Information Security and the Sarbanes-Oxley Act

25 03 2013

After taking my time to search for a valuable topic towards contribution to the blog, I remembered a financial accounting class that I had taken during the earlier part of my MSIT program. The course had small component on discussing the Sarbanes Oxley Act (SOX) and discussed financial controls and risk for publicly traded companies. It also briefly touched upon the impact of SOX on IT and how companies needed to transform their systems controls and reporting capabilities to stay compliant. For the purposes of this blog I decided to examine the subject in a little more detail by examining its requirements, related security frameworks and results from a study of organizations that implemented SOX. I will attempt to do this by answering some key questions.

What is SOX and how did it come into being?

SOX is a legislation reform introduced in 2002 to improve accuracy and integrity/reliability of the various financial statements of a publicly traded company. Its primary purpose is to ensure that the appropriate controls within an organization are implemented so that the creation and documentation of the information provided in the financial reports are governed according to a standard ( This purpose serves various objectives, not the least of which is to build confidence among the company’s investors, encourage independence between auditors and clients and assign more accountability and ownership to the company’s management (CFOs and CEOs) in relation to the disclosed financial information. The two sections that often quoted in IT security related discussions related to SOX are SECTION 404 (CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS) and SECTION 302 (MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS) ( – S302/S404.htm)

The reason why SOX came into being is due to a wave of accounting/audit malpractices and frauds by the executive of large corporations and their auditors such as Enron, Worldcom, Arthur Anderson (Wikipedia) that resulted in losses of hundreds of millions of dollars in investments as they collapsed during the turn of the millennium. In order to prevent this from happening, SOX was introduced and brought itself an a set of requirements that required an organizations information security landscape to change significantly if it was to stay in business.

Why did IT need to change?

The SOX act brought with it various bi-products such as regulatory authorities and governance frameworks. Among these were the Public Company Accounting Oversight Board (PCAOB). Its purpose was to provide guidance to the auditing firms that were assessing the compliance of the company with SOX through auditing standards. Among these standards was a clause that discussed the management of internal controls. It stated:

“Determining which controls should be tested, including overall relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include: Controls, including information technology general controls on which other controls are dependent”(Stults, 2004, p4)

How was information Security impacted?

COBIT (Control Objects for Information and Related Technology) was a framework that was introduced to provide details on creation and assessment of various IT controls was introduced to allow information security teams to essentially implement the various requirements of SOX inside an organization. COBIT had detailed guidance on various IT related processes that were categorized into various domains including Planning & organization, Acquisition and Implementation, Delivery & Support and Monitoring (Stults, 2004, p6)

An organization created to help companies with their IT governance known as ITGI (Information Technology Governance Institute) used COBIT and COSO (another SOX related controls framework) and published guidelines on various information security topics. Amongst the key areas it provided details on Security Policy, Security Standards, Access and Authentication, Network Security, Monitoring, Segregation of Duties and Physical Security: (Stults, 2004, p7)

A lot of what forms the basis of a company’s security processes and infrastructure was being defined and enforced legally through the adoption of these frameworks. Organizations would have undergone information security transformation projects at all the above levels to become and retain compliant status.

A study by Dr. Janine L. Spears (DePaul University)  analyzes the impact of SOX on information security. The study was carried out around 2009 – seven years after the introduction of SOX. It is interesting to note the conclusions that were drawn from the study (Spears, 2009, p.1-4)

  1. Increased business collaboration and awareness of managing security risks within the organizations
  2. Greater maturity of security Risk management processes
  3. Increase in effectiveness of access control application
  4. Greater investments in information security to maintain compliance
  5. Building security programs around compliance requirements
  6. Improved overall information security in the organization (Spears, 2009, p.1-4)

Although all the above conclusions of the study indicate a positive sign and suggest improved impact on information security, the 5th point above is a little discourages. The discussion in the study points to the fact that organizations are limiting their security initiatives to the extent of only implementing controls that are required by SOX. They are not evolving to improve beyond that level which is cause for concern as these organization feel that it is not necessary.

What to conclude?

I think one needs to be able to appreciate the fact that the last 10 years have seen a greater awareness of information security as a whole in large organizations. Having said that, a lot of this can be attributed to the SOX legislation and the indirect effect of its requirements for enforcements of the controls and auditability of the information stored in a modern IT enabled business.


