Proc. of the 2nd Symposium on Research in Computer Science, Coventry, UK, May 2002.
THE MULTIMEDIA APPROACH: AN EXTRA LAYER OF DEFENCE IN THE
ENTERPRISE SECURITY
Andreas Oikonomou, Meletis A. Belsis, Saad Amin, Leon Smalov
{a.oikonomou, belsis, s.amin, l.smalov}@Coventry.ac.uk
ABSTRACT
Internet security has recently become an extremely popular topic: from national newspapers to discussions among groups of teenagers, no one has been left neutral. In practice, only some of the technical aspects of defence are handled by system administrators and/or network managers. Outsiders such as hackers, and insiders such as disgruntled or simply ignorant employees, all present a serious risk to corporate data. Against the latter, firewalls give no protection at all. Social engineering methods are common and usually successful.

To provide effective and comprehensive defence, all corporate users need to be educated. However, an attempt to turn all corporate users into security experts or network managers through a simple team briefing is not very realistic, and traditional approaches such as posters, newsletters and e-mails are not very effective. This paper discusses the potential and effectiveness of using multimedia to educate users on the essential aspects of information security. Multimedia applications have been used successfully in other areas of training and education, with astonishing results in terms of both educational and cost effectiveness. Examples of the use of multimedia are given, and the challenges and benefits of similar approaches to information security training are discussed.
1. INTRODUCTION.
Over the last decades the world of computing has changed. The TCP/IP protocol suite and the evolution of both hardware and software have changed the way computers are used. The Internet as it is known today provides functionality ranging from e-commerce and online banking to entertainment and multiplayer gaming.

These new trends in the shape of modern computing have opened a new market for criminals of every kind. Today an adversary does not have to be a computer expert to attack systems connected to the Internet. Automated attack software can penetrate the secure perimeter and attack corporate systems in milliseconds. Security incidents involving the defacement of corporate Web sites are numerous. Organised distributed denial-of-service attacks can make e-commerce sites unavailable, producing millions of dollars in losses.

To make things worse, employees may attack the corporate network to take revenge for a manager's action or to sell confidential corporate information to competitors. Insider attacks are the most difficult to prevent, because employees know the corporate procedures, where the weak links in the defence are, and where sensitive information is stored.

To understand the size of the problem one has to look at Table 1 [CSI/FBI 2000], which displays the statistics for different types of attack. Note that, according to the CSI/FBI survey for the year 2000, 74% of the respondents acknowledged financial losses, but only 42% of them could quantify those losses.

In this paper the authors justify the real need for user education, discuss the advantages of using multimedia technologies and techniques to provide effective security training, and consider the potential challenges and difficulties.
1. WILL USERS' EDUCATION COMPLEMENT A STRONG DEFENCE?
One of the most effective strategies for defending corporate information is based on the Protect-Detect-React paradigm. This encourages organisations not to rely on defences alone but to expect breaches of security, to concentrate their efforts on the early detection of these breaches, and finally to coordinate response and recovery procedures.
Type of incident                  Respondents         Total losses
                                  1999    2000        1999           2000
Theft of proprietary info           23      22     $42,462,000    $66,708,000
Sabotage of data or networks        27      28      $4,421,000    $27,148,000
Telecom eavesdropping               10      15        $765,000       $991,200
System penetration by outsider      28      29      $2,885,000     $7,104,000
Financial fraud                     27      34     $39,706,000    $55,996,000
Denial of service                   28      46      $3,255,000     $8,247,500
Virus                              116     162             N/A            N/A
Telecom fraud                       29      19        $773,000     $4,028,000
Unauthorised insider access         25      20      $3,567,000    $22,554,500
Insider abuse of Net access         81      91      $7,576,000    $27,984,740
Active wiretapping                   1       1         $20,000     $5,000,000
Laptop theft                       150     174     $13,038,000    $10,404,300
Table 1: Losses from computer crime [CSI/FBI 2000]

