http://www.dmst.aueb.gr/dds/pubs/jrnl/1999-IMCS-Soft-Risk/html/soho.html
This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:

Citation(s): 65 (Google Scholar), 49 (selected).

This document is also available in PDF format.

The document's metadata is available in BibTeX format.

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Diomidis Spinellis Publications

According to the MCB Copyright policy ``authors are free to post their own articles on their Web site after they have been published in an MCB journal. This is subject to acknowledgement of first publication details and inclusion of a link to Emerald’s home page http://www.emeraldinsight.com.''


Security Requirements, Risks, and Recommendations

for Small Enterprise and Home-office Environments

D. Spinellis,1 S. Kokolakis,2 S. Gritzalis1

1 Dept. of Information and Communication Systems, University of the Aegean, GR-83 200 Karlobasi, GREECE

email: dspin@aegean.gr, sgritz@aegean.gr

2 Department of Informatics, Athens University of Economics and Business (AUEB),

76 Patission St., Athens GR-10434, GREECE, email: sak@aueb.gr


ABSTRACT

The pervasive use of information technology in enterprises of every size and the emergence of widely deployed ubiquitous networking technologies have brought with them a widening need for security. Information System security policy development must begin with a thorough analysis of sensitivity and criticality. Risk analysis methodologies, like CRAMM, provide the ability to analyse and manage the associated risks. By performing a risk analysis on a typical small enterprise and a home-office setup we identify the risks associated with availability, confidentiality, and integrity requirements. Although both environments share weaknesses and security requirements with larger enterprises, the risk management approaches required are different in nature and scale. Their implementation requires co-operation between end-users, network service providers, and software vendors.

Keywords: risk analysis, enterprise, home, security, recommendations

INTRODUCTION

Advances in networking technology, the explosive growth of the Internet, and the liberalisation of telecommunication markets increasingly allow small businesses and private individuals to reap the benefits of sophisticated networked computer applications. Examples of such applications include electronic commerce, teleworking, multimedia communication, information access, and entertainment. Unfortunately, the realisation of these applications is often hampered by insecurities typical to open networks: messages can be intercepted and manipulated, the validity of documents can be denied, and personal data can be illicitly collected. Large enterprises can typically design and implement security policies for their data networks (Kabay 1996) and implement them using technologies such as virtual private networks and firewalls. However, the use of networked information systems within small enterprises and modern home-office environments can be the source of serious security problems, because such enterprises typically lack the technical expertise and resources to create and maintain a suitable level of security.

The adoption of a systematic approach and a standard methodology for the establishment of a baseline on security practices for the emerging ubiquitous networking environment allows the stakeholders of this environment (users, network service providers, equipment and software vendors) to evaluate the required security level and take appropriate strategic and tactical decisions.

Risk Analysis, an orderly process adapted from practices in management, is a valuable methodology for every attempt towards the establishment of a secure Information System (IS), as it addresses two important issues (Eloff et al. 1993):

  1. The need for a systematic method to identify Information Technology (IT)-related risks. Continuous technological evolution, IS complexity, diversity in applications, technologies, and configurations are some of the reasons why identifying and assessing risks is considered such a laborious task.
  2. Total security is not feasible. In addition, an enterprise must justify expenditures for security. This brings out the need for a method to improve the basis for decisions; one can thus select a set of safeguards that will provide a level of security analogous to the level of risk in a cost-effective manner.

In this paper we apply a risk analysis methodology on representative examples of the emerging ubiquitous networking environment, analyse the associated risks, and provide and overview of approaches for risk management. The paper can serve as a rough roadmap marking the areas where the peculiarities of the new environment require novel approaches from end-users, vendors, and network service providers.

RISK ANALYSIS AND MANAGEMENT METHODOLOGIES

One can not reasonably develop security policies and procedures without clearly understanding the systems that must be protected and how valuable they are to the enterprise. In addition, one must determine the probability that the assets will be threatened. Therefore, the objective of risk analysis is to identify and assess the risks to which the IS and its assets are exposed in order to select appropriate and justified security safeguards. The analysis of risks is performed in five stages (ISO/IEC/JTC1 1996):

  1. asset identification and valuation,
  2. threats assessment,
  3. vulnerabilities assessment,
  4. existing/planned safeguards assessment, and
  5. risk assessment.

Assets are the elements of an IS that possess a value. A security incident that will affect an asset will also have an impact on the owner of the asset (i.e. the organisation, the enterprise, or the individual). Assets are valuated according to the impact of a probable asset impairment. Threats need to exploit a certain vulnerability in order to cause a security incident. Therefore, threats, vulnerabilities, and impacts should be combined together to provide a measure of the risk an IS is exposed to. The implied conceptual model (CEC 1993) is given in Figure 1.

