Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Communications
  3. Marketing

Privacy Individual CW (Draft 1)

advertisement 
MN30281 – Privacy, Trust and Security in Information Systems
Are Hardware and Software
Security Key in Protecting the
Mobile Workforce?
Securing Information Assets in Organisations
Elliot Chapple
08
Table of Contents
Introduction: ........................................................................................................................................... 3
Security Vulnerabilities of Mobile Devices ............................................................................................. 4
Implications of Information Loss on Organisations ................................................................................ 5
Securing Information Assets from a Technical Perspective .................................................................... 7
Securing Information Assets from a Social Perspective........................................................................ 10
Conclusion ............................................................................................................................................. 12
Works Cited ........................................................................................................................................... 13
Appendices............................................................................................................................................ 15
2
Introduction:
In the past five years the workforces of many organisations has become increasingly dependent
on becoming mobile, allowing routine tasks to be undertaken in an out of office scenario this is so
that organisation can benefit from the possible advantages such as improved customer service,
higher productivity and the ability to respond to emerging markets quicker (Igbaria & Tan, 1998). In
addition as advances in pervasive and ubiquitous computing technology have taken place,
employees are able to easily access smaller technologies that have network connectivity and are
able to connect with their organisations corporate IT systems and information, including laptops,
smart phones and removable storage media such as USB disk drives. With this trend likely to
continue such that this year, 2008, it is estimated that there will be over 100 million portable or
media devices worldwide used within mobile workforces (Heikkila, 2007).
As this evolution of the methods people work is occurring, there a number of critical issues that
need to be addressed. Since the mobile workforce can now readily access sensitive or confidential
information on the move, this has caused security concerns across all industries, and with constant
reports of data loss from high exposure organisations or governments it poses the question can
hardware and software security on these mobile devices fully prevent data loss through theft or
through malicious practises?
3
Security Vulnerabilities of Mobile Devices
As mobile devices have increased in capabilities over the past few years so have the
vulnerabilities that they present to the modern mobile workforce. In the current hostile climate for
mobile devices connecting to central corporate IT systems there is a need to acknowledge the main
areas of weakness that organisations face when using such devices.
Studies have shown that for example that the main weakness in using mobile devices is accessing
the internet in public areas or through ad-hoc networks, where different nodes forward packets of
data between each other and to the internet. This is particularly critical in the forms of mobile
commerce or M-Commerce, for example the buying and selling of goods between organisations,
where the security risks are higher than within a standard office environment due to the nature of
information that is being sent in public areas. With a projected market value of $200 billion (Ghosh
& Swaminatha, 2001), it is vital that organisations understand the security implications where
contaminated nodes within an ad-hoc network and the continual changing of administrative or
security domains could cause large scale problems for information security.
Another increasing threat is the rise of social engineering, which is becoming more persistent
with the rise of mobile devices, and although currently only accounts for 2% of data breaches (Goss,
2008) is continuous threat to information security. Social engineering, where users are manipulated
into divulging important or confidential and performing actions, where the attacker never comes
face-to-face with the victim is a particular risk within mobile workforces. As the workforce becomes
more decentralised it becomes harder to differentiate between colleagues and potential fraudsters,
as there is less effect based trust within the workplace and assumptions are made, sometimes
leading to costly outcomes or compromised security, as justified by a study by InfoSecurity Europe
where 75% of employees gave their passwords immediately to a group conducting a survey outside
of their place of work (Leyden, 2003).
The final major issue is the susceptibility mobile devices have of being lost or stolen as they are
moved more frequently between locations, and tend to rely on the awareness of the employee to
maintain its physical security. A justification for this becoming a primary concern for organisations
with mobile workforces is that statistics that have been collected show just how much information is
being lost per year, all of which has the potential to be restricted or sensitive information, for
example Heathrow airport records 900 laptops that have been collected as lost property each week
(SC Magazine Staff Writers, 2008).
As shown within Secrets and Lies, Digital Security in a Networked World (Schneier, 2004) network
security is a chain, and is only as strong as its weakest link. Until these security vulnerabilities are
addressed by organisations with mobile workforces there will always be the threat of information
loss as mobile devices remain the most significant point of failure in an organisation IT infrastructure
and degrade the overall strength of the security solution and can cause implication for organisations.
