Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud. Frank Siepmann, CISM, CISSP, ISSAP, NSA-IAM, NSA-IEM. ISBN 9781439879092 (Print). Excerpt for IT Today.


Source: ittoday.info/Excerpts/Outsourcing_IT_Services.pdf

Managing Risk and Security in Outsourcing IT Services

Onshore, Offshore and the Cloud

Frank Siepmann, CISM, CISSP, ISSAP, NSA-IAM, NSA-IEM


CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper
Version Date: 20131023

International Standard Book Number-13: 978-1-4398-7909-2 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com

and the CRC Press Web site at http://www.crcpress.com


Contents

Foreword xi
Preface xiii
Acknowledgments xvii

Chapter 1 Outsourcing 1
  History of Outsourcing 1
  Early Days of Outsourcing 2
  Current State 3
  Delivery Models 3
  Onshoring 3
  Nearshoring 3
  Offshoring 3
  Outsourcing Types 4
  Technology Outsourcing 4
  Business Process Outsourcing 4
  Business Transformation Outsourcing 5
  Knowledge Process Outsourcing 5
  Internals of Outsourcing 5
  Phases 5
  Typical Financial Outsourcing Model 6
  Geographical Regions 7
  Top Outsourcing Countries 8
  India 9
  Indonesia 14
  Estonia 16
  Singapore 17
  China 20


  Bulgaria 26
  Philippines 31
  Thailand 35
  Lithuania 40
  Malaysia 43
  Outsourcing Personnel 46
  Consulting Personnel 46
  Former Employees of Clients 47
  Internal Resources 47
  Third-Party Personnel 47
  Hired Personnel 48
  Teams 49
  Salaries 52
  Growth Strategies 53

Chapter 2 The Cloud 55
  Software as a Service (SaaS) 55
  Platform as a Service (PaaS) 56
  Infrastructure as a Service (IaaS) 57
  Private Cloud 57
  Community Cloud 58
  Public Cloud 58
  Hybrid Clouds 60
  What the Cloud Is and Is Not 61
  Beyond the Cloud 62
  Virtual Private Cloud 64
  Standardization between CSPs 64
  Compliance in the Cloud 65
  Security and Privacy Issues with Cloud Computing 65
  Scalability versus Elasticity 65
  On-Demand Self-Service 66
  Rapid Elasticity 66
  Resource Pooling 67
  Outages 68
  Denial of Service 68
  Virtualization Security 68
  Metering 69
  Hypervisor Security 69
  Virtual Networks 70
  Memory Allocation/Wiping 70
  Cloud Network Configuration 71
  Firewalls in the Cloud 73
  Self-Service 75
  Malicious Insiders 77
  Availability and Service Level Agreements 77
  Authentication, Authorization, Accounting 80
  Tenant Credibility 81


  Address the Cloud Security/Privacy Dilemma 82
  SAS-70, SOC 1, and SOC 2 Audits 82
  Cryptography and the Cloud 83
  Encryption Keys and the Cloud 84
  Third-Party Cloud Security Providers 85
  FedRAMP and the Federal Cloud 86
  How to Securely Move to the Cloud 86

Chapter 3 Before You Decide to Outsource 89
  Security and Privacy Impacts 89
  Secure Communication 90
  Telephones 91
  e-Mail 93
  Mobile/Cell Phones 94
  Smartphones 95
  BlackBerrys 96
  Instant Messenger 96
  Letters and Parcels 98
  Organizational Impacts 99
  Legal Aspects 99
  Personnel Issues 99
  Technical Challenges 100
  Network Address Translation (NAT) Issues 100
  Single Sign-On and Federation (SAML/XACML) 100
  Backup Technologies 101
  Remote Desktop Support 101
  Trouble Ticket Systems 101
  Business Continuity 102

Chapter 4 Ready to Outsource 105
  Perfect Outsourcing Company 105
  Doing Your Homework 105
  Understand What Is Offered 110
  Audit Reports 110
  Is Business Transformation Outsourcing the Right Choice? 114
  Ask the Right Questions 115
  Dedicated Resources or Not? 115
  Talking with Existing Clients 116
  What Matters for the Outsourcing Company? 117
  Challenges Outsourcing Companies Face 118
  Which Security Controls—Ours or Theirs? 119
  Staff Augmentation 119
  Complete Outsourced Operation 119
  Cost Savings 120
  Security Controls 121
  Next Step—Clean House 126
  Maturity Level 126


  Alignment of Strategies 127
  Transforming 127
  Outsourcing Preparation 128
  Information Security Policy 128
  Organization of Information Security 129
  External Parties’ Security 130
  Information Classification Security 131
  Prior to Employment Security 131
  During Employment Security 132
  Termination or Change-of-Employment Security 132
  Secure Areas Security 133
  Equipment Security 134
  Operational Procedures and Responsibility Security 137
  Third-Party Service Delivery Management Security 137
  System Planning and Acceptance Security 138
  Protection against Malicious and Mobile Code Security 139
  Information Backup Security 140
  Network Security Management Security 140
  Media-Handling Security 141
  Exchange of Information Security 142
  Electronic Commerce Services Security 144
  Monitoring Security 145
  Business Requirement for Access Control Security 148
  User Access Management Security 148
  User Responsibilities Security 150
  Network Access Control Security 151
  Operating System Access Control Security 154
  Application and Information Access Control Security 156
  Mobile Computing and Teleworking Security 158
  Security Requirements of Information Systems 159
  Correct Processing in Applications Security 161
  Cryptographic Controls Security 162
  Security of System Files 163
  Security in Development and Support Services 164
  Technical Vulnerability Management Security 166
  Reporting Information Security Events and Weaknesses Security 167
  Management of Information Security Incidents and Improvements Security 169
  Information Security Aspects of Business Continuity Management 171
  Compliance with Legal Requirements Security 173
  Information Systems Audit Considerations Security 178
  Outsourcing Security Readiness Assessment 180
  Tactical Goals—Now or Later? 182
  Strategic Objectives—When? 182


Chapter 5 Day One and Beyond 185
  Enabling the Outsourcing Company 188
  Access to Required Information 188
  Documentation 189
  Personnel 189
  Transition Phase 190
  The Stable Years 191
  Security Incidents 191
  Outsourcing Personnel Turnover 192
  Regular Activities 193
  Reporting 195

Chapter 6 When We Part 199
  How to Prepare 200
  The Contract 200
  Analysis of What Needs to Be Done 201
  Exit Plan 201
  When the Day Comes 202
  Taking Control 203

Chapter 7 Outsourcing Anecdotes 205
  British Health Records 205
  Transportation Strike in Bangalore 206
  Submarine Cable Cuts 206
  Cloud Outages 207
  T-Mobile: Sidekick in Danger of the Microsoft Cloud 207
  Outages at Amazon Are Sometimes due to “Gossip” 207
  Google Services Impacted by Cloud Outages 208
  Microsoft’s Azure and Hotmail 208
  Salesforce.com’s Cloud Goes Down 208
  CloudFlare DDoS 208
  Background Investigation Lacking 209
  Privacy Laws—Not Here 209
  Can You Hear Me Now? CDMA Limitations 209
  Overlooked 210
  Premature Transformation 210
  Public Instant Messenger—Share the Joy 210

Index 213


Foreword

I think that Frank does a great job of discussing outsourcing and his insights for areas to watch out for. He is dead-on with many of his observations, having been working with outsourced environments myself for a number of years. I appreciate his frank observations (pardon the pun!) and direct style in approaching the issues—in other words, he calls them as he sees them. The information on the different countries, albeit somewhat lengthy, provides a great perspective as to what is going on in the world and why it is so important to know who and what country you are dealing with. I also like the way that he moves into the cloud from outsourcing and shows the similarities. The latter section describing the controls, comments, and questions mapped to ISO 27002-type requirements is very good as well. I also like the way that the book finished up with anecdotes to illustrate that these issues are real.

—Todd Fitzgerald
Global Information Security Director
Grant Thornton International, Ltd.


Preface

Since the early 1990s, outsourcing has had a large influence on various industries in the Western world. Outsourcing companies have attracted industry giants such as Ford, GE, and Siemens, just to name a few, with promises of better expertise and significant cost savings. Now, approximately 20 years later, not all of those promises have been kept. Organizations have learned their lessons—outsourcing is not a silver bullet. Some political and economic dynamics have resulted in a shift in how outsourcing is perceived. One of the areas of concern with many outsourcing customers is the level of security and privacy of their data. Now, with cloud computing becoming a standard in modern IT environments, the picture has become even fuzzier. Many security experts are raising the flag regarding security and privacy in outsourced cloud environments. This book was written with the intent to help the manager who is challenged with an outsourcing situation, whether preparing for it, living it day to day, or being tasked to safely bring information systems back to the organization. It provides guidance on how to ensure that security and privacy can be achieved during an outsourcing situation. I have worked in the consulting and outsourcing industry for more than 15 years, leading medium- to large-sized security organizations and teams. I learned over the years that many risks can be addressed when there is a much broader understanding of a situation than just the technical aspects.


Many factors can play into the success or failure of an outsourcing initiative. This book provides not only the technical background but also some broad information about outsourcing and its mechanics. Organizations sometimes try to resolve their issues of an expensive, fragmented IT infrastructure by looking into outsourcing. If this is truly a valid strategy, then it is heavily relying on circumstances and individual factors specific to that organization. Yet there are some common pitfalls that should be kept in mind before jumping to the conclusion that outsourcing will provide cost savings and a smoother-running operation. One critical factor for a smooth-running IT operation is a governance framework, resulting in mature processes, an executable IT strategy, and an IT environment that is maintainable. Most organizations that lack mature processes have to support an IT environment that ranges from Windows to three different UNIX flavors. Those environments are usually not sustainable in the long run, outsourced or not. To believe that outsourcing such an environment would result in cost savings and better performance can very quickly turn into a big disappointment. Yes, a large outsourcing company will certainly have the resources to support the various platforms and technologies. However, the more individuals an outsourcing company needs to provide to support a customer’s environment, the higher the cost will be. Labor cost is the expensive part of the outsourcing equation, even when delivered from low-cost countries like India and China. The leading outsourcing countries in particular have a common trend: the cost of living is rising, resulting in higher labor costs, making cost savings a short-lived dream.

That cost savings and security traditionally do not go hand in hand should be no surprise to anyone. Let’s be clear: cost savings can be achieved in outsourcing if security is done right. However, the typical large-scale outsourcing engagement does not have security as the primary objective, but cost savings.

Definitions

This book uses, for the purpose of standardization and whenever available, the definitions set by the US National Institute for Standards (NIST). Particularly in the fast-moving market of outsourcing, companies have come up with their proprietary marketing terminology, trying to distinguish themselves from their competitors. Looking under the “hood” of such proprietary offerings, they usually are easily tied back to the NIST definitions and standard industry terminologies.


3 Before You Decide to Outsource

The question “What are the risks?” is not easily answered and has more aspects to it than just the security perspective: for example, how agile does my IT need to be to support our business? Companies that need flexibility in how IT supports their business will have a hard time finding an outsourcing company that actually can (and I mean not one that only commits to it in their Statement of Work) keep up with their demand for an ever-changing IT infrastructure. The reality is that, once outsourced, changes to the IT infrastructure acquire another bureaucratic layer in the form of Service Level Agreements (SLAs), contract terms, change orders, and so forth. This is widely underestimated, and maybe even ignored, by the managers who make the final decision to outsource or not.

Outsourcing is like giving up a hand-tailored suit that fits like nothing else. Most companies will not achieve this “right fit” by outsourcing parts or all of IT. It might result in a more mature IT environment with less cost, but it needs to be understood that this will be more akin to the suit off the rack with some slight modifications than the handmade IT-Armani suit that every chief information officer dreams of.

Security and Privacy Impacts

When outsourcing business processes or IT, security is impacted at various levels. Information that used to reside in a controlled environment, physically as well as logically, is passed on to a third party that is now entrusted with protecting the information against unauthorized access and corruption (intentional or unintentional) and with making it available to the business whenever it is needed. To add to these requirements, your organization now needs to make sure that the outsourcing company is trustworthy and executes as agreed on in the contract both parties signed. Critical pieces of information that ensure that your organization is competitive (e.g., the Coca-Cola recipe) or your personnel files with Personal Protected Information (PPI) are now accessible by the outsourcing company’s personnel. Information that is protected by laws and regulations in various states and countries around the globe becomes an SLA with the outsourcing company. The level of criticality of particular information may be passed on to the outsourcing company in a signed contract, but down the road the information is just one piece among many.

Furthermore, the outsourcing industry has adopted a model of cascading outsourcing, which has resulted in some of the services not being provided by the original outsourcing company but by a third party that the outsourcing company has contracted to provide certain services to it. This third party might in turn have a fourth party that provides services to them involving your data. It is very unlikely that those additional service providers understand your requirements for security and privacy of the information that you entrusted to the original outsourcing company. This results in a situation where nobody can understand the complete picture anymore. Information that should have been hosted only in the United States suddenly winds up in India or other countries. With the introduction of cloud-based outsourcing offerings, this situation has now become even more complex, since many cloud service providers (CSPs) use technologies that allow for cloud bursting, which can mean that additional cloud resources are added from other geographical regions. Cloud bursting can also mean that your private cloud suddenly has resources added from a public cloud. The visibility of the information owner is taken away more and more.

Secure Communication

The sooner you think about secure communication in the outsourcing deal, the faster you get one of the biggest information leakage areas under control. Communication is going to take place at various levels of the organizations and in various formats. Phone, e-mail, instant messaging, paper, and video conferencing are just some of the modern ways that we use to communicate with each other. The problem is that those ways of communicating are not always secure. This is particularly clear after the revelations of Edward Snowden (who was not the first), pointing out that governments around the globe are eavesdropping on all forms of communication. The PRISM program, controlled by the National Security Agency (NSA), is probably the most famous; however, it is not the only program in place. I say this because with outsourcing deals the communication takes place at a global level. Only if both endpoints and the communication channel are secure can the information that is communicated stay secure. Secure can mean that it stays confidential, or that the integrity of the information stays intact, or that the communication can take place and is available to you.

Telephones

The telephone is one of the oldest forms of communication. In the early days of telephone service, so-called party lines were in place. A couple of neighbors shared one phone line. It was expected that when a party realized that the call was not for them, they would hang up. So much for that theory. In reality, human curiosity resulted in neighbors sometimes listening to each other’s conversations. Not to mention that the operator who had to manually patch calls through could easily listen in to calls. Nowadays we have telephone service nearly everywhere. Landlines are dying a slow death, with a generation of college graduates simply relying on their mobile phones and having no need for a landline anymore. Times have changed, but not human curiosity or the fear of missing out on a detail that could be terrorism related or in some cases be used for corporate espionage. So-called signals intelligence (SIGINT) gathering systems are capable of gathering information from satellite communication, microwave links (as used by telephone companies to bridge long distances), wireless services (cell phone service), and cordless phones. ECHELON is one system that performs SIGINT by collecting and analyzing worldwide communication. The ECHELON network is operated on behalf of five countries (Australia, Canada, New Zealand, the United Kingdom, and the United States) according to the UKUSA Security Agreement.* ECHELON was originally created to monitor the military and diplomatic communications of the Soviet Union and its Eastern Bloc allies during the Cold War in the early 1960s. The European Parliament formed a committee during 2000 and 2001 to investigate ECHELON and issued a report in 2001. The report stated that the name ECHELON is used in a number of contexts, but that the evidence indicates that ECHELON stands for a signals intelligence collection system. This investigation uncovers an interesting situation with the UK, which is part of the European Union (EU) and is also actively involved with ECHELON. It is suspected that the five member countries have divided up the monitoring responsibilities.

* http://www.nsa.gov/public_info/press_room/2010/ukusa.shtml

• Australia eavesdrops for communication that originates in Indochina, Indonesia, and southern China.

• Canada used to monitor the northern portions of the former Soviet Union and conducted sweeps of all forms of communication that could be picked up from embassies around the world. After the Cold War era ended, the focus shifted to monitoring satellite, radio, and cell phone traffic originating from Central and South America to track drugs and non-aligned paramilitary groups in that region.

• New Zealand is targeting the western Pacific with listening stations in the South Island at Waihopai Valley and on the North Island at Tangimoana. Locals hold regular protests against the listening posts, demanding that they be closed down.

• United Kingdom is responsible for monitoring communication in Europe, Africa, and the European part of Russia. There have been cases in which companies located in non-ECHELON participating countries suspected that the ECHELON system was used to provide UK- or US-based companies a competitive advantage by passing recorded information to companies in their countries.

• United States monitors most of Latin America, Asia, Asiatic Russia, and northern China.

The report issued by the EU also concludes that ECHELON was capable of eavesdropping on and analyzing telephone calls, faxes, e-mail, and other data traffic that traverse via satellite transmission, microwave links, and public-switched telephone networks (carrying Internet traffic during the early stages of the Internet revolution). It has been suspected for quite some time that ECHELON is used not only to protect the national security of the five member states but also for industrial espionage. Germany’s national intelligence agency, Verfassungsschutz, has warned German businesses and the German industry community against ECHELON since June 1999, when it recommended that German companies encrypt all important information—encode it to prevent ECHELON stations from picking up the communication and using it to their advantage. The Verfassungsschutz even issued in 2008 a brochure* to German companies providing guidance on how to protect sensitive information, not mentioning ECHELON but clearly stating that communication can be eavesdropped on.

e-Mail

In the early days of e-mail communication, the e-mail servers exchanged the content of e-mails in clear text across the Internet. Since these early days, this has changed, and many e-mail servers now offer secure transmission of e-mails via the Transport Layer Security (TLS) protocol, the successor of the Secure Sockets Layer (SSL) protocol. This allows for secure communication between e-mail servers. To check if TLS is in place, you can inspect the full header of an e-mail, which contains the server handshake part. If the header contains a line like this (or similar—the keyword is TLS), “(version=TLSv1 cipher=RC4-SHA bits=128/128),” then TLS version 1 was used to secure the communication from one e-mail server to another. One caveat to the above line: the RC4 cipher† is no longer considered secure, and an e-mail server should not use the RC4 stream cipher algorithm anymore. A prominent victim of the weakness of RC4 was the Wired Equivalent Privacy (WEP) protocol, which is nowadays considered highly insecure. Too often individuals (particularly auditors) seem to check only for the word TLS in the header of an e-mail and do not pay attention to the actual cipher that is being used. With computing power doubling every two to three years (see Moore’s law*), a weak crypto algorithm can easily result in no obstacle at all after just a couple of months or years.

* http://www.verfassungsschutz.de/de/oeffentlichkeitsarbeit/publikationen/pb-spionage-und-proliferationsabwehr/broschuere-4-0806-wirtschaftsspionage (in German).

† http://www.schneier.com/blog/archives/2013/03/new_rc4_attack.html
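The header check described above, as an added example that is not from the book: a small Python audit that unfolds the Received: headers of a message, extracts the version/cipher/bits handshake fragment the author quotes, and flags each hop that is cleartext, uses RC4 or another broken suite, or only says “ESMTPS” without recording a cipher (the word-TLS-only trap the author warns about). Going beyond the 2013 text, it also flags SSL 2.0/3.0 and TLS 1.0/1.1, which RFC 8996 has since deprecated. The sample headers, host names and addresses are constructed for this example.

```python
import re

# Constructed sample: four Received: headers, most recent hop first, in the
# folded form a mail client shows under "full headers". Hosts and addresses
# (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
        by mail.example.org with ESMTPS id AB12
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 1 Jul 2013 10:00:00 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
        by mx.example.net with ESMTPS id CD34
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 1 Jul 2013 09:59:00 +0000
Received: from legacy.example.com (legacy.example.com [192.0.2.5])
        by relay.example.com with ESMTP id EF56;
        Mon, 1 Jul 2013 09:58:00 +0000
Received: from old-gw.example.com (old-gw.example.com [192.0.2.9])
        by legacy.example.com with ESMTPS id GH78;
        Mon, 1 Jul 2013 09:57:00 +0000
"""

# The handshake fragment the book quotes: (version=TLSv1 cipher=RC4-SHA bits=128/128)
HANDSHAKE_RE = re.compile(
    r"\(version=(?P<version>[A-Za-z0-9.]+)\s+cipher=(?P<cipher>[A-Za-z0-9-]+)"
    r"(?:\s+bits=(?P<bits>\d+/\d+))?\)"
)
FROM_RE = re.compile(r"^from\s+(?P<from>\S+)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")
WITH_RE = re.compile(r"\bwith\s+(?P<with>\S+)")

# Cipher-name fragments that mark a suite as broken or deprecated.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON")
# SSL 2.0/3.0 are broken; TLS 1.0 and 1.1 were deprecated by RFC 8996 (2021).
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SEVERITY = {"ok": 0, "weak": 1, "unknown": 2, "cleartext": 3}


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading space/tab) into one line each."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return one dict per Received: header, most recent hop first."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        hop = {"from": None, "by": None, "with": None,
               "version": None, "cipher": None, "bits": None}
        for rx in (FROM_RE, BY_RE, WITH_RE, HANDSHAKE_RE):
            m = rx.search(body)
            if m:
                hop.update(m.groupdict())
        hops.append(hop)
    return hops


def assess(hop):
    """Classify one hop as 'ok', 'weak', 'unknown' or 'cleartext', with reasons."""
    if hop["version"] is None:
        # "ESMTPS" says TLS was negotiated but records nothing about the cipher:
        # this is exactly what a check that only greps for "TLS" would accept.
        with_ = (hop["with"] or "").upper()
        if with_.startswith("ESMTPS") or "TLS" in with_:
            return "unknown", ["TLS indicated by '%s' but no cipher recorded" % hop["with"]]
        return "cleartext", ["no TLS handshake recorded for this hop"]
    reasons = []
    if hop["version"] in LEGACY_VERSIONS:
        reasons.append("legacy protocol %s" % hop["version"])
    cipher = (hop["cipher"] or "").upper()
    weak = [m for m in WEAK_CIPHER_MARKERS if m in cipher]
    if weak:
        reasons.append("weak cipher %s (%s)" % (hop["cipher"], "/".join(weak)))
    return ("weak" if reasons else "ok"), reasons


def audit(raw):
    """Per-hop verdicts as (from, by, verdict, reasons) tuples, most recent hop first."""
    return [(h["from"], h["by"], *assess(h)) for h in parse_received(raw)]


def overall(raw):
    """Worst verdict over all hops: a mail is only as protected as its weakest leg."""
    verdicts = [v for _, _, v, _ in audit(raw)] or ["cleartext"]
    return max(verdicts, key=SEVERITY.__getitem__)


if __name__ == "__main__":
    for sender, receiver, verdict, reasons in audit(SAMPLE_HEADERS):
        print("%-9s %s -> %s  %s" % (verdict, sender, receiver, "; ".join(reasons)))
    print("overall:", overall(SAMPLE_HEADERS))
```

Only the hop between your own servers and the outsourcing company's relay is under your contractual control; the audit shows that the hops beyond it are what decide whether the message ever travelled in the clear.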

In the United States and in Europe, the governments are actively discussing the storage of information about communication that takes place using e-mail, social media, or telephone. The approaches that the EU and the United States are pursuing vary. The EU approach in general only requires the storage of envelope information of an e-mail but not the actual content of the e-mail. The actual interpretation and implementation of the EU directive have varied by country. The United States, on the other hand, has implemented measures that go beyond what the EU has defined. After the 9/11 attacks, a shift took place in how anonymity and privacy of e-mails are handled in the United States. Intelligence agencies have been using intelligent software that can screen the content of millions of e-mails with relative ease (e.g., NSA’s XKeyscore† goes even beyond e-mails). Civil rights activists heavily criticize the practice of screening e-mails. Agencies such as the US Federal Bureau of Investigation conduct screening operations regularly. The American Civil Liberties Union and other organizations alleged that Verizon illegally gave the US government unrestricted access to its entire Internet traffic without a warrant and that AT&T had a similar arrangement with the NSA. In 2008, Congress passed the FISA Amendments Act of 2008 (FAA), granting AT&T and Verizon immunity from any prosecution. According to a whistleblower (William Binney, a former NSA employee), the NSA has collected over 20 trillion communications, including many e-mail communications.

Mobile/Cell Phones

As already mentioned in the telephone section, governments around the world are spying on wireless and wired communication, no matter where you are. Since the new millennium (potentially earlier), companies like ThorpeGlen, VASTech, Kommlabs, and Aqsacom sell so-called passive probing data-mining services to governments around the world, according to a London Review of Books article.* For example, ThorpeGlen, a UK-based vendor, provides mobile phone location and call records via its data-mining software. The sky seems to be the limit when it comes to analysis of data gathered: a target’s community of interest, a single person swapping SIM cards, or even throwing away phones—no problem.

* http://www.merriam-webster.com/dictionary/moore’s%20law

† http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

Smartphones

The success of smartphones around the globe is unprecedented. Particularly the younger generation has adopted this new technology, using it wherever they can: e-mail, text (SMS), one-time access code applications, and so forth. Unfortunately, smartphones have become the target not only of criminals but also of governments, which want to control any information that might go against the regime in that country. Western countries use “government spyware” on smartphones, too. One company that has tapped into this market is Gamma International, a UK-based company marketing a spyware called FinFisher, under the description “IT intrusion and remote monitoring solution.” FinFisher is supposedly only offered to law enforcement and intelligence agencies to covertly monitor criminals. However, according to researchers, it has been used by repressive regimes, for example, by the Bahraini government to spy on dissidents. According to some analysis, a demo version of the FinFisher software was in some cases reverse-engineered to a certain degree, removing the demo mode limitations. FinFisher is available in versions that work on mobile phones of all major brands. FinFisher has the ability to take control of target smartphones and capture even encrypted data and communications. Using “enhanced remote deployment methods” it can install software on target smartphones.

FinFisher is, at the current time, the crème de la crème of spyware for smartphones (and computers). However, many other security issues might put your sensitive information at risk. For example, in late 2012 a research team at the University of Leipzig, Germany, discovered that the SSL implementation,† used by many applications on the popular Android platform, is insecure.

* http://www.lrb.co.uk/v30/n16/daniel-soar/short-cuts.
† http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf.


In another case, free smartphone applications that were using an advertisement framework to generate revenue for the usage of the application were introducing malware through the advertisement framework.*

Many other threats make smartphone platforms potentially unsuitable for highly sensitive data.

BlackBerrys

Probably still the most secure smartphone platform available is the BlackBerry. Even Research in Motion (RIM), the manufacturer of BlackBerrys, had to give in to demands from the Indian government (and others) to allow it to eavesdrop on communication taking place using the BlackBerry encryption. RIM demonstrated in August 2012 a solution developed by a firm called Verint that can intercept messages and e-mails exchanged between BlackBerry handsets. This solution makes encrypted communications available in a readable format to Indian security agencies. Many experts doubt the validity of the claim of the Indian government that it uses the eavesdropping to identify terrorism. It is suspected that the Indian government uses the intelligence gathered from the business-to-business communication (this is the only communication that RIM had encrypted) for other purposes.

Instant Messenger

It is not a well-known fact that instant messaging (IM) predates the Internet. Early versions of instant messaging appeared already in multiuser operating systems like Compatible Time-Sharing System (CTSS) and Multiplexed Information and Computing Service (Multics) in the mid-1960s. Later, when network connectivity became more widely available, some new protocols came up, some of them using peer-to-peer protocols (e.g., talk, ntalk and ytalk) and others having a client-server architecture (e.g., Internet Relay Chat [IRC]). Many IM solutions followed. However, America Online (AOL) offered the first IM that had huge success, with millions of users still using it today. The AOL Instant Messenger (AIM) has been leading the way for modern IM solutions (Google Talk, Yahoo IM, Microsoft Messenger, etc.), offering not only a text chat function but nowadays also voice chat, video chat, and file transfer functions. As useful as IM solutions are—boosting productivity, particularly for teams that are geographically dispersed—they also carry a high risk if they are implemented by using one of the public IM offerings (Yahoo, AOL, Microsoft, Google, etc.). The following could be considered the top five risks and liabilities:

* http://www.csoonline.com/article/732204/bogus-ad-network-marks-new-twist-on-android-malware.

• Malware infections through IM—IM networks have been used to deliver large numbers of phishing links (i.e., URLs) and file attachments containing malware. Even if your computer is not the direct target of an attack, users elsewhere around the globe may not be running antivirus software on their computers and could become infected with malware.

• Compliance issues—In the United States alone there are more than 10,000 laws and regulations related to electronic communication and records retention. Some of the well-known ones include the Sarbanes–Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and SEC 17a-3, which requires certain exchange members to create records in a specified manner. For example, in December 2007 the Financial Industry Regulatory Authority (FINRA) issued to member firms in the financial services industry a clarification stating that the terms electronic communications, e-mail, and electronic correspondence may be used interchangeably and include electronic messaging such as instant messaging and text messaging. This ruling means that companies subject to it must record IM and text messages, since many IM communications fall into the category of business communications, which must be archived and retrievable according to SEC 17a-3.

• Requiring additional ports—Unfortunately, due to the nature of IM, running behind firewalls, or on networks using network address translation (NAT), the programmers of some IM applications have been creative in keeping a communication channel open to the IM server. This sometimes involves the User Datagram Protocol (UDP) network protocol. UDP is not known for its security and allows for spoofing of communication sources.

• Social engineering—Just like the traditional form of social engineering, IM has been used to claim the identity of someone to gather information. Sometimes the IM name varies by only one character, using the limitations of character sets. For example, I and 1 or O and 0 are often swapped for each other to create an IM name that at first glance looks like the name of a trusted person.

• Leakage of confidential information—IM applications usually use communication protocols that are in plain text, making them vulnerable to eavesdropping attacks. Another area of concern is that many IM protocols are not peer-to-peer protocols but traverse servers of the company offering the free IM solutions. There has been much speculation as to why this is done, since it creates a cost overhead for the company offering the free service to the public.

IM has been widely used by outsourcing companies; however, the risks that the usage of IM introduces must be reconciled with your risk appetite and compliance requirements.
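The one-character lookalike handles described under social engineering above can be caught mechanically on the receiving side rather than left to the user's eye. The following Python script is an added example, not code from the book or from any IM vendor; it assumes a vetted roster of trusted contact handles and a constructed batch of inbound handles (both made up here), case-folds every handle, and collapses visually confusable characters (l/I/1, O/0, S/5, and so on) to one canonical form, so that a handle whose "skeleton" equals a trusted contact's, or that is a single character added, dropped or changed away from one, is flagged for review before the conversation is trusted.

```python
"""Flag instant-messenger handles that impersonate a trusted contact.

Added example for the social-engineering risk described above; it is not code
from the book. It assumes a vetted roster of contact handles and normalises
visually confusable characters (l/I/1, O/0, S/5, ...) so that a lookalike handle
collapses to the same "skeleton" as the genuine one. Handles one edit away
(one character added, dropped or changed) are flagged as well.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Groups of characters that look alike in common UI fonts; the first member of each
# group is the canonical form. Constructed list for this example; a production check
# would draw on the Unicode confusables data (UTS #39).
CONFUSABLE_GROUPS = ["o0", "li1|", "s5", "z2", "b8", "g9"]

_CANON: Dict[str, str] = {ch: group[0] for group in CONFUSABLE_GROUPS for ch in group}


def skeleton(handle: str) -> str:
    """Case-fold a handle and collapse confusable characters to one canonical form.

    Two handles with equal skeletons are indistinguishable at a glance.
    """
    return "".join(_CANON.get(ch, ch) for ch in handle.casefold())


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    # Deleting exactly one character from the longer string must yield the shorter one.
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def classify_handle(handle: str, trusted: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Classify an inbound handle against the roster.

    Returns (verdict, matched_trusted_handle) with verdict one of
    "trusted" (exact or case-only match), "lookalike" (confusable-character or
    single-edit variant of a trusted handle) or "unknown" (no relation to the roster).
    """
    roster = list(trusted)
    for t in roster:
        if handle.casefold() == t.casefold():
            return ("trusted", t)
    sk = skeleton(handle)
    for t in roster:
        if skeleton(t) == sk or one_edit_apart(handle.casefold(), t.casefold()):
            return ("lookalike", t)
    return ("unknown", None)


def scan(handles: Iterable[str], trusted: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (handle, verdict, matched) for every inbound handle, lookalikes first."""
    roster = list(trusted)
    results = [(h, *classify_handle(h, roster)) for h in handles]
    order = {"lookalike": 0, "unknown": 1, "trusted": 2}
    return sorted(results, key=lambda r: order[r[1]])


# Constructed sample data: the organisation's vetted roster and one batch of inbound handles.
TRUSTED_CONTACTS = ["alice.ops", "bob_finance", "carol.admin", "Dave_IT"]
INBOUND_HANDLES = [
    "alice.ops",     # genuine
    "a1ice.ops",     # l swapped for 1
    "b0b_finance",   # o swapped for 0
    "carol.admin1",  # one character appended
    "dave_it",       # case-only variant of a trusted handle
    "mallory",       # unrelated stranger
]

if __name__ == "__main__":
    for handle, verdict, matched in scan(INBOUND_HANDLES, TRUSTED_CONTACTS):
        note = f" (resembles {matched})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {handle}{note}")
```

The skeleton comparison is deliberately aggressive: it treats a case-only difference as trusted because most IM services are case-insensitive, but it flags an i/l swap as a lookalike even though some fonts render them distinctly. Tuning the confusable groups to the fonts and character sets your IM client actually displays is the main knob; an "unknown" verdict is not a pass, only a signal that the sender is not on the roster at all.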

Letters and Parcels

The old-fashioned way to transport information from point A to point B, using a carrier that provides tracking of your shipment, can give you a false sense of security. Yes, you know where your letter or parcel is; however, tracking does not help much when the letter or parcel has been delivered to the wrong address and the signature is completely unreadable or no signature has been recorded. In most cases international shipments require additional paperwork, such as customs forms that need to be filled out. In some countries, parcels or larger envelopes are routinely opened and inspected. Those inspections serve different purposes, depending on how stable the regime is in a certain country.