The risk analysis methods database developed within the CEC/INFOSEC Programme (CEC 1993b) contains more than seventy risk analysis methods. In our analysis we chose CRAMM, the United Kingdom Central Computer and Telecommunication Agency (CCTA) Risk Analysis and Management Method, for the following reasons:

  1. CRAMM has been extensively used since 1987, and is considered an effective and reliable method,
  2. as CRAMM is the mandatory security analysis method for UK governmental organisations it has been thoroughly tested, and
  3. CRAMM is supported by a software tool.

Figure 1. Threats, Assets and related concepts.

The CRAMM software tool provides automated selection of countermeasures. CRAMM countermeasures are also ascribed to policy statements that constitute the security requirements of the system and form the basis for the development of a security policy.

The CRAMM methodology (UKCCTA 1996) involves three stages:

SCENARIO DESCRIPTION

Our study has been based on two exemplary scenarios. The first one concerns a small enterprise and the second a home user that maintains a home-office environment.

Small enterprise

The first scenario represents a modern small enterprise that makes use of advanced networking technology, while retaining a basic computing infrastructure. The infrastructure of the enterprise includes three PCs and a printer connected via an ethernet local network. Two of the PCs are used as workstations, whilst the third one is used as a server. The latter also hosts a Web Server. An ATM line connects the enterprise with a Network Service Provider that provides Internet connectivity.

Figure 2. Small Enterprise

The business functions of the enterprise that involve the use of computing facilities are the following:

Home-office environment

The second scenario represents the case of a home user who uses ISDN technology for both entertainment and business purposes. The equipment used includes two PCs and a printer connected to a local ethernet network and through an ISDN line to a Network Service Provider who provides Internet connectivity. The ISDN line gives the user the ability to use the same connection for a video phone, a fax, and a conventional telephone. The basic activities in this setup include:


Figure 3. Home-Office Environment

RISK ANALYSIS

After performing the risk analysis of the two scenarios using the outlined methodology, we found that although different in size the small enterprise and the home-office face a similar level of risk. This can be justified if we consider the risk analysis process. Risk is calculated as a combination of the value of assets (estimated according to the impact an asset impairment may have), the level of threat, and the level of vulnerability. The threats are common in both cases and result mainly from the use of open, high speed networks, though physical threats (e.g. fire) have not been ignored. The level of vulnerability is similar in both cases with the home-office case being more vulnerable because of the use of the same facilities for both work and entertainment. The only significant differences have been identified through impact assessment, where it appears that the small enterprise has a greater need for availability, confidentiality and integrity for the purpose of conducting electronic commerce (Warren and Furnell 1998). However, the home-office also requires a high level of protection since all professional activities are conducted through the same computing facilities. The following paragraphs provide an overview of the availability, confidentiality, and integrity requirements that we identified.

Availability

Large enterprises may have several computing installations and produce a wide range of products, so the unavailability of a certain installation can be overcome by activating other resources. In contrast to large enterprises, home-offices and small enterprises have a greater dependency on their IT systems since their owners typically have no other source of income or spare IT resources.

Confidentiality

Unauthorised disclosure of information is a significant threat in both scenarios. Especially in the case of a small enterprise, electronic commerce data exchanged is quite sensitive (e.g. credit card numbers) and often protected by law. In addition, it is important to protect the privacy of the employees of the small enterprise, the home user, and their clients.

Integrity

Integrity issues are quite important especially considering the application of electronic commerce. Modification of e-commerce data may result in high financial losses. A wide range of potential perpetrators may be interested in deliberately modifying financial, commercial, and EDI data. These may be dissatisfied or malevolent customers, crackers, or aggressive competitors.

Tables 1 and 2 show the highest risk values in the two case scenarios. The evaluation of risks follows a scale of 0-7 where 6 and 7 mostly apply in safety critical systems. CRAMM estimates risk values for every combination of asset impact, threat, and vulnerability. The list of all risks is several pages long and is considered beyond the scope of this paper.

Table 1. Availability related risk values (scale 0-7).
15M
1H
3H
12H
1D
2D
1W
2W
1M
2M
Small enterprise
1
2
2
3
3
3
4
4
5
5
Home-office
-
-
2
2
2
3
3
4
4
4
Unavailability: 15M-15 min., 1H-1 hour, 3H-3 hours, 12H-12 hours, 1D-1 Day, 2D-2 Days, 1W-1 week, 2W-2 weeks, 1M-1 month, 2M-2 months.