4
Implications of Information Loss on Organisations
As possible vulnerabilities of the mobile workforce and their associated devices have been
discussed it is important to realise the effects of a security breach and loss of information assets on
an organisation. Information Assets are apparent within every industry, and are defined as “data
that is or should be documented, and which has value or potential value” (Hawley Report, 1994);
examples include market and customer information, human resource information and management
information and plans. The implications of a loss vary between organisations depending on the type
in conjunction with the public perception of the organisation’s brand in question; however there are
a number of high level implications that will affect all businesses.
The primary impact through the loss of information assets is where organisation will not be able
to carry out decision making as there will be no information that will help to reduce uncertainty that
exists within market industries today (Butler Group, 2004). This could be for articles such as
purchase orders or could be more severe such as processing sensitive data for benefits which will
have a direct implication on the organisation and customers if there is a breach of security whilst an
employee is using a mobile device outside of the office environment. This in turn has the causal
effect of impacting business deadlines and information throughput processes in order both maintain
budget decisions as well as generate revenue for the organisation. This is argued in the Reuters
report Information as an asset: the invisible goldmine (Reuters, 1995) where out of 500 telephone
interviews with senior managers in the UK one in four saw information as the most crucial asset to
business practises.
Another concern that will impact every organisation is the financial cost of a data loss which will
both impact the bottom line for the organisation as well as the individuals whose data has been lost.
Throughout 2007 alone, 90% of businesses suffered from a data loss at an average cost of $200,000
(Fitzgerald & Dennis, 2007) however the costs can far greater depending on the type of loss, for
example where Nationwide building society lost 11 million records of customer data which was
stolen from an employees house (BBC News, 2006) and the Financial Services Authority penalised
Nationwide with a £980,000 fine. These penalties described however, did not include the cost of
labour that was required to source the data and collect and create new hardware which would be an
additional overhead affecting the organisations budgets and time constraints as information
collection is a lengthy process (Smith, 2008).
A concern that can outweigh the financial losses of lost information due to removable media
being misplaced or stolen is that the organisational brand will be affected in a negative manner.
Consumer, as well as stakeholder, trust is an intrinsic method of security in conversing or purchasing
with an unknown or little known third party and will be the basis of whether or not a customer is
likely deal with the organisation in the first instance as argued in (Gluckler & Armbruster, 2003) and
The Role of System Trust in Business-to-Consumer Transactions (Pennington, Walcox, & Grover,
2004). A security breach will have an impact on the levels of trust that stakeholders will have in the
organisation and in the manner in which business is carried out using the mobile workforce
decreasing the likelihood of a transaction, as it will be the consumers information that will be being
transported between locations and across various media types . This is also shown in the figure
below:
5
<<<INSERT FIG 1 DIAGRAM ABOUT TRUST>>>
Therefore mobile workers and their devices must be properly protected to circumvent these
outcomes and showing that an initial expenditure into the correct methods will be far better for the
organisations reputation.
6
Securing Information Assets from a Technical Perspective
With a mobile workforce there a number of technical issues which need to be taken into account
when selecting the right way to protect your business. Primarily information security technology will
need to be used through “the selection and implementation of [or most] appropriate technologies
and products” (InfoSec, 2008), and will consist of reactive and pro-active types of security. The figure
below shows a basic taxonomy of methods that can secure a mobile device and are shown in respect
to whether they are reactive or pro-active.
Figure 1 - Security Taxonomy based upon (Venter & Eloff, 2003)
The taxonomy that is shown above is dependant on two main features, firstly whether or not the
security method reacts with the data instantly or at a different time and secondly at which layer
within organisations IT infrastructure the technology exists. A pro-active security technology is
where the data is secured in some manner before a data breach has the chance the to occur,
whereas reactive security technologies are where procedures or tasks are implemented and
performed once a security infringement is in progress or being attempted.
There are a number of pro-active security technologies that can be applied to a range of mobile
devices that are in use in the modern methodologies of working today. The first and most widely
used in the current mobile workforce is that of cryptography, where information is translated into
cipher text (encryption) and then translated back into readable information (decryption) by the user
or recipient of the information (Rivest, 1995). There are a number of hardware encryption tools that
are readily available for businesses to use, the current number one being Pointsec Mobile
Technologies closely followed by PGP Universal and a number of other vendors as described in
Appendix 1. <<<IN APPENDIX 1 show TABLE 1 from Heikkla Crypto paper>>>. Although the expense
7
equipping a mobile workforce with this sort of technology is high, for example a license for Pointsec
will cost for $129 per laptop and $76 per Pocket PC or PDA (Brooks, 2005), there a number of
benefits that will outweigh this cost. The first of the advantages is that your workforce will have full
hard disk encryption meaning that files can only be accessed after a successful password entry upon
their mobile device system start-up, preventing unauthorised access to the files from the outset,
meaning if a device is lost then the “new owner won’t be able to retrieve the protected data”
(Heikkila, 2007). Encryption with these tools also allows for devices such as virtual drives where all
the encrypted data can be stored and accessed simultaneously in real time, such that the process of
encryption and decryption is transparent to the users and will not have any effect on the speed in
which their work is undertaken. However encryption does have its drawbacks, if malicious code is
able to intercept administrative access rights encryption and most other pro-active security
measures will be significantly reduced in terms of security level, which promotes the need for
reactive security measures as well, which is argued within “The Inevitability of Failure” (Loscocco,
Smalley, Muckelbauer, Taylor, Turner, & Farrell, 1998).