Wikipedia – Accounting Scandals :

SOX 302:

SOX 404 :


Greg Stults, May 9, 2004 , SANS Institute:An overview of Sarbanes-Oxley for the Information Security -(

ProfessionalDr. Janine L.Spears , ISACA Journal Volume 6, 2009 How has Sarbanes-Oxley compliance Affected Information Security  -(

Enterprise Resource Planning systems

4 12 2012

Enterprise Resource Planning (ERP) systems integrate core business functions into one system that maintains all assets and resources. ERP applications are found in many companies and each system spans the entire company, often integrating with their customers and suppliers to become a single fluid system. With so many touch points on the system it is important to have procedures governing the policies and technology factors of each ERP system.  As an Undergraduate student, I had the opportunity to take an ERP systems course.  Throughout the class there were labs where the student used a SAP GUI interface to simulate a muffin-making company. Through this simulation, we had to use the ERP system to produce a large batch of muffins from the preliminary stages of acquiring raw materials all the way the production stages of mixing the ingredients, baking, and distributing. The final labs included the accounting and finance modules of the ERP system as well as a customer-relationship management component. While this lab was fictional, and each student had access to every part of the SAP ERP system, it demonstrated just how connected each part of the system was to every other module in the ERP system and how important a secure system is in an enterprise.

As ERP systems are being implemented and configured it is important to integrate security features from the start. Security can often be over-looked as companies strive to complete ERP projects on time and on budget. Security features should be factored into the development and deployment of an ERP system from the start to avoid major revisions to the system in the future. “ERP systems must be able to process a wide array of business transaction and implement a complex security mechanism that provides granular-level access to users” (Pandey 1). Having a system that can process large amounts of data across various departments while still being secure from unauthorized users or hackers can prove to be a challenge. Integration of suppliers and customers throughout the supply chain increases the number of authorized user accounts but also “introduces new entry points to business systems from outside the traditional IT security perimeter” (VanHolsbeck 1). This forward and backward integration of customers and suppliers on a collaborative ERP system can be a high vulnerability if critical measures are not taken to ensure security.

An ERP system consists of a three-tier client-server architecture. The first layer is the presentation layer that consists of a Graphical User Interface (GUI) that allows input to be entered and generates the output back to the user (She 154). The application layer uses the input entered from the presentation layer and processes it. The database layer manages the data for the entire company and often includes the Operating System and hardware components of an ERP system (She 154). In addition to each layer of the tier, ERP systems also use web-based services to complete tasks. A variety of mark-up languages including SAML (Security Assertion Markup Language) and XACML (XML Access Control Markup Language) can be used within an ERP system to aid in securing web technologies (She 162). ERP systems are easily customizable to different industries such as manufacturing, finance and banking, healthcare and retail firms. With the large amount of customization, companies should be aware of security issues with implementing an ERP system with custom codes for transactions, programs, roles and authorizations (Medvedovskiy 26). Since each ERP system contains a multitude of modules for each functional business area, patching weaknesses within the ERP can be very costly but are important for the longevity of the system.

ERP systems are most secure following the Role-Based Access control model. As personnel within a company move around and change jobs, their job description should determine what areas of the ERP system they have access to and what areas they no longer need to view. Following this access control model as well as the Principle of Least Privilege, companies can mitigate the insider threat by reducing their exposure. Constraints such as time and day restrictions should be in place to limit access for authorized users. If the company works with a decentralized system and there are multiple administrators, the most senior administrator should allow or deny access (She 158). Having thorough audit logs is another important component of a secure ERP system. With so many transactions across different departments, managers can often be concerned with the performance speed of the system if every transaction is being recorded. “In a compromise between security and performance, enterprises can avoid logging every detail of system activity and focus on meaningful information that’s relevant to the transaction” ( VanHolsbeck 2). Audit log systems can also be programmed to identify and alert an administrator if an anomaly occurs which would help utilize resources more efficiently. Since ERP systems also include maintaining financial accounting information, having efficient audit logs is necessary due to the Sarbanes-Oxley legislature from 2002. Along with the audit logs, enterprises should also practice sound internal control monitoring to be a deterrent to malicious insiders and work to protect the system (VanHolsbeck 4). Since each ERP system is company- wide it is vital to have a strong password policy in place to authorize use as well as a method to change the passwords if necessary. Allowing weak passwords for users on the ERP system could allow for outside attackers to gain proprietary knowledge about the business and cause damage. Purchasers of ERP systems should validate that vendors have a means to encrypt passwords that are stored on the system (Hughes 1). Encrypting passwords for the ERP system is another level of security that can protect the system if it was ever compromised.

A variety of different sized businesses are now using ERP systems as the costs of implementing and maintaining the systems continually decrease. Ensuring that all authorized users of an ERP system have secure access, while still achieving a high degree of availability, can be a continuous goal to achieve. Information security policies should not only focus on perimeter security relating to networks but also to in-house ERP systems that manage day to day business functions.