Table 2. Integrity and Confidentiality related risk values (scale 0-7).
B
T
O
SE
WE
DM
In
Or
Rc
Nd
Mr
Tm
Small enterprise
4
5
4
3
4
5
3
3
3
3
2
1
Home-office
4
5
4
2
3
4
4
4
4
4
3
3
B-loss of data since last back-up; T-total loss of data; O-disclosure to outsiders;
SE-small scale errors; WE-widespread errors; DM-deliberate modification;
In-insertion of false message; Or-repudiation of origin; Rc-repudiation of receipt;
Nd-non-delivery; Mr-mis-routing; Tm-traffic monitoring.

Risk Analysis Conclusions

The main conclusions resulting from our risk analysis review are the following:

The aforementioned conclusions highlight the necessity for risk management. This is performed by determining the security requirements and selecting appropriate countermeasures.

RISK MANAGEMENT

Managing risks may follow three strategies: risk reduction, risk transfer, and risk acceptance. Accepting risk means that although one is aware of it he or she prefers to accept the consequences instead of applying countermeasures. This applies in the case where the cost of countermeasures is significantly higher than the impact of a potential security breach. An example of risk transfer is insurance and applies in particular to physical assets (e.g. computers). Note that in most cases the insurance contract covers the replacement value of equipment and not the value of the data contained or processed by it. Finally, reducing risk could be achieved by means of reducing threat, reducing vulnerability, reducing impact, or recovering from threat occurrences.

CRAMM provides a list of recommended countermeasures that reduce risk in any of the ways mentioned above. A security expert may select those that provide the highest effectiveness with the lowest cost. As a result of the high risk values that we identified in the previous section, we compiled a lengthy list (a few hundred items) of requirements (Dubois and Wu 1996, Rohm et al 1998) and countermeasures to be applied. The most important requirements are abstracted in Table 3. The cost of implementing the countermeasures is obviously beyond the abilities not only of a home-office environment, but of a small enterprise, as well.

Table 3. Risk analysis requirement specifications and possible solutions.
Requirement Possible Solution
User IDs All users should be allocated an identifier (user ID). The operating system should ensure that access is only granted with the provision of an ID and a means of authentication (e.g. password, smart card).
Password management Passwords should be difficult to guess. They should be kept in a one way encryption form; they should change at least once every six months; they should be transmitted in an encrypted form; they are not to be stored in macros or function keys. Current practice in PC-based systems does not comply with the above requirements (e.g. passwords are often stored in macros to be used for ftp or telnet sessions). The problem could be addressed by means of using proactive password checkers, password generators and the provision of relevant services by the operating system. Smart cards provide an alternative authentication method, but appropriate infrastructure is needed (e.g. inexpensive and easy to use card readers, standardisation in smart card technology).
Logical Access Control The owner of a file or a program should be provided with the facility to specify who is allowed to access the file or program (Discretionary Access Control). All files and directories should have an owner. Incorporate Discretionary Access Control in PC-based operating systems and networking software.
Access Control Access rights should be reviewed at regular intervals. Inactive accounts should be locked. Automate the review of access rights based on checklists and procedures available in certified Security Handbooks.
Auditing Tools A range of facilities for keeping and analysing Audit Logs should be provided. Audit logs should be available in database format and reports should be provided in word-processing format. Provision of easy to use audit tools, with predefined auditing profiles and customisation options. Quite often the difficulties of managing huge audit logs force users not to activate auditing.
Investigation of Incidents When incidents are detected or suspected they must be investigated in a thorough manner. Development of Incident Reporting Schemes (IRS). General purpose CERTs will not be able to address the increasing needs for incident response in the future. The development of sector-specific IRS appears as a more promising solution.
System Security Acceptance Criteria Acceptance criteria should be established against which suitable test should be carried out prior to acceptance of a system as providing the required level of security. Certification of software by accredited certifiers.
Software Integrity Checks Breaches of software integrity should be detected and prevented. Several security packages offer file integrity checking. These facilities could be integrated into the operating system.
Detection of Malicious Software Any malicious software should be detected, identified, isolated, and removed. Users have to deal with attacks from malicious network applets which can cause many problems, such as denial of service, invasion of privacy, and annoyance. Anti-virus tools and good practice rules. All anti-virus tools must be kept up-to-date. Digital signature techniques can be used for the verification of signed applets (e.g. Microsoft's Authenticode technology) (Gritzalis et al 1999).
Security of Network Services The service provider's contract should formally define the security issues for the Network Service. Standard contracts and terms of business relating to security issues can be standardised by relevant bodies and applied uniformly across all network service providers.
Mutual Authentication All communicating entities should be authenticated. Public-key infrastructure (PKI); application of cryptographic and authentication protocols for implementing Virtual Private Networks
Network Access The flow of traffic to and from external networks should be controlled. Integrate firewall functionality and auditing facilities into router and gateway software.
Message Origin Authentication The origin of a message should be authenticated. Research has provided several non-repudiation techniques that need to be standardised and employed. Digital signatures, based on public-key cryptography, are widely considered as crucial. Legal and regulatory issues have to be addressed by governments leading towards an integrated framework for secure network transactions.
Operational Change Procedures Management responsibilities and associated procedures are necessary to ensure satisfactory control of all changes to equipment, software, and procedures. Minimise the security vulnerabilities that can be introduced by user modifications. Encourage the use of certified Security Handbooks and Checklists.
Operating System Changes When such changes occur the security of the system should be reviewed to ensure that the changes have not introduced any adverse affects. Include security checks in the installation procedures of operating systems updates. Provide a certification framework for operating system upgrade procedures.
Access to Manager Accounts The system administrator account should not be used for day-to-day operations. Design network and operating system administration procedures to minimise the need for a system administrator account.
Data Backups Backups should be taken of all essential business data; backup should be stored in a separate location; it should be possible to re-create data lost since the last backup. Provision of backup services by network service providers; for example, user data backup can be performed over a high-speed network.
Security Awareness Staff should be aware of IT security issues. Small enterprises cannot afford seminars and training programs on security, but at least users should be aware of the threats and of the basic security requirements.
Security policies An IT Security Policy should be documented. Use of baseline or standard security policies developed by associations, standardisation bodies and other trusted organisations.
Incident Handling Security incidents should be detected and investigated thoroughly. Development of sector-specific Incident Reporting Schemes. Some types of incidents could be automatically reported and managed by the network service providers.

