Whilst it is true that information security has become a greater priority in the last two years, especially at board level, the threats have also increased substantially. Modern cryptography techniques and services can add substantial benefits to electronic business arrangements. These techniques can scramble data to avoid unauthorised disclosure, and also to ensure the integrity, authenticity and legitimacy of electronic communication records and computerised transactions. Whether or not businesses in the UK actually get this message still remains to be seen. There are robust, readily available solutions that can be used to protect electronic mail and these usually consist of two distinct elements that should be used in conjunction for truly safe practice.

1. Encryption This is the electronic equivalent of putting a message in an envelope (see Figure 2.1.1). It protects confidentiality and confirms for the recipient that the message has arrived in its original state without having been seen by an unauthorised person. Good encryption software ensures that information is only decrypted as and when needed, and then makes provision for the safe deletion of electronic messages. This would have the same effect that a shredding machine has on paper that needs to be destroyed.

2. Digital signature This is the electronic equivalent of signing and sealing a letter by hand (see Figure 2.1.2). It maintains the integrity, authenticity and non-repudiation aspects of an email in much the same way as a personal hand-written signature is proof of authorship of a letter. Digital signatures are an even greater guarantee of authenticity than their hand-written counterparts as they cannot be forged. An email that has been digitally signed ensures that the message cannot be repudiated or considered invalid (ie denied by the sender). Cryptographic techniques and digital signatures, though widely available for both private and business use and simple in concept, can nevertheless be technically difficult solutions to understand for someone with poor IT knowledge. This should not, however, deter users from further investigation; for with a little effort the solution will come to light. Misinformation or inadequate education of IT security (both in terms of possible solutions and knowledge of what constitutes the biggest threats to that security) go some way towards explaining the apparent reluctance to embrace the available technology.

Perceived barriers to securing email

Email encryption and virus detection software One of the biggest perceived problems regarding IT security faced by business users is the widely held belief that encrypted email messages would bypass anti-virus and contentchecking server-based software. This is exacerbated by the fact that the equally potent threats posed by hackers and viruses now frequently converge, the Code RedWorm (2001) being a good example of this. As such, the use of cryptographic tools is not as common as it should be.6 Companies frequently use as explanation for their failure to make adequate security provisions for email the fact that cryptographic technology has not been implemented because of the need to scan incoming messages for viruses and inappropriate content. Because of this confusion, many businesses have failed to protect their electronically transmitted information instead of aiming to find appropriate solutions. The simple fact that has been largely overlooked by the IT departments of most organisations is that anti-virus software and encryption techniques are actually compatible, and if this crucial misunderstanding were to be rectified, email users could enjoy far greater security and peace of mind. There is no reason why email users should be under the impression that serious vulnerability is something they must accept if they want to transmit information over the Internet. Anti-virus software is only rendered ineffective by encryption software when it is installed on a network server. When, on the other hand, the installation is made at desktop level, the two sets of software are fully complementary, which in conjunction with the firewall gives the user a sound level of security. There is a very wide range of anti-virus products available on the market, many of which are fully compatible with cryptographic techniques and which can be installed locally. In cases where the anti-virus software cannot be installed locally, the email rules inherent in encryption software are so flexible that users are able to determine which messages are encrypted and which are not. By combining the use of solid encryption techniques and careful rule-setting with modern, desktop-based, anti-virus software, comprehensive and effective control of email security would lie entirely, and independently, with the user.

Plugging the hole Rather than being baffled by the technology, businesses need to be clear about their security needs and to choose modern encryption software with good functionality that they understand completely. Businesses need to recognise that unprotected email is a risk. It is a vulnerability that cannot be fixed by a firewall installation or by anti-virus implementation. A security policy that does not address the open nature of emails is falling short of its purpose. Email usage is too prolific not to assign an appropriate level of protection to it. Its use will not diminish – it is here to stay – and legislation will dictate that businesses must apply sound security measures.

Web security Internet software was generally designed with security as an afterthought. Unfortunately the consequences can be disastrous, warns Sam Green of Zeus Technology.

History Security holes in business-critical software are a significant threat to organisations. However, vulnerabilities in Internet-related software can be disastrous. In a recent survey, respondents said that 70 per cent of their security attacks occurred through their Internet connection. Ironically, Internet software was generally designed with security as an afterthought. Networks were largely considered to be either private and therefore physically secure, or public and therefore inherently open. With the enormous growth in the Internet as a medium for business, this assumption is extremely dated; and coupled with a limited understanding of the requirements for truly securing an online offering, we are currently paying the price for a history of non-secure software design. In some areas this mindset still has not changed. For example, wireless local area networks (LANs) became popular and cost-effective in 2001, and with their rise in popularity it was only a matter of time before hacking tools for this medium were created. On 12 April 2001 ‘WEPcrack’ was released. WEP is the encryption method used to protect data sent across a wireless link, and through the use of WEPcrack an attacker can quickly compromise security on a network. WEP is a modern design, but it highlights the fact that software designers still see security as an afterthought.

The amount of private information transmitted across the Internet increases daily. It is now an integral part of most people’s lives, ranging from buying articles at Amazon on a credit card through to making money transfers and payments via an online bank. For businesses it is even more ingrained; organisations typically use the Internet to sell goods and services and to perform stock control via trusted links to supply chain partners. Potentially there are numerous reasons for the growth in security attacks; but one trend that is undeniable is the growth in the number and sophistication of hacking tools. Historically attackers required detailed understanding of the systems that they were attempting to compromise, and performing an attack could be a time-consuming operation. The sophistication of tools such as NMAP, BackOrifice and other similar tools has brought about a rise in the number of novice attackers (sometimes referred to as ‘script kiddies’). These attackers have very little understanding of system security, attack methods and avoiding detection; however, with modern hacking tools this is largely irrelevant. Statistics show that over 300,000 hosts were infected by Internet worms like ‘Code Red’ and ‘Nimda’ during the past two years. The cost of Code Red is estimated to be approximately US$2 billion, making it the second costliest outbreak ever (Information Security, September 2001). These two worms are not the only ones; in fact there is a long history of similar events. The first recorded Internet worm was released in 1988. It used a buffer overflow in the finger service on UNIX systems. Written by a student, this worm severely affected 6,000 systems and the entire Internet came to a near standstill. For many years, writing worms and viruses was a secret activity until Aleph One wrote an article called ‘Smashing the Stack for Fun and Profit’, which was published in Phrack magazine. His paper described in great detail how to exploit buffer overflow problems on a UNIX system. Many people started writing their own viruses and worms to attack other systems, especially open source software, because the source code was available and problems could be found by reading the code. In 1997 and 1998, almost weekly updates of widely used software like the mail server Sendmail were common. In 1999 the list of known exploits had continued to grow, but for the first time there were exploits aimed against Microsoft products.

Microsoft was shielded from these problems because the operating system and all its applications were written in a completely different style to applications for UNIX; and, at the time, Microsoft was largely focused on desktop operating systems or basic workgroup functionality rather than being a credible Internet server operating system – which had traditionally been UNIX hackers’ operating system of choice. There also was no source code available to read to find security vulnerabilities. Dildog’s paper on how to exploit Microsoft applications opened the door to many hackers. Initially it might have been harder to find weaknesses in Microsoft applications, but once they were found it was possible to use almost any functionality that the Windows operating system provided in order to spread the virus or worm. Because the process and security model in Microsoft’s operating systems was very easy to break into and exploit – coupled with the explosion in PC users – it quickly became very popular to write viruses and other tools to exploit all these weaknesses. Tools like Back Orifice and NetBus became very popular and allowed a large number of amateur hackers to create havoc on the general PCowning population.