Medvedovskiy, Ilya, and Alexander Polyakov. “ERP Security. Myths, Problems, Solution.”Digital Security (2010): 1-75. Digital Security. Web. 6 Nov. 2012. <,%20Problems,%20Solutions.pdf&gt;.

Pandey, Santosh K. “Major Challenges in Auditing ERP Security.” IT Harmony, n.d. Web. 3 Nov. 2012. <;.

She, Wei, and Bhavani Thuraisingham. “Security for Enterprise Resource Planning Systems.”Information Systems Security 163rd ser. 16.152 (2007): 152-63. Information Systems Security. Web. 5 Nov. 2012. <;.

Van Holsbeck, Mark, and Jeffrey Z. Johnson. “Security in an ERP World.”, 24 May 2004. Web. 5 Nov. 2012. <;.

Cyber Lawfare: Establishing Norms for Use of Cyber Weapons

1 12 2012

by Max Blumenthal

Cyberwar is upon us. That is the call being issued by top American cyber experts in the wake of increased attacks from Iran and China. The U.S. is also stepping up its offensive cyber capabilities. As Secretary of Defense Leon Panetta stated, “We are facing the threat of a new arena in warfare that could be every bit as destructive as 9/11” (Thompson). These attacks are often directed at private enterprises that are considered critical infrastructure, such as banks and utility companies. In conventional warfare, there is a clear distinction between attacking strategic targets and protecting civilians. In cyberwar, no such distinction currently exists. One way of beginning to protect civilians in a cyber conflict is to create a treaty for international humanitarian law for cyberwarfare (Schneier). This treaty should be modeled after previous international humanitarian law, such as the Geneva Conventions and arms limitations treaties.

Geneva Conventions

The four Geneva Conventions are internationally agreed upon rules for nation-state conduct in warfare created after the tragic loss of life for tens of millions of civilians during World War II. The first Geneva Convention requires states to protect wounded soldiers as well as refrain from targeting medical personnel in a combat zone. The second Convention allows neutral parties to care for the wounded without being attacked by either side of a conflict. The third Convention extends protections for non-State actors, while the fourth Convention prevents collective punishment. Additional protocols prevent perfidy and indiscriminate attacks on civilians targets or total war (Red Cross).

In cyberwarfare, attacks should also respect these established norms. Perhaps the most important, yet most challenging to enforce, of these conventions is the prohibition against perfidy. Neil Rowe, of the Naval Postgraduate School, argues that most cyber-attacks are a form of perfidy in that they masquerade as a legitimate program, but carry a malicious payload. When the payload is discovered, some attacks may try to frame another target to avoid reprisal attacks. Rowe suggests that to prevent wrongful attribution of an attack, digital signatures could be required on cyber weapons to reduce the risk of collateral damage (Rowe).To allow for concealment of an attack while still providing attribution, these “signatures could be hidden steganographically”. The fourth Geneva Convention also offers an important  rule for cyberwarfare, prohibition against collective punishment. Unrestricted cyberwarfare should be eliminated. This means attacks on vital civilian systems, such as water treatment facilities and the financial system, should not occur because they provide little military benefit, but create massive civilian harm.

Arms Limitation or Weapons Ban

The Strategic Arms Limitation Talks Agreements (SALT I and SALT II) sought to halt Soviet and American nuclear ballistic missile launcher production. In cyberwar, an arms limitation treaty has been championed by Russian and China and recently won the consideration of the United States (Gorman).Such a treaty could allow for cyber weapon development and usage for certain military systems, but outright ban weapons that seek to attack civilian infrastructure or military command and control systems. The greatest difficulty with such an agreement is enforcement. Unlike a physical weapon, it fairly easy to conceal a cyber weapon from inspectors (Goldsmith). Also, a treaty does not necessarily prevent countries from giving weapons technology to non-state actors, the main road-block for U.S. adoption of the Russian proposal.

In contrast to an arms limitation treaty, an all out ban on certain weapons has also proven effective for certain weapons. For example, the Biological Weapons Convention prohibits the production and use of biological and toxic arms in warfare. The reason for an all-out ban on biological weapons is that this kind of warfare was deemed indiscriminate and “abhorrent” (Red Cross) even in war. Poorly designed cyber weapons have the potential to have significant unintended consequences. For example, a U.S. cyber attack on Iraq’s financial system in 2003 was prevented, because “Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc” (Markoff and Shanker). Like an arms limitation treaty, enforcement would be difficult, but inspectors will only need to find evidence of a cyber weapon’s development instead of determining the target of the weapon. Bruce Schneier recognizes that while this may be the ideal policy, a ban on “unaimed or broadly targeted weapons” (Schneier) would also have a significant positive effect and be easier to implement.