Considering the lack of resources, the lack of security provisions in PC-based systems, and the currently low security level of Internet technologies, there is no way a small enterprise or home user can afford an adequate level of security today. It is thus necessary to advance the state of the art to provide a secure baseline for small enterprises and home users. This will involve vendors, network service providers, government, and private organisations.

System Software Vendors Security services (e.g. authentication, discretionary access control, etc.) should be incorporated into PC operating system software. However, if these offer a wide range of security options it is obvious that a non-expert will be puzzled. Therefore, specific "security profiles" could be offered so that the user can select the profile that is closest to their needs. When selecting a profile the corresponding security policy will be automatically employed.

Network Service Providers They may offer a wide range of security services, such as anonymity, encryption, back-up, incident reporting, and data recovery services. Many of these services can be provided with minimal user intervention if they are standardised and tightly integrated with the networking software.

Third Parties It is absolutely essential to develop and deploy a security infrastructure (including a Public Key Infrastructure-PKI) that will address the needs of small enterprises. In addition, a network of accredited certifiers (Wilsher & Kurth 1996) that will provide security certification services for PC software products would absolve users from difficult to perform security tests of off-the-self software products. Additionally, non-expert users will benefit from "Security Handbooks" that will contain security policies, security procedures and checklists.

Users In most cases measures that transfer risk or enable recovery from security incidents require less resources and are easier to apply. Two measures of this kind, insurance and back-up, have always provided a good level of security. Insurance may cover losses in equipment and backup data losses. Backup data should have the same protection as active data, should be stored in a different location, and the restore procedure should be tested and be known by all users. Given a security infrastructure, the emerging network technologies could allow WAN-based backup services to be provided. Passwords are thought as the weakest point of attack in almost every system. Good password management practices provide a highly important defence safeguard in an IT system.

CONCLUSIONS

The advent of the Information Society brings up new business opportunities for small and medium size enterprises (SMEs) and promotes new forms of work organisation. Moreover, growth and employment largely depend on the proliferation of teleworking and the use of telematic services by SMEs (Bangemann committee 1994).

The Risk Analysis review performed for the purposes of this paper has shown that small enterprises and home offices currently operate in high risk environment. In addition, current security infrastructure and business practices do not allow for effective risk management. Consequently, the lack of a secure environment for small enterprises and home offices canbe expected to hinder their development. Moreover, recent security surveys (Hinde 1998) show that the rate of security breaches has increased in the last few years. The latest survey conducted by the UK Audit Commission reports that 45% of organisations surveyed had suffered from computer fraud and abuse - up from 36% three years ago (UK Audit Commission 1998).

