Wednesday, April 25, 2012

Information Security: The Digital Frontier
Samuel Warren
IS 461- Information Security Overview
Professor Dan Morrill
March 9, 2011

In the early days of the United States of America, there was a vast amount of unexplored land. This land did not really have any hard and fast boundary line, such as a wall. At different points, though, the boundary was a clear marker for those who knew it. The boundary line was often referred to as the “frontier.” The American frontier brought with it promise and fear. Promises of wealth, the joy of discovery, and the excitement of the unknown were all wrapped up in the minds of the people who thought about it. For some, it would mean adventure; yet, to others it would spell too much change. Much like the physical frontier many of the early settlers faced, there is a new frontier within the digital world. Just like the frontier of old, this digital frontier has many challenges. These challenges vary and are potentially costly. Like the Marshals of old, Information Security professionals work the towns and provinces along the frontier. They defend those who seek to interact with their favorite shops, sites, and social circles from the criminals attempting to exploit, maim, and injure those places. This paper examines the battles and obstacles faced by Security professionals, the tools they utilize, and the rules they follow.
Ethics of Information Security
Undoubtedly, there are many reasons why someone would willingly choose to be a Marshal on the digital frontier. For some, there is a deeply profound sense of self-worth derived from helping others. Others may simply want a way to hack and exploit without fearing repercussions. Still others may choose to go into Information Security for the money. Whatever the reasons, the Marshals all have a code. The code they follow is, in today’s terminology, referred to as ethics. According to Dictionary.com, ethics is described as “a complex of moral precepts held or rules of conduct followed by an individual: a personal ethic.” These rules of conduct make up the basis for every part of the profession. They define not only the rules of interaction between customers and the professionals, but also what is unprofessional. It is the job, then, of the security professional to understand what is ethical. Most people, if only at a subconscious level, have an understanding of right and wrong. This understanding is what tends to drive professionals away from illegal practices and towards healthy interactions with their customers. For example, doctors have a basic understanding that they should not harm their patients, unless it is only to make healing easier. For a doctor to enjoy hurting, maiming, and permanently damaging people physically is not only ethically wrong, but also contrary to the very reason many doctors begin practicing. Additionally, doctors who do cross ethical boundaries, when discovered, run the risk of losing their ability to practice medicine. The years of hard work and the thousands of dollars paid become worthless.
With the digital frontier expanding, it becomes even more important for those who protect and preserve to share a common view of ethics, despite differing in their goals and places of employment. A tremendous advantage of working on the digital frontier is the ability to learn and grow one’s understanding of ethics. Oftentimes, one can see a bleed-over of ethics from what is or is not considered ethical in other fields.
It is very easy to identify a grouping of domains that are distinct in themselves but that nevertheless share a concern with an overlapping set of ethical problems. All of these can be seen as contributors to a broader information ethics. Discussion of information ethics in the discourse of information science has tended to grow out of discussion of the ethics of librarianship. But media and press ethics, computer and internet ethics, and also the ethics of governance and business concern themselves with, amongst other issues, most of the same ground as the ethics of librarianship. (Sturges, p. 242, 2009)

With such commonality among ethics broadly, one could study ethics in general, learn a basic understanding, and then focus on the specifics of Information Security. Ethics is the badge that the Marshals on this frontier share; it is the creed that drives them. Like all creeds, it has to be rigid, enduring, and balanced enough to speak to every possible area. While there are a myriad of professions, Sturges (2009) indicates that because of what Information Security professionals protect, namely information, there is a huge advantage: relative ease in comprehending the relevant ethics. To protect information, we must also know how the information is likely to affect people if it were to get out. We need not know the exact details of the information, but rather its type and quality.
