Fools Gold And The Quest For Internet Security

August Bequai

Computer Audit Update, July 1997. © 1997 Elsevier Science Ltd., $17.00

This article does not announce the introduction of a so-called magic cure for the crime and other ills that afflict the Internet. Like the Conquistadors, today's high-tech security gurus view the Internet as El Dorado - with streets paved with gold, and with the prize going to the one who invents the needed "silver bullet." But as with the Conquistadors, many in corporate America are fast learning that the majority of the ills that afflict the Internet do not necessarily lend themselves to simple or high-tech solutions. In many cases, the problems emanate from within the workforce of the victim organization; lax security, and not the hacker, is responsible for a lot of the corporate woes connected to the Internet, and management can play a crucial role in addressing them; one that it has for too long shunned to the side.

DATA PROBLEMS:

The theft, alteration, and destruction of corporate data - some of it of a proprietary nature - has been amply documented as being a serious and growing problem both within and outside the US. Also documented in the security and HR journals is the fact that many of these abuses are connected to insiders - men and women in positions of trust within modern organizations who, either by design or negligence, have caused these problems. The insider, and not the hacker, is the main problem; unfortunately, much of the thrust in the high-tech security arena has been directed at the latter. However, in dealing with the former, there are adequate measures that a modern organization can take to address the problem. Interestingly, unlike the high-tech security gadgetry that permeates the current marketplace, they are inexpensive and simple to implement. Among these:

- Limiting or prohibiting non-business use of the Internet or E-mail.
- Notifying employees, in writing, of the company's right to monitor and review employee communications and other on-line activities.
- Conducting periodic (and unannounced) inspections and audits.
- Ensuring that a trusted system operator, manager or corporate officer has access at all times to all employee passwords.
- Training systems and management personnel to respect the confidentiality of personal information, except when needed to document violations of company policies.
- Co-ordinating E-mail and data policies with other corporate policies and objectives; for example, ensuring that employee credit and medical information is handled in conformity with privacy laws.

SEXUAL HARASSMENT:

It is no secret that pornography has become one of the fastest growing industries in cyberspace. A growing number of US courts are taking the view that unless a company is a publisher of such materials - which very few are - there is no legitimate business purpose for its staff to download, transmit, possess, or generate digitized pornography. A company could face the risk that if these materials are broadcast or electronically "pinned up" at work, an offended employee could claim that a hostile work environment exists. The very informal nature of E-mail can delude individuals into assuming that their profanity, sexual references, jokes, and related comments over the Internet are merely harmless pranks. However, some simple (and inexpensive) self-help measures can address the problem. For example:

- Prohibiting the downloading, transmission and possession of all pornographic, profane and/or sexually explicit materials.
- Modifying existing sexual harassment and discrimination policies to include all electronic communications and data.
- Using technical filters to prohibit all inappropriate content and access to such sites.

MISUSE OF TRADE SECRETS:

While a company's employees and agents have an obligation - frequently expressed in a written contract - to preserve its trade secrets and other confidential information against disclosure, their misuse has become a chronic problem in the US. In large part this is because E-mail, Internet access and on-line networks make it easy for employees to inadvertently or intentionally destroy trade secrets by divulging them widely and instantaneously. To address the problem, management should consider the following:

- Installing encryption and technical devices to limit the uploading, transmission and file attachment of trade secrets and other confidential information; as well as to protect sensitive files against unauthorized copying.
- Include misinformation and markers in customer lists and trade secret files to facilitate their tracking.
- Limit the number of employees with on-line access who can also access trade secret files.
- Review and, if necessary, revise existing confidentiality restrictions in employment agreements and employee policy manuals, to clearly cover network issues.
- Keep an audit trail on all inbound and outbound transmissions.
- Carry out, as well as publicize, periodic random audits.
- Sensitize employees about the need to safeguard the corporate trade secrets.

EMPLOYEE SECURITY:

While cyberspace was meant to enhance the productivity of employees, unfortunately this has not always been the case. Employee game playing and pranks over the Internet have become chronic problems for many US businesses. Employee productivity, however, is primarily a management issue, not a security problem. The security issues arise when electronic monitoring of employee communications is carried out to enforce company policies on "surfing"; or whether the company handled appropriately the attendant disciplinary, grievance and termination actions which could result from infractions of its Internet policies. Consider the following:

- Developing a rational and balanced plan for employee use of the Internet and the company's E-mail; one that will not prohibit "surfing" in its entirety, since it occasionally can serve to spark innovative ideas.
- Encourage employees to read materials relevant to the company's business; as well as discouraging them from spending much of the work day browsing non-work related web sites.
- Tailor the internal security policies to address the varying functions of its diverse workforce.
- Educate employees on what constitutes authorized work.

HR FUNCTION:

Since many of the Internet-connected abuses fall within the purview of both the corporate Human Resources (HR) and security staffs, the two departments should coordinate their plans so as to minimize the company's exposures. For example, to the extent that hiring and firing decisions are documented by E-mail, both the HR and security staffs need to understand and coordinate the company's archiving and records retention policies and procedures. Care should also be taken with regard to disclosures made in response to E-mail reference checks about current and former employees.
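Two of the trade-secret measures listed above, seeding customer lists with marker records and keeping an audit trail of outbound transmissions, fit together naturally: the audit trail is where a leaked marker will show up. The following Python is an added illustration, not code from the article or its author. The customer records, the marker scheme (a keyed hash of the copy label turned into a fictitious e-mail address), the "canary.example" domain and the audit-trail lines are all constructed for this example.

```python
"""Marker records in a customer list, checked against an outbound audit trail.

Added example; the records, marker scheme and audit lines are constructed.
"""
import hashlib
from dataclasses import dataclass


# Constructed customer list standing in for a trade-secret file.
CUSTOMER_LIST = [
    {"name": "Acme Widgets", "email": "buyer@acme.example", "terms": "net30"},
    {"name": "Borealis Foods", "email": "ops@borealis.example", "terms": "net45"},
]


@dataclass
class MarkedCopy:
    label: str      # who received this copy of the list
    records: list   # the real records plus one fictitious marker record
    marker: str     # the fictitious e-mail address that identifies the copy


def make_marker(label, secret="rotate-me"):
    """Derive a per-copy marker address from the copy label and a keyed secret.

    Keying the digest means someone who knows the scheme still cannot pick
    the marker record out of the list. (Assumed construction, not the
    article's.)
    """
    digest = hashlib.sha256(f"{secret}:{label}".encode()).hexdigest()[:10]
    return f"c{digest}@canary.example"


def seed_markers(records, labels, secret="rotate-me"):
    """Return one MarkedCopy per label, each carrying a unique marker record."""
    copies = {}
    for label in labels:
        marker = make_marker(label, secret)
        marked = list(records) + [
            {"name": "Calder Supply", "email": marker, "terms": "net30"}
        ]
        copies[label] = MarkedCopy(label=label, records=marked, marker=marker)
    return copies


def scan_outbound(audit_lines, copies):
    """Check each line of an outbound-transmission audit trail for a marker.

    Returns (line_number, label) pairs naming the copy a leaked list came from.
    """
    by_marker = {c.marker: c.label for c in copies.values()}
    hits = []
    for n, line in enumerate(audit_lines, 1):
        low = line.lower()
        for marker, label in by_marker.items():
            if marker in low:
                hits.append((n, label))
    return hits


def demo():
    """Run the check over a constructed three-line outbound audit trail."""
    copies = seed_markers(CUSTOMER_LIST, ["sales-team", "outside-counsel"])
    leaked = copies["sales-team"]
    # Constructed audit lines; the second one carries the sales-team copy.
    audit = [
        "1997-07-01 09:12 from=jsmith to=rep@partner.example subj=quote body='see attached pricing'",
        "1997-07-01 10:40 from=mlee to=me@freemail.example subj=fyi body='"
        + "; ".join(r["email"] for r in leaked.records) + "'",
        "1997-07-01 11:05 from=akhan to=ops@borealis.example subj=order body='PO 4471 confirmed'",
    ]
    return scan_outbound(audit, copies)


if __name__ == "__main__":
    for line_no, label in demo():
        print(f"line {line_no}: marker from the '{label}' copy found in an outbound transmission")
```

Each distributed copy gets its own marker, so a hit in the audit trail attributes the leak to a copy rather than only confirming that one occurred; the same scan can be run over mail gateway logs or attachment text as long as the audit trail records message bodies.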

To cite some safeguards: A company's HR and security policies and procedures should be periodically reviewed, to ensure conformity with the law and the company's business objectives, as well as to identify new Internet-related risks. Review the coverage and adequacy of existing insurance and bond policies to ensure they cover employee theft and dishonesty, and upgrade them if necessary.

ADVERTISING EXPOSURES:

The hottest applications US companies are currently implementing are Internet sites on the World-Wide Web, to enable them to disseminate marketing information about their business and products. However, there are legal risks connected to this; among them, potential copyright and trademark infringement, unfair trade or deceptive practices, consumer protection, defamation, and product disparagement. Some companies have addressed these risks by implementing programs and policies that require various reviews of all advertising materials prior to their publication. Among these are:

- Review all existing marketing policies, procedures and protocols to determine if they are adequate to address legal exposures related to Internet and Web advertising.
- Require appropriate screening of all corporate materials and content made available on the Internet and Web.
- Examine agreements with all Internet and Web consultants and outsources, to ensure that they do not modify or publish corporate materials which have not been properly screened.
- Educate all corporate personnel involved in Internet and Web marketing and advertising about the potential risks and liabilities, and how proper screening can help.
- Include trademark and other legal disclaimers in the corporate marketing of products, etc.

PROBLEM OF HYPERLINKS:

One of the most intriguing aspects of the Web is the ability to "hyperlink" from one Web page to another site, frequently operated by an independent entity. However, if a company builds into its Web page a hyperlink to another company's Web page, the question frequently asked is whether it will be held accountable for any content on that page. For example, does providing a hyperlink amount to the incorporation by reference of the linked system? Further, does a company have to vouch for the accuracy of content on the linked page/system, or does it have a duty to review the content of linked sites? The answers are not simple. Here are some guidelines that should help alleviate such problems:

- Include appropriate disclaimers in its Web site, including disclaimers as to the content of the other (third-party) hyperlinked home pages.
- Establish policies regarding hyperlinking, cross-linking and referral agreements (including who can make such agreements) and the parties' termination rights.
- Review the liability insurance coverage, as well as requiring vendor endorsements from hyperlink "agents."

ON-LINE CONTRACTING:

Many US businesses have started to engage in on-line contracting for nearly any commodity they buy or sell. Purchases can be made via widely accessible systems, many of which their employees can also access. This obviously raises serious problems, among them forgeries and unauthorized transactions. In the past, businesses negotiated "electronic trading partner" agreements: before either company honoured the "electronic contract," they would execute a written paper agreement, and this established protocols for electronic authentication and digital signatures. But in on-line contracting, a user simply logs on; at a click, a contract is formed. The reliability and authenticity of such contracts depends upon both technology (e.g., secure digital signatures) and the status of the law. However, US law does not adequately address the use of digital records. Many of the existing laws were enacted before computerized records existed. In addition, since bogus and unauthorized on-line contracting can prove difficult to detect, businesses will continue to have problems even after the legal issues are clarified. There are steps that a business can take to address the misuse of on-line contracting:

- Before implementing its on-line contracting capabilities, a company should undertake a risk and security assessment.
- Review applicable legal requirements for the establishment of binding on-line contracts.
- Create a paper archive or confirmation record until on-line contracting becomes standard legal practice.
- Employ electronic trading partner master agreements with its regular customers.
- Provide an "opt-out" process, whereby an existing or prospective customer who wishes to negotiate or discuss the terms of the agreement can do so, as well as have an opportunity to terminate the transaction.

FINANCIAL TRANSACTIONS:

A growing number of US businesses are exploring on-line financial transactions to facilitate their business dealings in cyberspace. But the ability to move digital money instantly worldwide raises serious security concerns. Businesses will also need to satisfy government regulators and auditors that the controls on their financial systems are secure and reliable. The legal exposures connected to electronic financial transactions include potential liabilities for unauthorized payments, employee thefts, data alteration, etc. To guard against this, a business should:

- Update its security policies, reviews and audits.
- Assess the adequacy of its financial reporting controls, as well as compliance with accounting and auditing procedures and standards.
- Evaluate the need for special security measures for its international transactions.

SECURING DATABASES:

As the information superhighway continues to grow, the value of a database will depend on the quality and quantity of the business information that it stores. However, many databases do not qualify for copyright protection. Under current US law, the more comprehensive the database, the less available the copyright protection. As such, management should:

- Conduct an inventory of its databases to determine what it stores in them, as well as how the information is collected and used.
- Assess the application of the existing statutory and regulatory scheme, as well as compliance with it.
- Make the needed changes to ensure conformity with the existing laws.
- Educate its staff on the scope of their legal obligations.
- Include confidentiality provisions in all agreements with employees, consultants and customers who have access to confidential data.

CONCLUSION:

The Internet and the other components of cyberspace are still in their infancy. Crime and the many other abuses connected to cyberspace, likewise, are in their infancy, and very likely to grow in sophistication in the coming years. There is little or no disputing that efforts to secure the Internet in the future will prove more complex and costly. The high-tech "silver bullet" - while attractive and desirable - is unrealistic. Less costly organizational security measures should be explored and considered as supplementary.
