ISACA Journal
Volume 5, 2014

Features 

Imperfect Technologies and Digital Hygiene: Staying Secure in Cyberspace 

Ed Gelbstein, Ph.D. 

There are three domains that impact information security. Although these domains interact with each other, they tend to be discussed separately in different circles:

  • The vulnerabilities of devices and services (the responsibility of security practitioners)
  • The security practices that should be followed by end users (the concept of “digital hygiene”)
  • What can be done about these two things and who should be doing it (the role of governance)

Vulnerabilities of Devices and Services

In the early days of IT, it was accepted that:

  • Hardware will eventually fail
  • Software will eventually work

While both remain true today, hardware has become quite reliable and software products for personal computers, smartphones and other mobile devices have shorter life cycles between versions than in the past. As bugs that may compromise security are discovered, software has to be updated regularly (sometimes frequently). Each update may well introduce new bugs.

Unfortunately, the story does not end here. In today’s mobile environment, security is impacted by the activities of many players before even getting into the hands of the end user.

Hardware Vendors
An emphasis on innovation, time to market and value for money has worked well for many organizations, and these technologies’ contribution to how individuals live and work is undeniable. However, their approach may, by design, not place as strong a focus on security as is found in other industries (e.g., aircraft, nuclear). As a typical processor chip in a modern smartphone has millions of transistors and includes embedded code, security is not easy to assure. For example, some hardware vendors include software other than the operating system and utilities in the devices they commercialize. Such features may make commercial sense, but may be no more than “crapware”[1] to the buyer, and many of them cannot be removed.

Software Developers in Different Categories
These include those developing operating systems either as proprietary software (e.g., iOS) or open source (e.g., Android). It is reasonable to expect that the software development and testing cycle is based on proven practices and an emphasis on quality assurance. Such software is complex and estimates for its size range from 3 million to 11 million lines of code. Bugs are inevitable and developers have a responsibility to ensure that zero-day events are kept to a minimum and are discovered by them, or well-intentioned individuals, rather than by hackers with malicious intent.

The other category is that of application (app) developers, a free and unregulated market anyone can join. Some app developers have been very successful: In 2013, a 16-year-old in the United Kingdom sold an application called Summly (it summarizes news) to Yahoo for a reported US $30 million.

In 2013, more than a million Android apps were available[2] and there were another million estimated for the Apple iOS environment[3]—some very useful, others very ingenious and well designed. Many apps can be downloaded free of charge or for a modest sum. The degree of app quality assurance depends on who provides them. Many apps are known to contain malware. The concept of caveat emptor (customer beware) is just as important now as it ever was. The extent of apps’ usefulness is, like beauty, in the eye of the beholder.

Internet Service Providers
Internet service providers (ISPs) offer Internet access through various networks. Some provide security services, such as backup in the cloud and antivirus and antispam services for electronic mail, often as optional, additional subscriptions.

GSM Network Operators
Many key players in the wireless mobile world emphasize market share, pricing and subscription schemes. They also engage in a competitive game in which operators may add their own apps to the devices they distribute. Most of them include ISP services in their subscriptions.

Wi-Fi Internet Access Providers and Other Contactless Data Exchanges
The Wireless Local Area Network referred to as Wi-Fi has become ubiquitous. In many countries, it is available free of charge at, for example, airports, coffee shops, restaurants, hotels, universities and hospitals. Recent developments have seen Wi-Fi networks becoming available on trains and airplanes. When the connection is free of charge, such networks are usually unencrypted. Even when some operators charge for this service, this does not guarantee that the communications are encrypted. Bluetooth is another possible way to access devices without device owners being aware of it.

Lessons From the Medical Field

The vulnerabilities described in the previous section can be argued to have equivalents in the field of health care. It is no coincidence that the name given to the first malicious software to emerge was “virus.” Good hygiene and medication have contributed to reducing the risk associated with illnesses. How can digital hygiene reduce information risk?

There are two distinct domains for the information security industry to note: hygiene and regulation.

Hygiene
Humanity has lived with contagious disease, infections, plague and other unpleasantness for millennia. It was only in the mid-19th century (at least in the Western world) that the concepts of hygiene, germs and bacteria were developed. A key figure in the development of hygiene among the medical community was Dr. Ignaz Semmelweis,[4] a medical practitioner in Vienna who advocated that doctors wash their hands before touching patients. This was not well received by his peers and was generally ignored. Several years passed before the work of Louis Pasteur and Joseph Lister confirmed the validity of this advice.[5] Is something similar happening today with information security?

Regulation
In most countries in the world, the sale of medicine is regulated in terms of the tests a product must undergo before obtaining a license for sale, whether or not its sale should be restricted by requiring a doctor’s prescription, and the information that must be provided to the consumer. Most medicine packages include a leaflet describing the product, including information on how much to take, when to take it, clear descriptions of contraindications, possible side effects and what to do about them, and other risk factors. Nothing of the kind is provided with computers, smartphones or tablets. Quite the opposite: the full text of an end-user license agreement for software (if one can get past the legal jargon) basically states that should anything go wrong, it is the user’s problem.

The Great Digital Uninformed (GDU)

IT and information security practitioners agree that the four pillars that enable sustainable success are: governance, process, technology and people. People should be considered the weakest link and the existence of the great digital uninformed (GDU) makes success harder to achieve.

While there are many competent and technology-aware people, they may be outnumbered by the GDU, who can be found in many circles. The majority of GDU share four characteristics:

  • They do not know what they should be doing to keep their devices clean.
  • They do not know why. Even recent reports on crime, the collection of metadata by governments and frequent articles in the press lead to an “I am not really interested” reaction.
  • They do not know how. There are many sources of advice on how to protect your identity, secure online transactions and privacy. Notwithstanding, commonly used passwords include “123456” or the person’s date of birth. Such a password is then used for many, if not most, logins.
  • They do not care. This is the biggest challenge. Ignorance is bad, but indifference is worse.
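The third characteristic above (a password such as “123456” or a date of birth, reused across most logins) is the one most easily checked by tooling rather than by exhortation. The following is an added example, not code from the article or its author: a small password-hygiene audit that flags very common passwords, passwords that are plausible calendar dates, passwords equal to a known date of birth, and one password shared by several logins. The short common-password list and the sample vault are constructed for illustration; a real audit would draw on a full breached-password list and would compare hashes rather than keep plaintext in memory.

```python
"""Password-hygiene audit (added example; not from the ISACA Journal article)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional

# Constructed, deliberately tiny list of widely used passwords. A real
# deployment would load a full breached-password list instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty", "111111", "abc123",
}

# Digit strings a person might type as a date: 01011990, 1990-01-01, 01.01.90.
_DATE_PATTERNS = [
    re.compile(r"^(?P<d>\d{2})[./-]?(?P<m>\d{2})[./-]?(?P<y>\d{4})$"),  # DDMMYYYY / MMDDYYYY
    re.compile(r"^(?P<y>\d{4})[./-]?(?P<m>\d{2})[./-]?(?P<d>\d{2})$"),  # YYYYMMDD
    re.compile(r"^(?P<d>\d{2})[./-]?(?P<m>\d{2})[./-]?(?P<y>\d{2})$"),  # DDMMYY / MMDDYY
]


def looks_like_date(password: str) -> bool:
    """True if the password is a valid calendar date written as digits."""
    for pattern in _DATE_PATTERNS:
        match = pattern.match(password)
        if not match:
            continue
        d, m, y = int(match["d"]), int(match["m"]), int(match["y"])
        if y < 100:
            y += 1900  # two-digit year; the century only matters for leap days
        # Accept day/month in either order so DD/MM and MM/DD are both caught.
        for day, month in ((d, m), (m, d)):
            try:
                date(y, month, day)
                return True
            except ValueError:
                pass
    return False


def check_password(password: str, date_of_birth: Optional[date] = None) -> List[str]:
    """Return the hygiene findings for one password (an empty list means none)."""
    findings: List[str] = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common")
    if looks_like_date(password):
        findings.append("date")
    if date_of_birth is not None:
        digits = re.sub(r"\D", "", password)
        dob_forms = {date_of_birth.strftime(f) for f in ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y")}
        if digits in dob_forms:
            findings.append("date_of_birth")
    if len(password) < 8:
        findings.append("short")
    return findings


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every password used by more than one login to the logins sharing it."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for login, password in vault.items():
        by_password[password].append(login)
    return {pw: sorted(logins) for pw, logins in by_password.items() if len(logins) > 1}


def audit(vault: Dict[str, str], date_of_birth: Optional[date] = None) -> Dict[str, List[str]]:
    """Run all checks over a login -> password mapping and return findings per login."""
    report = {login: check_password(pw, date_of_birth) for login, pw in vault.items()}
    for logins in find_reuse(vault).values():
        for login in logins:
            report[login].append("reused")
    return report


# Constructed sample vault; these are not real credentials.
SAMPLE_VAULT = {
    "email": "123456",
    "bank": "123456",
    "shop": "01011990",
    "work-vpn": "Tq8!v#Lm2pRz",
    "social": "123456",
}

if __name__ == "__main__":
    for login, findings in audit(SAMPLE_VAULT, date(1990, 1, 1)).items():
        print(f"{login:10s} {', '.join(findings) or 'ok'}")
```

The date check deliberately treats a six- or eight-digit string as a date only if it parses as a real calendar date, so “123456” is reported as common and short but not as a date, while “01011990” is reported both as a date and, when a date of birth is supplied, as that person’s date of birth.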

The GDU story does not end here. The popularity of social media has changed how individuals think of topics such as privacy and discretion for both personal and corporate information. Privacy is a matter of understanding what personal information can be shared with third parties. Governments require certain information by law, e.g., civil status, personal identity documents, property ownership, taxation, driving licenses. Employers require information, e.g., address, copies of qualifications, bank account details, next of kin, as part of their conditions of contract.

The next category of shared information is that required to join schemes where membership is optional, such as frequent flyer miles and hotel points, supermarket loyalty cards, and subscriptions to journals and newsletters, where providing personal information brings some perceived benefit.

Next come the numerous opportunities to disclose information and opinions to all, for example, through social media. In today’s online world, anyone can be a content provider with little or no editorial control. To what extent can such information be trusted?

The other side effect of being online is that of spontaneity: an opportunity to act before thinking. Albert Einstein was right when he stated, “The difference between stupidity and genius is that genius has limits.”

Finally, there are recently added features that may weaken privacy, such as GPS built into mobile devices and several short-range, contactless data transfer protocols (e.g., Bluetooth).

Impact of the GDU on the Corporate Environment

Information security practitioners already deal with the convergence of scale and complexity by:

  • Adopting good practices and standards and then having independent audits
  • Improving their process capability assessment (using, for example, ISO 15504 and COBIT 5 for Information Security)
  • Collecting and analyzing diagnostics and metrics as well as deploying automation tools
  • Recruiting and developing motivated, knowledgeable and dedicated staff

All of these are desirable and, to achieve them, resources and effective governance are required. In the absence of dependable metrics and quantified business cases, these may not materialize.

The characteristics of the GDU behavior that are likely to lead to corporate information security problems include the following, all of which are hard to change:

  • The shifting boundaries between work and home life—Mobility has given the workforce the opportunity to work and play anytime, anywhere. People can be seen reading confidential corporate documents on their mobile devices on planes and trains and interacting on social networks in their offices.
  • Autonomy and independence—With limited guidance to assess the quality and security of electronic devices, individuals purchase devices that they like and use them as both personal and corporate devices (i.e., bring your own device [BYOD]).
  • Device owners with information security and data protection responsibilities—These include, for example, protecting access to the device; managing services, such as Wi-Fi and Bluetooth; not transferring sensitive data to cloud services unless authorized; and updating operating systems and other software. Unfortunately, such things may not be known to the individual.
  • A lack of personal engagement (the “I don’t care” syndrome)—This arises from having a job that is unfulfilling, does not provide opportunities for growth, lacks a clear purpose, or where management has little credibility and is not respected.[6]

The CISO and Corporate Challenges

The chief information security officer (CISO) may be in a similar situation to that which, around the year 1000, led King Knut of England and Denmark to show to his court that his powers were limited by placing his throne on the beach and ordering the tide to stop. He knew perfectly well this was not possible.

The CISO recognizes that rapid technical innovation (i.e., a technami) combined with scale, complexity and GDU behavior may have become another unstoppable tide. However, the CISO’s span of control is small.

The span of influence is not defined by organizational charts, but by the person’s soft skills. This will be effective only when it includes senior managers and is supported by the credibility of and trust in the CISO.

It is important that users are informed: “I know we have a CISO responsible for… .” However, the less informed (i.e., those asking: “What does CISO stand for? Do we have one? What do they do?”) may predominate in any big organization.

The CISO is also confronted with other corporate governance issues, in particular the pressure to do more with less,[7] driven by financial pressures on the enterprise. The problem is that measuring the value of security is hard and controversial, and the true cost of providing information security cannot be clearly defined because it is hard to know exactly what to count as a component of that cost. Therefore, all figures should be seen as rough estimates (or guesses). Information security metrics are underdeveloped and underused. Some of the metrics[8] are (controversially) not even useful, such as the return on security investment (ROSI), because it is not difficult to choose inputs that produce any desired answer.

Security is a corporate governance issue that includes areas of building awareness and, most particularly, the management of security policies. These policies figure prominently in all standards on the management of information security and are problem areas. The policies must be concise, easy to understand, maintainable, easy to implement and effectively monitored for compliance.

There are some simple answers to the creation of policies: download templates from a reputable source, buy templates from a commercial provider or engage consultants to develop them for you.

Using the excuse, “I never received a copy of the policy,” should not be acceptable. The practice of burying dozens of policy documents in a large corporate intranet and relying on individuals to look for and study the policies is certain to fail, but this has not stopped organizations from doing precisely that (it is, after all, cheap and quick). Open questions for which there is no universal answer include:

  • Should individuals acknowledge the receipt of policies?
  • Should this acknowledgement include the individuals’ commitment to adopt and follow the policy and accept the consequences of noncompliance?

Noncompliance does not apply when policies are considered optional and are put in place to satisfy the auditors (it happens). It has been said, “Never issue a policy that you are not able or willing to enforce.” This is sound advice.

Is There a Way Out?

There had better be, because innovations still to come are likely to be adopted with the same enthusiasm as recent ones. And, it is not possible to predict which ones will be successful.

Some organizations appear to have adopted controlled printers for sensitive information, although text on a screen can be photographed with a smartphone. Some highly secure organizations require visitors and staff to surrender their mobile devices prior to being authorized access to the building.

Attempting to reverse established practices such as BYOD and access to social networks during working hours, as well as working with sensitive data while traveling, is likely to encounter considerable resistance from the workforce.

Several governments have produced guidelines for the security of government-owned smartphones and tablets. Notably, in May 2013, the US Federal CIO Council and the US Department of Homeland Security issued a 104-page report.[9] Similarly, the French government Agency for the Security of Information Systems (ANSSI) published several guidelines relating to the mobile world (available only in French at present).[10]

Several professional bodies have also published guidelines, such as the Mobile Survival Guide for Journalists[11] and a brief note from Kroll Advisory Services.[12] Banks and other institutions are increasingly providing guidance on mobile security as mobile payments are on the increase.

Conclusion

This conundrum is centered on the concept of future shock[13] (i.e., the future arrives before organizations are ready for it) and on human factors: empowerment, the blurring of work/personal boundaries, and a huge wave of attractive technologies that are enthusiastically adopted before the consequences are considered and before appropriate measures are taken to secure the devices and the information they access and store (digital hygiene).

The emerging Internet of Things is expanding the boundaries where additional controls may be necessary to protect corporate information assets. Such situations also arose in the past. Change is challenging and requires leadership. This particular set of issues is complex because it involves several independent parties with incompatible objectives and may well be part of a “wicked problem,” in which each attempt at a solution is done with incomplete information and has consequences that transform the problem and/or create a new one.

Endnotes

[1] “Crapware” is the name given to software preinstalled in a device by its manufacturer or distributor that uses resources and does not perform any particularly useful function. Such software may be impossible to remove, and it may be difficult to agree what constitutes a genuine feature or just junk software.
[2] AppBrain, www.appbrain.com/stats/number-of-android-apps
[3] Costello, Sam; “How Many Apps Are in the iPhone App Store?,” About.com, http://ipod.about.com/od/iphonesoftwareterms/qt/apps-in-app-store.htm
[4] Science Museum, www.sciencemuseum.org.uk/broughttolife/people/ignazsemmelweis.aspx
[5] Lane Library, http://elane.stanford.edu/wilson/html/chap5/chap5-sect3.html
[6] Mind Gym, “The Engaged Employee,” http://uk.themindgym.com/the-engaged-employee-how-to-keep-your-people-flourishing-whatever-the-weather/
[7] Jireček, Konstantin Josef; “We, the unwilling, led by the unknowing, are doing the impossible for the ungrateful. We have done so much, for so long, with so little, we are now qualified to do anything with nothing.”
[8] Gelbstein, E.; “Quantifying Risk and Security,” ISACA Journal, vol. 4, 2013
[9] Federal CIO Council and Department of Homeland Security, Mobile Security Reference Architecture, USA, https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf
[10] Agency for the Security of Information Systems (ANSSI), France, www.securite-informatique.gouv.fr/gp_article712.html
[11] Verclas, Katrin; Melissa Loudon; Alix Dunn; Mobile Survival Guide for Journalists, Safer Mobile, www.aswat.com/files/Mobile%20Journalist%20Survival%20Guide.pdf
[12] Kroll Advisory Services, “Smartphone Security: Make the Most of Your Smartphone,” www.krollcybersecurity.com/media/MEM-054_Smartphone_Security.pdf
[13] Toffler, Alvin; Future Shock, Bantam, 1970

Ed Gelbstein, Ph.D., has worked in IT for more than 40 years and is the former director of the United Nations (UN) International Computing Centre, a service organization providing IT services around the globe to most of the organizations in the UN System. Since leaving the UN, Gelbstein has been an advisor on IT matters to the UN Board of Auditors and the French National Audit Office (Cour des Comptes) and is a faculty member of Webster University (Geneva, Switzerland). A regular speaker at international conferences covering audit, risk, governance and information security, Gelbstein is the author of several publications. His most recent book, Good Digital Hygiene—Staying Secure in Cyberspace, can be downloaded from www.bookboon.com. He lives in France and can be reached at ed.gelbstein@gmail.com.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.