In most cases information security is treated as a "step child" for which no one is responsible: network administrators are busy keeping the corporate network going, system administrators are engaged in endless troubleshooting of users' day-to-day problems, and help desks are trying to sort out the "leftovers" of the first two. Security services have installed a few CCTV cameras, bolted cages on top of the servers and chained PCs to the desks; computing services have installed a firewall and an e-mail scanner; the administration has a detailed corporate security policy; and so users are well protected from possible intrusion. Or are they? Here is the "dark side of the moon": CCTV cameras can be jammed with "laser" pointers; bolted servers can still be accessed with CDs or floppies; e-mail can be read through "hotmail" or "yahoo" accounts, bypassing the corporate scanner; viruses can be brought in from a home PC; employees or contractors may have escalated their access rights; temporary accounts are "forgotten"; vendor patches are ignored by system administrators; a fake questionnaire offers to "win a free trip to Paris – just answer five questions about your network"; and the corporate security policy has been unchanged since "the Romans were here". Needless to say, a properly scaled and combined attempt will certainly be a successful one! Our respectable opponents may say, "This is paranoia". To justify our point we present two cases:
1. The very "famous" Code Red worm exploited a vulnerability in Microsoft's IIS web server software. The worm ran freely on the Internet from July 19, 2001, despite the fact that Microsoft had released a patch for the vulnerability on June 18, 2001. All system administrators and network managers had more than a month – perhaps it was a holiday period! The next, and no less "famous", W32.Nimda worm exploited not one but two different vulnerabilities. The worm introduced itself on September 18, 2001, but Microsoft had released fixes for both vulnerabilities on August 10, 2000 [Microsoft 2000] and March 29, 2001 [Microsoft 2001]. On this occasion, too, system administrators and network managers had been given enough time to close the gaps. Why did they fail?!

2. Kevin Mitnick, who claimed he had penetrated all his targeted sites but one, openly declared in his Senate testimony [Mitnik 1997] that: "Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully". Please note this "..willingness.. to bypass.." and "..in place for years..".
No single security measure can guarantee a strong defence, and even a complicated and well-protected system may get compromised. Users' reaction, the last element of the triad, is as important as the first two. A simple yet effective backup procedure will reduce the losses as well as the recovery time; without a backup strategy the corporate data may be lost forever.

So let us summarise: all the complicated and expensive technological approaches will not work without appropriate education and training of all corporate users. The famous hacker has openly "shared" his opinion [Mitnik 1997]: "The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education". Such education is an expensive and continuous process, and in the authors' opinion the multimedia approach has a major role to play here.
2. WHAT IS MULTIMEDIA?
Multimedia is defined as "computer mediated interactive presentations that utilize more than one medium" [Elsom-Cook 2001]. This definition tells us that multimedia is used primarily for the presentation of information. Computers have been used as tools for processing information for decades; it was only in the 1980s, with the appearance of the first home computers, that they came to be used for presenting information as well as processing it.