Technology
Understanding of ethical practices is like the software of a computer. The tools of the profession are like the hardware that runs the ethics software. Without hardware, a computer does not exist. Yet the tools used by Information Security professionals today will not be the same in the near future. On the frontier, Marshals used firearms, horses, shovels, and jails, all tools which were necessary to keep evil-doers from stirring up fear and creating havoc. The tools used today are most often employed only to the extent that they are not too costly. The major problem with the use of the tools is that too many business managers see Information Security as a kind of insurance costing more than it is worth, until something happens. Some tools currently in use provide add-on support; some are simply tests using a few complex code scripts. The most common tools are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). However, most people outside the Security industry recognize systems such as firewalls, anti-virus protection, and malware protection. These systems are good to an extent. However, if the information is not coded to the extent that it can stand up on its own against attacks, they are not good enough.
The policy of coding, the methodology of testing, and the very understanding of what the technology is and how it works are at the heart of security. Unless developers begin to utilize smart coding practices and spend deliberate time looking for ways to improve their code, an increasing number of holes needing to be filled will appear. Unfortunately, our business world is an expansive, demanding, rapidly-paced machine. The demand for new products in a shorter time is something with which many developers are very familiar. Add to that the ever-increasing knowledge base of criminal hackers, and the hole in the security only grows larger.
Given the ever increasing sophistication of attacks, developing and monitoring secure products have become increasingly difficult. Despite the wide-scale [sic] awareness of common security flaws in software products, e.g., buffer overflows, resource exhaustion, and structured query language (SQL) injection, the same flaws continue to exist in some of the current products. The objective of this paper is to introduce a technology-agnostic approach to integrating security into the product development lifecycle. (Gupta, Chandrashekhar, Sabnis & Bastry, p. 21, 2007)
The authors go on to emphasize the need to build security into each piece of any solution that is developed. However, it needs to be more than that if security professionals are to be able to close the gap between technology and security more effectively. Even if one is able to account for all of the most common problems today, as long as humans develop code and humans review it, there will be a possibility of holes in the security. The tools, while expensive at times, are the best chance the Marshals of the digital frontier have to lessen the impact of the holes. The tools used are very important, but they face the ever-changing landscape of the digital frontier.
Additional Challenges  
Just as the frontier in the United States quickly changed, the digital frontier is rapidly expanding. This presents a problem for many areas, such as the infrastructure, methods, tools, and change management. Where once a cloth-covered wagon was good enough to transport the early settlers, today there is a wide array of choices, from automobiles to airplanes. On the digital frontier, implementing a solution to a given problem requires continuing education concerning the potential risk associated with the chosen solution. In many cases, a company could implement multiple solutions for the same problem, which makes determining the best and most cost-effective one much harder. If, for example, a company needs to be able to post pictures and blog articles to the web, one could put everything into a pre-made content management system (CMS), such as Drupal or WordPress. One could also use a custom-built system, more tailored to the specific needs of the organization. Where once custom CMSs were more prevalent due to the lack of standardization, the companies responsible for the creation of the WordPress and Drupal tools decided they would undertake the daunting task of creating a one-size-fits-all system. The challenge for Information Security professionals is determining the size and severity of any risks that may exist in those systems. That is just one example of the kind of changes that happen every day on the digital frontier.
Another important challenge is the constant need to remain in compliance. Depending on the field, there may be one area of compliance or many. For example, a successful health-care facility that accepts debit and credit cards online would need to be Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act (SOX) compliant. Staying compliant in just one of these areas is very time consuming, but staying compliant in all three is a challenge rivaling the creation of the new towns on the frontier. The issue is that the produced technology does not always lend itself to easy modification for compliance’s sake.