Encryption can also be used on removable media and other types of ‘smart phone’ which do not
encompass the same level of security as PDAs or Pocket PCs. This gives an organisation a higher level
of safety, especially when used in conjunction with laptop hard disk encryption, as it means that the
likelihood of information disclosure to unauthorised users is reduced. This is a wise organisation
decision as 57% of organisations do not encrypt the data held on their PDAs or removable devices
and that in the United States alone 35,000 PDAs and 232,000 mobile phones were lost or stolen in
2001 (Hinde, 2004). By encrypting devices it is possible for a network to store the encryption key for
the removable device and therefore only when it is authorised by the corporate IT network the user
will be allowed to access the information on the device, adding yet another layer of security to the
mobile devices in use. This is a useful tool as this can be used to create logs which will help IT
administrators review or monitor the amount of data, and what specific data, an employee has
transferred to a removable device making the auditing of data movement much easier in the case of
loss or theft (Heikkila, 2007). In turn encryption can be combined with a number of other
technologies such as Tokens, Virtual Private Networks (VPN) and Digital Certificates to create a wider
range mobile corporate IT infrastructure. An example is the RSA SecurID Token which is used in
conjunction with a VPN to create a secure remote access point to an organisations infrastructure
and will encrypt bytes of information as they sent and received which only the recipient and sender
having the appropriate decryption keys in order to return the cipher text back to clear text. The cost
of implementing a solution such as this would be $637,900 for 10,000 users (Entrust, 2008) for the
RSA SecurID tokens alone plus the installation of VPN clients such as Nortel Networks including VPN
enabled routers and the client software is around $20,000 for every 100 users (Nortel Networks),
which is large organisation security decision so that a mobile workforce is secure, however when
compared to the cost of peace of mind, this may not seem such a large expenditure.
REACTIVE METHODS?!!
-
Taxonomy of security procedures
Layering of security solutions
Software in use
8
-
Costs / Benefits / Disadvantages
Reactive and proactive methods
Lead into why technology is generally less needed than social aspects
9
Securing Information Assets from a Social Perspective
Security of mobile devices has never been more of a risk than it is today, this is through a mixture
of naivety and attitudes towards security on mobile devices, and this is shown in a press release
from Pointsec where the MD Magnus Ahlberg discusses that users of mobile devices “often try to
circumvent [security measures] due to the time and ‘hassle’ factor associated with them” (Ahlberg,
2004).
Awareness is a primary concern in mobile security as reports from the defence industry have
shown that the employees and internal individuals are as important as external factors where “you
are obsessed with fighting and external enemy... the last thing on your mind is to fight scrupulous
individuals within [the organisation]” (Desouza & Vanapalli, 2005). A correct training scheme or
process within an organisation is essential to effective data security, especially within a mobile
scenario as it will reduce the likelihood of costly mistakes or loss of devices occurring initially as
within a study by the Harris Interactive Service Bureau it stated that two thirds of the interview
organisations recognised that “employees rather than hackers [pose] the greatest risk to customer
privacy” (Hinde, 2004). Organisation will need to enforce security policies and present a form of
information protection framework that will be conveyed to the employees within a mobile situation
such that there is an understanding of both the ethical issues of losing data, such as loss of personal
trust as well as the procedures for reporting data loss and maintaining a vigilant eye on the
organisation’s mobile equipment during travelling or ‘on-the-move’ working. This will include the
disposal of IT equipment and the methods in which data is erased using software such as the open
source Eraser program where the information will be continually over written with fake text to
prevent recovery of this information if it was misplaced or stolen (Heidi Computers Ltd, 2008).