Besides a number of enforcement concerns, a treaty’s effectiveness is also hindered by the gray area that separates cyber war and cyber espionage. A treaty would need to govern computer network attacks, but still allow for computer network exploitation. An all out cyber weapons ban is unlikely to happen, but it is possible that certain weapons, such as those that target SCADA units, or targets could be banned. An arms limitation treaty offers a more moderated approach that allows for some production and testing of weapons, but requires an unrestricted inspections, which may be difficult for rival nations to agree to. Finally, a treaty for cyberwarfare provides an opportunity to establish rules of engagement in cyberspace and has the potential to improve protections for civilians and limit the development and deployment of cyber weapons determined to be so destructive that they are immoral, even in warfare.


  1. Goldsmith, Jack. “Cybersecurity Treaties: A Skeptical View.” 9 March 2011. Hoover Institute Task Force on National Security and Law. 29 October 2012                   <;.
  2. Gorman, Siobhan. “U.S. Backs Talks on Cyber Warfare.” 4 June 2010. Wall Street Journal. 29 October 2012                   <;.
  3. Markoff, John and Thom Shanker. “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk.” 1 August 2009. New York Times. 29 October 2012                   <;.
  4. Red Cross. “Chemical and biological weapons.” 29 October 2010. International Committee of the Red Cross. 29 October 2012 <;.
  5. —. “The Geneva Conventions of 1949 and their Additional Protocols.” International Committee of the Red Cross. 29 October 2012 <    law/geneva-conventions/index.jsp>.
  6. Rowe, Neil. “War Crimes from Cyberweapons.” Journal of Information Warfare 6.3 (2007): 15-25.
  7. Schneier, Bruce. “Cyberwar Treaties.” 14 June 2012. Schneier on Security. 29 October 2012<;.
  8. Thompson, Mark. “Panetta Sounds Alarm on Cyber-War Threat.” 12 October 2012. Time. 29 October   2012 <      threat/#ixzz2A9hs0hIX>.

Online Gaming: Real Money, Real Threats

30 11 2012

by A.J. Holton


Today millions of people across the world are joining together over the Internet to immerse themselves in the virtual world of gaming.  MMORPGs (Massively Multiplayer Online Role Playing Games) are the top guns of the industry, boasting millions of subscribers worldwide.  “New World of Warcraft® expansion sells 2.7 million copies in first week — global subscriber base passes 10 million” (“Alliance and Horde Armies”). This is a game which has been out for 8 years, and it still has many subscribers paying roughly $15 dollars a month for service.  Games like Blizzard’s World of Warcraft are constantly being exploited through cheats and account hacking.  Guild Wars 2 was just released late August 2012 and had problems with account security that day with more than 11,000 accounts being exploited due to malware from adversaries (Parrish). It would seem account hacking is somewhat correlated with third-party account modification. TheGuardian wrote a story on Chinese prisoners who were actually forced to play this game to turn a real profit through illegal sales (Beijing).  So as you can see, there is definitely a market for the willing adversary.  The focus here is on Blizzard as I am most experienced with their company, it is the biggest, and most newsworthy.  However, security applies to all online games, especially those of the MMORPG variety.  What I aim to discuss is the implementation of what is called a Real Money Auction House, but first I must explain the security measures already in place.

Security Measures

Overall, MMORPG security issues have been growing, forcing companies like Blizzard to come up with ways to counteract them.  “The Mobile Authenticator is an optional tool that offers, the Blizzard game client, account users an additional layer of security to help prevent unauthorized account access” (“ Authenticator”).  The authentication process was needed to help Blizzard deal with the amount of account compromises going on.  Basically what it does is generate a random number, held by Blizzard and the user, which changes every minute allowing only the user to log in (“ Authenticator”). Another security measure taken is the use of spyware like Blizzard’s Warden.  This software takes information from your RAM, hard drive, CPU, IP address, OSes, and others “FOR PURPOSES OF IMPROVING THE GAME AND/OR THE SERVICE, AND TO POLICE AND ENFORCE THE PROVISIONS OF ANY BLIZZARD AGREEMENT” (“World of Warcraft Terms of Use”). Obviously the implementation of these security measures is because of the severity of the problem.  We would expect for companies like Blizzard to continue making games safer, but sometimes money is more important in the end.

Real Money Auction House?