Additionally, technology frequently lacks transparency, creating an additional layer of obscurity for those seeking to monitor business operations and compliance inside and outside the firm. By technology's operation—the perfect way in which its rule-based systems exclude some factors and include others—it can render the choices and metrics embedded in compliance systems by private third parties invisible to regulators. (Bamberger, p. 676, 2010)
Perhaps the reason technology lacks transparency is the desire to keep the code confidential to prevent theft or duplication by other developers. It could also be that some of the programs and internet pages that are created now are so complex in their different elements that they are incredibly difficult to read! As developers begin to code a project, especially those projects dealing with compliance, they must be aware of the need to code transparently enough to be read by those needing to regulate the code. However, criminals on the digital frontier are expecting this; they develop tools to sniff out specific programmatic loopholes. A great example is the use of WiFi products. Many WiFi products, especially gateway routers to the internet, are left unsecured by the end users. For one reason or another, they do not take the time to set up simple security, or their ISP does not give them the tools to set it up. Unbeknownst to them, their WiFi routers are compromised by someone sitting in their driveway with a laptop. This was the case for a man in Sarasota, Florida:
What happened to Malcolm Riddell should not happen to anyone — but it can and does, and that's the cautionary tale shared by the Florida man, whose garden-variety wireless Internet signal was "stolen" by a criminal to distribute his library of more than 10 million child pornography photographs. (Choney, 2011)
This story also illustrates the need for education of the end user. While Information Security professionals are not necessarily responsible for educating every end user, there is a definite need for more transparency. This situation is commonplace among those who are not technologically savvy, such as the elderly or those who do not take the time to read about what they are purchasing. While it really is the end user’s responsibility to protect themselves from this occurrence, it could be argued that it is the responsibility of the developers to make it more understandable, and the job of the Information Security professional to keep the business side of the organization aware of the risks associated with their request.
Summary
The office of Information Security on the digital frontier is much like the Marshals of the “Wild West,” also considered the “frontier” of its day. The code of justice, the tools, and the challenges all make up what we know as the role of an Information Security professional. Much like the work of larger-than-life heroes such as Wyatt Earp, the industry is dangerous. However, this is a different kind of danger: danger that is not a direct threat to life or health, but one that could have a severe impact on the very identity of the victim. Understanding the ethics associated with Information Security and the consequences associated with non-ethical practices is a huge portion of the job. Another is mitigating risk in an ever-changing tidal wave of technology; add to that, the need to manage small budgets while maintaining the best possible protection is at the forefront of every digital Marshal’s mind. With a wide variety of regulatory issues, ranging from how credit card information is transmitted to how one deals with health information, the Marshals on the digital frontier have their hands full. However, it should be the goal of every professional in the trade to enlist the help of every end user to make the gap in security much less pronounced. While it is not the job of the security professional to train all end users how to send their information in a secure manner, making the tools they use simpler, and at the same time more secure, is a challenge that needs to be undertaken.

References
Bamberger, K. A. (2010). Technologies of Compliance: Risk and Regulation in a Digital Age. Texas Law Review, 88(4), 669-739. Retrieved from EBSCOhost.
Choney, S. (2011, March 9). Is a criminal using your Wi-Fi? Digital Life [News article]. Retrieved March 14, 2011, from Msnbc.com website: http://digitallife.today.com/_news/2011/03/09/6227119-is-a-criminal-using-your-wi-fi
Chong, S., Liu, J., Myers, A. C., Qi, X., Vikram, K., Zheng, L., & Zheng, X. (2009). Building Secure Web Applications with Automatic Partitioning. Communications of the ACM, 52(2), 79-87. Retrieved from EBSCOhost.
ethics. (n.d.). Dictionary.com Unabridged. Retrieved March 10, 2011, from Dictionary.com website: http://dictionary.reference.com/browse/ethics
Foreman, P. (2010). Vulnerability management [Books24x7 version]. Available from http://common.books24x7.com.proxy.cityu.edu/book/id_30514/book.asp
Gupta, A. K., Chandrashekhar, U., Sabnis, S. V., & Bastry, F. A. (2007). Building secure products and solutions. Bell Labs Technical Journal, 12(3), 21-38. doi:10.1002/bltj.20247
Sturges, P. (2009). Information Ethics in the Twenty First Century. Australian Academic & Research Libraries, 40(4), 241-251. Retrieved from EBSCOhost.
