Internet and Intranet Security Management: Risks and Solutions

Lech Janczewski
University of Auckland, New Zealand

Senior Editor: Mehdi Khosrowpour
Managing Editor: Jan Travers
Copy Editor: Brenda Zboray Klinger
Typesetter: Tamara Gillis
Cover Design: Connie Peltz
Printed at: BookCrafters

Published in the United States of America by Idea Group Publishing, 1331 E. Chocolate Avenue, Hershey PA 17033-1117. Tel: 717-533-8845, Fax: 717-533-8661, E-mail: cust@idea-group.com, http://www.idea-group.com
and in the United Kingdom by Idea Group Publishing, 3 Henrietta Street, Covent Garden, London WC2E 8LU. Tel: 171-240 0856, Fax: 171-379 0609, http://www.eurospan.co.uk

Copyright © 2000 by Idea Group Publishing. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.

Library of Congress Cataloging-in-Publication Data
Janczewski, Lech, 1943-
Internet and intranet security management: risks and solutions / Lech Janczewski.
p. cm.
Includes bibliographical references and index.
ISBN 1-878289-71-3
1. Internet (Computer network)—Security measures. 2. Intranets (Computer networks)—Security measures. 3. Computers—Access control. 4. Cryptography. I. Title.
TK5105.875.I57 J358 2000
005.8—dc21 00-022538

British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.
TABLE OF CONTENTS

Preface  i

Part I: State of the Art  1
Chapter 1: Security Risk Assessment and Electronic Commerce: A Cross-Industry Analysis  2
  Jonathan W. Palmer, University of Maryland, USA; Jamie Kliewer and Mark Sweat, University of Oklahoma, USA
Chapter 2: Securing the Internet in New Zealand: Threats and Solutions  24
  Jairo A. Gutierrez, University of Auckland, NZ

Part II: Managing Intranet and Internet Security  38
Chapter 3: Developing Trust for Electronic Commerce  39
  Dieter Fink, Edith Cowan University, Australia
Chapter 4: Managing Security Functions Using Security Standards  81
  Lech Janczewski, University of Auckland, NZ
Chapter 5: Managing Security in the World Wide Web: Architecture, Services and Techniques  106
  Fredj Dridi and Gustaf Neumann, University of Essen, Germany

Part III: Cryptography and Technical Security Standards  140
Chapter 6: Cryptography: Protecting Confidentiality, Integrity and Availability of Data  141
  Henry B. Wolfe, University of Otago, NZ
Chapter 7: Foundations for Cryptography  163
  Dieter Gollmann, Microsoft Research, UK
Chapter 8: Developments in Security Mechanism Standards  185
  Chris Mitchell, University of London, UK

Part IV: Security and the Law  247
Chapter 9: Electronic Mail, Employee Privacy and the Workplace  251
  Charles Prysby, University of North Carolina, USA; Nicole Prysby, Attorney at Law, Virginia, USA
Chapter 10: Protecting Personal Privacy in Cyberspace: The Limitations of Third Generation Data Protection Laws Such as the New Zealand Privacy Act 1993  271
  Gehan Gunasekara, University of Auckland, NZ

About the Authors  296

PREFACE

In information security, as in all areas of information technology, knowledge and practice are advancing rapidly. There is a need for up-to-date material, but the rate of change is so great that a textbook only a few years old will already be obsolete. Covering the most important changes in the field of information security and producing an updated text before it becomes obsolete is a lot to ask of one author, so we have asked several, each an expert in their own speciality, to contribute one chapter. Overlaps are minimal, and the chapters are substantially independent. Readers can therefore either follow the text from beginning to end or pursue only their special interests without reading the whole text.

The book is divided into four parts:

Part I: State of the Art

Here the major issues concerning the development of the Internet and intranets are discussed. To present a balanced, world perspective, two points of view have been included: from the United States (J. Palmer et al.) and from a much smaller country, New Zealand (J. Gutierrez). Despite their different situations, both countries face surprisingly similar information security problems.
Interestingly, system malfunctions rather than hackers and similar unwelcome characters are still considered to be the greatest security threats.

Part II: Managing Intranet and Internet Security

Three authors discuss issues related to efficient management of the security of distributed systems. Electronic commerce requires not only technology but also people who trust this method of doing business. In his chapter Dieter Fink discusses the components of trust for electronic commerce and the methods of building and sustaining it. The foundation of every security system is the information security policy (ISP). Lech Janczewski presents a method that allows rapid creation of an effective ISP, and discusses a variety of documents that standardise the development and assessment of information security functions. Fredj Dridi and Gustaf Neumann present an overview of Internet security issues with special emphasis on Web security. An architecture is presented in which security services are built to protect against threats and to achieve information security for networked systems. Basic security protocols such as IPSec, SSL, Secure HTTP and others are also presented.

Part III: Cryptography Methods and Standards

Cryptography is the major technique allowing secure transport of data through insecure environments and secure storage of data. In this part three authors discuss a number of important issues related to cryptography. Export of cryptography is restricted by a number of national and international agreements. Henry Wolfe describes and discusses these restrictions in his chapter; in his opinion it is impossible to enforce them and they should be abolished. To allow a smooth introduction to the more technically challenging issues discussed later in the book, Dr. Wolfe also presents a short description of the most popular types of ciphers.

Adequate security requires not only the implementation of powerful cryptography (for instance the development of a DES replacement) but also an adequate solution for successful cryptography deployment. These issues are discussed by Dieter Gollmann. In the final chapter of Part III, Chris Mitchell outlines the major standards regulating cryptographic methods. The OSI security architecture, DES, message authentication codes, digital signatures, hash functions and key management are presented.

