The Bulletin, issue no.4
By Ian Pearson and Rohit Talwar, August 2009.
Future Security Issues
As we look beyond the current downturn, we believe that security is going to raise its head as a multi-dimensional issue for nations, organizations and individuals. Over the next few editions of the bulletin we will explore a number of critical aspects of these future security threats. In this issue, we start by focusing on two increasingly important and somewhat overlooked dimensions of the security challenges associated with information and communications technology – policy and hardware threats. These will have impacts at every level in society from securing personal information through to protection of the data that is the lifeblood of national economies and critical infrastructure.
Policy-based threats
Perhaps counter-intuitively, we believe that overzealous organisational security policies could be an ever-increasing and potentially serious source of risks and threats in their own right. Human nature drives employees to attempt to bypass procedures that get in the way of doing their job. If they want to access something forbidden by a security policy, they are likely to step outside of the secured domain by using their own equipment, or by being devious. In the extremes, staff can end up doing a lot of their work on their own equipment rather than use that provided by the organisation. For example, we recently met the marketing department of a major global consumer products company which is not allowed to download the many daily attachments sent to them by their various agencies. Productivity and efficiency are seriously hindered as staff have to download the documents via their personal email at home and then ask the IT department to load them onto the network for their colleagues to review. It can take 48-72 hours before the marketing team can all have access to a key document. As a result of these everyday workarounds, employees’ work may be conducted substantially outside the influence of any security controls that exist.
A wiser approach is to work with the employees to understand the nature of their work and interactions with the outside world. This allows us to establish a cooperative policy that staff will adhere to willingly – instead of trying to impose one that they are likely to be tempted or compelled to ignore or bypass. Additionally, if a policy is too tight, but staff are nevertheless forced to follow it by some means, it might have the result of reducing performance and productivity. If it is too hard to do the job, it will take longer or not happen at all. This is obviously a threat to the wellbeing of the organisation, making it unproductive, uncompetitive and possibly threatening its existence. A policy designed to protect a company should clearly not threaten the ability of the company to function efficiently by impeding the ability of staff to do their jobs well. A more sensible security policy is one that provides strong protection for key intellectual property and essential systems, but is more flexible in other areas. Staff should be trusted to do their jobs responsibly, with good management and, if necessary, disciplinary procedures to encourage compliance with ‘common sense’ and good business practice. Given greater freedom and clearly sensible boundaries, most employees respond with responsible behaviour.
Hardware-based threats
Concern is beginning to increase because most virus protection applications only check for software-based viruses. However, it is possible to build increasingly dangerous hardware-based attacks, using what are known as ‘field programmable gate arrays’ (FPGAs) to build custom hardware that interfaces directly with other equipment and bypasses software virus security checks. Although this is seen as a relatively new phenomenon, it is likely to grow as a problem, driven by improvements in design tools and the increasing availability of powerful, yet small devices.
Another hardware threat arises from the deliberate introduction of malicious algorithms into the hardware during the design or manufacturing processes. It is quite possible to design hardware that achieves all its legitimate requirements but which also has hidden circuitry that only comes into play when a particular instruction is received or a specific set of circumstances arises. These viruses can go undetected because hardware testing can only make a finite number of tests while there are an infinite number of ways in which these ‘back door’ viruses can be added invisibly into circuit designs. To make the problem even more difficult to address, circuits that appear to be quite innocent might also be part of a larger malicious circuit or algorithm that is only triggered when other devices or software applications are brought into play. Such jigsaw approaches can be impossible to test for. These ‘sleeper circuits’ could already be waiting in millions of machines, only coming into play when the final piece of the jigsaw is introduced via accessing a superficially benign web site or an otherwise innocent-looking email.
The next hardware-based threat to consider is that posed by personal data storage devices. Memory sticks are improving rapidly in capacity. Although at home, people may have large volumes of music or video files that would not fit on today’s memory sticks, the sticks are able to store all the files a typical employee uses in everyday office work. They present an obvious and direct security threat if employees use them to store confidential data, since they are easily lost, forgotten, or left in someone else’s USB port. They are also a good vehicle for viruses to cross between machines, though most virus management software attempts to protect against such problems. Some large companies prevent their computers from accepting memory stick connections because of this, but they are also disadvantaged because they lose all the benefits that memory sticks bring. This is a good example of a trade-off between work flexibility and risk management. As memory sticks continue their increasing penetration into every area of our lives, it will become necessary to have security policies that accept this use and work around it.
Miniaturisation is the next and growing area of concern. Ongoing technology advances are making it increasingly possible to do very sophisticated things with tiny gadgets. Putting a microscopic surveillance device into a piece of office equipment might allow signals to be intercepted and recorded during printing or scanning tasks. Such devices could then sit quietly until their owner removes them for subsequent downloading. Such miniaturisation will make corporate espionage easier. In fact, as devices get smaller and smaller, there will come a time where ‘smart dust’ (nanoscale electronic sensors and computing devices) becomes so tiny that individual devices could be too small to be seen by the naked eye, making it almost impossible to detect them. Since such devices could be largely passive, and only respond to particular types of signal, they might be hard to detect even electronically.
Finally, every year, new devices will appear that add to the range of potential gadget-based threats. We are only a few years away from being able to incorporate almost any kind of IT function into small pieces of jewellery. For example, by 2015, it is likely that a small electronic lapel pin will be able to act as a personal wireless web site/blog/ego badge. These devices will broadcast information about their owner into the nearby space and interact with badges worn by other people for social or business networking purposes. It might simultaneously act as a phone, processor, tracker, security badge, music player, video camera and perhaps many other things too. Size and shape will be no constraint on function in the future. Staff will not expect to have to leave personal devices like this behind when they go to work. So companies will have to build security systems that can cope with very high levels of personal electronic functionality, with all the potential for malicious presence on those devices.