If employees are trained correctly as well, and a good information security framework is in place
it will reduce the possibilities of other human factors causing a loss of organisational information
including the emerging threat of social engineering, and simply the unauthorised removal of
information (DTI, 2007). In organisation with mobile workforces today it is training of the mobile
employees that are important such that items such as confidential data or employee passwords are
not given to the wrong people, especially with the increase of social engineering. This is a method of
hacking whereby persuasive techniques are used to extract secure or confidential information from
employees, without much or any actual contact with them, and can be stopped simply by training
the workforce correctly with regards to who to talk to about access controls and other information
divulgence (Gaudin, 2002) (Pabrai, 2005). A clear policy on information security will also decrease
the inevitability of employees that leave an organisation taking confidential or critical information
with them, as this is lacking in the current mobile workforce environment where only a quarter of
organisations have “security policies in place to ensure employees cannot damage the organisation
when they leave” (Hinde, 2004).
It is understood that an organisation cannot respond to every security threat equally however
there should be a form of security framework in place that lets “managers... sort through which risks
are most likely to materialise and which could cause the most damage to the business” (Austin &
Darby, 2003). Where an information security framework is set up within an organisation it should,
where possible, attempt to gain ISO certification for the level of information security. As defined by
10
ISO standard 17799 there are a number of ‘control clauses’ that need to be implemented within an
organisation in order to achieve the greatest level of information security as it will define items such
as a comparison between management support for security in conjunction with business objectives
as well as legislative requirements and consequences of violations of a information loss (Yhan, 2002).
The Control Clauses of ISO 17799:
1.
2.
3.
4.
5.
Security Policy
Organisational Security
Asset Classification & Control
Personnel Security
Physical & Environmental Security
6.
7.
8.
9.
10.
Communications & Operations Management
Access Control
System Development and Maintenance
Business Continuity Management
Compliance
(Yhan, 2002)
Figure 2 - ISO 17799 Control Clauses
Security frameworks have drawbacks such as the initial expenditure and the technical staff
resources that will need to keep abreast of the current climate of potential threats to security
including the working time expense of organising the risks according to potential business damage.
In addition there will be the cost to achieve ISO certification, but as sources have shown that users
are the most likely method of where data loss occurs within a mobile workforce it is far more
beneficial to have the social practises and standards in place before the hardware and software
aspects of information security are implemented into an organisation mobile workforce. If these
items are put into place and marketed to the potential consumer market, this creates a level of
cognitive trust that will make a transaction more likely.
11
Conclusion
Hardware and software security are not the final solution to the problems that the mobile
workforce face in terms of securing information assets, especially when it is more likely that it will be
the negligence of the workforce that causes information loss (Pabrai, 2005). To produce secure
methods of information access via a mobile workforce both social and technical aspects will need to
be considered at the appropriate times. Before the hardware and software are introduced an
organisation must first set out the correct frameworks for information security, this will involve
creating policies surround access and removal of an organisations information assets and also hiring
the necessary technical staff to keep abreast of the latest threats to the mobile workforce. Once this
is in place the technical staff can evaluate the hardware and software solutions that are available
and then apply the correct technologies for the correct business activities. Once in place the correct
framework will allow for logs and reviews to see if the current implementation is working for the
mobile workforce. This will be an on-going cycle as shown in the figure below:
Monitor usage through
the use of audit logs,
and viewing information
Security threat analysis
and acknowledgement
of ISO standards
Information Asset
Security
Procedures
Hardware and Software
security implementation
and employee training
Creation of Information
Security Framework and
selection of technologies
Figure 3 - The Security Cycle, an elaboration from (Heikkila, 2007).
Therefore if a system similar to the above is in place within an organisation this will lead to the
most possible secure methods in which an organisations mobile workforce can operate and interact
using their devices with the central organisational IT infrastructure.
12
Works Cited
Ahlberg, M. (2004). The Mobile Workforce, The Weakest Link. Pointsec Press Release.
Austin, R. D., & Darby, C. A. (2003). The Myth of Secure Computing. Harvard Business Review.
BBC News. (2006, November 18). Security Raised Over Laptop Theft. Retrieved November 23, 2008,
from BBC News UK: http://news.bbc.co.uk/1/hi/uk/6160800.stm
Brooks, J. (2005, June 13). PointSec, WinMagic Lock Down Mobile Data. Retrieved November 8,
2008, from eWeek.com: http://www.eweek.com/c/a/Security/Pointsec-WinMagic-Lock-DownMobile-Data/
Butler Group. (2004). Exploiting Corporate Information Assets. Hull: Butler Group - Technology
Management & Strategy Division.