Part IV: Security and the Law

It is not enough to understand information security merely in terms of technology (like PKI) and psychology (trust). Understanding the law is also necessary. Technology is advancing so rapidly that law makers cannot keep up, and changes, which are often inconsistent, are made in haste. Issues such as the right of an employee to keep data on his or her computer at work private are not well understood. These issues are discussed by Charles and Nicole Prysby. As professionals living in the USA, Charles and Nicole Prysby have an American viewpoint. To give the reader a wider perspective, the last chapter of this book, written by G. Gunasekara from Auckland, presents similar issues in a New Zealand context.

Acknowledgments

The project could not have been successfully concluded without each author's contributions, and to each I give my heartfelt thanks. I feel privileged to call them my friends, a friendship that was tested by this project. The test must have been passed: they are still willing to talk to me. Special thanks are due to Jan Travers from Idea Group Publishing for her help in advising me how to solve multiple problems and for providing encouragement, and to Robert Barnes for useful suggestions on how to organise the content. There are many other people who deserve my gratitude for their inspiration, comments and other forms of help.
Professor Andrew Targowski from Western Michigan University gave me the decisive push for this project, and my employer, the University of Auckland, graciously allowed me to use the facilities necessary for conducting the project. Finally, I thank the members of my family, who survived my emotional stress during the life span of this work.

LECH J. JANCZEWSKI
AUCKLAND, NEW ZEALAND

[The remainder of this extract consists of fragments of Chapter 1, Security Risk Assessment and Electronic Commerce: A Cross-Industry Analysis (Palmer, Kliewer and Sweat). They are given in the chapter's apparent order; "[...]" marks where the extracted text breaks off.]

[...] continents use Internet services (U.S. Department of Commerce, 1997). Currently, the most common use of the Internet is for e-mail and advertisement; however, the Internet is quickly becoming a common communication tool in business, and the average businessperson is quite familiar with many of the other benefits the Internet offers. As an extension of their Internet use, many companies have implemented their own intranets [...]

[...] personal security activities.

Overview of Security

Information security is an important aspect of a firm that deserves adequate attention. One of the first stages in safeguarding corporate information is recognizing the importance of security. Ninety-five percent of senior management labeled data security somewhat important to extremely important in a recent Ernst & Young study. Nearly 80% of all organizations [...]

[...] addressing security risks (Ernst & Young, 1996). Expenditures on information security are correlated with deterrence of crime. Key preventive activities include the number of hours dedicated to data security, disseminating information about penalties and acceptable usage practices by multiple means, clearly stating penalties for violations, and the proper use of security tools and solutions (Straub, 1990). Security [...]

[...] another security asset.

Key Issues

The concept of threats and components for risk assessment provides a systematic way to analyze given situations. There are differing issues concerning security, contingent on the types of information shared and the relationships involved. This chapter examines the three basic situations: internal, business-to-consumer, and business-to-business transaction issues.

Internal Security [...]

[...] be used simultaneously. They complement each other well, and SSL can be used as an underlying security protocol for S-HTTP (Kalakota and Whinston, 1996). Encryption standards and security protocols are all tools that enable the security of transactions and data exchange via the Internet. Because of the increased security, some applications are already becoming more popular and new ones are constantly being [...]

[...] often act as the "go-between" service for trading partners, handling the exchange of their EDI documents. VANs are also another alternative for security measures: they take on a large portion of the security responsibility. However, the overall shift of EDI in the business community seems to be drifting away from VANs and toward the Internet. Still, the concept of outsourcing security solutions to organizations [...]

[...] protection. Security implementation varied across the industries, with significant differences in access to the Internet, use of firewalls, virus [...]

Table 1. Differences between managers and other employees: security policy
(1 = Strongly Disagree, 4 = Neutral, 7 = Strongly Agree)

Statement                                                        | Others (N = 15) | Managers (N = 20) | Significant
I am familiar with the firm's published security policy          | 5.35            | 4.78              | No
I have access to an up-to-date [...]

[Further rows of a two-group comparison; the group headings are not in the extract.]

Statement                                                                                  | Group 1 | Group 2 | Significant
[...] firm's security policy                                                               | 4.92    | 4.76    | No
I understand what is expected of me in the firm's security policy                          | 5.35    | 4.86    | No
The firm's security policy is developed with input from a myriad of employees              | 4.33    | 3.90    | No
The security policy addresses all areas that I consider to be problematic security areas   | 4.81    | 4.00    | Tend
The security policy clearly states what steps will be taken by employees in the event of a security [...]

[Rows of a four-group comparison; the group headings are not in the extract.]

Statement                                                                                  | Group 1 | Group 2 | Group 3 | Group 4 | Significant
[...] published security policy                                                            | 5.14    | 5.81    | 3.86    | 4.70    | No
I have access to an up-to-date copy of the firm's security policy                          | 4.57    | 5.82    | 5.14    | 3.70    | Tend
I understand what is expected of me in the firm's security policy                          | 5.29    | 5.45    | 4.71    | 4.70    | No
The firm's security policy is developed with input from a myriad of employees              | 3.20    | 4.80    | 4.00    | 3.63    | No
The security policy addresses all areas that I consider to be problematic security [...]

[...] directing security activities within a firm. A six-level model is proposed that identifies the role of security policy, continuity planning, security tools, internal organizational management, and external impacts on the security and integrity of organizational information (see Figure 1).

References

Ahuja, Vijay. Network & Internet Security. Boston, MA: AP Professional, 1996.
Andreessen, Marc. "Interoperable Security." [...]