Multimedia is a relatively new field of information technology. Advances in computer technology have allowed computer presentations to include images and other media in addition to the text-only presentations of older computer systems. This has been widely achieved, and multimedia-ready computer systems are available in most homes, and in even more businesses, in Europe and the United States.
3. WHY MULTIMEDIA IS MORE
EFFECTIVE THAN OTHER
TRAINING APPROACHES?
To enhance the user learning process and to reduce the training time a number of mechanisms exist [Seymour 2001]:
• Magazine articles discussing security procedures.
• Wall signs explaining different parts of the security policies.
• Network messages that inform users of new vulnerabilities and viruses.
• E-mail newsletters describing different areas of the system's security.
• Training classes where security experts explain hacking techniques along with the countermeasures for them.
Although all of the above aids are successful up to a degree, they are less successful than what business organisations require in terms of security. In an attempt to provide better-quality, more effective, more efficient and more cost-effective training, multimedia technology needs to be utilised for the specific needs of security training and awareness in organisations that rely primarily on IT for their everyday needs.
Comprehension and memory recall can be improved, since realistic simulation of the actions being described can be achieved [Faraday 1997]. Multimedia technology enhances computer presentations by introducing all or some (but at least two) of the following elements [Elsom-Cook 2001]:
• Audio
• Video
• Animation
• Text
• Still images
All of the above elements are used to improve communication between the presenter and the receiver of the presentation. It has been shown [Scarlatos 1997] that multiple channels of communication, correctly utilised, can be more effective than a single channel. For example, it is a far more effective educational method to use an image or an animation along with the textual description of an action. Multimedia enhances a software presentation in such a way that the communication of knowledge is more effective and efficient.
4. EXAMPLES OF USER TRAINING
WITH MULTIMEDIA
Multimedia presentations have been used extensively in user training across wide and diverse areas of application. A few examples of training with the use of multimedia are the following:
• Military training
• Biomedical training
• Scientific training
• Industrial training
• Educational training
In particular, educational training has been one of the most common applications of multimedia. The benefits of utilising more channels of communication and of interacting with the viewer have been measured and well documented. The saying "one picture equals a thousand words" has been proven right over and over again. Multimedia training is an accepted practice endorsed by the biggest and most prestigious organisations, including Microsoft, IBM and Hewlett Packard, to mention just a few. Examples of multimedia training can also be found in schools of all levels, for numerous subjects, and on many Internet websites. A typical multimedia application will use at least two channels of communication. Today's standards go far beyond that, utilising even interactive 3D environments for the purpose of accelerated learning. Figure 1 shows a typical multimedia application user interface [Digevent 2002].
Figure 1: Multimedia music instruction
In that particular example multimedia has been used for musical training online. The application utilises text, audio, images and video to present information of a musical nature to a worldwide audience. It must be mentioned here that the application is interactive, giving viewers the option to "ask" questions and get answers in real time. Training of that type would be impossible with any other approach, because of:
• Distance
• Availability of the trainer
• Space-related issues (how can one accommodate a worldwide audience?)
All these issues are addressed successfully by the multimedia application.
Figure 2 shows another example of an educational multimedia application [Oikonomou 2002].
Figure 2: BSE application interface (chapters menu, options menu, interactive 3D animation, images and text, video)
This is an offline application used for biomedical training and education, specifically on how to perform the breast self-examination (BSE) procedure, which is an aid to early breast cancer detection. Breast cancer statistics show that 1 in 10 women will develop breast cancer at some point in their life [Oikonomou 2001], making it a common disease. Multimedia has been considered a valid and effective method for such a highly critical training need.
5. CONCLUSIONS AND FURTHER
WORK
The examples presented above show that the use of multimedia for training purposes is widely trusted and used in applications where user training is important and in some cases critical. Information systems security is both important and critical for businesses. The authors therefore propose the development of multimedia user training material for the purpose of security training. Providing such a training tool will assist in providing better systems security.

Although effective, a multimedia training tool could become a major security flaw if it fell into the wrong hands. An adversary who obtains a copy of it will be able to understand the security policy the business follows, and in cases where the tool includes training sessions for security administrators, the adversary will also be able to learn the security methods and tools the organisation uses. The training material should therefore itself be handled as sensitive corporate information. Any further work on the application of multimedia to security awareness should take this challenge into account.
6. References
[Oikonomou 2002] A. Oikonomou, S.A. Amin, R.N.G. Naguib, A. Todman, H. Al-Omishy, "Breast Self Examination Training Through the Use of Multimedia: Developing a prototype multimedia application", submitted to IEEE ICME 2002, Lausanne, Switzerland, 2002.
[Oikonomou 2001] A. Oikonomou, S.A. Amin, R.N.G. Naguib, A. Todman, "Breast Self Examination Training Through the Use of Multimedia: A Benchmark Multimedia Development Methodology for Biomedical Applications", IEEE-EMBS, 2001.
[Microsoft 2000] Security Bulletin MS00-057, Microsoft Corporation, August 10, 2000.
[Microsoft 2001] Security Bulletin MS01-020, Microsoft Corporation, March 29, 2001.
[Mitnik 1997] Kevin Mitnick, Testimony before the Committee on Governmental Affairs, United States Senate, 1997.
[Elsom-Cook 2001] M. Elsom-Cook, Principles of Interactive Multimedia, McGraw-Hill, 2001.
[Scarlatos 1997] L.L. Scarlatos, R. Darken, K. Harada, C. Heeter, R. Muller, B. Shneiderman, "Designing Interactive Multimedia", Fifth ACM International Multimedia Conference, 1997.
[Faraday 1997] P. Faraday, A. Sutcliffe, "Designing Effective Multimedia Presentations", Computer Human Interaction Conference, Atlanta, 1997.
[Digevent 2002] http://www.digevent.com/events/consumer/music/guitar_mania/, accessed March 2002.
[CSI/FBI 2000] Computer Crime and Security Survey, Computer Security Issues and Trends, Vol. VI, No. 1, 2000.
[Seymour 2001] Seymour Bosworth and M.E. Kabay (eds.), Computer Security Handbook, Fourth Edition, 2001.