Yes, Blizzard’s Diablo III came with a new, experimental RMAH (Real Money Auction House) which allows users to purchase in-game items on the auction house with real currency.  In an auction house users can purchase anything from equipment to collectables.  With this RMAH, you no longer need to spend countless hours collecting materials for in-game currency to purchase items.  All you would have to do is enter your credit card number and your transaction is processed almost instantaneously.  I believe this was a bit too ambitious for Blizzard as security was already compromised frequently.   “This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard”, taken from the Blizzard website September 2012 (“Important Security Update”). Gaining access to Blizzard’s database would offer an adversary hundreds of account passwords and users’ credit card information.  Blizzard gets a cut from the RMAH, meaning when a player makes a sale, Blizzard takes15% off the top of the sale price (“Diablo III Auction House”). I think it almost goes without saying; the RMAH could be a very lucrative business for a skilled adversary to get into.  It would be easy to modify transactions or redirect funds to new accounts.  I can see countless vulnerabilities this new auction house brings to the online gaming world.  Finding ways in code to repeat a transaction, modify the value of items before or after transactions, rerouting money to different accounts, and simple password theft/account fraud are all examples of problems that could arise.  If the problem gets too bad, Blizzard could lose the trusted fan base they have been working so hard to maintain.  There is a story about a player losing $200 dealing with this RMAH, and the FBI even got involved.  They were able to assist and return the user’s money (Usher). This is just one of many problems this implementation has caused already, and the FBI getting involved is nothing to disregard.  We need to take a look at Blizzard’s perspective to better understand their reasoning behind creating a RMAH.

Blizzard’s perspective is totally profit driven in a sense; however this RMAH does offer a service to players.  Instead of players buying and selling items from third parties, which is usually the main culprit behind compromised accounts, they will buy the items from Blizzard (Heartbourne). When looking at it from this perspective, it doesn’t seem so bad.  This would actually help cut down on account hacking and make Blizzard big profits in the end.  I think using the RMAH as a “security device” is brilliant and could really bring about a new age of gaming, if successful.  I have not found sufficient numbers to determine the success of the RMAH in Diablo III, as sadly I think the game died out much too quickly.  If games continue with this trend, the system could be completely compromised by an adversary getting into the company database.  If they do not implement this, there will still be a demand for purchasing items with real money from third parties (possibly leading to user account exploitation).  It is a tough decision, but I would opt for the RMAH because it has a high profit margin for the company and reduces user attacks.  I would put more resources into keeping my company’s systems secure, whereas I do not have as much control over the user’s account.  All in all, there will always be a market for adversaries in the online gaming realm.  Blizzard will remain a key innovator in the industry and it will be exciting to see if other companies start to follow suit. I would like to hear other people’s thoughts and comments on whether a system such as this is a good or bad idea for the future of online gaming.


Beijing, Danny Vincent in. “China Used Prisoners in Lucrative Internet Gaming Work.” The Guardian. Guardian News and Media, 25 May 2011. Web. 01 Nov. 2012. <;.

Blizzard. ALLIANCE AND HORDE ARMIES GROW WITH LAUNCH OF MISTS OF PANDARIA. Blizzard Entertainment, 04 Oct. 2012. Web. 15 Oct. 2012. <;.

Blizzard. “ Mobile Authenticator FAQ.” Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <;.

Blizzard. “Diablo III Auction House”. Blizzard Entertainment., n.d. Web. 26 Oct. 2012. <;.

Blizzard. “Important Security Update.” Blizzard Entertainment, n.d. Web. 26 Oct. 2012. <;.

Blizzard. “World of Warcraft Terms of Use.” Blizzard Entertainment, n.d. Web. 25 Oct. 2012. <;.

Heartbourne. “Diablo III Real Money Auction House: Analysis of Fees, Market Forces, and Strategy.” N.p., n.d. Web. 26 Oct. 2012. <;.

Parrish, Kevin. “Guild Wars 2 Accounts Hacked Immediately After Launch.” Tom’s Hardware. Tom’s Hardware, 08 Sept. 2012. Web. 20 Oct. 2012. <,17455.html&gt;.

Usher, William. “Gamer Loses $200 Due To Diablo 3’s RMAH Region Restrictions.” Gaming Blend, n.d. Web. 19 Oct. 2012. <;.

Online Banking Consumer Protection – the More the Better?

27 11 2012

Living as a complete foreigner in the United States for the last couple of months, one of the outstanding differences which gave me cultural curiosity is its banking. Two things were particularly confusing – the paper checks and the online banking. Some may ask “Isn’t their Internet banking super easy?” True, and that is where my confusion arises.  My new bank, and the clerk, never asked me anything about security options except setting up the password and 4-digit PIN. It was shockingly simple and minimal compared to my old bank in my hometown. Later on, when I browsed their site, it was connecting to their SSL server. It had the mind-boggling green box – a safe sign anyway. It was fast, easy, and I was not challenged by any other security questioned except my password and PIN. I could finalize my first month’s rent transfer online without trouble. A while later I happened to lock my account by entering incorrect password three times. Still I could reset my password by phoning the bank and dealing with the automated answering machine.

