Making the Right Choice:
Innovations in Internet Security

Author: Stephen Cobb

Status: Delivered at the following conference:

Internet Banking Technologies: Strategies for success in the retail banking market
ICM/THG, February 2, 1999, London

Summary: There has never been a shortage of security technology, but there is always a shortage of security technology that is fast and convenient enough, safe and cheap enough, for the latest wave of information system deployment. As we move to secure Internet-based information systems, making the right choice in security technology can be a critical factor in determining commercial success. If we look to past experience we can gain at least some insight into the right choices for an unknown future.

This paper focuses on the single most important security component in electronic commerce: authentication, without which it is impossible to implement effectively any of the other technologies, such as access controls (firewalls), computer misuse detection, or encryption. We will close with suggested directions for future developments and the growing pressure to improve security arising from legal and regulatory initiatives.

Assessing Likely Leaders

You are probably familiar with several different approaches to the subject of "likely leaders" in Internet security technologies. There is the review approach: a security product is reviewed by an industry publication and deemed to be a "promising," or even a "very promising," development for besieged IT managers, network administrators and data protection officers. There is the eye-on-the-IPO approach: a security product is reported to be very promising in terms that boil down to its potential to drive a successful stock offering, or drive up the market value of an existing stock (such reports may appear in a variety of media, thus seeming to come from multiple sources, when in fact they can all be traced to press releases issued by the company responsible for the product).

Unfortunately, these approaches tend to be short on input from the very IT managers, network administrators and data protection officers the technology is supposed to assist. While some publications make a point of getting quotes from IT managers, network administrators and data protection officers, these may not be as helpful as they at first appear. For example,
When asked if instant, accurate identification of users by means of this new finger-nail ridge analysis technology would be a helpful addition to the IT security officer's arsenal, Fred Smith, IT security manager for Megabank, PLC, said: "If it works as claimed and integrates smoothly at reasonable cost, then yes."

The Problem

Unfortunately, there is no easy solution to the problem identified above, that is, a shortage of large-scale, independent, real-world testing facilities for security technology implementations. A lot of publications and organizations can assess a desktop encryption and access control solution in isolation, or even on a small test network. But very few have the means to simulate something like the roll-out of such a solution to 10,000 users in five countries across ten time zones and three major platforms. Yet project parameters of this scale are typical for today's corporations.

A Different Approach

In an effort to provide practical assistance to besieged IT managers, network administrators and data protection officers, I am going to assess "likely leaders" in Internet security technologies in practical terms, based on real-world experiences such as the above. My conclusions may not be popular with those whose idea of security is heavily hardware-oriented (what we may refer to, if you will pardon a James Bond analogy, as the Q-Factor). However, I think my comments will help you formulate the right questions to ask as you evaluate new product offerings and try to map them to your needs as an increasingly Internet-based IT shop.

Preceding conference sessions have given plenty of information about a variety of developments in technology such as smart cards (Alan Leibert from Card Europe) and next generation Internet security products (Kevin Black from ISS and Steve Barnett from Checkpoint). I think our assessment of these or any other security technologies has to be grounded in this question "What is the underlying problem that we are trying to solve?"

We Are The Answer

The answer is people. Security is, after all, a people problem. Computers don't steal money, people steal money. With the exception of anomalies in certain operating systems that will remain nameless, computers don't trash data, people trash data. Computers don't write viruses, people write viruses. To put it another way, if security were a question of technology, then organizations could simply throw technology at the problem until it went away, but it wouldn't, because it isn't. Security is a people problem and the fundamental challenge to computer security is to identify who is using the computer.

Consider encryption, where debate about key length, strength, speed, and other measures of technical prowess is rampant. How many cases of computer fraud and abuse are based on, or even include, practical cryptanalysis? How many banks have lost money to the relative weakness of 56-bit DES, compared with what they have lost to every other kind of attack? We assert that the answer is few to none (any members of the banking community who wish to dispute this assertion with facts of which they are personally aware are very welcome to do so, preferably via encrypted channels).

Yet there are numerous documented cases of banks losing money despite the fact that their systems employed strong encryption. This typically occurs because of some form of collaboration between outsiders and insiders, and almost always involves weaknesses in authentication, the art and science of accurately identifying who is using the computer. Encryption is defeated whenever someone other than the intended recipient, the attacker, gets to read the message. The attacker can either use a form of cryptanalysis, such as a chosen-plaintext attack or brute force (typically complex and resource intensive), or impersonate the intended recipient (typically simple and easy to do).

Consider another "hot" security technology, the firewall. Essentially this is a specialized form of access control, and access control is currently the primary mechanism for securing computers and the data they process. A firewall controls the flow of traffic between two networks based on a set of rules, some of which are designed to allow different people to do different things. This simply does not work as a security technology if you don't have a reliable method of distinguishing between different people, something which requires, in many cases, accurate identification of actual people.

Consider the lessons of our real world penetration tests (current score: Targeted 50, Penetrated 50). One of the most productive avenues of approach when faced with a network protected by a firewall is to use what my colleague David Brussin refers to as "allowed path attacks." This is based on the fact that all firewalls, except the legendary "Air Gap" model, allow some traffic to pass through (a parallel observation is that virus code spreads because computers are designed to execute code).

For example, a firewall might be configured to serve up web pages containing forms and accept browser input from users of those forms. If you can find a weakness in the code that processes those forms, it may be possible to compromise the network on the other side of the firewall, because the firewall has to allow input to the web pages served up by the very system it is protecting. Even if the firewall is highly paranoid and only allows input from authorized users, it may still be vulnerable if someone can impersonate an authorized user. The same is true of network access controls.

Who's There?

Now consider the security of e-commerce and online banking. What would it take for you to gain illegal access to my Fidelity Investments account? My social security number and a four-digit PIN. Since social security numbers are not hard to obtain (for example, they appear on a lot of driver licenses and even show up on the web from time to time), guessing that PIN is all it takes. How many times can I guess wrong before I am locked out? Too many. Think about how long it would take me to gain access to your account if I simply had access to your computer: not long at all. Suppose I am an unethical network administrator at a large company where a lot of people do Internet banking over the company's Internet connection. How quickly could I build a collection of account number/PIN combinations? Much too quickly.
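To put numbers on "too many", here is an added example in Go, not part of the original paper, that models the check just described: an account identifier the attacker already knows plus a four-digit PIN, tried against a server with and without a lockout rule. The lockout parameters, the account population and the attacker's list of likely PINs are all constructed for the example, and the type and function names are the example's own. It shows that with no lockout the whole 10,000-PIN space is reachable over the wire, and that a lockout rule stops single-account brute force but leaves the attacker free to spray a handful of likely PINs across many accounts while staying under the limit on each, which is why a four-digit PIN stays weak even once a lockout is in place.

```go
package main

import (
	"fmt"
	"time"
)

// Account models the check in the paper: an identifier the attacker already
// knows (the SSN) plus a four-digit PIN. Constructed example, not Fidelity's.
type Account struct {
	ID          string
	PIN         string
	Failures    int
	LockedUntil time.Time
}

// Policy is the server's lockout rule: after MaxFailures consecutive wrong PINs
// the account refuses every attempt for LockFor. MaxFailures <= 0 means no
// lockout at all, the "too many" situation the paper complains about.
type Policy struct {
	MaxFailures int
	LockFor     time.Duration
}

type Outcome int
const (
	Denied Outcome = iota
	Granted
	Locked
)

func (p Policy) Attempt(a *Account, pin string, now time.Time) Outcome {
	if now.Before(a.LockedUntil) {
		return Locked
	}
	if pin == a.PIN {
		a.Failures = 0
		return Granted
	}
	a.Failures++
	if p.MaxFailures > 0 && a.Failures >= p.MaxFailures {
		a.LockedUntil = now.Add(p.LockFor)
		a.Failures = 0
		return Locked
	}
	return Denied
}

// BruteForce is the online attacker against one account, trying 0000 to 9999 in
// order at one guess per second. It reports success and how many guesses the
// server took before granting access or locking the account.
func BruteForce(p Policy, a *Account) (success bool, guesses int) {
	now := time.Unix(0, 0)
	for i := 0; i < 10000; i++ {
		guesses++
		switch p.Attempt(a, fmt.Sprintf("%04d", i), now) {
		case Granted:
			return true, guesses
		case Locked:
			return false, guesses
		}
		now = now.Add(time.Second)
	}
	return false, guesses
}

// Spray is what a lockout rule pushes the attacker towards: a short list of
// likely PINs tried against many accounts, staying under MaxFailures on each.
func Spray(p Policy, accounts []*Account, guesses []string) []string {
	now := time.Unix(0, 0)
	var opened []string
	for _, a := range accounts {
		for _, g := range guesses {
			if p.Attempt(a, g, now) == Granted {
				opened = append(opened, a.ID)
				break
			}
		}
	}
	return opened
}

// ConstructedAccounts is a made-up population whose PINs include a few weak
// patterns; CommonGuesses is the attacker's made-up short list, not a measured table.
func ConstructedAccounts() []*Account {
	return []*Account{
		{ID: "acct-001", PIN: "1234"}, {ID: "acct-002", PIN: "8317"},
		{ID: "acct-003", PIN: "0000"}, {ID: "acct-004", PIN: "4926"},
		{ID: "acct-005", PIN: "7777"},
	}
}
var CommonGuesses = []string{"1234", "0000", "7777", "1111"}

func main() {
	lockout := Policy{MaxFailures: 5, LockFor: 24 * time.Hour}
	ok, n := BruteForce(Policy{}, &Account{ID: "t", PIN: "8317"})
	fmt.Printf("no lockout: success=%v after %d guesses\n", ok, n)
	ok, n = BruteForce(lockout, &Account{ID: "t", PIN: "8317"})
	fmt.Printf("lockout after 5: success=%v, locked after %d guesses\n", ok, n)
	fmt.Println("spraying opened:", Spray(lockout, ConstructedAccounts(), CommonGuesses))
}
```

Run as written, the no-lockout attacker gets in on guess 8318 (the whole space takes under three hours at one guess a second), the lockout stops the same attacker after five guesses, and the four-PIN spray opens three of the five constructed accounts without ever triggering a lock. The lesson is the paper's: lockout is necessary but it does not turn a four-digit secret into a strong one.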

This current state of affairs is clearly unacceptable, even if the rate at which people are taking up online banking and shopping looks good when expressed as a year-on-year growth rate (it is entirely possible for things to be going so well that you fail to see how much better they could be going). There are holes in the infrastructure and I have no doubt that they will become a problem if they are not dealt with. Already we see online merchants struggling with massive chargeback problems, where online orders are repudiated. The current infrastructure provides very little as far as non-repudiation is concerned.

The existence of these holes in the e-commerce infrastructure might come as a surprise to people who see the "encrypted" icon in the corner of their web browser. Surely the browser-server connection is protected when this icon appears? It is, as far as eavesdropping goes, but the most widely used security protocol on the web, SSL, is typically deployed in a way that encrypts the connection and authenticates the server while doing nothing to authenticate the person at the browser.

For example, when someone requests entry to the Fidelity Investments web site, the Fidelity server establishes an SSL session so that the information passed between server and browser is encrypted. This can be either the relatively weak 40-bit encryption or the relatively strong 128-bit (it is telling that 128-bit is not a requirement). But there is relatively weak assurance that the someone requesting access is the person they claim to be. They can be anyone who knows the right set of numbers, which are, as we have stated, not too hard to determine. Without the use of better authentication, SSL is rather like an armored car doing secure door-to-door deliveries to fake banks. If I question an online transaction on my Fidelity statement, what basis does the company have to prove that I was the person who initiated the transaction? All they know is that somebody who knew my social security number and PIN issued certain instructions at a certain time. It is very easy to deny it was me.

What would constitute better authentication? The use of digital certificates is a step in the right direction, but the vast majority of online banking and shopping sites do not currently require them. Furthermore, unless there is a serious attempt to bind the certificate to the assured identity of the holder, then the certificate becomes just another layer of spoofing between the unauthorized user and the target data.

What Would Work?

Here is where I think we are headed: a physical device that securely stores a private key, together with a verified digital certificate that ties the key to one individual, and that will only operate for that individual when he or she is physically present with the device. In other words, a combination of biometrics, encryption, and smart card/token technology.

I sit down at a computer and point the web browser to the Fidelity Investments site. I click on the Access My Account button. I am prompted to present my smart token to the reader that is built into the keyboard. The web site interrogates the token and prompts me to touch it with my thumb. At that point I have access to my account. When I issue the command to pay a bill electronically, it is accompanied by the brief touch of my thumb as confirmation.
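The exchange sketched above, and the non-repudiation gap described earlier (the bank can say only that someone who knew the social security number and PIN issued the instruction), as an added example in Go that is not part of the original paper or any vendor's product. The token holds an ECDSA private key and will sign only after a simulated thumb touch, one signature per touch; the bank keeps the enrolled public key (standing in for the verified certificate), issues a fresh nonce for each transaction, and verifies a signature over nonce plus instruction, so it ends up holding evidence tied to a key only the customer possesses. The names Token, Bank, RunScenario and the payment instruction are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token stands in for the smart token: a private key that never leaves the
// device and signs only after a local thumb touch (a flag here, not a real
// fingerprint check). Each touch authorises exactly one signature, so a
// compromised host cannot have the token sign in the background; Sign returns
// nil, refusing, if the holder has not touched it since the last signature.
// Constructed example, not the author's or any vendor's code.
type Token struct {
	priv    *ecdsa.PrivateKey
	touched bool
}

func (t *Token) Touch() { t.touched = true }

func (t *Token) Sign(msg []byte) []byte {
	if !t.touched {
		return nil
	}
	t.touched = false
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Bank holds the enrolment record (customer -> public key), the role the
// verified certificate plays in the paper, and one live challenge per customer.
// It checks possession of the key, not knowledge of an SSN and PIN.
type Bank struct {
	enrolled   map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

// Challenge issues a fresh 128-bit nonce, so a captured signature is worthless
// later: the nonce it covers is never issued again.
func (b *Bank) Challenge(customer string) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	b.challenges[customer] = nonce
	return nonce
}

// TransactionMessage binds the nonce to the exact instruction, so a signature
// authorising "pay 250" cannot be moved onto "pay 2500".
func TransactionMessage(nonce []byte, instruction string) []byte {
	return append(append([]byte{}, nonce...), "|"+instruction...)
}

// Verify checks the signature over the live challenge and the instruction the
// bank is about to execute, then retires the challenge. The stored signature is
// the bank's evidence if the customer later disputes the payment.
func (b *Bank) Verify(customer, instruction string, sig []byte) bool {
	pub, ok := b.enrolled[customer]
	nonce, live := b.challenges[customer]
	if !ok || !live {
		return false
	}
	delete(b.challenges, customer)
	h := sha256.Sum256(TransactionMessage(nonce, instruction))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// ScenarioResult records what the bank accepted; only Legitimate should be true.
type ScenarioResult struct{ Legitimate, Replayed, Altered, SignedWithoutTouch bool }

func RunScenario() ScenarioResult {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tok, cust := &Token{priv: priv}, "customer-1"
	bank := &Bank{map[string]*ecdsa.PublicKey{cust: &priv.PublicKey}, map[string][]byte{}}
	instr := "pay 250.00 GBP to payee 4471" // constructed instruction
	var r ScenarioResult
	nonce := bank.Challenge(cust) // normal flow: challenge, touch, sign, verify
	tok.Touch()
	sig := tok.Sign(TransactionMessage(nonce, instr))
	r.Legitimate = bank.Verify(cust, instr, sig)
	r.Replayed = bank.Verify(cust, instr, sig) // challenge already retired
	nonce = bank.Challenge(cust) // user authorises one payment, a tampering
	tok.Touch()                  // host submits a different one
	sig = tok.Sign(TransactionMessage(nonce, instr))
	r.Altered = bank.Verify(cust, "pay 2500.00 GBP to payee 9999", sig)
	r.SignedWithoutTouch = tok.Sign([]byte("anything")) != nil // no touch: refused
	return r
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The point of the design is what the bank can later show: not "somebody who knew two numbers logged in", but a signature over this nonce and this instruction that only a key inside the customer's token could have produced, and that the token would not produce without a touch. Replaying the signature fails because the challenge is retired, moving it to a different payment fails because the instruction is part of what was signed, and a silent request from a compromised host fails because the token refuses to sign without user presence.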


Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).