This paper provides a rough roadmap for the establishment of a secure environment for small enterprises and home offices. The proposed solutions are based on novel approaches to security management practices, and imaginative use of sophisticated technologies. Their deployment requires tight co-operation between all stakeholders in the emerging network infrastructure: end-users, network service providers, and software vendors.

REFERENCES

Bangemann Committee (1994) Europe and the Global Information Society: Report of the High Level Group on the Information Society (Bangemann Report), Commission of the EU, Brussels.

Commission of the European Communities (CEC 1993) Glossary of information systems security. DGXIII, INFOSEC Programme/S2001.

Commission of the European Communities (CEC 1993b) Risk analysis methods database. DGXIII, INFOSEC Programme/S2014/WP08.

Dubois, E., Wu, S. (1996) A framework for dealing with and specifying security requirements in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the information society of the 21st century, pages 88-99. Chapman Hall.

Eloff H. P., Labuschagne L. , and Badenhorst K. P. (1993) A comparative framework for risk analysis methods. Computers and Security, 12(6):597-603.

Gritzalis S., Aggelis G., Spinellis D., (1999) Architectures for Secure Portable Executable Content", Internet Research Journal, Vol.9, No.1, pp. 16-24, MCB University Press.

Hinde S. (1998) Recent Security Surveys. Computers and Security, 17(3):207-210.

ISO/IEC/JTC1 (1996) Information Technology - Security Techniques - Guidelines for the Management of IT Security, GMITS. ISO/IEC DTR13335.

 Kabay E. (1996) The NCSA Guide ot Enterprise Security: Protecting Information Assets. McGraw-Hill.

Rohm A., Pernul G., Herrmann G., (1998) Modelling secure and fair electronic commerce, Proceedings of the 14th Annual Computer Security Applications Conference, pp. 155-164, IEEE Computer Press.

UK Audit Commission (1998) Ghost in the Machine - an Analysis of IT Fraud and Abuse. The Audit Commission, UK.

United Kingdom Central Computer and Telecommunication Agency (UKCCTA 1996) United Kingdom. CCTA Risk Analysis and Management Method: User Manual., version 3.0 edition. HMSO.

Warren, M. J., Furnell, S. M. (1998) Electronic Commerce: Winners and Losers in Proceedings of the INC'98 1st International Network Conference, pp.197-202, University of Plymouth.

Wilsher, R. G., Kurth, H. (1996) Security assurance in information systems. In Sokratis K. Katsikas and Dimitris Gritzalis, editors, Information Systems Security: Facing the information society of the 21st century, pages 74-87. Chapman Hall.

Biographical Information

Dr. Diomidis Spinellis holds an MEng in Software Engineering and a PhD in Computer Science both from Imperial College (University of London, UK). Currently he is lecturing at the Department of Information & Communication Systems, University of the Aegean, Greece. He has provided consulting services to a number of Greek and international Information Technology companies and has been involved in several national and EU funded R&D projects in the areas of Computer Security, Language Engineering, and Scientific Visualisation. He is the author of more than 40 technical papers and conference presentations. He has contributed software to the 4.4BSD Unix distribution, the X-Windows system, and is the author of a number of public domain software packages, libraries, and tools. His research interests include Information Security, Software Engineering, and Programming Languages. Dr. Spinellis is a member of the ACM, the IEEE, the Greek Computer Society, the Technical Chamber of Greece, and a founding member of the Greek Internet User's Society. He is a co-recipient of the Usenix Association 1993 Lifetime Achievement Award.

Spyros Kokolakis received the B.Sc. degree in Information Systems from the Athens University of Economics and Business (AUEB) in 1991. He is now a research student in AUEB, working on Information Systems Security. His current research interests include the development of an Information Systems Security Analysis and Design methodology, information security models and security policies and metapolicies.

Dr. Dimitris Gritzalis holds a BSc (Mathematics) from the University of Patras, Greece, an MSc (Computer Science) from the City University of New York, USA, and a PhD (Informatics) from the University of the Aegean, Greece. Currently he is an Assistant Professor with the Department of Informatics of the Athens University of Economics and Business (AUEB), Greece, and a Senior Researcher with the University of the Aegean. His work includes editorship of two international conference proceedings, and publication of three monographs and of 35 refereed papers. Dr. D. Gritzalis has been involved in many research and development projects on information security; most of them were funded by the EC under the ESPRIT, INFOSEC, AIM, RACE, ACTS, ETS, ISIS, VALUE and Telematics Administration Programmes. His current research interests include information security models and policies, secure healthcare information systems, and privacy. He is a member of the Data Protection Authority of Greece and the representative of Greece to IFIP Technical Committee 11 (Security in Information Processing Systems).