It contrasts to my previous online banking experience, where some security features are mandated for the banks if they want to provide their customer banking service online. On top of the traditional password for the website and PIN for the account, a personal certificate and a physically distributed passcode are both issued. For example, using desktop or smartphone, I can only start my online banking after presenting my personal certificate signed by the bank (the banks operates like a Certificate Authority). And from that point I can access and see my account details. In process transactions, I need to present the certificate again in a process of digitally signing the transaction order’s confirmation. Before each confirmation, the server will also challenge me with ‘what you have’ passwords. The clients can choose to have an OTP (One Time Password) token after paying about $5. Other than the better security, the OTP usually grants higher daily transaction limit than the Security Card. If the customers don’t want to pay this $5, as an alternative the credit-card-sized Security Card, with a table of challenge number, can be issued for free. On every transaction order, the bank will challenge the client with two different numbers from this table.

From its complexity, some clients including me feel some sense of safety. Do these features imply that my old bank is safer than my new, password only banking? I thought so. Should they urgently adopt OTP, security card, PKI, or Smartcard to increase safety? Maybe.

Whatever security options the banks decide to deploy, their primary goals are confidential channel, authentication of user and server, data integrity and non-repudiation [1]. The bank can claim they have done their part, after providing standardized solutions to protection the end-to-end communication from the eavesdroppers and a good authentication that is enough to differentiate me from dogs of the Internet. Data-integrity and non-repudiation would be the side product of the security solution. In this sense, my new bank did its job by providing SSL connection and password authentication. More security features may redundant – if I can do my part to protect the password.

However, the challenge is in the client side. I am not sure if my computer is 100% secure, and the banks have no way to know whether their clients’ computers are running with banking Trojan or wiretapped by some network penetrator. I can only hope that my communication between the keyboard and the browser is not key-logged, my monitor not screen-logged, my web browser clean, and the SSL properly connected to my bank while I do my banking.

A scary scenario can be written if I don’t assume the safety of my PC, and there is not much my bank can do to save me. Thing can be stolen – password, PIN, my private key along with the certificate, my password to invoke my private key and partial contents from my security code card. This may mean, the expensive banking PKI becomes useless unless even with the bank’s effort to provide better security. Security Card can slow down the exfiltration, although it also can be fully revealed if the Trojan had enough time to collect all the 4 digit numbers in 35 table entries. My OTP may still stand safe.  Studies say that proper use of security card and OTP will minimize the attack vector down to man-in-the-browser or session hijacking attack [1], which is more costly or difficult for the attackers [2].

Should we force the banks to take more responsibility on the security of the client’s terminal, by distributing banking plug-in or anti-virus software for the client’s computer connecting their servers? The answer may be controversial, and solution may differ by countries and cases. It may annoy people, because the installation of the plug-in is sometimes not optional [1]. However, no matter how the bank tries to deploy new security supports, such effort can become useless when the users are infected by various kinds of Trojan, carelessly store their private keys in their email boxes, or their security card scanned and stored in the cloud storage.

Given that my new bank does not lose data somewhere else, my new bank’s simple password security is not worse than the one they provide in my hometown. I guess I should just be more careful and vigilant, maybe virtualize one of my desktop for banking only. However, since I can make mistakes and lose my data someday, I would feel safer if my bank promotes the OTP or security card as one of their security options.


[1] Hyoungshick Kim, Jun Ho Huh, Ross Anderson “On the Security of Internet Banking in South Korea” Computing Science Group, Oxford University, CS-RR-10-01

[2] Chris Sanders, “Understanding Man-in-the-Middle Attacks”,

Why the U.S. should continue development and increase funding for Internet Anti-Censorship Tools

12 11 2012

by Brian Thompson

Until earlier this week I never would have imagined that the U.S. State Department in conjunction with the Broadcasting Board of Governors, an independent U.S. government agency, of funding development on anti-censorship tools for the Internet [1].  According to an article in The Washington Post, “the United States spends about $30 million a year on Internet freedom, in effect funding an asymmetric proxy war against governments that spend billions to regulate the flow of information” [1]. The current administration is not trying to hide this from the world either; the program and its aims were brought up at a town hall meeting three years ago in Shanghai [1].

This policy and its implementation may alarm you.  According to, as recently as Sept 21, 2012 “The White House is working with the Department of Homeland Security, FBI and others to develop an executive order to counter cyber security threats” [2].  Could this seemingly innocuous government program be tied to future national counter cyber security rules of engagement?  Based on my experience in the Intelligence field for the military and from what I’ve read it is not and any thoughts to the contrary are pure fantasy.

