Introduction
In the age of hacktivism, malware and cyber-warfare, increasing numbers of publications are being produced by computer security specialists and systems administrators on technical issues arising from illegal or inappropriate on-line behaviours. Technical advances - in the ability of information systems to detect intrusions and denial-of-service attacks, and to enhance network monitoring and maintenance - are well documented and subject to constant research and development.
To date, however, there has been limited research into a range of other issues impacting on information systems (IS) security and its management. From a forensic computing (FC) perspective IS security management emerges as part of a much broader debate on the risks and challenges posed by digitalisation for legal, technical and social structures (Broucek & Turner, 2001a, 2001b). This perspective highlights that IS security management cannot be addressed by technical means alone. Indeed the development of effective security management relies on recognition of the need to balance a complex set of technical, legal and organisational issues (Lichtenstein & Swatman, 2000).
This chapter explores one of these issues, "user education", and identifies its relevance for, and interrelationships with, other IS security management issues. This exploration is conducted through an examination of the two most common Internet applications used in organisations: electronic mail (e-mail) and World Wide Web (WWW) browsers. By identifying common security weaknesses in both types of applications, the chapter examines how the security management problems are compounded by common online user behaviours. Retaining an FC perspective, the chapter makes recommendations for improving IS security management.
Part One
At a technical level, systems administrators are very aware of the security risks and security weaknesses prevalent in Internet applications and, in particular, in e-mail and WWW browsers. Significantly, while technical solutions are available (at a cost) to alleviate most of the major security challenges, the manner in which most users continue to utilise these applications compounds organisational IS security problems. While technical responses may be able to treat some of the symptoms of inappropriate and/or illegal user behaviours, they do little to treat the causes of these or future problematic behaviours (Broucek & Turner, 2002b). The focus here is on "user education"; however, it is important to note that most technical solutions employed to detect intrusions and denial-of-service attacks, and/or to engage in network monitoring/maintenance, are not currently designed to collect forensic data (Broucek & Turner, 2002a).
As a result, user education about security risks and weaknesses must be treated as an important element in developing effective IS security management practices. For the purposes of user education about security management issues in an organisational context, users can be categorised in three major groups:
- Employees lacking awareness of the implications of their online behaviours for organisational security;
- Employees who are security conscious but who, in taking steps to protect their on-line privacy, remain unaware of the implications of these behaviours for organisational security; and
- Employees who may deliberately exploit technical and managerial weaknesses to engage in inappropriate and often illegal online behaviours.
For all three types of users, targeted education, training and raising awareness emerge as critical to minimising these risks and improving IS security management practices and policies.
The following section examines some of the major security weaknesses of e-mail, their relationships with employees' online behaviours and their implications for IS security and employees' privacy.
Electronic mail (e-mail) has emerged as a major communication tool in academic, business and social environments. However, e-mail - or more technically Simple Mail Transfer Protocol (SMTP) as defined by RFC821 (Postel, 1982) and the proposed new standard RFC2821 (Klensin, 2001) - remains inherently insecure as a communications medium. As a result e-mail per se is not suitable for the transfer of any information that has to be kept secret. Significantly, most employees and many corporate managers remain unaware that e-mail, unless encrypted, is transferred in plain text, and that during its transfer from sender to receiver it passes through numerous computer systems that could provide points of access to the content of the e-mail. More worryingly, most e-mail systems in use still deploy the very efficient, but simple, Post Office Protocol version 3 (POP3) (Myers & Rose, 1996). In most instances POP3-based e-mail clients send passwords in clear, unencrypted text across computer networks, thereby enabling sniffing/spoofing type security breaches. Although partial solutions for both these weaknesses are available in the form of the TLS/SSL capabilities of e-mail clients (Hoffman, 1999; Newman, 1999), their acceptance is very slow and often hindered by the lack of support for such capabilities in common e-mail software. For example, the version of the SMTP daemon sendmail distributed by Sun Microsystems with their operating system Solaris 8 does not support TLS/SSL.
These security weaknesses are further compounded by the fact that, as has often been observed, many employees do not bother to have separate passwords for e-mail and other systems that they use in the course of their work. This "one password for everything" approach means that POP3 e-mail client sniffing/spoofing type security breaches may become access points for all organisational information systems.
Awareness of these security weaknesses in e-mail has led many systems administrators to enhance security and restrict access to organisational e-mail systems. From the user's perspective this has led to the perception of organisational e-mail systems as being "unfriendly." This is mainly because these systems tend not to be accessible outside the organisational "firewall" and/or because organisational policy prohibits their utilisation for private communications. As a result of the increasingly important social dimension to e-mail usage, most employees solve this "problem" of lack of anytime/anywhere access to e-mail by subscribing to one of the numerous free Web-mail services, e.g., hotmail.com, yahoo.com, excite.com, etc. This user response to the need for e-mail access introduces further risks for organisational IS security management.
As was mentioned above, the tendency of employees to adopt the "one password for everything" approach means that the same password is used on organisational e-mail systems as well as on private Web-mail accounts. This dramatically increases the possibility of password sniffing/spoofing type security breaches. Web-mail services also appear susceptible to a higher incidence of direct or double-click attachment-based viruses that can easily migrate to the organisational information systems as a result of employee online behaviours. More significantly, most of these free Web-mail systems also allow the checking of POP3 e-mail accounts. Employees using these services are rarely aware that in doing so they may be allowing unauthorised access to organisational information.
From the authors' own experiences in network administration within a university environment, it is evident that more than 70% of current students opt for a free Web-mail account in addition to their university e-mail accounts. From class discussions the main reason given by students was the concern that university administrators could gain access to their university e-mail accounts, making them concerned that their personal e-mail would be read. Following open discussions of the security weaknesses and risks of Web-mail accounts with a class of 30 postgraduate students, all but one opted to stop utilising Web-mail and to use the University e-mail system, which provides POP3 access internally and SSL-protected Web-based access from outside the university firewall.
Finally, it is also worth noting how, at a time when legal principles providing for privacy and data protection in the on-line environment have become increasingly common and users' privacy expectations have continued to grow, there has been an exponential growth in inherently insecure digital communications that provide individuals with little or no privacy (Broucek & Turner, 2002b).
WWW Browsers
Web browsers, like e-mail, have become central to the development of the information age. But they also exhibit many security weaknesses that combine with users' online behaviours to compound IS security management problems. These include:
- Web browser history and cache files being kept on local drives: Generally users are unaware of this and of its implications for their privacy, including the ease with which the sites they have visited can be viewed. This problem becomes even more significant for privacy in environments where computers are shared;
- Extensive use of cookies: This is problematic because many sites now do not work if cookies are disabled in browsers. This raises issues not just of user privacy, but also because organisational information is disclosed through the TCP/IP address and through other details available from browsers;
- Possible disclosure of information about the computers running the browsers: The majority of browsers, if not "hardened," enable the collection of information about themselves and the underlying software and hardware they run on. This can be used by hackers for collecting information about computers and software. This "fingerprinting" generates information that can subsequently be used to find system vulnerabilities that hackers can exploit to hack into these systems;
- Corporate users assuming that being behind a corporate firewall/cache/proxy means that their true identity is not exposed to browsed Internet sites: This is often not the case, because many corporate proxy installations pass the client's address on in the X-Forwarded-For header, which the remote Web server sees as the HTTP_X_FORWARDED_FOR environment variable;
- Active pages - using Java applets, JavaScript and ActiveX technologies: Introducing executable elements into Web pages creates potential risks for the spread of malware, viruses, etc.;
- Data collected from browsers can be used for Internet user profiling and consequently for targeted advertising and content: For example, a person who once visits a "porn site" may later be targeted with e-mails advertising such sites, and may be subject to pop-up windows redirecting them from a legitimate site to sites considered inappropriate and often illegal.
Having highlighted the major weaknesses of browsers, it is perhaps worth mentioning that from a forensic computing perspective, it is these very weaknesses that are often exploited to create the invaluable resources that form the basis for forensic investigations.
Access to the Internet through Web browsers creates further privacy issues for both users and IS management. Many organisations use a proxy/cache to speed up, control and monitor access to the Internet, using proxy authentication. Proxy authentication and monitoring can create amongst users the perception of a modern form of "Panopticon" (Dishaw, 2002). In particular, this perception can be created if such monitoring and/or authentication are introduced without proper policies, and if the purpose of their introduction is not explained to users. Proxy authentication is often used only for statistical purposes; however, it can create a "big brother" type of surveillance fear amongst the users. Unfortunately, currently available proxy authentication tools and the proxy authentication implementations in major Web browsers do not support any more sophisticated forms of authentication. As a result, passwords used for proxy authentication travel across the wire in Base64-encoded form, which is close to plain text. These issues have been further compounded by some implementations of proxy authentication requiring users to use the same password as for their e-mail.
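The weaknesses discussed in this chapter (POP3 passwords sent in the clear, Basic proxy authentication that is only Base64-encoded, proxies that disclose internal addresses through X-Forwarded-For, and browsers that announce their software) can be checked for systematically in a session log. The following Python audit is an added example written for this discussion; it is not code from the chapter or its authors. It runs over a constructed session log (the `SAMPLE_CAPTURE` lines, their "proto C:/S: payload" layout, and the names `audit`, `summarize` and `Finding` are all assumptions of the example) and reports each exposure while redacting the secret itself, which is the form a systems administrator would want when demonstrating these risks to users without displaying anyone's password.

```python
"""Audit a captured session log for clear-text credential and identity leaks.

Added example for the chapter's e-mail/proxy discussion; the capture format and
all names here are assumptions of the example, not the chapter's own tooling.
"""
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample (not real traffic). Each line: "<protocol> <C:|S:> <payload>",
# the way a simple session-logging tool might print client (C) and server (S) lines.
SAMPLE_CAPTURE = """\
pop3 S: +OK POP3 server ready
pop3 C: USER alice
pop3 S: +OK
pop3 C: PASS hunter2
pop3 S: +OK Logged in.
http C: GET http://www.example.com/ HTTP/1.1
http C: Host: www.example.com
http C: Proxy-Authorization: Basic YWxpY2U6aHVudGVyMg==
http C: X-Forwarded-For: 10.0.12.34
http C: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

LINE_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<side>[CS]):\s?(?P<payload>.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str  # human-readable, never contains the secret itself


def basic_credential_user(token):
    """Return (username, password_length) from a Basic token, or None if it does not decode.

    Basic authentication is only Base64: the token is reversible by anyone on the path,
    so the audit decodes it just far enough to attribute the exposure to a user.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, len(password)


def audit(capture_text):
    """Scan client-to-server lines and return a list of Finding records."""
    findings = []
    pop3_user = None
    for line_no, line in enumerate(capture_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or m.group("side") != "C":
            continue  # only client lines carry credentials or identity headers here
        proto, payload = m.group("proto").lower(), m.group("payload")
        if proto == "pop3":
            cmd, _, arg = payload.partition(" ")
            cmd, arg = cmd.upper(), arg.strip()
            if cmd == "USER":
                pop3_user = arg
            elif cmd == "PASS":
                # A PASS visible on the wire is by definition unencrypted: a session that
                # negotiated TLS first would never show the command in a capture.
                findings.append(Finding(line_no, "pop3-cleartext-password",
                    f"password for user {pop3_user or '<unknown>'} visible on the wire "
                    f"({len(arg)} chars, redacted)"))
        elif proto == "http":
            name, _, value = payload.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name in ("proxy-authorization", "authorization"):
                scheme, _, token = value.partition(" ")
                parsed = basic_credential_user(token.strip()) if scheme.lower() == "basic" else None
                if parsed:
                    user, plen = parsed
                    findings.append(Finding(line_no, "http-basic-auth",
                        f"{name} is Base64 only: user {user}, password {plen} chars (redacted)"))
            elif name == "x-forwarded-for":
                # Private (RFC 1918 and similar) addresses here reveal the internal client
                # to the remote site despite the proxy in between.
                for addr in value.split(","):
                    try:
                        ip = ipaddress.ip_address(addr.strip())
                    except ValueError:
                        continue
                    if ip.is_private:
                        findings.append(Finding(line_no, "internal-address-disclosure",
                            f"X-Forwarded-For reveals internal client address {ip}"))
            elif name == "user-agent":
                findings.append(Finding(line_no, "browser-fingerprint-exposure",
                    f"User-Agent discloses browser/OS: {value}"))
    return findings


def summarize(findings):
    """Count findings per category, for a quick overview of a capture."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CAPTURE)
    for f in results:
        print(f"line {f.line_no}: [{f.kind}] {f.detail}")
    print(summarize(results))
```

Running the block prints one line per finding and a count per category. The POP3 rule treats any PASS command visible on the wire as a clear-text exposure, since a session that negotiated TLS first would not show the command at all; the Basic-auth rule decodes the token only far enough to recover the user name and the password length, so the report itself never becomes a second copy of the password.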
Part Two
In the context of the above discussion, this part of the chapter aims to generate recommendations for improving user education as a component of IS security management practices. From a forensic computing perspective these recommendations remain conscious of the need to balance improved security for the organisation and the privacy of employees, without compromising the potential for future forensic investigation of inappropriate, criminal, or other illegal online behaviours.
Clearly a major element in any organisational IS security management approach must be to provide detailed explanations and demonstrations to users of how their online behaviours with these two applications could potentially damage the organisation. As part of this education, it will be important to address head-on employees' privacy concerns and to introduce transparent and documented procedures for any investigations over particular behaviours. Users must also be made aware that using anonymous e-mails, proxies and anonymizers will not prevent future forensic investigations from being able to track and trace their online activities. It is also imperative that the risks associated with computer viruses are explained, along with the potential fallibility of current antivirus software. In particular, the importance of not running or opening files (usually referred to as "double clicking") received via e-mail from unknown or unreliable sources should be explained.
In addition to explanations and demonstrations, it is important that organisations put in place IS security management policies that balance employee privacy concerns with the need for improved security. These policies must be transparent and developed in cooperation with employees. Where deterrents to inappropriate online behaviours are introduced, they should be explained and discussed. If organisations feel the need to have the option of monitoring online behaviours or conducting forensic investigations, then staff should be informed of the procedures and the results of any investigations or monitoring. Creating a "big brother surveillance" perception amongst employees may well be counter-productive in terms of IS security and/or wider organisational goals (Dishaw, 2002). Effective IS security management will increasingly rely on informing users of the risks and allaying any privacy concerns they may have, as the need for monitoring and forensic investigation becomes increasingly common.
Conclusion
This chapter has highlighted a series of security and privacy problems with e-mail and Web browsers, and suggested how improved and targeted user education can significantly improve IS security management within organisations. With the dramatic growth in malware and cyber-attacks that looks set to continue, it has become increasingly important that organisations improve their IS security management policies and practices through a balanced and cooperative approach.