
Penetration testing and system audit — Experience gained and lessons learned during the investigation of systems within the United Kingdom

Computers and Security, Vol. 16, No. 6

works against Internet-based security threats has, fortunately, become considerably more manageable, but a new potentially more complex problem has emerged - securing connections from third parties such as business partners and customers. Controlling security in this case is more difficult because many third party entities must for business reasons be trusted to some degree and also because business agreements may not allow the needed amount of traffic restriction for these connections. In addition, it is often difficult to determine how widespread the level of potential and actual access to a third party network itself is - a third party affiliate that needs a connection to another organization’s network may allow unrestricted Internet access, potentially opening the organization’s network to a flood of external attacks. This paper explores the real nature of security threat resulting from third party connections and presents several major types of solutions. Although technical solutions are likely to some degree to solve the problem, administrative/managerial solutions comprise the other part of a complete approach to the problem of securing third party connections.

Title: Information Flow within the Globally Connected Environment

Author: Sarah Gordon, IBM

One of the principal benefits of Internet connectivity within the corporate environment is the ability to transfer large amounts of information quickly from point to point. This paper will examine some of the benefits and potential dangers of this rapid exchange of data.

STREAM 2 (am): Electronic Commerce

Title: The Strategic Value of Information in Business

Author: Donn B. Parker, SRI International

Your business can be more successful with prudent protection of the information associated with your products and customers in today’s knowledge management. We hate the constraints of information security. We need to determine how little security can achieve prudent due care, not how much we can tolerate. Strategic application of information security is needed.

Title: Essential Controls for Internet Electronic Commerce

Author: Charles Cresson Wood, Baseline Software

A recent study by RGH Consulting indicates that 75% of CIOs intend to go ahead and do business on the Internet, even though security issues have not been resolved to their satisfaction. The extent to which marketing pressures are dominating security concerns in this area should be cause for great concern among information security practitioners. Meanwhile security, according to another recent study conducted by KPMG Peat Marwick, remains the number one barrier to establishing an Internet electronic commerce presence. This presentation will define the special risks associated with Internet electronic commerce, as well as 17 fundamental controls that can be used to address these risks. Material for this presentation will be extracted from the author’s 1996 book entitled, How to Handle Internet Electronic Commerce Security: Risks, Controls & Product Guide.

STREAM 2 (pm): Information Warfare

Title: Information Warfare and Defending the UK Nation State

Author: Michael J. Corcoran, Defence Research Agency

This paper addresses the Minimum Essential Defence Information Infrastructure (MEDII) of the National Information Infrastructure (NII). It poses the following questions and hopes to provide a direction to follow in which to seek answers: what is information warfare? Does it really exist? To what is the threat posed? How vulnerable are the targets? Who poses the threat to the MEDII in an information warfare scenario? What counter-measures can be implemented? What is the MOD’s role in this process?

Title: Penetration Testing and System Audit - Experience Gained and Lessons Learned During the Investigation of Systems Within the United Kingdom

Author: Andy Jones, Defence Evaluation and Research Agency

525


COMPSEC ‘97 Paper Abstracts

In the main, Information Technology (IT) security within the UK has been achieved as a result of the production of a System Security Policy (SSP) or some similar document which defines the security requirements for the system, based on the threat against it. The threat to any system is dependent on a number of factors, including the value of the data or processes, the attractiveness of the system as a target to potential attackers and the inherent vulnerability of the system. All of these factors have to be taken into account when deciding the strategy that will be adopted to secure the system. From the requirements laid down in the SSP, it has been the norm to procure systems and components that have, where it is necessary, undergone evaluation and received certification by the national authorities to the appropriate level. The person with overall responsibility for security within the relevant organization has then, after taking into account the security measures that have been implemented, ‘accredited’ the system for use in the manner defined in the SSP. The person who accredits the system is, in so doing, identifying that the residual risk to that system is acceptable and signifying that they will take responsibility for this residual risk.

STREAM 3: Technology Issues

Title: A Comparison Between Java and ActiveX Security

Author: David Hopwood, Network Security Corp.

ActiveX and Java have both been the subject of press reports describing security bugs in their implementations, but there has been less consideration of the security impact of their different designs. This paper considers the questions: “Would ActiveX or Java be secure if all implementation bugs were fixed?” and, if not, “How difficult are the remaining problems to overcome?”

Title: Intelligent Agents: New Security Issues

Author: Steve Bailey, Steve Bailey Associates

Intelligent Agents have become an essential element of major networks such as the Internet. They provide us with the means to automate many of the mundane and repetitive tasks such as searching for information. They do, however, come with some degree of risk to the network’s security. They are intrusive, resource intensive and threaten the confidentiality, integrity and availability of the data.

Title: Smartcards - Is Britain Getting Smarter?

Author: Alan Laird, Bull Information Systems Ltd

Last year it looked as though the UK was falling behind in the exploitation of smartcard technologies. Whilst investment strategies have not changed, there are an increasing number of signs that Britain will be ‘smart’ by the end of the millennium. This paper looks at these signs and uses actual examples to provide evidence.

STREAM 4 (am): Legal Issues

Title: The Internet - A Legal Quagmire

Author: Mark Crichard, Garretts

Although many businesses have yet to find the ‘killer application’ in the use of the Internet, its use is continuing to grow at a phenomenal rate. Two years ago there was, apparently, no real legal regulation of the Internet. Since then there has been an ever increasing flow of legal activity arising out of Internet use - largely as a result of misuse. This paper aims to quickly run through the current state of the law as it stands in the US and UK in particular and to highlight the latest developments.

STREAM 4 (pm): The Year 2000

Title: The Year 2000 Problem

Author: Margaret Joachim, Taskforce 2000

The Year 2000 problem has the potential to cause serious business, economic and social difficulties, resulting from the unpredictable operation, inaccurate processing or outright failure of computer systems and microprocessor technology. Conventional disaster recovery procedures are irrelevant; only ruthless prioritization, effective risk management and creative contingency planning will ensure survival.

526