The next question you might be asking yourself is why are my tax dollars going to subvert foreign governments’ sovereign right to manage their own affairs?  Viewed another way, why does the U.S. government send billions of dollars in aid to foreign countries every year?  According to the global aid organization Oxfam, the U.S. spent $30.2 billion dollars or 0.21% of the 2010 budget in various forms of financial aid to foreign countries [3].

Some strategic reasons why the U.S. sends this aid are national security, national economic interests and, lastly, to demonstrate good moral leadership towards others [3].  To me, these reasons are very logical.  Too many times in the past, our country’s government and others have tried to influence events in other nations through the barrel of a gun.  In today’s world, everybody has a gun and the real power is in the expert use of “soft power.”  According to Harvard Kennedy School Professor Dr. Joseph Nye, who defined the concept as “co-opting people rather than coercing them,” soft power has been a tool of the military and statecraft in various forms for many years [4].  It is through the domain of cyberspace that this type of power can be leveraged for good and more importantly with no bloodshed.

The aim behind developing tools like Tor, Ultrasurf, DynaWeb and Freegate is to increase access to the open and expansive Internet to those living in countries with less restrictive Internet policies.  In the U.S., we take for granted immediate access to news, opinions, facts, art, literature, education and much more wherever we are.  While other countries, such as China, North Korea, and Iran who restrict and manipulate their citizens’ access to this global digital community to the extent that they don’t even know what or who to believe anymore.

Supporting Internet anti-censorship tools helps the United State’s national security policy and promotes public goodwill toward support of anti-censorship tools that breakup the building distrust of the U.S. to outside eyes.  Foreign nationals can see that the U.S. is not a threat to their way of life and that it stands ready to assist in helping their security through partnerships, not invasions.  It can also work internally as well.  By breaking through cracks in the censors, common Chinese citizens can organize and have a better understanding of the crimes their government seeks to suppress.

For example, in China, where the “Great Firewall,” as it is affectionately known, has near total control of the incoming and outgoing Internet traffic of not only its citizens, but all foreign companies that are based there [5].  The main component in China’s strategic control of the Internet inside its borders is called the Golden Shield Project [5].  While the U.S. has a tremendous amount of entry points for the Internet, “China’s Internet was designed with ready-made choke points; these are a tiny collection of fiber-optic cables entering the country at a limited number of points: Beijing, Shanghai, and Guangzhou” [5].

By using monitoring software and hardware on these choke points, the government can then process all traffic via the Golden Shield network, and utilize extensive security techniques such as: DNS Blocking, Connection Resets, URL Keyword blocking and Site Scanning [5].  The final component in this grand strategy of China’s Internet censorship is of a human nature where they employ “at least 10,000 government paid censors and volunteers who search for offensive sites, delete posts and warn netizens of their web behavior.” [5]

From an economic perspective, China’s Great Firewall could possibly infringe on corporations proprietary and copyrighted material and in turn, manipulate the markets by passing sensitive information to state-controlled or backed competitors.  Anti-censorship tools wouldn’t accomplish much in preventing this, but it will go a long ways towards making the government more accountable when their citizens hear about the Communist Party’s anti-competitive ways in the business arena.

Just as security professionals in a modern corporation manage black and white listings through their firewall programs and hardware; China’s government performs the same operations except it is to stifle freedom of speech and dissemination of non-biased state-based news and information.  China’s official policy is that it performs these actions for the protection of its people and the Communist Party of China, but in actuality it oppresses their population by sowing mistrust of the outside world through disinformation of news from inside and outside the country [5,6].

Unfortunately, China is not the only country that distorts, in my mind, the tools that information security professionals use around the world to safeguard personal, physical and digital property.  Many other authoritarian regimes utilize firewalls, IPSs, IDSs and all manner of network attack, defense and exploitation operations to protect their leaders and regimes by sacrificing their people’s freedoms in cyberspace.

It is in the United State’s best interests of national security, national economic interests and good will from the American people to continually fund the development and dissemination of Internet anti-censorship tools.









Information Security and Economics

8 11 2012

Although the administrative, risk management and technical solutions etc., surrounding information security make up the bulk of the areas that affect information assurance goals, there are also individual economic incentives that surround the actions of the many stakeholders that form the chain of information security. First, it has to be established that security is like a commons, where there is almost always an externality, in the economic sense, where individuals, for example, can cause air pollution that affects others, or where individuals that leave their machines unpatched, do not solely bear the entirety of the consequences of their actions. In fact, what ends up happening is that the consequences these actions end up affecting others. This externality applies more so to information insecurity in that if these consequences were not externalized, there would be proper incentives to ensure each stakeholder in the chain of information security does his or her part to contribute to the information assurance goals. Consider many years back when there was some raucous involving ChoicePoint with regard to how it treated the information-security matters it was in. The ChoicePoint case was a case of externalities where consequences of ChoicePoint’s business model and actions were bore by others that did not benefit directly from ChoicePoint’s activities. Back then ChoicePoint was a company that essentially traded dossiers of people’s aggregated personal data intelligence, as informational services with corporations, governments, and individual clients, in exchange for money.

