support. To be successful such schemes need to demonstrate:

· that those administering such a scheme are reputable, competent and resourced to verify that those certified conform to the scheme, both on application and afterwards, and that any abuse is adequately (in the eyes of the majority of customers and suppliers) remedied and rectified.

· that on-line customers know and understand the schemes and use them to help select suppliers, confident that the scheme is effective and that there are effective remedies if things do go wrong.

Installation and Support

Only large organisations and solution providers actually develop business systems. Individuals and SMEs usually buy such solutions off the shelf – usually from product suppliers. They do not have the capability to judge how robust a system or package is. They need easy ways of deciding if it does address the particular threats from their environment.

This suggests the need for schemes to indicate whether packages and products can be shown to conform to a declared security profile - possibly using a more commercially oriented variant of the Common Criteria certification scheme that relates to the needs of SMEs and the like.

The sheer variety and complexity of information systems and business solutions makes it impossible to define standard “one size fits all” security settings for even common ICT products. Some degree of tailoring will almost inevitably be required.

Most security products, including many firewalls and much anti-virus software, are too complex for the average non-technical user to install and maintain. Major anti-virus software usually includes simple install and update mechanisms, but still requires the user to configure it to scan emails, etc. Moreover, the guidance for handling anything beyond the simplest queries or problems is unsuitable for those without a level of technical expertise well beyond that of the average user. Many product suppliers also provide information about the security of their products on their web sites, including information on how to configure security features. However, this is rarely written in a way that is comprehensible to non-technical people, and the existence of such information on-line is not known to most. Product suppliers need to work on ways in which robust security products can be simply configured and maintained by non-technical users.

A short term action could be to encourage users to use independent consultants or other sources of relevant expertise at reasonable cost. However, those using such services need to have confidence that the persons offering them are competent and trustworthy. They also need to know what to ask for, the likely cost and how to judge that the task has been completed correctly. This is discussed further in the EURIM-IPPR paper on Addressing the needs of Small Firms, which includes specific Recommendations.

There is a broad range of skills involved in the design, development, maintenance and support of security within business systems. There are organisations such as SANS and CompTIA that offer qualifications at the technical level on information security. Many product suppliers also offer certification in their products, including relevant security expertise. The Security Industry Authority (SIA) could establish minimum standards for qualifications in specific information security competencies but, at present, there is no generally understood segmentation of information security so this could take years to achieve.

The success of such schemes will depend heavily on awareness of the need to use suitably qualified people when seeking advice or support for securing systems and services, and of the availability of those people at a reasonable cost to the customer.

The need for better skills training is discussed in the EURIM-IPPR paper on Growing the Necessary Skills, which includes Recommendations on the need for recognised training and qualifications across a range of information security disciplines.

© Copyright EURIM 2003




[1] “Superhighway Robbery: Preventing E-commerce Crime” by Newman & Clarke. Willanpublishing.co.uk, 2003, ISBN 1-84392-018-2.

[2] “Guidance on Internal Control (The Turnbull Guidance)” included as part of the Combined Code on Corporate Governance issued by the Financial Reporting Council (www.frc.org.uk) in July 2003.