Desouza, K. C., & Vanapalli, G. k. (2005). Securing Knowledge in Organisation: Lessons from the
Defense and Intelligence Sectors. Chicago: International Journal of Information Management.
DTI. (2007). Information Security: Protecting Your Business Assets. Business Link.
Entrust. (2008, September 1). Entrust IdentityGuard Price. Retrieved November 23, 2008, from
Entrust: http://www.entrust.com/strong-authentication/identityguard/calculator.cfm
Fitzgerald, J., & Dennis, A. (2007). Business Data Communications and Networking (9th Edition).
Virginia: John Wiley & Sons Inc.
Gaudin, S. (2002). Social Engineering: The Human Side of Hacking. Earthweb.
Ghosh, A. K., & Swaminatha, T. M. (2001). Software Security and Privacy Risks in Mobile ECommerce. Communications of the ACM, ACM.
Gluckler, J., & Armbruster, T. (2003). The Mechanisms of Trust and Networked Reputation. Sage
Publishing.
Goss, P. (2008, October 13). Hackers Account for Just 1% of Data Loss. Retrieved November 3, 2008,
from TechRadar: http://www.techradar.com/news/computing/hackers-account-for-just-1-of-dataloss-475258
Hawley Report. (1994). Information As An Asset: The Board Agenda. KPMG Impact Group (p. 7).
London: KPMG Press Release.
Heidi Computers Ltd. (2008). Eraser | Internet Security and Privacy. Retrieved November 25, 2008,
from Heidi Computers Ltd: http://www.heidi.ie/node/6
Heikkila, F. M. (2007). Encryption: Security Considerations for Portable Media Devices. IEEE Computer
Society.
Hinde, S. (2004). Confidential Data Theft and Loss: Stopping the Leaks. ScienceDirect.
13
Igbaria, M., & Tan, M. (1998). The Virtual Workplace. IGI Publishing.
InfoSec. (2008, November). InfoSec - Security Management. Retrieved November 26, 2008, from
InfoSec: http://www.infosec.gov.hk/english/business/security_imsf_3.html
Leyden, J. (2003, April 18). Office Workers Give Away Passwords for a Cheap Pen. Retrieved
November 9, 2008, from The Register:
http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R., Turner, J., & Farrell, J. F. (1998). The
Inevitability of Failure: The Flawed Assumptions of Security in Modern Computing Environments.
Proceedings of the 21st National Informations Systems Conference. National Security Agency
Release.
Nortel Networks. (n.d.). Nortel Networks. Retrieved October 29, 2008, from Nortel: Products: VPN:
http://www2.nortel.com/go/product_cat.jsp?parId=0&pcatId=-9965&segId=0&catId=9972&locale=en-US
Pabrai, U. A. (2005). Awareness Training - Strengthen Your Weakest Link. MediaTec Publishing Inc
[Certification Magazine].
Pennington, R., Walcox, H. D., & Grover, V. (2004). The Role of System Trust in Business-to-Consumer
Transactions. Journal of Management Information Systems.
Reuters. (1995). Information As An Asset: The Invisible Goldmine. London: Reuters.
Rivest, R. L. (1995). The RC5 Encryption Algorithm. MIT Laboratory for Computer Science.
SC Magazine Staff Writers. (2008, August 1). 900 Laptops Lost at Heathrow Per Week. Retrieved
November 10, 2008, from SC Magazine: http://www.securecomputing.net.au/News/118424,900laptops-lost-at-heathrow-per-week.aspx
Schneier, B. (2004). Secrets and Lies: Digital Security in a Networked World. Wiley.
Smith, D. M. (2008, July 23). The Cost of Lost Data. Retrieved November 24, 2008, from Pepperdine
University: School of Business & Management: http://gbr.pepperdine.edu/033/dataloss.html
Venter, H., & Eloff, J. (2003). A Taxonomy for Information Security Technologies. Computers &
Security.
Yhan, G. (2002). ISO 17799: Scope and Implementation - Security Policy. International Organisation
for Standardisation.
14
Appendices
Table of Encryption Software
15
Related documents
Corporate Performance Evaluation
Corporate Performance Evaluation
Unit G620
Unit G620
Managing Human Capital
Managing Human Capital
Vision and Mission
Vision and Mission
Business Plan Headings
Business Plan Headings
Members' Code of Conduct - Bournemouth Council for Voluntary
Members' Code of Conduct - Bournemouth Council for Voluntary
Risk-management-approach - Australian Commission on
Risk-management-approach - Australian Commission on
Download
advertisement