But, the real story here is that in 2005, ChoicePoint was embroiled in controversy over how it has treated the dossiers of people it had collected over the years. There had been a number of cyber attacks on ChoicePoint’s infrastructure that led to the exfiltration of vast amounts of peoples’ dossiers. In addition, the people whose dossiers were exfiltrated were not direct parties to the transactions with ChoicePoint, and so were unwitting that vast amounts of personal information about them had been aggregated, and that a repository of the same aggregated data had been breached. However, one of the main issues that brought about litigation with ChoicePoint was not the breach per se, it was more about the accuracy of the information in ChoicePoint’s databases and how that data was been used and the effect of the use. A case in point was that of Mary Boris, whose dossier with ChoicePoint had inaccurate data that implied that Mary Boris had filed four residential damage claims and therefore was a risky customer that the insurance companies do not want to insure.

Mary Boris contended that the dossier compiled about her was inaccurate and requested that ChoicePoint correct the data, yet no correction resulted and so litigation ensued. The errors illustrated problems within ChoicePoint’s CLUE database as well as structural procedural issues that negatively impacted individuals’ dossiers regardless of accuracy. Particularly when it is the case that the economic incentives to secure and keep accurate the information is not there for the stakeholders involved in the acquisition, storage and transport of these sorts of information. It could be argued that ChoicePoint did not do enough to protect the confidentiality, integrity, and accuracy of information on its databases. In fact, ChoicePoint only protected its peoples’ dossiers with an effort that was commensurate to the monetary value that the ChoicePoint places on each of those same dossiers. A Harvard Business School case study on ChoicePoint stated that “ChoicePoint generally assumed that information received from a reliable source [such as the government,] was accurate unless a complaint was registered [with them].”(ChoicePoint, Pg. 5) In the same case study, it was stated that ChoicePoint, in dealing with the Texas DPS, made the conscious decision to only update its databases of public records once a month instead of everyday, as the Texas DPS did, because it was costly. There is no doubt that if ChoicePoint was liable for inaccuracies in its data, they would have strived to get accurate records more often.

The millions of people whose dossiers had been compiled into ChoicePoint’s databases were not necessarily ChoicePoint’s direct customers. So the people whose dossiers ChoicePoint had did not have the power to switch credit agencies. They had neither the power of economic pressure nor market power that they could use as leverage to impact the problem. The fact was that ChoicePoint did not assume the costs of identity theft, so ChoicePoint did not take the costs of preventing identity theft into account when calculating the costs that needed to be allocated to preventing identity theft or improving data security, in the way it would have allocated had it thought the very existence of its business model relied on the confidentiality, integrity, and accuracy of the information it houses. Despite ChoicePoint being made to pay damages for errors in data it provides, ChoicePoint stood to gain from the transactions of trading personal information it sourced from public sources, while the harms of inaccurate data was bore by individuals whose dossiers have been erroneously aggregated. Even when ChoicePoint did come to the conclusion that the records it had gathered from public sources were indeed inaccurate, it took no action to correct such data because, as it said then, “it could not have a database with “public records” not matching those in the public record.” (ChoicePoint, Pg. 6) The crux of the problem was that the market involved buyers and sellers that do not care about the commodity; the commodity being the dossiers of people.

Considering the fact that ChoicePoint may not have been able to afford the cost of the damages that could ensue due to the harms caused by the lack of privacy, inaccuracy and insecurity, ChoicePoint had an interest in keeping these externalities externalized from itself. Whereas, the proper point of a regulation or liability or a form of remediation of possible market failure, particularly in this situation would be to make the externalities commensurately internalized to the stakeholders whose actions would amount to an economic consequence or harm upon another entity. This is one reason why the economics of the security of information, along with administrative, risk management and technical solutions etc., should be considered when the goals of information assurance are the focus. Why? Because risk and economics are related through liability and property rights, and risk can be transferred. However, liability and property rights have to be clearly established so that when one stakeholder would subsidize another during the transfer of risk, the legal framework will exist to enable it. This sort of transferability is supported under the economic theory known as Coase Theorem. Overall, stakeholder accountability, through establishing liability and property rights has to be established, in the applicable area, in order to get closer to providing information assurance.


Paine, L., & Phillips, Z. (2008). ChoicePoint (A) (Case No. 9-306-001). Boston: Harvard Business School.

Otto, P. N., Anton, A. I., Baumer, D. L. The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of

Personal Information. <;. IEEE Security Privacy Magazine 2007.