ISSN 1361-3723/14 © 2014 Elsevier Ltd. All rights reserved
This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.
Contents

NEWS
UK citizens hit hard by cybercrime says Government 1
Retailers under sustained attack 3

FEATURES
The dark side of advertising 5
Most commercial web-based services and many mobile applications rely on advertising for their main sources of income. But while we’re all accustomed to seeing ads embedded in web pages and apps, this constant stream of advertising has also become a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it.

Embedding dependability attributes into component-based software development 8
In order to save costs, increase speed of development and improve reliability, many organisations have turned to reusing software components. However, this approach also makes it hard to be confident about the security of the resulting software. Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via a case study involving an industrial software application.

The quantified self: a threat to enterprise security? 16
Soon a large proportion of the population will be wearing computing devices in the workplace, if the pundits are to be believed. Wearable technology is getting smarter and has been given a boost in popularity following the launch of the Apple Watch. The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and connect to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports.

Editorial 2
News in brief 4
Calendar 20
Computer Fraud & Security, ISSN 1361-3723, November 2014, www.computerfraudandsecurity.com
Featured in this issue:

The dark side of advertising
Advertising is pervasive on the Internet these days. It’s usually the primary income stream for many of the services, such as Facebook and Google, that we take for granted. But it’s also a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it.
Full story on page 5…

Embedding dependability attributes into component-based software development
Many industries have turned to reusing software components during development because this makes applications cheaper, faster and more reliable. However, it also makes them hard to secure. Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via an industrial software application case study.
Full story on page 8…

The quantified self: a threat to enterprise security?
Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015. The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and link to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports.
Full story on page 16…

Come and visit us at: www.computerfraudandsecurity.com
UK citizens hit hard by cybercrime says Government

Half of the UK’s citizens have fallen victim to cybercrime, and half of those victims were traumatised by the experience, according to research by the Government.

As part of Get Safe Online Week in late October 2014, the Cabinet Office issued the results of two surveys. The first, by Vision Critical, which was undertaken specifically to tie in with the event, found that of those people who had been victims of cybercrime – defined as: online fraud or cases resulting in economic loss; ID theft; hacking or deliberate distribution of viruses; and online abuse – half felt they were ‘very’ or ‘extremely violated’ by the experience.
Continued on page 3…
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
E-mail: cfseditor@elsevier.com
Web: www.computerfraudandsecurity.com
Publisher: Greg Valero
E-mail: g.valero@elsevier.com
Editor: Steve Mansfield-Devine
E-mail: smd@contrarisk.com
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Support Manager: Lin Lucas
E-mail: l.lucas@elsevier.com

Subscription Information
An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users.
Prices:
€1139 for all European countries & Iran
US$1237 for all countries except Europe and Japan
¥151 620 for Japan
(Prices valid until 31 December 2011)
To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971; Email: commsales@elsevier.com, or via www.computerfraudandsecurity.com.
Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA
Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

Pre-press/Printed by Mayfield Press (Oxford) Limited
Computer Fraud & Security, November 2014, page 2
Editorial

Whatever side you stand on the Edward Snowden debate, it’s clear that his leaks of government secrets and disclosures about mass surveillance programmes have certainly raised awareness about privacy – or rather, the lack of it – on the Internet.

It’s probable that before the stories about the likes of PRISM broke, the vast majority of people hadn’t given privacy a second thought. Just witness how eager people have been to spill their lives onto the likes of Facebook and Twitter.

Of course, they still do. There is something of a disconnect here. There’s a sizeable portion of the population that will complain about government snooping while pasting on to social networking sites precisely the kind of information that the intelligence services are being castigated for hoovering up.

But then, I guess that’s their choice. And that’s the nub of the matter – whether we should be able to use the Internet while still choosing to be private. This would be the same kind of expectation we have with the phone system. We all know that our conversations are going down wires and through exchanges operated by private companies and to which law enforcement and other bodies can have access in certain circumstances. But we have a reasonable expectation that the privacy of our communications will not be breached without good cause and due process of law. In other words, if you want to listen in, get a warrant.

Things become more difficult for those who like to add a bit more certainty about their privacy. For most people, telephone scramblers have always been exotically out of reach. In terms of our Internet privacy, there are technologies out there that can help – such as Tor – but they are often tricky to use if you are not an IT expert. And, as we’re discovering, they’re often not as effective as they seem. Only recently it was discovered that rogue Tor exit nodes had been inserting malware into people’s communications. And, as we know from Snowden, US and UK intelligence agencies have been working hard to undermine the technology used by Tor.

You’ll hear people say that if you have nothing to hide, you have nothing to fear. Normally, this platitude is spouted by those living in (relatively) safe (more or less) democracies like the US and UK. For those living under more repressive regimes it’s a lot harder to be quite so smug.

The problem with having both those who are supposed to be protecting us (the intelligence agencies) and the bad guys (cyber-criminals) undermining technologies like Tor is that it weakens privacy for those who need it most – those whose very lives might depend on it.

There are some highly knowledgeable and influential people taking up the banner of privacy. Next year will see the launch of a new think-tank and campaigning group, Code Red (see News in Brief, pg.4). With any luck, this will help dispel the idea that those seeking to be private on the Internet are paranoid, weird or dubious. It’s something we should all consider a right and expect, perhaps, as a default condition.

The problem that will remain, however, is how to achieve it technically. The Internet’s many protocols were never designed with privacy or security in mind. And that’s probably a good thing as it helped foster the notion of the Internet as a medium for connecting and sharing. Of course, the likes of Vint Cerf and Bob Kahn (creators of the Internet) and Sir Tim Berners-Lee (father of the web) couldn’t have foreseen the many dark directions their inventions would follow. We can only hope similarly gifted people will be able to retro-fit their progeny with technologies that make it safe for everyone.

– Steve Mansfield-Devine
…Continued from front page

Figures issued by the National Fraud Intelligence Bureau (NFIB) to tie in with Get Safe Online Week put the amount lost to the top 10 Internet-enabled frauds at more than £670m for the year ending 31 Aug 2014. This includes all fraud where the initial contact was via an online function. However, the NFIB pointed out that a high percentage of Internet frauds probably go unreported, so the real figure is likely to be much higher. The research suggests that only around a third (32%) of victims actually report the crime.

More than half (53%) of the people surveyed now regard cybercrime as being as serious as ‘physical world’ crimes, and many are now adapting their behaviour accordingly. For example, 45% say they have adopted stronger passwords and 42% claim to be ‘extra vigilant’ when shopping online.

However, not all changes are for the better. When it comes to protecting their personal devices with a PIN or password, more than half have failed to do this with their mobile phones (54%) or PCs (59%), and two-thirds (67%) haven’t done this with their tablets. Laptop owners are slightly better – only 37% have failed to use a password.

“It’s sad but not surprising that 53% of British people have fallen victim to cybercrime,” said George Anderson, director of product marketing at Webroot. “The Internet has become assimilated into our daily lives, from banking to retail, to the point where it’s easy to forget how hazardous it is if the proper security measures aren’t taken. The key to making the UK a safe Internet user zone is education. As a country, as communities and as individuals we should be actively promoting awareness of Internet safety and security issues. The government’s research should not scare people away from online activities, but rather start serious and continuous conversations whereby we evaluate the online precautions we take both at home and at work. Education should start young, with parents and education bodies working to ensure security savvy future generations.”

However, the rise in security awareness might have less to do with fraud than with other high-profile incidents, said Chris Boyd, malware intelligence analyst at Malwarebytes: “While there have been many notable attempts to place the threat of hacking and data breaches in the public eye, it’s possible that the recent celebrity iCloud hacks have had more of an impact on public perception than any cyber-security awareness week ever could. There is a significant amount of apathy among the average person when it comes to protecting themselves online, which is compounded by the ever-evolving complexity and success of cybercrime; so while education is important, it’s also difficult.”

The Get Safe Online public-private initiative has guidelines that individuals can follow to protect themselves. There’s more information here: www.getsafeonline.org.
Retailers under sustained attack

The publicity surrounding the high-profile breach of US retailer Target’s point of sale (PoS) systems has done nothing to prevent the rise of such attacks, according to research by security firm Damballa.

Infections involving the Backoff malware used to breach Target’s systems – and those of other big-name victims such as Supervalu and UPS – are still rising. Damballa says it recorded a 57% rise in Backoff detections in August 2014, and according to US Secret Service estimates, this has resulted in 1,000 US firms being hit. Damballa also saw another 27% rise in September. Typically, infections are achieved by brute-forcing weak passwords on remote desktop (RDP) applications in order to drop the malware onto the PoS systems.

“In many cases, the PoS systems are free-standing from the corporate network,” said Brian Foster, CTO at Damballa. “They connect to local networks, which have limited security. Without this visibility, it’s impossible to discover the device is communicating with criminal command and control.”

Any business that uses RDP protocols to enable remote support on PoS solutions needs to implement much stronger security now, according to Curt Wilson, senior research analyst for Arbor Networks’ ASERT team. “If a PoS provider is compromised, the attackers typically obtain access to all their customer deployments via remote access capabilities, leading to complex, distributed compromise,” he said. “Strong authentication may provide an extra layer of defence in such a case, unless the strong authentication process is also compromised. Organisations, especially smaller to mid-sized organisations, should be aware of the potential of remote support being compromised.”
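An added example, not from the article or from Damballa: a small detector for the intrusion path described above, a burst of failed RDP logons from one source followed by a successful RDP logon on the same host, which is what a guessed weak password looks like in the logs. The sample log is constructed and the threshold and window are assumptions; event IDs 4624/4625 and logon type 10 are the standard Windows Security values.

```python
"""Flag RDP brute-force bursts and the successful logon that follows one.
Added example, not from the article or from Damballa; the log is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs and the RDP logon type (standard values).
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10            # RemoteInteractive (Terminal Services / RDP)

# Detection parameters: assumptions, tune them to the environment.
WINDOW = timedelta(minutes=5)
THRESHOLD = 4                  # failed RDP logons from one source within WINDOW

# Constructed sample log, not a real capture: a simplified key=value rendering
# of Security events as a SIEM might forward them from PoS hosts.
SAMPLE_LOG = """\
2014-09-02T01:12:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7 Host=POS-07
2014-09-02T01:12:04 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7 Host=POS-07
2014-09-02T01:12:05 EventID=4625 LogonType=10 User=admin Src=203.0.113.7 Host=POS-07
2014-09-02T01:12:06 EventID=4625 LogonType=10 User=pos Src=203.0.113.7 Host=POS-07
2014-09-02T01:12:07 EventID=4625 LogonType=10 User=pos Src=203.0.113.7 Host=POS-07
2014-09-02T01:12:09 EventID=4624 LogonType=10 User=pos Src=203.0.113.7 Host=POS-07
2014-09-02T03:40:11 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.4 Host=POS-02
2014-09-02T03:45:20 EventID=4624 LogonType=10 User=jsmith Src=198.51.100.4 Host=POS-02
2014-09-02T04:00:00 EventID=4625 LogonType=2 User=clerk Src=- Host=POS-02
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for RDP brute-force bursts and for any RDP success that
    follows such a burst from the same source against the same host."""
    failures = defaultdict(list)   # (src, host) -> timestamps of recent failed RDP logons
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["LogonType"] != LOGON_TYPE_RDP:
            continue               # console and network logons are out of scope here
        key = (rec["Src"], rec["Host"])
        # Keep only the failures still inside the sliding window.
        recent = [t for t in failures[key] if rec["ts"] - t <= window]
        if rec["EventID"] == EVENT_LOGON_FAILED:
            recent.append(rec["ts"])
            if len(recent) == threshold:   # fire once, when the burst reaches the threshold
                alerts.append({"kind": "rdp_bruteforce", "src": rec["Src"],
                               "host": rec["Host"], "failures": len(recent),
                               "ts": rec["ts"]})
        elif rec["EventID"] == EVENT_LOGON_SUCCESS and len(recent) >= threshold:
            # A success right after a burst is the guessed-password signature.
            alerts.append({"kind": "rdp_bruteforce_success", "src": rec["Src"],
                           "host": rec["Host"], "user": rec["User"],
                           "failures": len(recent), "ts": rec["ts"]})
            recent = []            # reset so the same burst is not reported twice
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample the single failure from 198.51.100.4 never reaches the threshold, so only the POS-07 burst and the success that follows it are reported.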
Meanwhile, researcher Brian Krebs has reported that there are continuing repercussions of the Home Depot breach. US banks have logged a large number of fraudulent transactions related to payment card details stolen from the firm. Most of these fraudulent transactions are coming from Brazil. An interesting twist is that the transactions claim to be chip-based ones, even though the affected banks have only just started rolling out EMV cards to their customers. It’s currently not clear how the fraudsters have managed to make the transactions appear as though they are EMV-based payments. One theory is that they have a payment terminal and are using encrypted data from a genuine EMV card and injecting other data using stolen card details into the data stream. There is more information here: http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/.

One consequence of this is that the banks are probably liable for the fraudulent payments: if they weren’t EMV-based, the liability would more likely have fallen on their insurers.

Luther Martin, chief security architect at Voltage Security, said: “The possibility of fraud resulting from hackers exploiting a flaw in the implementation of the EMV protocol demonstrates a few interesting points. First, it was a flaw in the implementation of cryptography that was apparently exploited by hackers, not the cryptography itself. Cryptography can provide essentially unbreakable security for sensitive information, but it’s very hard to implement correctly. Even a fairly simple flaw in an otherwise-secure implementation can provide hackers all that they need to exploit a system.”

He added: “Next, it demonstrates that EMV is not proof against all payment fraud. While it may reduce card-present fraud by a considerable amount, EMV is not a ‘silver bullet’.”
News in brief
New venture to boost privacy
Some of the top names in encryption and security are banding together to promote privacy. Security guru Bruce Schneier, Tor developer Jacob Appelbaum (who was involved in the Edward Snowden disclosures) and public key cryptology pioneer Whitfield Diffie are joining forces with a number of privacy advocates to create the Code Red project. Starting in January, this aims to become a “strategic think tank and campaign clearinghouse to provide new resources and tactical advice to human rights groups across the world”. As well as promoting privacy at an individual level, it will also offer resources for whistleblowers and activist groups. According to a blog post by Privacy International founder Simon Davies: “The initiative will be committed to a range of objectives, but foremost among these is to mentor the development of new and innovative projects that directly engage the surveillance menace.” The project’s steering group includes MI5 whistleblower Annie Machon, former US Congress member and presidential candidate Cynthia McKinney, former Wikimedia general counsel Mike Godwin, the Electronic Frontier Foundation’s international rights director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. There’s more information here: www.privacysurgeon.org/blog/incision/one-of-the-worlds-most-ambitious-privacy-initiatives-launches-in-january/.

Industrial infections
For the past three years, a number of industrial control systems (ICSs) have been infected via the BlackEnergy malware toolkit, and the attack is said to be both “ongoing” and sophisticated. The ICS solutions that have been compromised – from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC – all have Internet-facing interfaces. The malware delivered by BlackEnergy is modular, and the exploits that have been delivered vary from system to system, according to US CERT. BlackEnergy was first identified in 2007 by Arbor Networks, and in September 2014, Finnish malware researchers noted that it was being used by the Quedagh political hacking group.

Image hides Android malware
Researchers Axelle Apvrille of Fortinet and Ange Albertini of Corkami have discovered that malware can be sneaked on to Android systems disguised as images. In what they’ve dubbed the AngeCrypt attack, a malicious APK file can be made to look like a perfectly normal PNG image – and other image formats can be used too. The technique was presented at Black Hat and more information is available here: http://bit.ly/201411angecrypt.

UK citizens dislike snoops
Research by F-Secure shows that UK citizens are becoming increasingly concerned about state surveillance. It says that 86% of people do not agree with the way intelligence agencies are indulging in mass surveillance, such as snooping on the general populace, including their emails, phone calls, web searches, social media interactions and geo-location data. With the future use of the collected data uncertain, people are showing their concerns, said F-Secure. The research suggests that 78% of respondents are worried about the consequences of having their data tracked. There is more information here: http://safeandsavvy.f-secure.com/.

Firms failing audits
Research by Axway and Ovum suggests that many organisations are failing to meet data security and governance requirements. In fact, 23% of organisations have failed a security audit in the past three years and 17% lack confidence in their ability to pass a security compliance audit today. The study also revealed that the average cost of a data breach was $3m. At the heart of the problem is the growing complexity of governance and compliance initiatives. The top priorities for CIOs, CISOs and chief risk officers are business continuity and disaster recovery (87%), protecting against cyber-threats (85%), managing insider threats (84%) and compliance monitoring (83%). The research also found that the majority of organisations (71%) have little synergy between integration strategy and data security, privacy and governance frameworks and policies. And more than half (56%) reported a fragmented integration infrastructure. Nearly half (46%) expressed frustration with their existing Enterprise Service Bus (ESB), stating it offered less flexibility than expected and is difficult to maintain. And there are concerns about existing file transfer solutions, with reliability (84%), compliance (77%), visibility and monitoring (75%), and integration (74%) ranking as the top issues. There’s more information available here: http://www2.axway.com/PR-Ovum-report-en.

Poor passwords cost a fortune
It’s hardly news that poor password practices put organisations at risk, but according to Centrify Corporation they also impose a direct cost on businesses. According to its research in the UK, the average employee wastes £261 a year in company time on trying to manage multiple passwords, which for a company with 500 staff is a loss of more than £130,000 annually. The security risks may be greater than many firms realise, too. While around half of employees (47%) use their personal mobile devices for business purposes, one in three (34%) admit they do not actually use passwords on these devices even though they keep office email, confidential documents, customer contact information and budget information on them. The research also shows that more than a third of workers (38%) have accounts they cannot get into any more because they cannot remember the password, 28% get locked out at least once a month due to multiple incorrect password entries, one in five change their passwords at least once a month and 8% change them every week. Only 15% believe their passwords are ‘very secure’. There’s more information here: www.centrify.com/Password-Survey.

Outdated systems fail to detect fraud
Despite a rise in global fraud, two-thirds of European insurers saw the volume of detected fraud increase by less than 4%, according to new research from SAS. Those insurers that do not use automated detection, or only use ‘business rules’, saw significantly lower levels of detected fraud than their peers using advanced analytics. Among insurers using business analytics, 57% had seen the amount of fraud they detected year-on-year increase by more than 4%. In contrast, only 16% of those with no solution, or using only a business rules based approach, saw a similar increase. Almost 20% of insurers stated that they did not use any technology to assist with fraud detection, relying on manual review of thousands of claims. In the face of widespread organised fraud, such as ‘cash for crash’ schemes, automation can help rapidly alert insurers to suspicious claims or networks of claims. Some 81% of insurers surveyed say they are using some form of automated detection technologies with 49% in total using advanced analytics. When it comes to organised fraud, over a quarter of respondents confirmed they already have detection systems in place, or are in the process of implementing a solution. An additional third do not currently have a solution but have a project set up. However, a significant proportion of European insurance providers (40%) have no detection systems in place or immediate plans for such a solution. Results for opportunistic fraud were similar but implementation of solutions to tackle this type of fraud tracked slightly behind organised fraud (10%). Worryingly, 28% of insurers indicated that they do not have precise metrics around detecting fraud within their organisation. Also concerning is that only 21% of insurers are currently monitoring fraud levels in real-time while 64% are only measuring these levels on a monthly or quarterly basis. The report is available here: www.sas.com/en_gb/offers/14q4/insurance-companies-combat-fraud.html.
The dark side of advertising

How it works
For the cyber-criminals, malvertising has the advantage that no website needs to be hacked or compromised in any way. The attack is delivered in the same way as legitimate ads, without the knowledge of the host site and with the site having little in the way of defences. This means that the malware operates within a trusted context.
In some cases, the adverts themselves deliver the malware – or at least the first stage of an infection. This is most commonly achieved through the use of maliciously crafted Flash (.swf) files. Adobe claims that at least one billion Internet users have a Flash plugin installed in their browsers. Given that most malvertising simply performs redirects – which is normal behaviour for an advert – there is no malicious activity to detect at that stage.
Alternatively, the adverts may simply contain links to other websites that contain malware-laden pages, often using drive-by exploit techniques, or may host other forms of exploit, the least offensive and dangerous of which are simply surveys for which the attackers receive payment for each one completed.
Given that many victims will be infected just as part of their normal browsing activities, it can be impossible for them – or any forensic analyst – to know where or when the infection occurred. It could be at any point in their recent browsing history. And because ads are ephemeral, even examining previously visited pages won’t help because the ads shown on them will be different, such is the nature of how these ad networks operate.
Flash in action
Security firm Bromium recently presented a report at the Virus Bulletin 2014 event that showed how YouTube, Yahoo and several top-ranking websites had been tricked into running malicious banner adverts through obfuscated JavaScript code carried by Flash-based ads.1
“Bypassing ad network defences provides the perfect opportunity for attackers to target millions of users, so it is no coincidence that there has been an uptick in the number of malvertisements,” said Rahul Kashyap, chief security architect, Bromium. “The scale of this problem is as large as the Internet itself.”
According to the report, the procedure used by the attack was:
1.	Detect which browser is in use.
2.	If the browser is Microsoft Internet Explorer or Opera, continue.
3.	Add obfuscated redirect JavaScript code to an obfuscated URL.
4.	Call Flash’s ExternalInterface.call() function (the ActionScript bridge into the page’s JavaScript), passing it a parameter consisting of a call to deobfuscate() which itself has a parameter of the obfuscated URL and JavaScript code.
5.	This code adds an iframe to the Document Object Model (DOM) of the web page containing a URL pointing to an instance of the Styx exploit kit.
According to Bromium: “All the
exploit kits to date rely on JavaScript to
perform such tasks as browser/plugin
fingerprinting, exploit selection and
data obfuscation. Flash is used either
to exploit a vulnerability in the Adobe
Flash Player or to support other exploits
in building ROP shellcode. However in
the banner networks Flash movies are
the most popular media and security
policies for SWF files are pretty loose.”
In other words, Adobe has provided
exactly the tools malicious advertisers
need, including the ability to carefully
check the environment and run arbitrary
JavaScript code.
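Whatever obfuscation the creative uses, the five steps above end in an observable event inside the host page: an iframe whose src points off-site is inserted into the DOM, or has its src set after insertion. The following JavaScript is an added example, not code from the Bromium report, from this article or from any ad network. It is a page-side monitor that classifies iframes as they appear against an allowlist of ad-serving hosts and removes the rest, which is also the only place the host site (which, as the next section explains, merely drops an ad tag into its page) can still see what the ad did. The allowlist, the page origin and the constructed test URLs are assumptions chosen for the example.

```javascript
// Added example: a page-side monitor for the iframe-injection step described above.
// Not code from the Bromium report or from any ad network. The allowlist and page
// origin below are hypothetical values chosen for the example.

const ALLOWED_FRAME_HOSTS = ["doubleclick.net", "googlesyndication.com"]; // hypothetical
const PAGE_ORIGIN = "https://news.example/";                                // hypothetical

// Resolve a src attribute the way the browser will (relative paths, "//host/x") and
// reduce it to scheme and host. Sources with no host (javascript:, data:, blob:) are
// reported as "opaque": an allowlist cannot vouch for them, so they get blocked.
function resolveSrc(src, pageOrigin = PAGE_ORIGIN) {
  const s = String(src == null ? "" : src).trim();
  const scheme = (s.match(/^([a-z][a-z0-9+.-]*):/i) || [])[1];
  if (s === "" || (scheme && scheme.toLowerCase() === "about")) return { kind: "empty" };
  if (scheme && /^(javascript|data|blob|vbscript)$/i.test(scheme)) {
    return { kind: "opaque", scheme: scheme.toLowerCase() };
  }
  try {
    const u = new URL(s, pageOrigin);
    let host = u.hostname.toLowerCase();
    if (host.endsWith(".")) host = host.slice(0, -1); // "evil.test." is still evil.test
    return { kind: "url", scheme: u.protocol.slice(0, -1), host };
  } catch (err) {
    return { kind: "invalid" };
  }
}

// Exact match or a subdomain of an allowlisted host. The leading dot in the suffix
// test is what stops "notdoubleclick.net" from matching "doubleclick.net".
function hostAllowed(host, allowlist) {
  return allowlist.some(a => host === a || host.endsWith("." + a));
}

// Verdict for one frame: { verdict: "allow" | "block", reason, host? }.
function classifyFrame(src, allowlist = ALLOWED_FRAME_HOSTS, pageOrigin = PAGE_ORIGIN) {
  const r = resolveSrc(src, pageOrigin);
  if (r.kind === "empty") return { verdict: "allow", reason: "empty or about: placeholder" };
  if (r.kind === "opaque") return { verdict: "block", reason: `${r.scheme}: src has no host to vouch for` };
  if (r.kind === "invalid") return { verdict: "block", reason: "unparseable src" };
  if (r.scheme !== "https" && r.scheme !== "http") {
    return { verdict: "block", reason: `scheme ${r.scheme} not permitted`, host: r.host };
  }
  if (r.host === new URL(pageOrigin).hostname.toLowerCase()) {
    return { verdict: "allow", reason: "same-origin frame", host: r.host };
  }
  if (!hostAllowed(r.host, allowlist)) {
    return { verdict: "block", reason: "host not on the ad-frame allowlist", host: r.host };
  }
  return { verdict: "allow", reason: "allowlisted host", host: r.host };
}

// Audit a batch of added nodes (the shape a MutationObserver hands back) and return
// the frames that should be removed. Plain { tagName, src } objects work, so this part
// runs under Node; real DOM elements expose the same two properties.
function auditAddedNodes(nodes, allowlist = ALLOWED_FRAME_HOSTS, pageOrigin = PAGE_ORIGIN) {
  const flagged = [];
  for (const n of nodes) {
    if (!n || String(n.tagName).toUpperCase() !== "IFRAME") continue;
    const result = classifyFrame(n.src, allowlist, pageOrigin);
    if (result.verdict === "block") flagged.push({ src: n.src, ...result });
  }
  return flagged;
}

// Browser wiring: watch the whole document for inserted frames and for src attributes
// set after insertion, and remove those that fail the check. Returns null under Node.
function install(doc = typeof document !== "undefined" ? document : null) {
  if (!doc || typeof MutationObserver === "undefined") return null;
  const pageOrigin = doc.location.href;
  const check = node => {
    if (!node || !node.tagName || node.tagName.toUpperCase() !== "IFRAME") return;
    const result = classifyFrame(node.getAttribute("src"), ALLOWED_FRAME_HOSTS, pageOrigin);
    if (result.verdict === "block") {
      console.warn("malvertising monitor: removing injected frame", result);
      node.remove();
    }
  };
  const observer = new MutationObserver(records => {
    for (const rec of records) {
      if (rec.type === "attributes") check(rec.target);
      else rec.addedNodes.forEach(check);
    }
  });
  observer.observe(doc.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ["src"],
  });
  return observer;
}
```

In a browser, call install() early in the page, before the ad tag runs. Two limits matter. The host page can only see frames in its own document, so a creative rendered inside the network’s cross-origin frame is out of reach. And allowlisting by host does not help when the redirect is served from an allowlisted host, as happened in the DoubleClick and Zedo case described below. What the monitor does catch is the common pattern of a same-document ad tag writing an iframe that points straight at an exploit kit, regardless of how the creative hid that URL.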
Genuine sites
The really pernicious aspect of all this
is that the site the victim first visits is
likely to be entirely genuine and even
well-known and popular. The adverts
are delivered via a third-party optimiser
or advertising network. The host sites
employ these kinds of services to gen-
erate revenue by simply placing some
source code (typically JavaScript) within
a page. The best known of these kinds
of network is Google’s AdSense and
Google’s subsidiary DoubleClick.net,
although there are many others, some
with less than perfect reputations.
Too many advertising networks fail
to fully analyse the ads that are dis-
tributed through them. As long as the
banner advertisement appears to look
and behave like a normal ad, it will be
distributed.
Even the most professional and trusted ad networks can be exploited. DoubleClick has been misused this way on numerous occasions. For example, in September 2014, security firm Malwarebytes warned that ads supplied by major advertising agency Zedo and distributed by DoubleClick were delivering the Zemot malware.2 The Jerusalem Post and The Times of Israel were the most high-profile websites targeted by the campaign.
The host sites don’t directly control the content of the ads – that’s usually handled dynamically every time the page is loaded and depends as much on the user as the website. This means even big names can be subverted, as revealed recently by Proofpoint.3 The campaign detailed by the security firm used malvertising to infect victims with the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. Proofpoint found the malicious adverts being run on sites run by Yahoo, AOL, The Atlantic, Match.com, The Sydney Morning Herald and at least a dozen other firms. According to Proofpoint, the attackers may have made as much as $25,000 a day. The three advertising networks that were carrying the ads were The Rubicon Project, Right Media/Yahoo Advertising and OpenX. Even though the ads had to pass through several stages – including exchanges, optimisers, ad networks and the host networks – they were never detected as malware.
Ransomware is a common type of
infection. Malvertising played a major
role in the spread of the notorious
CryptoLocker malware. And in the first
half of 2014, Cisco tracked the use of a
new exploit kit, RIG, to perform drive-
by infections of CryptoWall ransomware
on a number of legitimate websites. This
was documented in the firm’s ‘Cisco
2014 Midyear Security Report’, which
explained that the exploit kit was able to
use flaws in Java, Flash and Silverlight to
perform its infections.4
Mobile exploits
The problem is, in many ways, even worse on mobile platforms. On iOS, Apple polices its own advertising network very thoroughly. Although it would be possible to slip malicious ads into the network, the cost of setting up accounts to do so – which would necessitate creating fake identities – makes the prospect unattractive to cyber-criminals. That’s because a malvertising campaign may run for only a short time before being discovered, at which point Apple could quickly shut it down.
However, on Android, developers – many with a poor grasp of security issues – can embed advertising from any one of a number of third-party advertising networks, not all of which are rigorous about the provenance or reliability of the ads they accept. And on a mobile platform, unlike with a desktop browser, you can’t hover a mouse pointer over a link to see where you’re going to be redirected should you tap it (not that enough people do that anyway).
Brand damage
The people whose computers are
infected are not the only victims. Many
malvertising campaigns, such as the
one detected by Proofpoint, use stolen
‘creatives’ – the images and text – from
legitimate adverts. In this case, firms like
Microsoft Bing and Case Logic found
their adverts being exploited in this way
and were therefore in danger of having
their brands damaged.
The Cisco report notes that advertising online now outstrips all other media in terms of spend, but that this industry could be threatened by the potential damage to users’ trust caused by malvertising. It also highlights the fact that, just as advertising is usually targeted to specific portions of the population, so is malvertising. “A malvertiser who wants to target a specific population at a certain time – for example, soccer fans in Germany watching a World Cup match – can turn to a legitimate ad exchange to meet their objective,” says the report. The cyber-criminals also often show great confidence in the effectiveness of their campaigns by paying up-front for their ads – $2,000 per ad run is not uncommon.
Malvertising inserted on a Yahoo page. Source: Proofpoint.
Bromium’s report also showed how cyber-criminals can exploit the otherwise legitimate targeting abilities of ad networks and the information supplied by users’ browsers to focus their campaigns on people in certain territories or countries, running specific browsers or operating systems, using specific languages or devices, or according to the topic of a web search or page. This greatly enhances their chances of achieving a successful infection.
Malvertising campaigns often show trends towards specific subjects or techniques. It’s common to see malicious adverts focusing on significant events, such as sports tournaments (World Cup, Olympics) or news stories (the Ebola outbreak and other major disasters). Among the trends spotted this year have been fake technical support and phony weight loss products, although these were mainly fraudulent products rather than attempts at malware infections.5,6
There was also an interesting case
recently where malvertising appears to have
been targeted at three firms in the military/
defence sector in the US.7 Security firm
Invincea said it spotted a campaign that
it believed was intended to steal military
secrets and intellectual property. In one
two-week period alone, the firm said it
tracked six campaigns targeting a single
aerospace contractor. And these may have
been mounted by someone more sinister
than mere cyber-criminals.
“In the past, we have seen organised
cybercrime learn attack techniques from
advanced nation state actors,” the firm’s
chief executive Anup Ghosh told Reuters.
“This is a case where advanced state
actors would be learning from cybercrime
in terms of methods and tactics.”
Industry response
One organisation that keeps a careful eye on trends is Trust in Ads, established by Google, AOL and Yahoo in an attempt to maintain the reputation of online advertising.8 This is one of several responses by the industry to the problem of malvertising.
Not surprisingly, Google is taking this
threat very seriously. While many people
still view Google as a search service, it is
primarily an online advertising company.
Its business model depends on website
operators embedding its advertising
services such as AdSense on their sites.
Anything that discourages sites from
using third-party ad services is clearly not
in Google’s interest.
The company has also set up the site
Anti-Malvertising.com, a small, simple
website that offers advice to website
operators, advertising networks and the
general public on the dangers of malware
and what to do if you’re affected by it.9
In addition, the Online Trust Alliance (OTA) was established by Epsilon Interactive, Email Senders and Provider Coalition (ESPC), The Direct Marketing Association, Microsoft, Symantec and Sendmail to fight the scourge of spam. But it has extended its brief to include malvertising and offers a brief ‘Malicious Ads & Content Response & Remediation Guide’ aimed primarily at the advertising and marketing communities.10
Mitigations
Bromium’s report suggests that malvertising can’t be tackled through conventional means, and it gives three main reasons for this:
1.	The web advertising business is just too big for every item of media to be checked.
2.	It’s impossible to ‘prove’ that an item of media is definitively clean (an example of the classic Halting Problem).
3.	It would be easy for content to hide its malicious behaviour under test conditions (some traditional malware already does this), and perform its intended actions only when triggered by certain conditions in the wild.
Normal endpoint security is ineffective because the malicious nature is hidden from the user’s machine by things like the obfuscation capabilities of Flash’s ActionScript: nothing in the creative looks malicious until the redirect is actually resolved.
As mentioned earlier, Google’s Anti-Malvertising.com site does offer some advice, although little that deals directly with protection. For advertising distributors, for example, the best practices outlined on the site revolve largely around how to respond to malvertising once it is discovered on the network.
For website operators, Google’s advice is to pay close attention to the advertising networks you use. However, it’s virtually impossible for site owners to audit or monitor the networks in any meaningful way. And given that Google itself has been known to carry malvertising, it’s unclear how useful this advice really is. It also suggests carrying out “comprehensive QA” on all creatives. But again, given that much advertising content is dynamically delivered, this advice is of limited usefulness. What a site operator can control is the ad slot itself: serving third-party creatives inside an iframe with the HTML5 sandbox attribute (and without allow-top-navigation) denies the creative plugin content and the ability to redirect the host page, and a Content Security Policy with a frame-src directive limits which origins the host page itself may embed. Neither constrains what happens inside an ad network’s own cross-origin frame, so they narrow the damage an ad can do rather than remove the threat.
Finally, for end users, the site basically
offers the same advice you’d give for any
kind of malware threat – that is, keep
all your software up to date and use an
anti-malware product.
Conclusion
With such poor defences against this threat, we can expect malvertising to increase. It has proved to be extremely effective for cyber-criminals. And it is hard to track and even harder to prosecute. For the time being, it seems, our protection lies largely in the common sense of individual web users.
About the author
Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Computer Fraud & Security and its sister publication Network Security. And he blogs and podcasts on information security issues at Contrarisk.com.
References
1.	‘Optimized Mal-Ops: Hack the ads network like a boss’. Bromium, Sep 2014. Accessed Oct 2014. www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf.
2.	‘Large malvertising campaign under way involving DoubleClick and Zedo’. Malwarebytes blog, 18 Sep 2014. Accessed Oct 2014. http://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/.
3.	‘Malware in Ad Networks Infects Visitors and Jeopardizes Brands’. Proofpoint, 22 Oct 2014. Accessed Oct 2014. www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php.
4.	‘Cisco 2014 Midyear Security Report’. Cisco, Aug 2014. Accessed Oct 2014. www.cisco.com/web/offer/grs/190720/SecurityReport_Cisco_v4.pdf.
5.	‘Bad Ads Trend Alert: Shining a light on tech support advertising scams’. Trust in Ads, May 2014. Accessed Oct 2014. http://trustinads.org/wp-content/uploads/2014/08/Bad_Ads_Trend_Alert_Tech_Support_Scams.pdf.
6.	‘Bad Ads Trend Alert: False claims in online weight loss advertisements’. Trust in Ads, June 2014. Accessed Oct 2014. http://trustinads.org/wp-content/uploads/2014/08/Bad_Ads_Trend_Alert_Weight_Loss_Scams.pdf.
7.	‘“Malvertising” targets U.S. military firms in new twist on old web threat’. Reuters, 16 Oct 2014. Accessed Oct 2014. www.reuters.com/article/2014/10/16/us-cyber-security-military-idUSKCN0I529H20141016.
8.	TrustInAds.org home page. Accessed Oct 2014. http://TrustInAds.org.
9.	Anti-Malvertising.com home page. Accessed Oct 2014. http://Anti-Malvertising.com.
10.	‘Malicious Ads & Content Response & Remediation Guide’. Online Trust Alliance. Accessed Oct 2014. https://otalliance.org/system/files/files/best-practices/documents/malvertisingremediation_guide.pdf.
Embedding dependability attributes into component-based software development
Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin, Mansoor Abdullateef Abdulgabber, Universiti Teknologi MARA
Competition among companies specialising in software production and services has increased over the years. Today, companies compete even on trivial matters, aiming to produce dependable, reliable and affordable software applications. To achieve this goal, the software application must either be developed more efficiently or large portions must be reused. The component approach leads to the production of cheaper, faster and more reliable software. Consequently, many industries have begun to focus on software development using the reuse approach.
Component-Based Software
Development (CBSD) is a software
development approach that focuses on
the use of existing software code. Hence,
the method of constructing software
applications from scratch is replaced by
integrating reusable software code. This
method simplifies software development
to fit time and budget constraints. The
CBSD approach has been successfully
applied in many domains.1
However, the ability of CBSD to develop secure software applications remains weak. Previous studies have stated that CBSD products face security issues. The central problem lies in the lack of standards to ensure the security and other non-functional requirements of the components, thereby making CBSD incapable of assuring specific application attributes.2 Several software security attributes have been identified as the key factors in solving the problem of the lack of security in the CBSD process. These attributes are dependability, trustworthiness and survivability.3,4,5 However, the extant literature shows that dependability attributes are essential in addressing
security threats, abnormal behaviour and untrustworthiness issues in a software system.6,7 Moreover, the dependability attributes should be considered to overcome poor software development practices, which lead to security issues in current web application systems.8 Indeed, dependability attributes should be embedded into the process to solve the problem involving the lack of security.9
Our previous work introduced a guideline for embedding dependability attributes into CBSD.10 Created with the assistance of expert software developers and security consultants from a local industry in Malaysia, the guideline is designed to overcome the lack of security trust in the CBSD process. The guideline consists of a set of best practices that are designed to embed dependability attributes into the CBSD process. The objective is to demonstrate the embedding of dependability attributes into the four phases of the CBSD process – namely, requirements, design, implementation and testing. The guideline also specifies a set of techniques for the design phase, which requires developers to compose dependability attributes in every code line written.
Another issue addressed by the guideline is a well-defined coding standard that can help developers ensure that a large number of dependability attribute bugs are avoided as the code is being written. The guideline details for embedding dependability attributes into the CBSD process are summarised in Figure 1.
To implement the guideline, we performed a case study to test the process, with the aim of developing an industrial web application. The implementation process should involve the embedding of dependability attributes into the CBSD phases. This article presents the guideline implementation process by demonstrating the development of an information and communications technology (ICT) portal that follows the guideline and uses a CBSD approach.
Methodology
A rigorous implementation of a guideline requires applying it under the actual demands of real software applications. Ideally, a guideline would be applied to numerous systems; however, this ideal situation is not a feasible experimental method. Therefore, addressing these problems requires the application of such a guideline in a case study.
This case study aims to construct an industrially feasible software application system using the CBSD approach. The guideline implementation process highlights the industrial practicality to ensure that the dependability attributes of the software components are applied in the experimental context. Developing a web application system using the CBSD approach is possible. The question lies in whether a guideline can significantly contribute to resolving the lack of security trust in web application systems produced using the CBSD approach. Demonstrating the ICT portal development, which follows our guideline and uses the CBSD approach, can ensure the proper integration of the dependability attributes and serves as the basis for generalising the results of a single-point case study.
Collaboration with a local company in Malaysia was established for the application of the ICT portal development guideline. Due to the competitive environment among software development companies, the company name was kept confidential for commercial reasons. Therefore, we refer to the company as the Software Development Company (SDC). The ICT portal was developed by a software development team, which consists of six members currently working at the SDC. The SDC is a leader in ICT innovations in Malaysia, and has pioneered new market creation for partners through patentable technologies for economic growth. With over 25 years of experience, the SDC contributes its core technological competencies to the industry towards raising Malaysia’s local, regional and international market competitiveness.
Figure 2 presents the methodology diagram for the guideline implementation process. First, related industries were identified and a list of software development companies was created. Then, a formal letter was submitted to the companies to request collaboration. Upon receiving feedback from the companies, an agreement was made with one software company, which was chosen due to its position as the industry leader. Then, a kick-off meeting was conducted with the head of the software development department, during which the priorities of academic institutions and company policies were discussed. Subsequently, the currently planned projects were discussed with the company representatives.
Figure 1: Embedding dependability attributes into the CBSD process.
Next, the creation of an ICT portal for the guideline implementation was proposed, and then a team was assigned to develop this portal based on the guideline. The guideline’s process was discussed, after which the reliability of the guideline’s implementation was discussed. If the investigation revealed a positive response, the guideline’s process was finalised; otherwise, the approach was refined. Afterwards, the guideline was implemented by developing an ICT portal using the CBSD approach. The implementation involved embedding the dependability attributes into four phases (requirements, design, implementation and testing). The developed system was then evaluated using Vulnerability Assessment Tools (VATs), and the evaluation report was generated. In addition, on-going consultations and supervision were conducted with representatives of the academic institutions and the industry for the purpose of monitoring the results.
The developed ICT portal provides various applications and related information, which enable the users to improve their social community life. Moreover, the ICT portal is equipped with an intelligent service delivery platform (ISDP). This was constructed based on the CBSD approach and organised by SDC to help members of the community obtain useful information related to science, technology and innovation. Apart from providing access to government online services, the portal also serves as an online advisory centre for information on new technologies, such as agricultural, industrial, e-commerce, and e-services.
The ICT portal facility aims to develop and educate members of the community, specifically rural youngsters, and help them become skilled ICT volunteers. Consequently, these youngsters become assets to community development by contributing to the improvement of social and economic life. The ICT portal facility emphasises the use of ICT as an important foundation in the development of society. Note that the guideline implementation process is performed by the software development team, which works at the SDC.
Guideline implementation process
The guideline implementation process involves embedding the dependability attributes into four CBSD phases – namely, requirements, design, implementation and testing. The following sections present detailed discussions of the guideline implementation by going through each development phase in the ICT portal.
Requirement phase
A thorough analysis of the requirements is the foundation of the ICT portal. A correctly executed requirement-gathering and analysis process provides a strong base for the rest of the development process. Each subsequent phase suffers when the requirements are not met, and this can jeopardise the production process. The dependability attributes in the CBSD are affected in the same way; hence, these attributes were addressed from the requirements phase onwards. The following points explain the requirements analysis pertaining to the dependability attributes of the ICT portal.
Figure 2: Guideline implementation methodology.
To achieve the requirement of the dependability attributes, the software developer team defined and analysed the dependability attributes based on the ICT portal services. Moreover, the team identified and finalised the methods of achievement, along with the required tools associated with predefined dependability attributes. Figure 3 shows the analysed dependability attributes, methods and tools used to achieve specific dependability attributes.
General objectives: There are general objectives set for the analysis of dependability attributes. These objectives are as follows:
•	To establish and sustain a qualified work environment that meets the dependability needs, and to gain a comprehensive understanding of the environment to support, or at least allow, specific design decisions.
•	To establish and sustain the requirements of the dependability attributes (eg, the integrity levels), as well as to design the products and services to meet them.
•	To estimate, determine, and monitor the consequences of each risk associated with the dependability attributes, and to develop a risk mitigation plan to attain an acceptable level of risk.
In addition, objectives of each dependability attribute are presented, and these are described below.
Availability and reliability objectives: Availability ensures that data and services are available when required by the authorised entities, whereas reliability refers to the assurance of continued provision of services. The objectives of these attributes are as follows:
•	To meet the non-repudiation requirements, which specify that a party within a transaction should not deny involvement in that particular transaction.
•	To identify the availability requirements that must be met by the system.
•	To identify the performance requirements that must be met by the system.
•	To ensure that the system can provide information services for 99% of requests within one hour.
•	To identify system services that are considered extremely critical for a business enterprise.
•	To determine how these system services might be threatened.
•	To determine the minimal quality of service that must be sustained.
•	To ensure that the system can recover quickly in case the services become unavailable.
Confidentiality objectives: This attribute ensures that information is accessible only to duly authorised entities. Confidentiality applies to service components and interactions. The objectives of this attribute are as follows:
•	To ensure that authorisation requirements specify the access permissions and privileges of the identified users.
•	To require the identification of all system users through a personal password and username.
•	To ensure that the privileges of users shall be assigned based on user class.
•	To ensure that the system shall verify whether the user has sufficient privileges to access and execute the command prior to the execution of such command.
•	To prevent users from having multiple, simultaneous logins to the system.
•	To protect private and confidential information, such as photos of minors and sermons, from exposure to the general public, and to ensure that such content shall only be available to authenticated users.
•	To ensure that passwords are kept confidential by requiring the use of at least eight characters with the inclusion of one non-alphanumeric character.
•	To ensure that the privacy requirements are specified to the process, thus ensuring data privacy.
Figure 3: Methods and tools to achieve specific dependability attributes.
Figure 4: Risk analysis and assessment of the dependability attributes.
Integrity objectives: Integrity ensures that assets are not modified without authority, except for operations involving personnel information. The objectives of this attribute are as follows:
•	To guarantee information integrity by securing storage and protection and by restricting access to information distribution.
•	To provide specific information on how to avoid data corruption.
•	To ensure that the passwords used by authors are transmitted to the secure text editor in a manner that preserves integrity.
•	To provide a general hierarchy of authorisation for administrators, members, and general public (anonymous).
•	To limit the capabilities of account creation and role assignment to site administrators and to ensure that changes to role assignment are made in real time.
•	To ensure that authenticated users can access additional site content, pages and navigation.
•	To include an automated password reset/‘forgot password’ capability in the system.
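As an added illustration (hypothetical code, not the ICT portal’s own or the guideline’s), the following shows how the confidentiality objectives and the integrity objectives above become a small enforcement core for a web application: a three-level role hierarchy (anonymous, member, admin), a privilege check that runs before every command, one active session per user, the password rule of at least eight characters with one non-alphanumeric character, account creation and role assignment reserved for administrators, and role changes that take effect in real time because the role is read from the user record at check time rather than copied into the session. Credential verification itself is assumed to happen upstream; login() here models session creation after a successful check. All names, the seed account and the command list are assumptions for the example.

```javascript
// Added example, hypothetical: an enforcement core for the confidentiality and
// integrity objectives above. Not code from the ICT portal or the guideline.
// In-memory maps stand in for the portal's user and session stores.

const ROLE_RANK = { anonymous: 0, member: 1, admin: 2 }; // authorisation hierarchy

// Minimum role per command. The check runs before the command body, so a caller
// without sufficient privilege never reaches it.
const COMMAND_MIN_ROLE = {
  viewPublicPage: "anonymous",
  viewMemberContent: "member",  // e.g. photos of minors, sermons: authenticated users only
  createAccount: "admin",       // account creation is limited to site administrators
  assignRole: "admin",          // so is role assignment
};

// Password rule from the confidentiality objectives: at least eight characters,
// at least one of them non-alphanumeric. Returns every failed rule, not just the first.
function validatePassword(pw) {
  const reasons = [];
  const s = typeof pw === "string" ? pw : "";
  if (s.length < 8) reasons.push("shorter than 8 characters");
  if (!/[^A-Za-z0-9]/.test(s)) reasons.push("no non-alphanumeric character");
  return { ok: reasons.length === 0, reasons };
}

class Portal {
  constructor() {
    this.users = new Map();    // username -> { role }
    this.sessions = new Map(); // sessionId -> { username }
    this.nextSession = 1;
  }

  // Session creation after a successful credential check (assumed to happen upstream).
  // One active session per user: a second login is refused while the first is live.
  login(username) {
    if (!this.users.has(username)) throw new Error("unknown user");
    for (const s of this.sessions.values()) {
      if (s.username === username) throw new Error("user already has an active session");
    }
    const id = `s${this.nextSession++}`;
    this.sessions.set(id, { username });
    return id;
  }

  logout(sessionId) {
    this.sessions.delete(sessionId);
  }

  // The role is read from the user record at check time rather than copied into the
  // session at login, so an admin's role change applies to an already-logged-in user
  // on their very next command (the "real time" integrity objective).
  roleOf(sessionId) {
    const s = this.sessions.get(sessionId);
    const u = s && this.users.get(s.username);
    return u ? u.role : "anonymous";
  }

  authorize(sessionId, command) {
    const needed = COMMAND_MIN_ROLE[command];
    if (needed === undefined) return { ok: false, reason: "unknown command" };
    const have = this.roleOf(sessionId);
    const ok = ROLE_RANK[have] >= ROLE_RANK[needed];
    return { ok, reason: ok ? "granted" : `requires ${needed}, caller is ${have}` };
  }

  // Single choke point: every command is authorised here before it runs.
  execute(sessionId, command, ...args) {
    const a = this.authorize(sessionId, command);
    if (!a.ok) throw new Error(`denied: ${command} (${a.reason})`);
    switch (command) {
      case "viewPublicPage":
        return "public page";
      case "viewMemberContent":
        return "member-only content";
      case "createAccount": {
        const [username, password, role = "member"] = args;
        const v = validatePassword(password);
        if (!v.ok) throw new Error(`weak password: ${v.reasons.join(", ")}`);
        if (!(role in ROLE_RANK)) throw new Error(`unknown role ${role}`);
        if (this.users.has(username)) throw new Error("user exists");
        this.users.set(username, { role });
        return username;
      }
      case "assignRole": {
        const [username, role] = args;
        if (!this.users.has(username)) throw new Error("unknown user");
        if (!(role in ROLE_RANK)) throw new Error(`unknown role ${role}`);
        this.users.get(username).role = role;
        return role;
      }
    }
  }
}

// The first administrator must exist before anyone can create accounts.
function bootstrapPortal() {
  const p = new Portal();
  p.users.set("root", { role: "admin" }); // constructed seed account
  return p;
}
```

The point of routing everything through execute() is that the objective “verify privileges before executing the command” becomes one auditable check rather than a scattering of if-statements across the portal, and the point of roleOf() going back to the user record is that assignRole is effective immediately for a user who is already logged in, which copying the role into the session at login would not give.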
Safety objectives: This attribute refers to the absence of catastrophic consequences that affect the users and environment. The objectives of this attribute are as follows:
•	To monitor, report and analyse safety incidents, as well as to identify potential corrective actions.
•	To plan and provide for continuity of activities while considering contingencies for vulnerabilities and hazards to the infrastructure and all related operations.
•	To identify risks and their sources, which can be attributed to vulnerabilities and safety hazards.
•	To ensure that intrusion detection requirements can specify which mechanisms can detect system attacks.
•	To identify all safety-critical data variables and processing.
•	To ensure that changes made to plans and requirements do not affect safety negatively.
•	To perform immediate corrective action to address safety issues or problems as well as to improve safety processes throughout the life cycle.
Maintainability objectives: Maintainability refers to the ability to undergo repairs and modification. This attribute is related to business service continuity and reconfiguration. The objectives of this attribute are as follows:
•	To specify the auditing requirements (ie, to determine how system usage can be audited and checked).
•	To specify the system’s maintenance requirements (ie, to determine how an application can be used to prevent accidentally defeating the dependability mechanisms from authorised changes).
•	To ensure that all variables are properly defined and data types are sustained throughout the program.
•	To ensure that all code documentation (comments) is accurate.
•	To ensure that code and date modifications identified in the requirements phase are performed.
•	To ensure that processing loops use the correct criteria for starting and stopping (ie, indices or conditions).
Risk analysis and assessment
The software developer team is concerned with six essential stages for risk assessment, as shown in Figure 4. The first stage is the implementation of dependability attributes. The next stage involves the identification and evaluation of asset value and risk. This is followed by the identification and assessment of exposure/consequence, and the final stage involves the identification of controls.
Documentation of dependability requirements
The software developer team included the requirements of the dependability attributes found in the ICT portal requirement system documents. The team analysed the use and misuse cases, along with code standards and vulnerabilities of the ICT portal, as presented in Figure 5.
Figure 5: Use and misuse cases.
Feature
November 2014	 Computer Fraud & Security
Design phase
Most defects are introduced during implementation; however, defects introduced in the design phase are the most expensive to fix. Following the guideline, the software development team implemented a proactive approach that focused on dependability attributes throughout the design phase to prevent costly redesign. The overall steps for the design process of the dependability attributes in the ICT portal are described below.
The choice of software architecture can profoundly affect emergent system properties. An unsuitable architecture compromises the confidentiality and integrity of system information as well as the required level of system availability. Therefore, the software developer team followed two fundamental architecture design issues:
•	 Protection: What are the ways to organise the system to protect critical assets against an external attack?
•	 Distribution: What are the ways to distribute the system to minimise the effects of a successful attack?
The software development team designed the ICT portal with a layered architecture. In this design, the critical protected assets at the lowest level of the ICT portal are surrounded by layers of protection that safeguard the records of individual system users, as illustrated in Figure 6. An attacker has to penetrate the three ICT portal layers to access and modify the user records. These layers are:
•	 Platform-level protection: The top level of protection restricts access to the platform on which the user record system runs. This level involves a user signing on from a computer. The platform also includes a support system that sustains the integrity of the system’s files.
•	 Application-level protection: The next level of protection is built into the application itself. This level involves a user gaining access to the application, after which the user is authenticated and authorised to perform certain actions, such as modifying or viewing data. Application-specific integrity management support is available at this level.
•	 Record-level protection: This level of protection is invoked when a requirement to access certain records is encountered. This level involves verifying whether a user is authorised to perform the requested operations on that record. At this level, the protection involves encryption to prevent unauthorised entities from browsing through records using a file browser. Changes made outside the normal record update mechanisms can be detected by performing integrity checking through cryptographic checksums.
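The record-level layer described above can be shown concretely. The following is an added example written for this page, not the ICT portal’s code: each record is subject to a per-record authorisation check, is stored encrypted, and carries an HMAC checksum bound to the record id and owner, so that an edit or re-owning made outside the normal update path is detected on read and by a periodic sweep. The key derivation, record store and administrator set are constructed for the example, and the SHA-256 counter-mode keystream stands in for a real cipher only so that the example needs nothing beyond the standard library.

```python
"""Added example, not the paper's code: record-level protection for a user
record store. Each record gets a per-record authorisation check, is kept
encrypted at rest and carries an HMAC checksum so that edits made outside the
update path (eg, with a file browser) are detected. The stream cipher is built
from SHA-256 so the example needs only the standard library; a production
system would use an authenticated cipher such as AES-GCM from a vetted library."""
import hashlib
import hmac
import json
import secrets


class IntegrityError(Exception):
    """Raised when a record's cryptographic checksum no longer matches."""


class RecordStore:
    def __init__(self, master_key: bytes, administrators=()):
        # Separate sub-keys for confidentiality and integrity, derived from one master key.
        self.enc_key = hashlib.sha256(b"enc|" + master_key).digest()
        self.mac_key = hashlib.sha256(b"mac|" + master_key).digest()
        self.administrators = set(administrators)
        self.records = {}  # record_id -> {"owner", "nonce", "ciphertext", "mac"}

    # --- the normal record update path ---
    def write(self, actor, record_id, data, owner=None):
        if record_id in self.records:
            self._authorise(actor, record_id)
            owner = owner or self.records[record_id]["owner"]
        else:
            owner = owner or actor
            if owner != actor and actor not in self.administrators:
                raise PermissionError(f"{actor!r} may not create records for {owner!r}")
        plaintext = json.dumps(data, sort_keys=True).encode()
        nonce = secrets.token_bytes(16)
        ciphertext = self._xor(plaintext, self._keystream(nonce, len(plaintext)))
        rec = {"owner": owner, "nonce": nonce, "ciphertext": ciphertext}
        rec["mac"] = self._mac(record_id, rec)
        self.records[record_id] = rec

    def read(self, actor, record_id):
        self._authorise(actor, record_id)
        rec = self.records[record_id]
        if not hmac.compare_digest(rec["mac"], self._mac(record_id, rec)):
            raise IntegrityError(f"record {record_id!r} was modified outside the update path")
        plaintext = self._xor(rec["ciphertext"], self._keystream(rec["nonce"], len(rec["ciphertext"])))
        return json.loads(plaintext)

    def verify_all(self):
        """Periodic integrity sweep: return the ids whose checksum no longer matches."""
        return sorted(rid for rid, rec in self.records.items()
                      if not hmac.compare_digest(rec["mac"], self._mac(rid, rec)))

    # --- helpers ---
    def _authorise(self, actor, record_id):
        rec = self.records[record_id]
        if actor != rec["owner"] and actor not in self.administrators:
            raise PermissionError(f"{actor!r} is not authorised for record {record_id!r}")

    def _mac(self, record_id, rec):
        # The checksum binds the record id and owner to the ciphertext, so swapping
        # ciphertexts between records or re-owning a record is also detected.
        msg = record_id.encode() + b"|" + rec["owner"].encode() + b"|" + rec["nonce"] + rec["ciphertext"]
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # Counter-mode keystream from SHA-256; a stand-in for a real cipher (see docstring).
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hashlib.sha256(self.enc_key + nonce + counter.to_bytes(4, "big")).digest())
            counter += 1
        return b"".join(blocks)[:length]

    @staticmethod
    def _xor(data, keystream):
        return bytes(a ^ b for a, b in zip(data, keystream))
```

Because the checksum covers the owner field as well as the ciphertext, an attacker who can edit the stored file cannot simply reassign a record to an account they control: the record would pass the authorisation check but fail the integrity check.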
Design description
Several considerations were made in designing the system, including architectural issues at the system and individual component levels. At the system level, emphasis is given to the techniques that help reduce software attacks. This level also analyses potential vulnerabilities that might affect the design choices. The component level focuses on the best means by which to implement each module. The general steps for the design process of the dependability attributes were addressed by the software developer team, as explained below.
Vulnerability analysis: The attack scenarios and vulnerability model of the dependability attributes were analysed by the software developer team. The vulnerability model of the dependability attributes was created to determine what should be protected in particular cases.
Educating the development teams: The software developer team was instructed to operate with two primary goals – namely: 1) to follow best practices for secure coding; and 2) to provide practical education in utilising the various security tools and services.
Design guidelines for dependability attributes: The guideline for the dependability attributes was implemented by the software developer team. For instance, Figure 7 presents the sequence diagram of the user actor.
Dependability design documentation: The software developer team produced a report on the architecture and design of the dependability attributes. This report describes the steps undertaken to mitigate vulnerabilities. The software developer team also included the architecture and design of the dependability attributes in the description of the software design.
Figure 6: A layered protection architecture.
Implementation phase
The user needs and business goals that need to be implemented must achieve specific operational goals. The software developer team implemented the dependability attributes (Figure 8) as discussed in the succeeding sections.
Coding standards: The software developer team considered the coding standards in writing the code for the dependability attributes. These standards cover the methods for handling temporary files, authentication of code libraries, safe handling of strings and integer results, as well as proper error handling. The latter includes exception management, input/data validation, authorisation, configuration management, authentication, session management, auditing and logging, cryptography and sensitive data.
Code reviews: A functional review focuses on functional issues, whereas a separate dependability attribute code review focuses only on the issues that involve dependability attributes. All code developed by the software developer team was reviewed with the dependability attributes in mind. The key objectives of the code review are as follows: to achieve the design goals, meet the dependability attribute objectives and ensure robust implementation. The code review techniques included automated and manual processes. The automated steps included code scanning to locate unchecked return values, non-constrained methods, methods without exception handling and significant patterns.
Automatic static analysis: A static analysis process is implemented for the code of the dependability attributes. This process is performed to identify problems that are difficult to identify manually.
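To make the automated review and static analysis steps above concrete, here is an added example (written for this page; it is not the paper’s tool, and the paper does not name the scanner it used) of a small AST-based scanner that reports two of the patterns the automated step looks for: calls whose return value is discarded, and functions that perform risky I/O without any exception handling. The watch lists and the sample module it scans are constructed for the example.

```python
"""Added example, not the paper's tool: a small static scanner in the spirit of
the automated review step. It walks a Python module's AST and reports two of
the patterns named above: calls whose return value is discarded, and
functions that perform risky I/O without any exception handling. The watch
lists and the sample module are constructed for the example."""
import ast

# Calls that return a status, handle or result the caller should not ignore (constructed list).
MUST_CHECK_RETURN = {"subprocess.run", "os.system", "shutil.copy", "conn.execute"}
# Calls that raise on ordinary failures and so need a handler in the function (constructed list).
RISKY_IO = {"open", "os.remove", "os.rename", "subprocess.run", "socket.create_connection"}


def _call_name(call: ast.Call):
    """Return a dotted name such as 'subprocess.run' for a call, or None."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_source(source: str):
    """Return sorted (line, finding, name) tuples for the given source text."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        # (a) an expression statement whose value is a watched call: its result is thrown away
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            name = _call_name(node.value)
            if name in MUST_CHECK_RETURN:
                findings.append((node.lineno, "unchecked-return", name))
        # (b) a function that does risky I/O but contains no try/except at all
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            calls = {_call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
            has_handler = any(isinstance(n, ast.Try) for n in ast.walk(node))
            if calls & RISKY_IO and not has_handler:
                findings.append((node.lineno, "no-exception-handling", node.name))
    return sorted(findings)


# Constructed sample module: one clean function and two that the scanner should flag.
SAMPLE_MODULE = '''import os, subprocess

def cleanup(path):
    os.remove(path)
    subprocess.run(["sync"])

def load(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None

def flush_caches():
    os.system("sync")
'''

if __name__ == "__main__":
    for line, finding, name in scan_source(SAMPLE_MODULE):
        print(f"line {line}: {finding} ({name})")
```

Run on the sample module, the scanner flags `cleanup` for calling `os.remove` with no handler and for discarding the `subprocess.run` result, and `flush_caches` for ignoring the exit status of `os.system`, while `load` passes. Findings like these are the input to the manual part of the review, not a verdict by themselves.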
Defect management: The primary goal of defect management is to ensure that all identified dependability attribute defects are prioritised, measured and assigned to someone who can repair them within a specified period. The dependability attribute defects were tested again from the regression perspective using new test cases. These tests ensure that corrective measures are properly made, while existing functionality is guaranteed to remain unbroken.
Testing phase
The dependability attributes were embedded in the ICT portal development. This process was performed during the design and implementation phases. In the testing phase, the testers focused on the following processes during dependability attribute testing:
•	 Efficiency and adequacy of system performance during workload testing on the developed ICT portal must meet the requirements.
•	 Vulnerability assessments (VATs) must be conducted to uncover and fix critical vulnerabilities in the developed ICT portal.
The assessment was performed based on six dependability attributes – namely, availability, reliability, confidentiality, integrity, safety and maintainability. The assessment tools included Apache JMeter, OpenVAS and RATS. Figure 9 summarises the vulnerability assessment pertaining to dependability attributes. The results of the vulnerability assessment of the developed ICT portal will be discussed in our future work.
Figure 7: Sequence of the user actor.
Conclusion
Today, software applications are essential in running the machines that help people perform their daily tasks smoothly. Software applications can be found in most items used in daily life, such as cars, cellphones and kitchen appliances. By using these items, people also gain access to financial services, fly around the world, monitor the weather, navigate the oceans and accomplish virtually any task. Given the necessity of these items to 21st Century life, ensuring the reliability of these tools in processing transactions all over the world is important.
This paper presents our ongoing research on a guideline implementation of the dependability attributes in CBSD. The guideline implementation process is demonstrated by developing an ICT portal which follows our guideline and uses the CBSD approach. The implementation process involves embedding the dependability attributes into the phases of the CBSD process during the ICT portal development. Collaboration with a local company in Malaysia is established as a case study in applying the proposed guideline to ICT portal development. The collaboration allowed for greater exchange between the academic and the industrial partners.
Furthermore, the collaboration assisted in initiating new research that would study the lack of security in the CBSD process, a problem faced by the industry. Additionally, new research may be transferred from universities to the industry. In this manner, both the academic and the industrial participants can benefit from the collaboration. Moreover, both can enhance long-term sustainability and innovative outputs.
The implementation process of the guideline is significant in providing key solutions to the problem of the lack of security in the CBSD process. This process accomplishes the aforementioned using a well-defined coding standard, which helps developers ensure that a large number of dependability attribute bugs are avoided while the code is being written. In addition, a set of software testing tools is specified to determine whether the dependability attributes are attained. As a result, the implementation process of the guideline facilitates and encourages software developers to adopt the CBSD approach in software application development.
Future work involving vulnerability assessment on the developed ICT portal will be carried out. The objective of this follow-up assessment is to examine the dependability attributes of the developed ICT portal, and to verify whether the guideline is capable of mitigating the vulnerabilities in the developed ICT portal.
Figure 8: Components with level protection.
Figure 9: VATs pertaining to dependability attributes.
About the authors
Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber are based at the Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Shah Alam, Selangor, Malaysia.
The quantified self: a threat to enterprise security?
Tracey Caldwell, freelance journalist
Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015. The ‘quantified self’ trend has already driven massive uptake of (generally) wrist-worn devices that measure heart rate and activity and link to health and fitness apps, which in turn link to entire communities of people comparing and contrasting their fitness.
Deloitte predicted that the market for wearables would reach 10 million units in 2014 and generate $3bn in revenues. It is widely forecast that this sector is likely to grow much bigger and will have an impact beyond the quantified self that has the potential to threaten enterprise security.
Security firm MobileIron believes the smart watch will be the first wearable device to make headway in the enterprise. Ojas Rege, VP of strategy, says: “We think it’s a form factor that consumers are comfortable with, and bringing new capabilities will open a range of innovation.”
Rege expects to see strong early adoption among industries where individuals are working with their hands and in use cases where what he calls ‘snack-sized’ data would allow workers to do their jobs more efficiently. “Healthcare and field services are perfect examples,” he says. “It’s easy to imagine a scenario where a voice-activated device gives surgeons data while they are operating or a smart watch that a patient wears to monitor vital activities. This will fundamentally shift how healthcare can monitor a patient’s vitals and through these remote up-to-date statistics provide prompt care. Other examples are a wrist wrap that provides an electronic instruction manual to a field service worker or battlefield logistics to a soldier.”
Wearables that in turn transmit data to other devices, such as other wearables or mobile phones, not only provide another vulnerability for CISOs to worry about but also transmit particularly sensitive personal data.
Catalin Cosoi, chief security strategist at Bitdefender, says: “In my opinion, the information collected by the wearable device is more sensitive than the user’s name and relationship status. Let’s not forget that most of these gadgets collect health and biorhythm-related information; they can assess health, show any traces of the onset of illness and so on.”
Apple Watch
The launch of the Apple Watch in September 2014 represented a shift from wearables being all about health and fitness to having wider capabilities, from sending and receiving emails to enabling NFC payments. The security industry was quick to point out the possible flaws.
Tim Erlin, director of IT risk and security strategy at Tripwire, says: “Near field communication, or NFC, isn’t as well tested from a security perspective as the more common wireless technologies. If the Apple Watch takes off in the market, it will quickly become an interesting target for attackers. We may see the rise of the modern-day pickpocket.”
There are real risks for enterprise systems of data loss and privacy breaches from quantified self apps and wearable devices that sit uneasily with the trend for increased collection and sharing of very personal information. Paul Steiner, EMEA MD at enterprise solutions provider Accellion, points out: “It is only a matter of time until wearable technology takes centre stage in the workplace and there’s no doubt that devices such as the Google Glass have the power to significantly change the way we work. However, it won’t be plain sailing for organisations with employees who use these devices, and as the number of Internet-connected devices increases, so will the associated security risks.”
BYOD to WYOD
Steiner adds: “Put simply, if IT departments thought they had a struggle on their hands in getting to grips with BYOD [Bring Your Own Device], they haven’t seen anything yet. Wearable technology will almost certainly give them an even bigger headache, as new wearable devices will multiply the number of devices accessing a network. If you don’t have a WYOD (wear your own device) policy in place, you’ll need to take steps now to safeguard your data in order to minimise security risks.”
Jon Howes, technology director at Beecham Research, which specialises in analysing and researching the worldwide technology challenges of the M2M and Internet of Things markets, believes the potential for introducing vulnerabilities is increasing significantly beyond traditional BYOD risks.
“One increasing area of risk is in understanding how such devices can be integrated securely into security mechanisms and procedures,” he says. “That is threatened by the typical enterprise security team’s lack of familiarity with these new access and input devices, and more so the lack of transparency and clarity by suppliers on the capabilities and protections within these quantified self and wearable products.”
Howes adds: “Increasing potential for risk comes from the way these quantified self devices are considered both personal and required to be easy to access with minimal to zero authentication of the user. When integrated into an enterprise system, those features could be highly prejudicial to security. But even when quantified self and wearable capabilities are not integrated with the enterprise or its data, their nature brings new security issues. The new devices can be used for insecure storage of enterprise system access and user authentication information, for example.”
Multiple vulnerabilities
Many enterprises are only just getting to grips with security around mobile phone and tablet apps. Wearable devices measuring user data add a whole new layer of security concern. “In the case of quantified self apps, M2M and wearable tech, the device network is widely distributed with low-cost data collection and communication systems. Consequently, security measures are likely to be both minimal and inexpensive, and as a result any security breach would go unnoticed for a long time,” says Troy Fulton, global marketing and product leader at Tangoe.
Fulton points out that quantified self apps and devices can pose a security threat to enterprise data and systems for a number of parties – the device manufacturer, the application vendor, the carrier (cellular and broadband), as well as the end user’s employer, if the app or device is communicating with and storing data locally to a work PC, as well as a tablet or smartphone used for work that lacks enterprise mobility management policy monitoring and enforcement.
Often, he says, there can be a failure of communication between device manufacturers, app developers and cloud service providers around who is responsible for data security. This can lead to risks when data is not encrypted in transit. “There is a wider danger to the quantifiable self device manufacturer and/or application developers if a large number of devices and apps are compromised,” says Fulton.
Self quantification devices could also extend the personal information available to criminals to include health and movement information that could be used for blackmail, scams and targeted spear-phishing emails.
David Calder, security managing director at IT consultancy and services provider ECS, says: “Apply this to the enterprise and the risks to employees and the business as a whole are considerable. Consider the scenario where health information on high-profile corporate leaders is available to criminal organisations. For example, early access to Steve Jobs’ health state could have allowed an external party to benefit by shorting Apple shares in advance of such information being released to the market as a whole.”
Location
Another risk is posed by wearables transmitting location information, as movement between locations is key to quantified self apps. Wearable activity tracking devices can be tracked or located through wireless protocol transmissions. Enterprises may have concern for the safety of employees whose whereabouts may be tracked and also for sensitive commercial information, such as which potential clients employees are visiting.
Symantec has found security risks in a large number of self-tracking devices and applications, and found that all of the wearable activity-tracking devices it examined, including those from leading brands, are vulnerable to location tracking.
Symantec points out that wearable devices are not designed for location tracking, but data collected by these devices is generally synced to another device or computer, usually via Bluetooth Low Energy. Symantec built some cheap and cheerful portable Bluetooth scanning devices using Raspberry Pi miniature computers and off-the-shelf components, which included a Bluetooth 4.0 adaptor, a battery pack and an SD card. It took the scanners to various busy public locations in Ireland and Switzerland where they scanned the airwaves for signals broadcast from devices. It found that all the devices encountered could be easily tracked using the unique hardware address that they transmit.
It also revealed that some devices, depending on configuration, may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.
Andrew Tang, service director of security at MTI, comments that quantified self data may be synchronised with cloud storage, potentially via an enterprise wireless connection, with privacy repercussions for the enterprise.
“If the wireless connection is not secured sufficiently, then sensitive personal information could be lost,” he says. “Organisations that use Internet gateway or web proxy solutions could be gathering the personal information of their employees, so there may be a need to not record this session information, or create a policy highlighting to the employee that their personal information will be recorded.”
Encryption lacking
Many quantified self apps are cloud-based and collect a wide range of personal information. However, Symantec has blogged that an unacceptably large proportion of these apps and services do not handle sensitive user data securely. It found that 20% of apps transmitted user credentials in clear text. Many quantified self apps and services have a cloud-based component where users upload and store password-protected data collected from their apps and services that includes personal information such as date of birth, relationship status, addresses and photos. The problem, Symantec observed, is that “many of them transmit user-generated data, including login credentials, through an unsecure medium such as the Internet without any attempt to protect it (eg, by encrypting it). Users often reuse the same passwords at home and at work and use personal email addresses to transmit corporate information”.
Symantec also highlighted the issue of unintentional data leakage as apps contact multiple Internet domains – for example, to carry out analytics. On average Symantec found that the apps contacted five different Internet domains. A significant number of apps contacted 10 or more different domains for various purposes, creating countless scenarios where personal data could be leaked unintentionally, such as through human error, social engineering or careless handling of data.
Weak session management during data sharing can be exploited by cyber-criminals to hijack sessions, and Symantec’s researchers encountered some sites that did not handle user sessions correctly: “In one example it was possible to browse personal data belonging to other users of the site. In another instance, it was possible for an attacker to upload SQL statements, such as commands to create tables in the database, to the server for execution.”
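Two of the findings above, credentials sent in clear text and apps fanning out to many domains, are visible from the enterprise side in exactly the gateway or proxy logs Tang mentions. The following is an added example (written for this page; it is not Symantec’s or the article’s code) of detection logic a proxy team could run over their own logs: it flags credential-bearing POSTs made over plain HTTP and lists apps that contact at least five distinct domains, Symantec’s reported average. The log format, hosts, app names and the list of credential paths are all constructed for the example.

```python
"""Added example, not Symantec's or the article's code: detection logic a
gateway or proxy team could run over their own logs to spot the two problems
described above, namely login credentials sent over plain HTTP and apps that
fan out to many domains. The log format, hosts and app names are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: client IP, method, URL and the app name taken from the User-Agent.
PROXY_LOG = """\
10.1.4.22 POST http://api.fitexample.test/login ua=FitTrack/2.1
10.1.4.22 GET https://cdn.fitexample.test/assets/logo.png ua=FitTrack/2.1
10.1.4.22 GET http://analytics-one.test/collect ua=FitTrack/2.1
10.1.4.22 GET https://ads.example-net.test/pixel ua=FitTrack/2.1
10.1.4.22 POST https://crash.report-example.test/upload ua=FitTrack/2.1
10.1.4.22 GET https://maps.example-tiles.test/tile/1/2 ua=FitTrack/2.1
10.1.4.37 POST https://auth.stepcounter.test/session ua=StepCounter/5.0
10.1.4.37 GET https://api.stepcounter.test/summary ua=StepCounter/5.0
10.1.4.51 POST http://sleep.example-tracker.test/signin ua=SleepWell/1.3
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+ua=(?P<app>[^/\s]+)")
# Path fragments that usually carry credentials (assumed list).
CREDENTIAL_PATHS = ("login", "signin", "auth", "session", "token")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def cleartext_logins(records):
    """(app, url) pairs where a credential-bearing POST travelled over plain HTTP."""
    hits = []
    for r in records:
        url = urlsplit(r["url"])
        if (r["method"] == "POST" and url.scheme == "http"
                and any(p in url.path.lower() for p in CREDENTIAL_PATHS)):
            hits.append((r["app"], r["url"]))
    return hits


def domains_per_app(records):
    """Distinct hosts each app contacted."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["app"]].add(urlsplit(r["url"]).hostname)
    return dict(hosts)


def chatty_apps(records, threshold=5):
    """Apps that reach at least `threshold` distinct domains (five is Symantec's reported average)."""
    return sorted(app for app, hosts in domains_per_app(records).items() if len(hosts) >= threshold)


if __name__ == "__main__":
    records = list(parse_log(PROXY_LOG))
    for app, url in cleartext_logins(records):
        print(f"cleartext credentials: {app} -> {url}")
    for app in chatty_apps(records):
        print(f"{app} contacts {len(domains_per_app(records)[app])} domains")
```

On the constructed log this reports FitTrack and SleepWell for cleartext logins and FitTrack as the one app reaching six domains. A real deployment would feed this from the proxy’s own log format and, following Tang’s point, would need a policy on whether recording employees’ personal sessions at all is acceptable.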
The law
Regulators across the globe have been weighing in on the issue of mobile app security but have yet to turn their attention to wearables. Philip James, partner and Technology and Data Privacy practice lead at Sheridans, a UK media technology law firm, explains: “One of the leading regulators in the field of mobile apps and privacy is the US Federal Trade Commission (FTC). The FTC has been very active recently in issuing guidance on privacy in the context of mobile apps and has also held a specific event on Consumer Generated and Controlled Health Data in relation to the use of mobile apps.1,2
“In addition, the US Food and Drug Administration (FDA) issued a non-binding guidance document in relation to the use of mobile medical apps.3 Regulators in Canada and Europe have issued or are shortly due to issue similar guidance. What is clear, however, is that the primary focus has been on protecting consumer rights and privacy when data is collected via medical apps. Little or no consideration has been given to the threats and risks posed to enterprise data and systems security by quantified self apps and wearable tech.”
Taking action
Organisations wondering how best to assess and address the risk from quantified self apps and wearable devices might draw a useful analogy with their handling of social media in the enterprise.
Calder at ECS says: “Those organisations who simply banned its use didn’t gain from the massive benefits that such technology may bring. A better approach may be to learn about the technologies, consider them and support or sponsor employee use with clear education and awareness. This will allow employees to benefit from the positive aspects of such devices without exposing the organisation to unnecessary risk.”
The data collected by quantified self devices could be used to strengthen security, according to Trey Ford, global security strategist at Rapid7. “Quantified self applications are all about gathering specific data points about how users live life,” he says. “As a security professional, I find myself asking why companies or application owners aren’t observing behavioural patterns and location data to make sure the human owner of an account is the only one using that account.”
He adds: “At a minimum, organisations need to be deploying technology in their environment that allows them to see what personal cloud services employees are using from the corporate network. They need to subscribe to breach data that will enable them to see if any of their employees have been subject to a breach and whether they are using any of the same login names for enterprise use.”
Main threats
Rege at MobileIron identifies three main threats from the quantified self trend around big data, privacy and spyware. “If the enterprise is collecting data through wearables, the sheer amount of data generated by an employee can increase dramatically – this becomes a ‘big data’ challenge for analytics and security,” he says. “The enterprise needs to evaluate where the data is being stored and how it is protected from unauthorised access from other applications on the device. The information should be securely transmitted regularly to back-end enterprise systems to ensure there isn’t a new, rapidly expanding ‘honeypot’ of confidential information on the device.”
Even if the enterprise is not collecting data through wearables, the employee most certainly is through personal apps, even on corporate devices, so protecting the privacy of that data is critical, says Rege. “This means that the enterprise should never back up or store personal data and, when wiping a device, should wipe only the enterprise data automatically.”
While most quantified self apps are legitimate apps targeted at helping consumers live their lives, Rege highlights the threat from spyware apps focused on collecting information about an employee’s behaviour for corporate espionage, adware or advertising data collection.
Rege believes employee education must be at the core of a security programme. Enterprises can also leverage an app reputation or app risk management service plugin to their enterprise mobile device management deployment. This can allow the enterprise to identify risky apps, such as those with location tracking, and trigger a quarantine of the device. This can be a simple alert to the user, blocking their access to the enterprise network until they remove the app, or removing the enterprise data from the mobile device through a selective wipe, to mitigate a data breach.
“The path to security is a structured, layered security programme, not fear,” says Rege. “Each organisation should follow a layered security strategy for mobile. The enterprise apps on the device do not share data with personal apps. When the enterprise apps communicate to the server, those connections are secured by per-app VPN and identity is enforced through the use of certificates. This
Continued on page 20...
Four steps to prepare for wearables
MobileIron recommends that enterprises think of each future employee as a walking datacentre, with a phone, tablet and several networked wearable devices. The four steps to wearable preparedness are:
•	 Set the expectation that enterprises will face the question of whether to support some type of wearable devices in the future.
•	 Monitor the consumer market and employee preferences, so you know which devices matter most to your end users.
•	 Establish a layered security model that is based on user experience, trust and data accessibility. It should apply to wearable devices as well as smartphones and tablets.
•	 Establish a mobile management architecture that gives enterprises a centralised way to set policies and access for all these form factors.
CFS November

More Related Content

What's hot

Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19
Symantec
 
Online reputation management survey presentation
Online reputation management survey presentationOnline reputation management survey presentation
Online reputation management survey presentation
Josep Claret
 
Symantec Intelligence Report: May 2015
Symantec Intelligence Report: May 2015Symantec Intelligence Report: May 2015
Symantec Intelligence Report: May 2015
Symantec
 
Cloud complexity: the need for resilience
Cloud complexity: the need for resilienceCloud complexity: the need for resilience
Cloud complexity: the need for resilience
The Economist Media Businesses
 
Online Trust Alliance Recommendations
Online Trust Alliance RecommendationsOnline Trust Alliance Recommendations
Online Trust Alliance Recommendations
Meg Weber
 
The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...
The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...
The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...
Bernard Marr
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arena
UltraUploader
 
2009 X Force Treath And Risk Wwiscop
2009 X Force Treath And Risk  Wwiscop2009 X Force Treath And Risk  Wwiscop
2009 X Force Treath And Risk Wwiscop
Juan Carlos Carrillo
 

What's hot (8)

Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19Symantec Internet Security Threat Report 2014 - Volume 19
Symantec Internet Security Threat Report 2014 - Volume 19
 
Online reputation management survey presentation
Online reputation management survey presentationOnline reputation management survey presentation
Online reputation management survey presentation
 
Symantec Intelligence Report: May 2015
Symantec Intelligence Report: May 2015Symantec Intelligence Report: May 2015
Symantec Intelligence Report: May 2015
 
Cloud complexity: the need for resilience
Cloud complexity: the need for resilienceCloud complexity: the need for resilience
Cloud complexity: the need for resilience
 
Online Trust Alliance Recommendations
Online Trust Alliance RecommendationsOnline Trust Alliance Recommendations
Online Trust Alliance Recommendations
 
The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...
The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...
The Most Amazing Examples Of Drones In Use Today: From Scary To Incredibly He...
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arena
 
2009 X Force Treath And Risk Wwiscop
2009 X Force Treath And Risk  Wwiscop2009 X Force Treath And Risk  Wwiscop
2009 X Force Treath And Risk Wwiscop
 

Viewers also liked

The "social" in Social Media
The "social" in Social MediaThe "social" in Social Media
The "social" in Social Media
Noah Kuchins
 
Start mining Dogecoin!
Start mining Dogecoin!Start mining Dogecoin!
Start mining Dogecoin!
Darion Gomez
 
JobFeet
JobFeetJobFeet
Malvertising
MalvertisingMalvertising
Malvertising
Nick Bilogorskiy
 
GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)
GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)
GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)
Sehan Lee
 
updated Curriculum -osama[1]
updated Curriculum -osama[1]updated Curriculum -osama[1]
updated Curriculum -osama[1]
Osama Ibraheim ABDALLATEIF
 

Viewers also liked (6)

The "social" in Social Media
The "social" in Social MediaThe "social" in Social Media
The "social" in Social Media
 
Start mining Dogecoin!
Start mining Dogecoin!Start mining Dogecoin!
Start mining Dogecoin!
 
JobFeet
JobFeetJobFeet
JobFeet
 
Malvertising
MalvertisingMalvertising
Malvertising
 
GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)
GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)
GoogleCTF 2016 [Wallowing Wallabies - Part One] Write-Up (ver.korean)
 
updated Curriculum -osama[1]
updated Curriculum -osama[1]updated Curriculum -osama[1]
updated Curriculum -osama[1]
 

Similar to CFS November

2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
- Mark - Fullbright
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
wlynn1
 
Cybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxCybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicaux
Market iT
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
sraina2
 
Post covid 19 era new age of cyber security
Post covid 19 era new age of cyber securityPost covid 19 era new age of cyber security
Post covid 19 era new age of cyber security
Ignitec Inc
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Calgary Scientific Inc.
 
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
mosmedicalreview
 
Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT
Sungard Availability Services
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
Kristie Allison
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
ESET North America
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
Christopher Daza
 
Can Health Devices Know Too Much?
Can Health Devices Know Too Much?Can Health Devices Know Too Much?
Can Health Devices Know Too Much?
Cheryl Tulkoff
 
Acus intel medical_devices
Acus intel medical_devicesAcus intel medical_devices
Acus intel medical_devices
atlanticcouncil
 
The Healthcare Internet of Things: Rewards and Risks
The Healthcare Internet of Things: Rewards and RisksThe Healthcare Internet of Things: Rewards and Risks
The Healthcare Internet of Things: Rewards and Risks
atlanticcouncil
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Hybrid Cloud
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
IJNSA Journal
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016
Dan L. Dodson
 
Cyber risks and liabilities newsletter jan feb 2017
Cyber risks and liabilities newsletter jan feb 2017Cyber risks and liabilities newsletter jan feb 2017
Cyber risks and liabilities newsletter jan feb 2017
Kieren Windsor
 
Risk management in Healthcare on Cloud
Risk management in Healthcare on CloudRisk management in Healthcare on Cloud
Risk management in Healthcare on Cloud
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
8Network Security April 2020FEATUREAre your IT staf.docx
8Network Security  April 2020FEATUREAre your IT staf.docx8Network Security  April 2020FEATUREAre your IT staf.docx
8Network Security April 2020FEATUREAre your IT staf.docx
meghanivkwserie
 

Similar to CFS November (20)

2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
Cybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxCybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicaux
 
InformationSecurity_11141
InformationSecurity_11141InformationSecurity_11141
InformationSecurity_11141
 
Post covid 19 era new age of cyber security
Post covid 19 era new age of cyber securityPost covid 19 era new age of cyber security
Post covid 19 era new age of cyber security
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
Healthcare Attorneys Feel the Healthcare Industry Is More Vulnerable to Cyber...
 
Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT Executive Brief- 4 Critical Risks for Healthcare IT
Executive Brief- 4 Critical Risks for Healthcare IT
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Can Health Devices Know Too Much?
Can Health Devices Know Too Much?Can Health Devices Know Too Much?
Can Health Devices Know Too Much?
 
Acus intel medical_devices
Acus intel medical_devicesAcus intel medical_devices
Acus intel medical_devices
 
The Healthcare Internet of Things: Rewards and Risks
The Healthcare Internet of Things: Rewards and RisksThe Healthcare Internet of Things: Rewards and Risks
The Healthcare Internet of Things: Rewards and Risks
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
 
Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016Fortified Health Security - Horizon Report 2016
Fortified Health Security - Horizon Report 2016
 
Cyber risks and liabilities newsletter jan feb 2017
Cyber risks and liabilities newsletter jan feb 2017Cyber risks and liabilities newsletter jan feb 2017
Cyber risks and liabilities newsletter jan feb 2017
 
Risk management in Healthcare on Cloud
Risk management in Healthcare on CloudRisk management in Healthcare on Cloud
Risk management in Healthcare on Cloud
 
8Network Security April 2020FEATUREAre your IT staf.docx
8Network Security  April 2020FEATUREAre your IT staf.docx8Network Security  April 2020FEATUREAre your IT staf.docx
8Network Security April 2020FEATUREAre your IT staf.docx
 

CFS November

  • 1. ISSN 1361-3723/14 © 2014 Elsevier Ltd. All rights reserved This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use. NEWS UK citizens hit hard by cybercrime says Government 1 Retailers under sustained attack 3 FEATURES The dark side of advertising 5 Most commercial web-based services and many mobile applications rely on advertising for their main sources of income. But while we’re all accustomed to seeing ads embedded in web pages and apps, this constant stream of advertising has also become a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it. Embedding dependability attributes into component-based software development 8 In order to save costs, increase speed of development and improve reliability, many organisations have turned to reusing software components. However, this approach also makes it hard to be confident about the security of the resulting software. 
Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via a case study involving an industrial software application. The quantified self: a threat to enterprise security? 16 Soon a large proportion of the population will be wearing computing devices in the workplace, if the pundits are to be believed. Wearable technology is getting smarter and has been given a boost in popularity following the launch of the Apple Watch. The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and connect to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports. FEATURES Editorial 2 News in brief 4 Calendar 20 Contents computer FRAUD&SECURITYISSN 1361-3723 November 2014 www.computerfraudandsecurity.com Featured in this issue: The dark side of advertising Advertising is pervasive on the Internet these days. It’s usually the primary income stream for many of the services, such as Facebook and Google, that we take for granted. But it’s also a source of serious threats to our security. Malicious advertising – or ‘malvertis- ing’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it. 
Full story on page 5… Embedding dependability attributes into component-based software development Many industries have turned to reusing software components during development because this makes applications cheaper, faster and more reliable. However, it also makes them hard to secure. Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementa- tion process that overcomes the lack of security during component-based software development and show how it’s imple- mented via an industrial software applica- tion case study. Full story on page 8… The quantified self: a threat to enterprise security? Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015. The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and link to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports. Full story on page 16… Come and visit us at: www.computerfraudandsecurity.com 8 UK citizens hit hard by cybercrime says Government Half of the UK’s citizens have fall- en victim to cybercrime, and half of those victims were traumatised by the experience, according to research by the Government. As part of Get Safe Online Week in late October 2014, the Cabinet Office issued the results of two surveys. 
The first, by Vision Critical, which was undertaken specifically to tie in with the event, found that of those people who had been victims of cybercrime – defined as: online fraud or cases resulting in eco- nomic loss; ID theft; hacking or deliber- ate distribution of viruses; and online abuse – half felt they were ‘very’ or ‘extremely violated’ by the experience. Continued on page 3…
  • 2. Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Fax: +44 (0)1865 843973 E-mail: cfseditor@elsevier.com Web: www.computerfraudandsecurity.com Publisher: Greg Valero E-mail: g.valero@elsevier.com Editor: Steve Mansfield-Devine E-mail: smd@contrarisk.com Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen,Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia Production Support Manager: Lin Lucas E-mail: l.lucas@elsevier.com Subscription Information An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users. Prices: E1139 for all European countries & Iran US$1237 for all countries except Europe and Japan ¥151 620 for Japan (Prices valid until 31 December 2011) To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971 Email: commsales@elsevier.com, or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. 
In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of arti- cles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/ or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any meth- ods, products, instructions or ideas contained in the material herein. Because of rapid advan­ces in the medical sciences, in particular, inde- pendent verification of diagnoses and drug dosages should be made. 
Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 02065 Pre-press/Printed by Mayfield Press (Oxford) Limited editorial 2 Computer Fraud & Security November 2014 Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Fax: +44 (0)1865 843973 E-mail: cfseditor@elsevier.com Web: www.computerfraudandsecurity.com Publisher: David Hopwood Editor: Steve Mansfield-Devine E-mail: smd@contrarisk.com Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen,Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia Production Support Manager: Lin Lucas E-mail: l.lucas@elsevier.com Subscription Information An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users. Prices: E1314 for all European countries & Iran US$1426 for all countries except Europe and Japan ¥174 800 for Japan (Prices valid until 31 December 2014) To subscribe send payment to the address above. Tel: +44 (0)1865 843687 or via www.computerfraudandsecurity.com Subscriptions run for 12 months, from the date payment is received. Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. 
In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments. Derivative Works Subscribers may reproduce tables of contents or prepare lists of arti- cles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations. Electronic Storage or Usage Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above. Notice No responsibility is assumed by the Publisher for any injury and/ or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any meth- ods, products, instructions or ideas contained in the material herein. Because of rapid advan­ces in the medical sciences, in particular, inde- pendent verification of diagnoses and drug dosages should be made. 
Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 12986 Digitally Produced by Mayfield Press (Oxford) Ltd Editorial Whatever side you stand on the Edward Snowden debate, it’s clear that his leaks of government secrets and dis- closures about mass surveillance programmes have certainly raised awareness about privacy – or rather, the lack of it – on the Internet. It’s probable that before the stories about the likes of PRISM broke, the vast majority of people hadn’t given privacy a second thought. Just witness how eager people have been to spill their lives onto the likes of Facebook and Twitter. Of course, they still do. There is something of a disconnect here. There’s a sizeable portion of the population that will complain about government snooping while pasting on to social networking sites precisely the kind of information that the intel- ligence services are being castigated for hoovering up. But then, I guess that’s their choice. And that’s the nub of the matter – whether we should be able to use the Internet while still choosing to be private. This would be the same kind of expectation we have with the phone system. We all know that our conversations are going down wires and through exchanges operated by private companies and to which law enforcement and other bodies can have access in certain circumstances. But we have a reasonable expectation that the privacy of our communica- tions will be not breached without good cause and due process of law. In other words, if you want to listen in, get a warrant. Things become more difficult for those who like to add a bit more cer- tainty about their privacy. For most people, telephone scramblers have always been exotically out of reach. 
In terms of our Internet privacy, there are technologies out there that can help – such as Tor – but they are often tricky to use if you are not an IT expert. And, as we’re discovering, they’re often not as effective as they seem. Only recently it was discovered that rogue Tor exit nodes had been inserting mal- ware into people’s communications. And, as we know from Snowden, US and UK intelligence agencies have been working hard to undermine the technology used by Tor. You’ll hear people say that if you have nothing to hide, you have noth- ing to fear. Normally, this platitude is spouted by those living in (relatively) safe (more or less) democracies like the US and UK. For those living under more repressive regimes it’s a lot harder to be quite so smug. The problem with having both those who are supposed to be protecting us (the intelligence agencies) and the bad guys (cyber-criminals) undermining technologies like Tor is that it weakens privacy for those who need it most – those whose very lives might depend on it. There are some highly knowledge- able and influential people taking up the banner of privacy. Next year will see the launch of a new think-tank and campaigning group, Code Red (see News in Brief, pg.4). With any luck, this will help dispel the idea that those seeking to be private on the Internet are paranoid, weird or dubious. It’s something we should all consider a right and expect, perhaps, as a default condition. The problem that will remain, however, is how to achieve it techni- cally. The Internet’s many protocols were never designed with privacy or security in mind. And that’s prob- ably a good thing as it helped fos- ter the notion of the Internet as a medium for connecting and sharing. Of course, the likes of Vint Cerf and Bob Kahn (creators of the Internet) and Sir Tim Berners-Lee (father of the web) couldn’t have foreseen the many dark directions their inven- tions would follow. 
We can only hope similarly gifted people will be able to retro-fit their progeny with technolo- gies that make it safe for everyone. – Steve Mansfield-Devine
  • 3. NEWS November 2014 Computer Fraud & Security 3 …Continued from front page Figures issued by the National Fraud Intelligence Bureau (NFIB) to tie in with Get Safe Online Week put the amount lost to the top 10 Internet-enabled frauds at more than £670m for the year end- ing 31 Aug 2014. This includes all fraud where the initial contact was via an online function. However, the NFIB pointed out that a high percentage of Internet frauds probably go unreported, so the real figure is likely to be much higher. The research suggests that only around a third (32%) of victims actually report the crime. More than half (53%) of the people sur- veyed now regard cybercrime to be as seri- ous as ‘physical world’ crimes, and many are now adapting their behaviour accordingly. For example, 45% say they have adopted stronger passwords and 42% claim to be ‘extra vigilant’ when shopping online. However, not all changes are for the better. When it comes to protecting their personal devices with a PIN or password, more than half have failed to do this with their mobile phones (54%) or PCs (59%), and two-thirds (67%) haven’t done this with their tablets. Laptop own- ers are slightly better – only 37% have failed to use a password. “It’s sad but not surprising that 53% of British people have fallen victim to cyber- crime,” said George Anderson, director of product marketing at Webroot. “The Internet has become assimilated into our daily lives, from banking to retail, to the point where it’s easy to forget how haz- ardous it is if the proper security measures aren’t taken. They key to making the UK a safe Internet user zone is education. As a country, as communities and as indi- viduals we should be actively promoting awareness of Internet safety and security issues. The government’s research should not scare people away from online activi- ties, but rather start serious and continu- ous conversations whereby we evaluate the online precautions we take both at home and at work. 
Education should start young, with parents and education bodies working to ensure security savvy future generations.” However, the rise in security awareness might have less to do with fraud than with other high-profile incidents, said Chris Boyd, malware intelligence analyst at Malwarebytes: “While there have been many notable attempts to place the threat of hacking and data breaches in the public eye, it’s possible that the recent celebrity iCloud hacks have had more of an impact on public perception than any cyber- security awareness week ever could. There is a significant amount of apathy among the average person when it comes to pro- tecting themselves online, which is com- pounded by the ever-evolving complexity and success of cybercrime; so while educa- tion is important, it’s also difficult.” The Get Safe Online public-private ini- tiative has guidelines that individuals can follow to protect themselves. There’s more information here: www.getsafeonline.org. Retailers under sustained attack The publicity surrounding the high-profile breach of US retailer Target’s point of sale (PoS) systems has done nothing to prevent the rise of such attacks, according to research by security firm Damballa. Infections involving the Backoff mal- ware used to breach Target’s systems – and those of other big-name victims such as Supervalu and UPS – are still rising. Damballa says it recorded a 57% rise in Backoff detections in August 2014, and according to US Secret Service estimates, this has resulted in 1,000 US firms being hit. Damballa also saw another 27% rise in September. Typically, infections are achieved by brute-forcing weak passwords on remote desktop (RDP) applications in order to drop the malware onto the PoS systems. “In many cases, the PoS systems are free-standing from the corporate network,” said Brian Foster, CTO at Damballa. “They connect to local net- works, which have limited security. 
Without this visibility, it’s impossible to discover the device is communicating with criminal command and control.”

Any business that uses RDP protocols to enable remote support on PoS solutions needs to implement much stronger security now, according to Curt Wilson, senior research analyst for Arbor Networks’ ASERT team. “If a PoS provider is compromised, the attackers typically obtain access to all their customer deployments via remote access capabilities, leading to complex, distributed compromise,” he said. “Strong authentication may provide an extra layer of defence in such a case, unless the strong authentication process is also compromised. Organisations, especially smaller to mid-sized organisations, should be aware of the potential of remote support being compromised.”

Meanwhile, researcher Brian Krebs has reported that there are continuing repercussions of the Home Depot breach. US banks have logged a large number of fraudulent transactions related to payment card details stolen from the firm. Most of these fraudulent transactions are coming from Brazil. An interesting twist is that the transactions claim to be chip-based ones, even though the affected banks have only just started rolling out EMV cards to their customers. It’s currently not clear how the fraudsters have managed to make the transactions appear as though they are EMV-based payments. One theory is that they have a payment terminal and are using encrypted data from a genuine EMV card and injecting other data using stolen card details into the data stream. There is more information here: http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/.

One consequence of this is that the banks are probably liable for the fraudulent payments: if they weren’t EMV-based, the liability would more likely have fallen on their insurers.
According to Luther Martin, chief security architect at Voltage Security: “The possibility of fraud resulting from hackers exploiting a flaw in the implementation of the EMV protocol demonstrates a few interesting points,” he said. “First, it was a flaw in the implementation of cryptography that was apparently exploited by hackers, not the cryptography itself. Cryptography can provide essentially unbreakable security for sensitive information, but it’s very hard to implement correctly. Even a fairly simple flaw in an otherwise-secure implementation can provide hackers all that they need to exploit a system.”

He added: “Next, it demonstrates that EMV is not proof against all payment fraud. While it may reduce card-present fraud by a considerable amount, EMV is not a ‘silver bullet’.”
New venture to boost privacy

Some of the top names in encryption and security are banding together to promote privacy. Security guru Bruce Schneier, Tor developer Jacob Appelbaum (who was involved in the Edward Snowden disclosures) and public key cryptology pioneer Whitfield Diffie are joining forces with a number of privacy advocates to create the Code Red project. Starting in January, this aims to become a “strategic think tank and campaign clearinghouse to provide new resources and tactical advice to human rights groups across the world”. As well as promoting privacy at an individual level, it will also offer resources for whistleblowers and activist groups. According to a blog post by Privacy International founder Simon Davies: “The initiative will be committed to a range of objectives, but foremost among these is to mentor the development of new and innovative projects that directly engage the surveillance menace.” The project’s steering group includes MI5 whistleblower Annie Machon, former US Congress member and presidential candidate Cynthia McKinney, former Wikimedia general counsel Mike Godwin, the Electronic Frontier Foundation’s international rights director Katitza Rodriguez and the former editor of Index on Censorship Judith Vidal-Hall. There’s more information here: www.privacysurgeon.org/blog/incision/one-of-the-worlds-most-ambitious-privacy-initiatives-launches-in-january/.

Industrial infections

For the past three years, a number of industrial control systems (ICSs) have been infected via the BlackEnergy malware toolkit, and the attack is said to be both “ongoing” and sophisticated. The ICS solutions that have been compromised – from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC – all have Internet-facing interfaces. The malware delivered by BlackEnergy is modular, and the exploits that have been delivered vary from system to system, according to US-CERT.
BlackEnergy was first identified in 2007 by Arbor Networks, and in September 2014, Finnish malware researchers noted that it was being used by the Quedagh political hacking group.

Image hides Android malware

Researchers Axelle Apvrille of Fortinet and Ange Albertini of Corkami have discovered that malware can be sneaked on to Android systems disguised as images. In what they’ve dubbed the AngeCrypt attack, a malicious APK file can be made to look like a perfectly normal PNG image – and other image formats can be used too. The technique was presented at Black Hat and more information is available here: http://bit.ly/201411angecrypt.

UK citizens dislike snoops

Research by F-Secure shows that UK citizens are becoming increasingly concerned about state surveillance. It says that 86% of people do not agree with the way intelligence agencies are indulging in mass surveillance, such as snooping on the general populace, including their emails, phone calls, web searches, social media interactions and geo-location data. With the future use of the collected data uncertain, people are showing their concerns, said F-Secure. The research suggests that 78% of respondents are worried about the consequences of having their data tracked. There is more information here: http://safeandsavvy.f-secure.com/.

Firms failing audits

Research by Axway and Ovum suggests that many organisations are failing to meet data security and governance requirements. In fact, 23% of organisations have failed a security audit in the past three years and 17% lack confidence in their ability to pass a security compliance audit today. The study also revealed that the average cost of a data breach was $3m. At the heart of the problem is the growing complexity of governance and compliance initiatives.
The top priorities for CIOs, CISOs and chief risk officers are business continuity and disaster recovery (87%), protecting against cyber-threats (85%), managing insider threats (84%) and compliance monitoring (83%). The research also found that the majority of organisations (71%) have little synergy between integration strategy and data security, privacy and governance frameworks and policies. And more than half (56%) reported a fragmented integration infrastructure. Nearly half (46%) expressed frustration with their existing Enterprise Service Bus (ESB), stating it offered less flexibility than expected and is difficult to maintain. And there are concerns about existing file transfer solutions, with reliability (84%), compliance (77%), visibility and monitoring (75%), and integration (74%) ranking as the top issues. There’s more information available here: http://www2.axway.com/PR-Ovum-report-en.

Poor passwords cost a fortune

It’s hardly news that poor password practices put organisations at risk, but according to Centrify Corporation they also impose a direct cost on businesses. According to its research in the UK, the average employee wastes £261 a year in company time on trying to manage multiple passwords, which for a company with 500 staff is a loss of more than £130,000 annually.

The security risks may be greater than many firms realise, too. While around half of employees (47%) use their personal mobile devices for business purposes, one in three (34%) admit they do not actually use passwords on these devices even though they keep office email, confidential documents, customer contact information and budget information on them. The research also shows that more than a third of workers (38%) have accounts they cannot get into any more because they cannot remember the password, 28% get locked out at least once a month due to multiple incorrect password entries, one in five change their passwords at least once a month and 8% change them every week.
Only 15% believe their passwords are ‘very secure’. There’s more information here: www.centrify.com/Password-Survey.

Outdated systems fail to detect fraud

Despite a rise in global fraud, two-thirds of European insurers saw the volume of detected fraud increase by less than 4%, according to new research from SAS. Those insurers that do not use automated detection, or only use ‘business rules’, saw significantly lower levels of detected fraud than their peers using advanced analytics. Among insurers using business analytics, 57% had seen the amount of fraud they detected year-on-year increase by more than 4%. In contrast, only 16% of those with no solution, or using only a business rules based approach, saw a similar increase.

Almost 20% of insurers stated that they did not use any technology to assist with fraud detection, relying on manual review of thousands of claims. In the face of widespread organised fraud, such as ‘cash for crash’ schemes, automation can help rapidly alert insurers to suspicious claims or networks of claims. Some 81% of insurers surveyed say they are using some form of automated detection technologies, with 49% in total using advanced analytics. When it comes to organised fraud, over a quarter of respondents confirmed they already have detection systems in place, or are in the process of implementing a solution. An additional third do not currently have a solution but have a project set up. However, a significant proportion of European insurance providers (40%) have no detection systems in place or immediate plans for such a solution. Results for opportunistic fraud were similar, but implementation of solutions to tackle this type of fraud tracked slightly behind organised fraud (10%). Worryingly, 28% of insurers indicated that they do not have precise metrics around detecting fraud within their organisation.
Also concerning is that only 21% of insurers are currently monitoring fraud levels in real-time while 64% are only measuring these levels on a monthly or quarterly basis. The report is available here: www.sas.com/en_gb/offers/14q4/insurance-companies-combat-fraud.html.
The dark side of advertising

How it works

For the cyber-criminals, malvertising has the advantage that no website needs to be hacked or compromised in any way. The attack is delivered in the same way as legitimate ads, without the knowledge of the host site and with the site having little in the way of defences. This means that the malware operates within a trusted context.

In some cases, the adverts themselves deliver the malware – or at least the first stage of an infection. This is most commonly achieved through the use of maliciously crafted Flash (.swf) files. Adobe claims that at least one billion Internet users have a Flash plugin installed in their browsers. Given that most malvertising simply performs redirects – which is normal behaviour – there is no malicious activity to detect at that stage.

Alternatively, the adverts may simply contain links to other websites that contain malware-laden pages, often using drive-by exploit techniques, or may host other forms of exploit, the least offensive and dangerous of which are simply surveys for which the attackers receive payment for each one completed.

Given that many victims will be infected just as part of their normal browsing activities, it can be impossible for them – or any forensic analyst – to know where or when the infection occurred. It could be at any point in their recent browsing history. And because ads are ephemeral, even examining previously visited pages won’t help because the ads shown on them will be different, such is the nature of how these ad networks operate.
Flash in action

Security firm Bromium recently presented a report at the Virus Bulletin 2014 event that showed how YouTube, Yahoo and several top-ranking websites had been tricked into running malicious banner adverts through obfuscated JavaScript code carried by Flash-based ads.1 “Bypassing ad network defences provides the perfect opportunity for attackers to target millions of users, so it is no coincidence that there has been an uptick in the number of malvertisements,” said Rahul Kashyap, chief security architect, Bromium. “The scale of this problem is as large as the Internet itself.”

According to the report, the procedure used by the attack was:

1. Detect which browser is in use.
2. If the browser is Microsoft Internet Explorer or Opera, continue.
3. Add obfuscated redirect JavaScript code to an obfuscated URL.
4. Call Flash’s ExternalInterface() function, passing it a parameter consisting of a call to deobfuscate() which itself has a parameter of the obfuscated URL and JavaScript code.
5. This code adds an iframe to the Document Object Model (DOM) of the web page containing a URL pointing to an instance of the Styx exploit kit.

Step 4 works because ExternalInterface.call lets ActionScript run JavaScript in the page that embeds the movie. The embedding page can refuse that with the allowScriptAccess="never" parameter on the object or embed tag, but, as the report observes below, ad networks apply loose policies to SWF files.

According to Bromium: “All the exploit kits to date rely on JavaScript to perform such tasks as browser/plugin fingerprinting, exploit selection and data obfuscation. Flash is used either to exploit a vulnerability in the Adobe Flash Player or to support other exploits in building ROP shellcode. However in the banner networks Flash movies are the most popular media and security policies for SWF files are pretty loose.” In other words, Adobe has provided exactly the tools malicious advertisers need, including the ability to carefully check the environment and run arbitrary JavaScript code.

Genuine sites

The really pernicious aspect of all this is that the site the victim first visits is likely to be entirely genuine and even well-known and popular. The adverts are delivered via a third-party optimiser or advertising network.
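Step 5 of the procedure above only succeeds if the host page lets an ad creative frame an arbitrary origin, and step 4 only if it lets plugin content run at all. As an added example, not from the article or from Bromium’s report, the following Node.js script is a simplified Content-Security-Policy source-list matcher: given a publisher policy with object-src 'none' and a frame-src allowlist, it reports whether each resource an ad tried to load would be permitted. The policy, the hostnames (ads.example-network.test, exchange.example.test, news.example.test) and the trace of attempted loads are constructed for illustration and are not taken from any real campaign.

```javascript
"use strict";
// Added example (not from the article or from Bromium's report): a
// simplified Content-Security-Policy source-list matcher. A publisher
// that serves its pages with object-src 'none' and a frame-src allowlist
// denies both the SWF foothold (step 4 above) and the injected iframe
// to an exploit-kit host (step 5). The policy, hostnames and sample
// loads below are constructed for illustration; real CSP has further
// rules (nonces, hashes, 'unsafe-inline', report-uri) not modelled here.

function parseSourceList(sources) {
  return sources.trim().split(/\s+/).filter(Boolean);
}

// "*.example.test" matches any subdomain but not the bare domain.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Match one CSP source expression ('none', 'self', a scheme such as
// "https:", or [scheme://]host[:port][/path]) against a parsed URL.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ":" !== url.protocol.toLowerCase()) return false;
  } else if (url.protocol !== "https:" && url.protocol !== "http:") {
    return false; // a bare host source only covers the web schemes
  }
  if (!hostMatches(host.toLowerCase(), url.hostname.toLowerCase())) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== "*" && port !== urlPort) return false;
  if (path) {
    // A trailing "/" is a directory prefix; anything else must match exactly.
    if (path.endsWith("/")) return url.pathname.startsWith(path);
    return url.pathname === path;
  }
  return true;
}

// True if `policy` lets `directive` load `urlString`. A directive that is
// absent falls back to default-src; if that is absent too, nothing is restricted.
function allowedBy(policy, directive, urlString, pageOrigin) {
  const list = policy[directive] !== undefined ? policy[directive] : policy["default-src"];
  if (list === undefined) return true;
  const url = new URL(urlString);
  return parseSourceList(list).some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Constructed publisher policy: frames only from two hypothetical ad hosts,
// no plugin content at all (so no SWF, hence no ExternalInterface.call).
const PUBLISHER_POLICY = {
  "default-src": "'self'",
  "script-src": "'self' https://ads.example-network.test",
  "frame-src": "https://ads.example-network.test https://*.exchange.example.test",
  "object-src": "'none'",
};
const PAGE_ORIGIN = "https://news.example.test";

// Constructed trace of what a creative tried to load, keyed by the
// directive that governs each load.
const SAMPLE_LOADS = [
  { directive: "frame-src", url: "https://ads.example-network.test/creative/123" },
  { directive: "frame-src", url: "https://cdn7.exchange.example.test/render.html" },
  { directive: "frame-src", url: "http://198.51.100.23/landing/index.php?k=7f3a" }, // exploit-kit-style landing page (constructed)
  { directive: "object-src", url: "https://ads.example-network.test/banner.swf" },
];

function auditAdLoads(policy, loads, pageOrigin) {
  return loads.map(({ directive, url }) => ({
    directive,
    url,
    allowed: allowedBy(policy, directive, url, pageOrigin),
  }));
}

for (const r of auditAdLoads(PUBLISHER_POLICY, SAMPLE_LOADS, PAGE_ORIGIN)) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.directive} ${r.url}`);
}
```

Run it with node and each sample load prints ALLOW or BLOCK: the two allowlisted frames pass, the off-allowlist landing page and the SWF are refused. Two caveats a practitioner would want: CSP only helps in browsers that enforce it, and Internet Explorer of that era, one of the two browsers this campaign singled out, honoured only CSP’s sandbox directive, so such a policy protected Chrome, Firefox and Safari users rather than IE users; and the matcher deliberately omits nonces, hashes, 'unsafe-inline' and reporting, so it models the allowlist logic rather than serving as a drop-in policy engine.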
The host sites employ these kinds of services to generate revenue by simply placing some source code (typically JavaScript) within a page. The best known of these kinds of network is Google’s AdSense and Google’s subsidiary DoubleClick.net, although there are many others, some with less than perfect reputations.

Steve Mansfield-Devine, editor, Computer Fraud & Security

Advertising is pervasive on the Internet these days. It’s usually the primary income stream for many of the services, such as Facebook and Google, that we take for granted. But it’s also a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. And the shift to mobile platforms is only making this problem worse.
Too many advertising networks fail to fully analyse the ads that are distributed through them. As long as the banner advertisement appears to look and behave like a normal ad, it will be distributed. Even the most professional and trusted ad networks can be exploited. DoubleClick has been misused this way on numerous occasions. For example, in September 2014, security firm Malwarebytes warned that ads supplied by major advertising agency Zedo and distributed by DoubleClick were delivering the Zemot malware.2 The Jerusalem Post and The Times of Israel were the most high-profile websites targeted by the campaign.

The host sites don’t directly control the content of the ads – that’s usually handled dynamically every time the page is loaded and depends as much on the user as the website. This means even big names can be subverted, as revealed recently by Proofpoint.3 The campaign detailed by the security firm used malvertising to infect victims with the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. Proofpoint found the malicious adverts being run on sites run by Yahoo, AOL, The Atlantic, Match.com, The Sydney Morning Herald and at least a dozen other firms. According to Proofpoint, the attackers may have made as much as $25,000 a day. The three advertising networks that were carrying the ads were The Rubicon Project, Right Media/Yahoo Advertising and OpenX. Even though the ads had to pass through several stages – including exchanges, optimisers, ad networks and the host networks – they were never detected as malware.

Ransomware is a common type of infection. Malvertising played a major role in the spread of the notorious CryptoLocker malware. And in the first half of 2014, Cisco tracked the use of a new exploit kit, RIG, to perform drive-by infections of CryptoWall ransomware on a number of legitimate websites.
This was documented in the firm’s ‘Cisco 2014 Midyear Security Report’, which explained that the exploit kit was able to use flaws in Java, Flash and Silverlight to perform its infections.4

Mobile exploits

The problem is, in many ways, even worse on mobile platforms. On iOS, Apple runs its own advertising network, which it polices very thoroughly. Although it would be possible to slip malicious ads into that network, the cost of setting up accounts to do so – which would necessitate creating fake identities – makes the prospect unattractive to cyber-criminals. That’s because a malvertising campaign may run for only a short time before being discovered, at which point Apple could quickly shut it down.

However, on Android, developers – many with a poor grasp of security issues – can embed advertising from any one of a number of third-party advertising networks, not all of which are rigorous about the provenance or reliability of the ads they accept. And on a mobile platform, unlike with a desktop browser, you can’t hover a mouse pointer over a link to see where you’re going to be redirected should you click (not that enough people do that anyway).

Brand damage

The people whose computers are infected are not the only victims. Many malvertising campaigns, such as the one detected by Proofpoint, use stolen ‘creatives’ – the images and text – from legitimate adverts. In this case, firms like Microsoft Bing and Case Logic found their adverts being exploited in this way and were therefore in danger of having their brands damaged.

[Figure: Malvertising inserted on a Yahoo page. Source: Proofpoint.]

The Cisco report notes that advertising online now outstrips all other media in terms of spend, but that this industry could be threatened by the potential damage to users’ trust caused by malvertising. It also highlights the fact that, just as
advertising is usually targeted to specific portions of the population, so is malvertising. “A malvertiser who wants to target a specific population at a certain time – for example, soccer fans in Germany watching a World Cup match – can turn to a legitimate ad exchange to meet their objective,” says the report. The cyber-criminals also often show great confidence in the effectiveness of their campaigns by paying up-front for their ads – $2,000 per ad run is not uncommon.

Bromium’s report also showed how cyber-criminals can exploit the otherwise legitimate targeting abilities of ad networks and the information supplied by users’ browsers to focus their campaigns on people in certain territories or countries, running specific browsers or operating systems, using specific languages or devices, or according to the topic of a web search or page. This greatly enhances their chances of achieving a successful infection.

Malvertising campaigns often show trends towards specific subjects or techniques. It’s common to see malicious adverts focusing on significant events, such as sports tournaments (World Cup, Olympics) or news stories (the Ebola outbreak and other major disasters). Among the trends spotted this year have been fake technical support and phony weight loss products, although these were mainly fraudulent products rather than attempts at malware infections.5,6

There was also an interesting case recently where malvertising appears to have been targeted at three firms in the military/defence sector in the US.7 Security firm Invincea said it spotted a campaign that it believed was intended to steal military secrets and intellectual property. In one two-week period alone, the firm said it tracked six campaigns targeting a single aerospace contractor. And these may have been mounted by someone more sinister than mere cyber-criminals.
“In the past, we have seen organised cybercrime learn attack techniques from advanced nation state actors,” the firm’s chief executive Anup Ghosh told Reuters. “This is a case where advanced state actors would be learning from cybercrime in terms of methods and tactics.”

Industry response

One organisation that keeps a careful eye on trends is Trust in Ads, established by Google, AOL and Yahoo in an attempt to maintain the reputation of online advertising.8 This is one of several responses by the industry to the problem of malvertising.

Not surprisingly, Google is taking this threat very seriously. While many people still view Google as a search service, it is primarily an online advertising company. Its business model depends on website operators embedding its advertising services such as AdSense on their sites. Anything that discourages sites from using third-party ad services is clearly not in Google’s interest. The company has also set up the site Anti-Malvertising.com, a small, simple website that offers advice to website operators, advertising networks and the general public on the dangers of malware and what to do if you’re affected by it.9

In addition, the Online Trust Alliance (OTA) was established by Epsilon Interactive, Email Senders and Provider Coalition (ESPC), The Direct Marketing Association, Microsoft, Symantec and Sendmail to fight the scourge of spam. But it has extended its brief to include malvertising and offers a brief ‘Malicious Ads & Content Response & Remediation Guide’ aimed primarily at the advertising and marketing communities.10

Mitigations

Bromium’s report suggests that malvertising can’t be tackled through conventional means, and it gives three main reasons for this:

1. The web advertising business is just too big for every item of media to be checked.
2.
It’s impossible to ‘prove’ that an item of media is definitively clean (an example of the classic Halting Problem).
3. It would be easy for content to hide its malicious behaviour under test conditions (some traditional malware already does this), and perform its intended actions only when triggered by certain conditions in the wild.

Normal endpoint security is ineffective because the malicious nature is hidden from the user’s machine by things like the obfuscation capabilities of Flash’s ActionScript.

As mentioned earlier, Google’s Anti-Malvertising.com site does offer some advice, although little that deals directly with protection. For advertising distributors, for example, the best practices outlined on the site revolve largely around how to respond to malvertising once it is discovered on the network. For website operators, Google’s advice is to pay close attention to the advertising networks you use. However, it’s virtually impossible for site owners to audit or monitor the networks in any meaningful way. And given that Google itself has been known to carry malvertising, it’s unclear how useful this advice really is. It also suggests carrying out “comprehensive QA” on all creatives. But again, given that much advertising content is dynamically delivered, this advice is of limited usefulness. Finally, for end users, the site basically offers the same advice you’d give for any kind of malware threat – that is, keep all your software up to date and use an anti-malware product.

Conclusion

With such poor defences against this threat, we can expect malvertising to increase. It has proved to be extremely
effective for cyber-criminals. And it is hard to track and even harder to prosecute. For the time being, it seems, our protection lies largely in the common sense of individual web users.

About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Computer Fraud & Security and its sister publication Network Security. And he blogs and podcasts on information security issues at Contrarisk.com.

References

1. ‘Optimized Mal-Ops: Hack the ads network like a boss’. Bromium, Sep 2014. Accessed Oct 2014. www.bromium.com/sites/default/files/bromium-report-optimized-mal-ops.pdf.
2. ‘Large malvertising campaign under way involving DoubleClick and Zedo’. Malwarebytes blog, 18 Sep 2014. Accessed Oct 2014. http://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/.
3. ‘Malware in Ad Networks Infects Visitors and Jeopardizes Brands’. Proofpoint, 22 Oct 2014. Accessed Oct 2014. www.proofpoint.com/threatinsight/posts/malware-in-ad-networks-infects-visitors-and-jeopardizes-brands.php.
4. ‘Cisco 2014 Midyear Security Report’. Cisco, Aug 2014. Accessed Oct 2014. www.cisco.com/web/offer/grs/190720/SecurityReport_Cisco_v4.pdf.
5. ‘Bad Ads Trend Alert: Shining a light on tech support advertising scams’. Trust in Ads, May 2014. Accessed Oct 2014. http://trustinads.org/wp-content/uploads/2014/08/Bad_Ads_Trend_Alert_Tech_Support_Scams.pdf.
6. ‘Bad Ads Trend Alert: False claims in online weight loss advertisements’. Trust in Ads, June 2014. Accessed Oct 2014. http://trustinads.org/wp-content/uploads/2014/08/Bad_Ads_Trend_Alert_Weight_Loss_Scams.pdf.
7. ‘“Malvertising” targets U.S. military firms in new twist on old web threat’. Reuters, 16 Oct 2014. Accessed Oct 2014. www.reuters.com/article/2014/10/16/us-cyber-security-military-idUSKCN0I529H20141016.
8. TrustInAds.org home page.
Accessed Oct 2014. http://TrustInAds.org.
9. Anti-Malvertising.com home page. Accessed Oct 2014. http://Anti-Malvertising.com.
10. ‘Malicious Ads & Content Response & Remediation Guide’. Online Trust Alliance. Accessed Oct 2014. https://otalliance.org/system/files/files/best-practices/documents/malvertisingremediation_guide.pdf.

Embedding dependability attributes into component-based software development

Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin, Mansoor Abdullateef Abdulgabber, Universiti Teknologi MARA

An increasing competition among companies specialising in software production and services has emerged over the years. Today, companies compete even on trivial matters, aiming to produce dependable, reliable and affordable software applications. To achieve this goal, the software application must either be developed more efficiently or large portions must be reused. The component approach leads to the production of cheaper, faster and more reliable software. Consequently, many industries have begun to focus on software development using the reuse approach.

Component-Based Software Development (CBSD) is a software development approach that focuses on the use of existing software code. Hence, the method of constructing software applications from scratch is replaced by integrating reusable software code. This method simplifies software development to fit time and budget constraints. The CBSD approach has been successfully applied in many domains.1 However, the ability of CBSD to develop secure software applications remains weak. Previous studies have stated that CBSD products face security issues. The central problem lies in the lack of standards to ensure the security and other non-functional requirements of the components, thereby making CBSD incapable of assuring specific application attributes.2

Several software security attributes have been identified as the key factors in solving the problem of the lack of security in the CBSD process. These attributes are dependability, trustworthiness and survivability.3,4,5 However, the extant literature shows that dependability attributes are essential in addressing security threats, abnormal behaviour and untrustworthiness issues in a software system.6,7 Moreover, the dependability attributes should be considered to overcome poor software development, which leads to security issues in current web application systems.8 Indeed, dependability attributes should be embedded into the process to solve the problem involving the lack of security.9

Our previous work introduced a guideline for embedding dependability attributes into CBSD.10 Created with the assistance of expert software developers and security consultants from a local industry in Malaysia, the guideline is designed to overcome the lack of security trust in the CBSD process. The guideline consists of a set of best practices that are designed to embed dependability attributes into the CBSD process. The objective is to demonstrate the embedding of dependability attributes into the four phases of the CBSD process – namely, requirements, design, implementation and testing. The guideline also specifies a set of techniques for the design phase, which requires developers to compose dependability attributes in every code line written. Another issue addressed by the guideline is a well-defined coding standard that can help developers ensure that a large number of dependability attribute bugs are avoided as the code is being written. The guideline details for embedding dependability attributes into the CBSD process are summarised in Figure 1.

To implement the guideline, we performed a case study to test the process, with the aim of developing an industrial web application. The implementation process should involve the embedding of dependability attributes into the CBSD phases.
This article presents the guideline implementation process by demonstrating the development of an information and communications technology (ICT) portal that follows the guideline and uses a CBSD approach.

Methodology

A rigorous implementation of a guideline requires applying it under the actual demands of real software applications. Ideally, a guideline would be applied to numerous systems; however, this ideal situation is not a feasible experimental method. Therefore, addressing these problems requires the application of such a guideline in a case study. This case study aims to construct an industrially feasible software application system using the CBSD approach. The guideline implementation process highlights the industrial practicality to ensure that the dependability attributes of the software components are applied in the experimental context. Developing a web application system using the CBSD approach is possible. The question lies in whether a guideline can significantly contribute to resolving the lack of security trust in the web application system production using the CBSD approach. Demonstrating the ICT portal development, which follows our guideline and uses the CBSD approach, can ensure the proper integration of the dependability attributes and the generalisation of the results of a single-point case study.

Collaboration with a local company in Malaysia was established for the application of the ICT portal development guideline. Due to the competitive environment among software development companies, the company name was kept confidential for commercial reasons. Therefore, we refer to the company as the Software Development Company (SDC). The ICT portal was developed by a software development team, which consists of six members currently working at the SDC. The SDC is a leader in ICT innovations in Malaysia, and has pioneered new market creation for partners through patentable technologies for economic growth.
With over 25 years of experience, the SDC contributes its core technologi- cal competencies to the industry towards raising Malaysia’s local, regional and inter- national market competitiveness. Figure 2 presents the methodology diagram for the guideline implementa- tion process. First, related industries were identified and a list of software develop- ment companies was created. Then, a formal letter to the companies was sub- mitted to request collaboration. Upon receiving feedback from the companies, an agreement was made with one Figure 1: Embedding dependability attributes into the CBSD process.
software company, which was chosen because of its position as the industry leader. Then a kick-off meeting was held with the head of the software development department, during which the priorities of the academic institution and the company's policies were discussed. Subsequently, the currently planned projects were discussed with the company representatives. Next, the creation of an ICT portal for the guideline implementation was proposed, and a team was assigned to develop this portal based on the guideline. The guideline's process was discussed, after which the reliability of the guideline's implementation was reviewed: where the review produced a positive response the guideline's process was finalised, otherwise the approach was refined. Afterwards, the guideline was implemented by developing the ICT portal using the CBSD approach. The implementation involved embedding the dependability attributes into the four phases (requirements, design, implementation and testing). The functionality of the developed system was evaluated using Vulnerability Assessment Tools (VATs), and an evaluation report was generated. In addition, ongoing consultations and supervision were conducted with representatives of the academic institution and the industry partner for the purpose of monitoring the results.

Figure 2: Guideline implementation methodology.

The developed ICT portal provides various applications and related information that enable users to improve their social community life. Moreover, the ICT portal is equipped with an intelligent service delivery platform (ISDP). This was constructed on the CBSD approach and organised by the SDC to help members of the community obtain useful information related to science, technology and innovation. Apart from providing access to government online services, the portal also serves as an online advisory centre for information on new technologies in areas such as agriculture, industry, e-commerce and e-services. The ICT portal facility aims to develop and educate members of the community, specifically rural youngsters, and help them become skilled ICT volunteers. These youngsters then become assets to community development by contributing to the improvement of social and economic life. The ICT portal facility emphasises the use of ICT as an important foundation in the development of society. Note that the guideline implementation process was performed by the software development team working at the SDC.

Guideline implementation process

The guideline implementation process involves embedding the dependability attributes into the four CBSD phases, namely requirements, design, implementation and testing. The following sections discuss the guideline implementation in detail, going through each development phase of the ICT portal.

Requirement phase

A thorough analysis of the requirements is the foundation of the ICT portal. A correctly executed requirement-gathering and analysis process provides a strong base for the rest of the development process; every later phase suffers when the requirements are not met, and this can jeopardise the production process. The dependability attributes in the CBSD are affected in the same way, so these attributes were addressed from this phase onwards. The following points explain the requirements analysis pertaining to the dependability attributes of the ICT portal.

To capture the requirements of the dependability attributes, the software development team defined and analysed the dependability attributes based on the ICT portal services. The team then identified and finalised the methods of achievement, along with the required tools associated with each predefined dependability attribute. Figure 3 shows the analysed dependability attributes and the methods and tools used to achieve each of them.

General objectives: The general objectives set for the analysis of the dependability attributes are as follows:
• To establish and sustain a qualified work environment that meets the dependability needs, and to gain a comprehensive understanding of the environment to support, or at least allow, specific design decisions.
• To establish and sustain the requirements of the dependability attributes (eg, the integrity levels), and to design the products and services to meet them.
• To estimate, determine and monitor the consequences of each risk associated with the dependability attributes, and to develop a risk mitigation plan to attain an acceptable level of risk.

In addition, the objectives of each dependability attribute are described below.

Availability and reliability objectives: Availability ensures that data and services are available when required by authorised entities, whereas reliability refers to the assurance of continued provision of services.
The objectives of these attributes are as follows:
• To meet the non-repudiation requirements, which specify that a party to a transaction should not be able to deny involvement in that transaction.
• To identify the availability requirements that must be met by the system.
• To identify the performance requirements that must be met by the system.
• To ensure that the system can provide information services for 99% of requests within one hour.
• To identify the system services that are considered extremely critical for the business.
• To determine how these system services might be threatened.
• To determine the minimal quality of service that must be sustained.
• To ensure that the system can recover quickly if services become unavailable.

Confidentiality objectives: This attribute ensures that information is accessible only to duly authorised entities. Confidentiality applies to service components and to their interactions. The objectives of this attribute are as follows:
• To ensure that the authorisation requirements specify the access permissions and privileges of the identified users.
• To require the identification of all system users through a personal password and username.
• To ensure that the privileges of users are assigned based on user class.
• To ensure that the system verifies that the user has sufficient privileges to access and execute a command before that command is executed.
• To prevent users from having multiple simultaneous logins to the system.
• To protect private and confidential information, such as photos of minors and sermons, from exposure to the general public, and to ensure that such content is available only to authenticated users.
• To ensure that passwords are kept confidential, and to require passwords of at least eight characters including at least one non-alphanumeric character.
• To ensure that the privacy requirements are specified for the process, thus ensuring data privacy.

Integrity objectives: Integrity ensures that assets are not modified without authority, except for operations involving personnel information. The objectives of this attribute are as follows:
• To guarantee information integrity by securing storage and protection and by restricting access to information distribution.
• To provide specific information on how to avoid data corruption.
• To ensure that the passwords used by authors are transmitted to the secure text editor in a manner that preserves integrity.
• To provide a general hierarchy of authorisation for administrators, members and the general public (anonymous).
• To limit the capabilities of account creation and role assignment to site administrators, and to ensure that changes to role assignment take effect in real time.
• To ensure that authenticated users can access additional site content, pages and navigation.
• To include an automated password reset/'forgot password' capability in the system.

Figure 3: Methods and tools to achieve specific dependability attributes.

Figure 4: Risk analysis and assessment of the dependability attributes.
Safety objectives: This attribute refers to the absence of catastrophic consequences for users and the environment. The objectives of this attribute are as follows:
• To monitor, report and analyse safety incidents, and to identify potential corrective actions.
• To plan and provide for continuity of activities, considering contingencies for vulnerabilities and hazards to the infrastructure and all related operations.
• To identify risks and their sources, which can be attributed to vulnerabilities and safety hazards.
• To ensure that the intrusion detection requirements specify which mechanisms detect attacks on the system.
• To identify all safety-critical data variables and processing.
• To ensure that changes made to plans and requirements do not affect safety negatively.
• To take immediate corrective action to address safety issues or problems, and to improve safety processes throughout the life cycle.

Maintainability objectives: Maintainability refers to the ability to undergo repair and modification. This attribute is related to business service continuity and reconfiguration. The objectives of this attribute are as follows:
• To specify the auditing requirements (ie, to determine how system usage can be audited and checked).
• To specify the system's maintenance requirements (ie, to determine how the application can prevent authorised changes from accidentally defeating the dependability mechanisms).
• To ensure that all variables are properly defined and that data types are maintained consistently throughout the program.
• To ensure that all code documentation (comments) is accurate.
• To ensure that the code and data modifications identified in the requirements phase are performed.
• To ensure that processing loops use the correct criteria for starting and stopping (ie, indices or conditions).

Risk analysis and assessment

The software development team followed the six stages of risk assessment shown in Figure 4. The first stage is the implementation of the dependability attributes. The next stage involves the identification and evaluation of asset value and risk. This is followed by the identification and assessment of exposure and consequence, and the final stage is the identification of controls.

Documentation of dependability requirements

The software development team included the requirements of the dependability attributes in the ICT portal's system requirement documents. The team analysed the use and misuse cases, along with the coding standards and vulnerabilities of the ICT portal, as presented in Figure 5.

Figure 5: Use and misuse cases.

Design phase

Most defects are introduced during implementation, but the defects introduced in the design phase are the most expensive to fix. Following the guideline, the software development team took a proactive approach that focused on the dependability attributes throughout the design phase, to prevent costly redesign. The overall steps of the design process for the dependability attributes in the ICT portal are described below.

The choice of software architecture can profoundly affect emergent system properties. An unsuitable architecture compromises the confidentiality and integrity of system information as well as the required level of system availability. Therefore the software development team considered two fundamental architectural design issues:
• Protection: how should the system be organised to protect critical assets against external attack?
• Distribution: how should the system be distributed to minimise the effects of a successful attack?

The software development team designed the ICT portal with a layered architecture. In this design, the critical protected assets at the lowest level of the ICT portal, the records of individual system users, are surrounded by layers of protection, as illustrated in Figure 6. An attacker has to penetrate all three ICT portal layers to access and modify the user records. These layers are:
• Platform-level protection: The top level of protection restricts access to the platform on which the user record system runs; a user must first sign on to that platform from a computer. The platform also includes a support system that sustains the integrity of the system's files.
• Application-level protection: The next level of protection is built into the application itself. A user gaining access to the application is authenticated and then authorised to perform certain actions, such as modifying or viewing data. Application-specific integrity management support is available at this level.
• Record-level protection: This level of protection is invoked whenever a request to access a particular record is encountered. It verifies whether the user is authorised to perform the requested operation on that record. At this level the protection involves encryption, to prevent unauthorised entities from browsing through records with a file browser. Changes made outside the normal record update mechanisms can be detected by integrity checking with cryptographic checksums. Note that an unkeyed checksum stored next to the record protects only against accidental corruption: anyone who can edit the record can recompute the hash. For the check to detect deliberate tampering, the checksum must be keyed (an HMAC) with a key that is not stored alongside the records, or the digests must be kept or signed somewhere the attacker cannot write.

Design description

Several considerations were made in designing the system, including architectural issues at the system level and at the individual component level. At the system level, the emphasis is on techniques that help reduce software attacks; this level also analyses potential vulnerabilities that might affect the design choices. The component level focuses on the best means by which to implement each module. The general steps of the design process for the dependability attributes were addressed by the software development team as explained below.

Vulnerability analysis: The attack scenarios and the vulnerability model of the dependability attributes were analysed by the software development team. The vulnerability model was created to determine what should be protected in particular cases.

Educating the development team: The software development team was instructed to operate with two primary goals, namely: 1) to follow best practices for secure coding; and 2) to provide practical education in using the various security tools and services.
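The record-level checksum described above, as an added example that is not part of the original article or of the ICT portal's code: an in-memory record store that keeps a keyed checksum (HMAC-SHA256) per record, rewrites it on the normal update path, and refuses to serve, or flags on audit, any record whose content no longer matches. The key, the `RecordStore` class, its `tamper()` method (which stands in for an edit made with a file browser or direct database access) and the sample user records are assumptions constructed for the illustration.

```python
"""Record-level integrity: keyed checksums over each user record.

Added example for this article; not code from the ICT portal described.
Assumptions (all constructed for illustration): the RecordStore class, the
record field names and values, and INTEGRITY_KEY.
"""
import hashlib
import hmac
import json

# Assumed key. In production it comes from a key store or the environment and
# is NOT stored next to the records, otherwise whoever edits a record can also
# recompute its checksum.
INTEGRITY_KEY = b"example-integrity-key-replace-me"


class IntegrityError(Exception):
    """Raised when a record's stored checksum no longer matches its content."""


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the same content always gives the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record_id: str, record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the record id and its canonical content.

    Binding the id into the MAC stops an attacker from copying one valid
    record (together with its tag) over another record's slot."""
    msg = record_id.encode("utf-8") + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_record(record_id: str, record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the recomputed tag with the stored one."""
    return hmac.compare_digest(tag_record(record_id, record, key), tag)


class RecordStore:
    """In-memory stand-in for the portal's user record table: id -> (record, tag)."""

    def __init__(self, key: bytes = INTEGRITY_KEY):
        self._key = key
        self._rows = {}

    def update(self, record_id: str, record: dict) -> None:
        """The normal update path: the tag is rewritten together with the data."""
        self._rows[record_id] = (dict(record), tag_record(record_id, record, self._key))

    def read(self, record_id: str) -> dict:
        """Serve a record only if its tag still matches."""
        record, tag = self._rows[record_id]
        if not verify_record(record_id, record, tag, self._key):
            raise IntegrityError(f"record {record_id} was modified outside the update path")
        return dict(record)

    def tamper(self, record_id: str, field: str, value) -> None:
        """Simulates an edit made directly on the stored data (file browser,
        direct database access), bypassing update() and its re-tagging."""
        self._rows[record_id][0][field] = value

    def audit(self) -> list:
        """Return the ids of all records whose tag no longer matches."""
        return sorted(rid for rid, (rec, tag) in self._rows.items()
                      if not verify_record(rid, rec, tag, self._key))


def demo() -> list:
    """Two members; one is silently promoted by a direct edit."""
    store = RecordStore()
    store.update("u1001", {"name": "Aminah", "role": "member"})
    store.update("u1002", {"name": "Razak", "role": "member"})
    store.tamper("u1002", "role", "administrator")
    return store.audit()


if __name__ == "__main__":
    print(demo())
```

The audit pass is the part worth scheduling: a tamper that never goes through `read()` is only noticed when something recomputes every tag, so run it periodically and alert on a non-empty result rather than waiting for a user to hit the bad record.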
Design guidelines for dependability attributes: The guideline for the dependability attributes was implemented by the software development team. For instance, Figure 7 presents the sequence diagram of the user actor.

Dependability design documentation: The software development team produced a report on the architecture and design of the dependability attributes. This report describes the steps undertaken to mitigate vulnerabilities. The team also included the architecture and design of the dependability attributes in the software design description.

Figure 6: A layered protection architecture.

Implementation phase

The user needs and business goals that are implemented must achieve specific operational goals. The software development team implemented the dependability attributes (Figure 8) as discussed in the following sections.

Coding standards: The software development team followed the coding standards when writing the code for the dependability attributes. These standards cover the handling of temporary files, authentication of code libraries, safe handling of strings and integer results, and proper error handling; they also cover exception management, input/data validation, authorisation, configuration management, authentication, session management, auditing and logging, cryptography and the handling of sensitive data.

Code reviews: A functional review focuses on functional issues, whereas a separate dependability attribute code review focuses only on issues involving the dependability attributes. All code developed by the software development team was reviewed with the dependability attributes in mind. The key objectives of the code review were to achieve the design goals, to meet the dependability attribute objectives and to ensure a robust implementation. The code review techniques included both automated and manual processes. The automated steps included scanning the code for the use of unchecked return values, unconstrained methods, methods without exception handling and other significant patterns.

Automatic static analysis: A static analysis process was applied to the code of the dependability attributes in order to identify problems that are difficult to find by manual inspection.
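An added example of the automated review step described above, written for this article rather than taken from the SDC team's tooling (the article names no tool for this step): a scanner built on Python's standard-library `ast` module that reports bare calls whose return value is discarded, functions containing no exception handling, and a short list of risky calls. The `VOID_CALLS` and `RISKY_CALLS` lists and the `SAMPLE` source it scans are constructed assumptions; both lists are heuristics that a real review would tune to the code base.

```python
"""Automated code-review pass over Python source using the standard-library ast.

Added example for this article; not the SDC team's review tooling. The
VOID_CALLS / RISKY_CALLS lists and SAMPLE are constructed assumptions.
"""
import ast

# Calls whose result is conventionally discarded; not reported.
VOID_CALLS = {"print", "logging.debug", "logging.info", "logging.warning",
              "logging.error", "setattr", "random.seed"}

# Calls reported wherever they appear, however the result is used.
RISKY_CALLS = {"eval", "exec", "os.system", "subprocess.call", "pickle.loads",
               "yaml.load"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain; None for anything else (e.g. f().g)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan(source: str, filename: str = "<source>") -> list:
    """Return sorted (line, finding, name) tuples for the three patterns below."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # 1. A call used as a bare statement: its return value is never checked.
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            name = dotted_name(node.value.func) or "<call>"
            if name not in VOID_CALLS:
                findings.append((node.lineno, "unchecked-return", name))
        # 2. A function or method with no try/except anywhere in its body.
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if not any(isinstance(n, ast.Try) for n in ast.walk(node)):
                findings.append((node.lineno, "no-exception-handling", node.name))
        # 3. Known-dangerous calls, flagged regardless of how they are used.
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, "risky-call", name))
    return sorted(findings)


# Constructed input: one function that ignores every result it gets back and
# shells out, and one that handles its I/O errors.
SAMPLE = '''\
import os, shutil

def save_upload(path, data):
    shutil.copy(path, "/tmp/backup")
    with open(path, "wb") as f:
        f.write(data)
    os.system("chmod 600 " + path)

def load_config(path):
    try:
        return open(path).read()
    except OSError:
        return ""
'''


def review_sample() -> list:
    return scan(SAMPLE, "sample.py")


if __name__ == "__main__":
    for line, kind, name in review_sample():
        print(f"sample.py:{line}: {kind}: {name}")
```

The output is a list of review items, not verdicts: `f.write(data)` discarding its byte count is harmless in most code, but `shutil.copy` ignoring failure and `os.system` with a concatenated path are exactly the lines a dependability review should stop on, and the tool's job is to put them in front of a reviewer.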
Defect management: The primary goal of defect management is to ensure that all identified dependability attribute defects are prioritised, measured and assigned to someone who can repair them within a specified period. The dependability attribute defects were then retested from the regression perspective using new test cases. These tests ensure that the corrective measures have been made properly and that existing functionality remains unbroken.

Testing phase

The dependability attributes were embedded in the ICT portal development during the design and implementation phases. In the testing phase, the testers focused on the following during dependability attribute testing:
• The efficiency and adequacy of system performance during workload testing of the developed ICT portal must meet the requirements.
• A vulnerability assessment with VATs must be conducted to uncover and fix critical vulnerabilities in the developed ICT portal.

The assessment was performed against the six dependability attributes, namely availability, reliability, confidentiality, integrity, safety and maintainability. The assessment tools were Apache JMeter (load and performance testing), OpenVAS (network and web vulnerability scanning) and RATS (static scanning of source code for risky calls). Figure 9 summarises the vulnerability assessment pertaining to the dependability attributes. The results of the vulnerability assessment of the developed ICT portal will be discussed in our future work.

Figure 7: Sequence of the user actor.

Conclusion

Today, software applications are essential in running the machines that help people perform their daily tasks smoothly. Software can be found in most items used in daily life, such as cars, cellphones and kitchen appliances. Through these items people also gain access to financial services, fly around the world, monitor the weather, navigate the oceans and accomplish virtually any task. Given how necessary these items are to 21st Century life, ensuring the reliability of these tools in processing transactions all over the world is important.

This paper presents our ongoing research on the implementation of a guideline for dependability attributes in CBSD. The guideline implementation process is demonstrated by developing an ICT portal that follows our guideline and uses the CBSD approach. The implementation process involves embedding the dependability attributes into the phases of the CBSD process during the ICT portal development. Collaboration with a local company in Malaysia was established as a case study in applying the proposed guideline to ICT portal development. The collaboration allowed for greater exchange between the academic and the industrial partners. Furthermore, the collaboration assisted in initiating new research to study the lack of security in the CBSD process, a problem faced by the industry. Additionally, new research may be transferred from universities to the industry. In this manner both the academic and the industrial participants can benefit from the collaboration, and both can enhance long-term sustainability and innovative outputs.
The implementation process of the guideline is significant in providing key solutions to the problem of the lack of security in the CBSD process. It accomplishes this using a well-defined coding standard, which helps developers ensure that a large number of dependability attribute bugs are avoided while the code is being written. In addition, a set of software testing tools is specified to determine whether the dependability attributes have been attained. As a result, the implementation process of the guideline facilitates and encourages software developers to adopt the CBSD approach in software application development.

Future work involving vulnerability assessment of the developed ICT portal will be carried out. The objective of this follow-up assessment is to examine the dependability attributes of the developed ICT portal and to verify whether the guideline is capable of mitigating the vulnerabilities in the developed ICT portal.

Figure 8: Components with level protection.

Figure 9: VATs pertaining to dependability attributes.

About the authors

Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber are based at the Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Shah Alam, Selangor, Malaysia.

References

1. Kahtan, H; Bakar, NA; Nordin, R. ‘Reviewing the challenges of security features in component based software development models’. In: 2012 IEEE Symposium on E-Learning, E-Management and E-Services (IS3e), 21-24 October 2012, Kuala Lumpur. IEEE.
2. Kahtan, H; Bakar, NA; Nordin, R. ‘Dependability Attributes for Increased Security in Component-Based Software Development’. Journal of Computer Science, 2014, 10(8), pp.1298-1306.
3. Gama, K; Rudametkin, W; Donsez, D. ‘Resilience in dynamic component-based applications’. In: 26th Brazilian Symposium on Software Engineering (SBES), 23-28 September 2012, Natal, Brazil. IEEE.
4. Goertzel, KM. ‘Introduction to Software Security’. Build Security In, Department of Homeland Security, 2009. Accessed October 2014. https://buildsecurityin.us-cert.gov/introduction-software-security.
5. Yi, S; Li, D. ‘The Research of Component-based Dependable Encapsulation’. In: Proceedings of the 13th International Conference on Mathematical Methods in Electrical Engineering and Computer Science, 17-19 November 2011, Angers, France. World Scientific and Engineering Academy and Society (WSEAS).
6. Avizienis, A et al. ‘Basic concepts and taxonomy of dependable and secure computing’. IEEE Transactions on Dependable and Secure Computing, 2004, 1(1), pp.11-33.
7. Redwine, S. ‘Software Assurance: A Curriculum Guide to the Common Body of Knowledge to Produce, Acquire and Sustain Secure Software’. 2007.
8. Kahtan, H et al. ‘Evaluation Dependability Attributes of Web Application using Vulnerability Assessments Tools’. Information Technology Journal, 2014, 13(14), pp.2240-2249.
9. Kahtan, H; Bakar, NA; Nordin, R. ‘Awareness of Embedding Security Features into Component-Based Software Development Model: A Survey’. Journal of Computer Science, 2014, 10(8), pp.1411-1417.
10. Kahtan, H; Bakar, NA; Nordin, R. ‘Embedding Dependability Attributes Into Component-based Software Development Using the Best Practice Method: A Guideline’. Journal of Applied Security Research, 2014, 9(3).

The quantified self: a threat to enterprise security?

Tracey Caldwell, freelance journalist

Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015. The ‘quantified self’ trend has already driven massive uptake of (generally) wrist-worn devices that measure heart rate and activity and link to health and fitness apps, which in turn link to entire communities of people comparing and contrasting their fitness.

Deloitte predicted that the market for wearables would reach 10 million units in 2014 and generate $3bn in revenues. It is widely forecast that this sector is likely to grow much bigger and will have an impact beyond the quantified self that has the potential to threaten enterprise security.

Security firm MobileIron believes the smart watch will be the first wearable device to make headway in the enterprise. Ojas Rege, VP of strategy, says: “We think it’s a form factor that consumers are comfortable with, and bringing new capabilities will open a range of innovation.”

Rege expects to see strong early adoption among industries where individuals are working with their hands and in use cases where what he calls ‘snack-sized’ data would allow workers to do their jobs more efficiently. “Healthcare and field services are perfect examples,” he says. “It’s easy to imagine a scenario where a voice-activated device gives surgeons data while they are operating or a smart watch that a patient wears to monitor vital activities. This will fundamentally shift how healthcare can monitor a patient’s vitals and through these remote up-to-date statistics provide prompt care. Other examples are a wrist wrap that provides an electronic instruction manual to a field service worker or battlefield logistics to a soldier.”

Wearables that in turn transmit data to other devices, such as other wearables or mobile phones, not only provide another vulnerability for CISOs to worry about but also transmit particularly sensitive personal data. Catalin Cosoi, chief security strategist at Bitdefender, says: “In my opinion, the information collected by the wearable device is more sensitive than the user’s name and relationship status. Let’s not forget that most of these gadgets collect health and biorhythm-related information, they can assess health, show any traces of the onset of illness and so on.”

Apple Watch

The announcement of the Apple Watch in September 2014 represented a shift from wearables being all about health and fitness to having wider capabilities, from sending and receiving emails to enabling NFC payments. The security industry was quick to point out the possible flaws. Tim Erlin, director of IT risk and security strategy at Tripwire, says: “Near field communication, or NFC, isn’t as well tested from a security perspective as the more common wireless technologies. If the Apple Watch takes off in the market, it will quickly become an interesting target for attackers. We may see the rise of the modern-day pickpocket.”

There are real risks for enterprise systems of data loss and privacy breaches from quantified self apps and wearable devices, which sit uneasily with the trend for increased collection and sharing of very personal information.
Paul Steiner, EMEA MD at enterprise solutions provider Accellion, points out: “It is only a matter of time until wearable technology takes centre stage in the workplace and there’s no doubt that devices such as the Google Glass have the power to significantly change the way we work. However, it won’t be plain sailing for organisations with employees who use these devices, and as adoption increases and the number of Internet-connected devices increases, so will the associated security risks.”

BYOD to WYOD

Steiner adds: “Put simply, if IT departments thought they had a struggle on their hands in getting to grips with BYOD [Bring Your Own Device], they haven’t seen anything yet. Wearable technology will almost certainly give them an even bigger headache, as new wearable devices will multiply the number of devices accessing a network. If you don’t have a WYOD (wear your own device) policy in place, you’ll need to take steps now to safeguard your data in order to minimise security risks.”

Jon Howes, technology director at Beecham Research, which specialises in analysing and researching the worldwide technology challenges of the M2M and Internet of Things markets, believes the potential for introducing vulnerabilities is increasing significantly beyond traditional BYOD risks.

“One increasing area of risk is in understanding how such devices can be integrated securely into security mechanisms and procedures,” he says. “That is threatened by the typical enterprise security team’s lack of familiarity with these new access and input devices, and more so the lack of transparency and clarity by suppliers on the capabilities and protections within these quantified self and wearable products.”

Howes adds: “Increasing potential for risk comes from the way these quantified self devices are considered both personal and required to be easy to access with minimal to zero authentication of the user. When integrated into an enterprise system, those features could be highly prejudicial to security. But even when quantified self and wearable capabilities are not integrated with the enterprise or its data, their nature brings new security issues. The new devices can be used for insecure storage of enterprise system access and user authentication information, for example.”

Multiple vulnerabilities

Many enterprises are only just getting to grips with security around mobile phone and tablet apps. Wearable devices measuring user data add a whole new layer of security concern. “In the case of quantified self apps, M2M and wearable tech, the device network is widely distributed with low-cost data collection and communication systems. Consequently, security measures are likely to be both minimal and inexpensive, and as a result any security breach would go unnoticed for a long time,” says Troy Fulton, global marketing and product leader at Tangoe.

Fulton points out that quantified self apps and devices can pose a security threat to enterprise data and systems for a number of parties: the device manufacturer, the application vendor, the carrier (cellular and broadband) and the end user’s employer, if the app or device is communicating with and storing data locally on a work PC, or on a tablet or smartphone used for work that lacks enterprise mobility management policy monitoring and enforcement.

Often, he says, there can be a failure of communication between device manufacturers, app developers and cloud service providers about who is responsible for data security. This can lead to risks when data is not encrypted in transit. “There is a wider danger to the quantifiable self device manufacturer and/or application developers if a large number of devices and apps are compromised,” says Fulton.

Self-quantification devices could also extend the personal information available to criminals to include health and movement information that could be used for blackmail, scams and targeted spear-phishing emails. David Calder, security managing director at IT consultancy and services provider ECS, says: “Apply this to the enterprise and the risks to employees and the business as a whole are considerable. Consider the scenario where health information on high-profile corporate leaders is available to criminal organisations. For example, early access to Steve Jobs’ health state could have allowed an external party to benefit by shorting Apple shares in advance of such information being released to the market as a whole.”

Location

Another risk is posed by wearables transmitting location information, as movement between locations is key to quantified self apps. Wearable activity-tracking devices can be tracked or located through their wireless protocol transmissions. Enterprises may be concerned for the safety of employees whose whereabouts may be tracked, and also for sensitive commercial information, such as which potential clients employees are visiting.

Symantec has found security risks in a large number of self-tracking devices and applications, and found that all of the wearable activity-tracking devices it examined, including those from leading brands, are vulnerable to location tracking. Symantec points out that wearable devices are not designed for location tracking, but the data collected by these devices is generally synced to another device or computer, usually via Bluetooth Low Energy. Symantec built some cheap and cheerful portable Bluetooth scanning devices using Raspberry Pi miniature computers and off-the-shelf components, which included a Bluetooth 4.0 adaptor, a battery pack and an SD card. It took the scanners to various busy public locations in Ireland and Switzerland, where they scanned the airwaves for signals broadcast from devices. It found that all the devices encountered could be easily tracked using the unique hardware address that they transmit. The Bluetooth Low Energy specification provides rotating resolvable private addresses precisely so that an advertiser cannot be followed in this way; a device that advertises a fixed public or static address, or that broadcasts a fixed name or serial number alongside a rotating address, can be followed from place to place regardless.
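What such a scanner actually sees, as an added example (not Symantec's code and not tied to any particular device): a parser for the HCI LE Advertising Report event that a Bluetooth 4.0 adaptor delivers to the host for every advertisement it hears. It extracts the advertiser's address and local name and classifies the address as public, random static, resolvable private or non-resolvable private from the HCI address type and the top two bits of the address, which is what decides whether a device can be followed from place to place. The three sample reports are constructed with the `build_report()` helper; the addresses and device names in them are invented.

```python
"""Parse HCI LE Advertising Report events and classify advertiser addresses.

Added example for this article; not Symantec's scanner code. The packets in
SAMPLE_PACKETS are constructed: the addresses and device names are invented.
Layout follows the Bluetooth Core specification (HCI LE Meta Event 0x3E,
sub-event 0x02; link-layer random address sub-types by the two top bits).
"""
import struct

HCI_EVENT_PKT = 0x04            # H4 packet indicator for an HCI event
EVT_LE_META = 0x3E
SUBEVT_LE_ADVERTISING_REPORT = 0x02
AD_FLAGS, AD_SHORT_NAME, AD_COMPLETE_NAME = 0x01, 0x08, 0x09


def classify_address(addr_type: int, msb: int) -> str:
    """Address kind from the HCI address type and the address's most
    significant byte. Public and random-static addresses never change, so a
    scanner can follow them; private addresses rotate."""
    if addr_type in (0x00, 0x02):          # public / public identity
        return "public"
    top = msb >> 6                          # two most significant bits
    return {0b11: "random-static",
            0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")


def parse_ad_structures(data: bytes) -> dict:
    """Split AdvData into {ad_type: payload}; each element is [len][type][payload]."""
    out, i = {}, 0
    while i < len(data):
        length = data[i]
        if length == 0 or i + 1 + length > len(data):
            break                          # malformed tail: stop, don't over-read
        out[data[i + 1]] = data[i + 2:i + 1 + length]
        i += 1 + length
    return out


def parse_le_advertising_reports(packet: bytes) -> list:
    """Return one dict per report in an LE Advertising Report event."""
    if (len(packet) < 5 or packet[0] != HCI_EVENT_PKT or packet[1] != EVT_LE_META
            or packet[3] != SUBEVT_LE_ADVERTISING_REPORT):
        raise ValueError("not an LE Advertising Report event")
    if len(packet) != 3 + packet[2]:
        raise ValueError("parameter length mismatch")
    reports, pos = [], 5
    for _ in range(packet[4]):             # Num_Reports
        event_type, addr_type = packet[pos], packet[pos + 1]
        raw_addr = packet[pos + 2:pos + 8]  # over the air: least significant byte first
        data_len = packet[pos + 8]
        data = packet[pos + 9:pos + 9 + data_len]
        rssi = struct.unpack_from("b", packet, pos + 9 + data_len)[0]
        pos += 10 + data_len
        ads = parse_ad_structures(data)
        name = ads.get(AD_COMPLETE_NAME, ads.get(AD_SHORT_NAME, b""))
        kind = classify_address(addr_type, raw_addr[5])
        reports.append({
            "address": ":".join(f"{b:02X}" for b in reversed(raw_addr)),
            "kind": kind,
            "trackable": kind in ("public", "random-static"),
            "name": name.decode("utf-8", "replace"),
            "rssi": rssi,
            "event_type": event_type,
        })
    return reports


def build_report(address: str, addr_type: int, name: str, rssi: int = -60) -> bytes:
    """Construct a single-report event the way an adapter would deliver it."""
    raw_addr = bytes(int(x, 16) for x in reversed(address.split(":")))
    name_b = name.encode("utf-8")
    adv_data = bytes([2, AD_FLAGS, 0x06]) + bytes([len(name_b) + 1, AD_COMPLETE_NAME]) + name_b
    body = (bytes([SUBEVT_LE_ADVERTISING_REPORT, 1, 0x00, addr_type]) + raw_addr
            + bytes([len(adv_data)]) + adv_data + struct.pack("b", rssi))
    return bytes([HCI_EVENT_PKT, EVT_LE_META, len(body)]) + body


# Constructed captures: a fixed public address, a fixed random-static address
# (top bits 11) and a rotating resolvable private address (top bits 01).
SAMPLE_PACKETS = [
    build_report("00:1A:7D:DA:71:13", 0x00, "FitBand-4A2C"),
    build_report("C4:3F:2B:9E:01:77", 0x01, "StepTracker"),
    build_report("5E:8C:10:A3:42:F9", 0x01, ""),
]


def summarise(packets) -> list:
    return [r for p in packets for r in parse_le_advertising_reports(p)]


if __name__ == "__main__":
    for r in summarise(SAMPLE_PACKETS):
        flag = "TRACKABLE" if r["trackable"] else "rotates"
        print(f'{r["address"]}  {r["kind"]:24} {flag:10} {r["name"]!r}  rssi={r["rssi"]}')
```

The `trackable` flag is decided by the address alone. A device using a resolvable private address is still identifiable if it keeps broadcasting a fixed local name or serial, which is why the parser also returns the name: a real assessment should treat a non-empty fixed name on a rotating address as a tracking identifier too.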
It also revealed that some devices, depending on configuration, may allow for remote querying, through which information such as the serial number or a combination of characteristics of the device can be discovered by a third party from a short distance away without making any physical contact with the device.

Andrew Tang, service director of security at MTI, comments that quantified self data may be synchronised with cloud storage, potentially via an enterprise wireless connection, with privacy repercussions for the enterprise. “If the wireless connection is not secured sufficiently, then sensitive personal information could be lost,” he says. “Organisations that use Internet gateway or web proxy solutions could be gathering the personal information of their employees, so there may be a need to not record this session information, or create a policy highlighting to the employee that their personal information will be recorded.”

Encryption lacking

Many quantified self apps are cloud-based and collect a wide range of personal information. However, Symantec has blogged that an unacceptably large proportion of these apps and services do not handle sensitive user data securely. It found that 20% of apps transmitted user credentials in clear text. Many quantified self apps and services have a cloud-based component where users upload and store password-protected data collected from their apps and services that includes personal information such as date of birth, relationship status, addresses and photos. The problem, Symantec observed, is that “many of them transmit user-generated data, including login credentials, through an unsecure medium such as the Internet without any attempt to protect it (eg, by encrypting it). Users often reuse the same passwords at home and at work and use personal email addresses to transmit corporate information”.
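Both of Symantec's traffic findings above, credentials sent in clear text and apps contacting a large number of Internet domains, are things an enterprise can measure for itself from a web proxy or packet capture before deciding which apps to tolerate on corporate devices. The Python triage below is an added example, not code from the article or from Symantec: it runs over constructed request summaries (app name, URL, form body) and reports credential-like fields sent over plain HTTP plus any app that fans out to 10 or more hosts, the figure the article cites. It also goes one step beyond the text by flagging credentials placed in a URL query string even over HTTPS, since such URLs end up in proxy and server logs. The field names, threshold, hostnames and function names are assumptions of this example.

```python
"""Triage of app network traffic for cleartext credentials and domain fan-out.

Added example, not from the article or Symantec. Each record is a constructed
summary of one request as a proxy log or packet capture would show it:
the app that sent it, the full URL, and any form body.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "token", "api_key", "secret"}
FANOUT_THRESHOLD = 10   # the article cites apps contacting 10 or more domains


def credential_fields(url: str, body: str) -> list:
    """Credential-like field names present in the query string or form body."""
    present = set(parse_qs(urlsplit(url).query)) | set(parse_qs(body or ""))
    return sorted(f for f in present if f.lower() in CREDENTIAL_FIELDS)


def domain_counts(records) -> dict:
    """Number of distinct hosts each app talked to."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[rec["app"]].add(urlsplit(rec["url"]).hostname)
    return {app: len(h) for app, h in hosts.items()}


def triage(records, fanout_threshold=FANOUT_THRESHOLD) -> list:
    """Return (app, finding, detail) tuples. 'cleartext-credentials' is the
    article's case (credentials over plain HTTP); 'credentials-in-url' goes
    a step further and flags credentials in a query string even over HTTPS."""
    findings = []
    for rec in records:
        app, url = rec["app"], rec["url"]
        parts = urlsplit(url)
        fields = credential_fields(url, rec.get("body", ""))
        if not fields:
            continue
        if parts.scheme != "https":
            findings.append((app, "cleartext-credentials", f"{parts.hostname} fields={fields}"))
        elif set(fields) & set(parse_qs(parts.query)):
            findings.append((app, "credentials-in-url", f"{parts.hostname} fields={fields}"))
    for app, n in domain_counts(records).items():
        if n >= fanout_threshold:
            findings.append((app, "domain-fanout", f"{n} distinct hosts"))
    return findings


# Constructed traffic; hosts under .test are reserved and resolve nowhere.
SAMPLE_RECORDS = [
    {"app": "StepCounter", "url": "http://api.stepcounter.test/login",
     "body": "user=alice&password=hunter2"},
    {"app": "SleepLog", "url": "https://sync.sleeplog.test/login",
     "body": "user=alice&password=hunter2"},
    {"app": "SleepLog", "url": "https://sync.sleeplog.test/v1/export?token=abc123"},
] + [
    {"app": "RunMate", "url": f"https://sdk{i}.runmate-ads.test/ping"} for i in range(11)
]

if __name__ == "__main__":
    for app, finding, detail in triage(SAMPLE_RECORDS):
        print(f"{app:12} {finding:22} {detail}")
```

On the constructed data StepCounter is reported for cleartext credentials, SleepLog's login over HTTPS passes but its token-in-URL export is flagged, and RunMate trips the fan-out threshold with 11 hosts. The same field-name matching is deliberately simple; in practice the list is tuned per app family, and a high fan-out count is a prompt to review which third parties receive data rather than a verdict by itself.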
Symantec also highlighted the issue of unintentional data leakage as apps contact multiple Internet domains, for example to carry out analytics. On average Symantec found that the apps contacted five different Internet domains. A significant number of apps contacted 10 or more different domains for various purposes, creating countless scenarios where personal data could be leaked unintentionally, such as through human error, social engineering or careless handling of data.

Weak session management during data sharing can be exploited by cyber-criminals to hijack sessions and masquerade as other users, and Symantec’s researchers encountered some sites that did not handle user sessions correctly: “In one example it was possible to browse personal data belonging to other users of the site. In another instance, it was possible for an attacker to upload SQL statements, such as commands to create tables in the database, to the server for execution.”

The law

Regulators across the globe have been weighing in on the issue of mobile app security but have yet to turn their attention to wearables. Philip James, partner and Technology and Data Privacy practice lead at Sheridans, a UK media technology law firm, explains: “One of the leading regulators in the field of mobile apps and privacy is the US Federal Trade Commission (FTC). The FTC has been very active recently in issuing guidance on privacy in the context of mobile apps and has also held a specific event on Consumer Generated and Controlled Health Data in relation to the use of mobile apps.1,2

“In addition, the US Food and Drug Administration (FDA) issued a non-binding guidance document in relation to the use of mobile medical apps.3 Regulators in Canada and Europe have issued or are shortly due to issue similar guidance.
What is clear, however, is that the primary focus has been on protecting consumer rights and privacy when data is collected via medical apps. Little or no consideration has been given to the threats and risks posed to enterprise data and systems security by quantified self apps and wearable tech.”

Taking action

Organisations wondering how best to assess and address the risk from quantified self apps and wearable devices might draw a useful analogy with their handling of social media in the enterprise. Calder at ECS says: “Those organisations who simply banned its use didn’t gain from the massive benefits that such technology may bring. A better approach may be to learn about the technologies, consider them and support or sponsor employee use with clear education and awareness. This will allow employees to benefit from the positive aspects of such devices without exposing the organisation to unnecessary risk.”

The data collected by quantified self devices could be used to strengthen security, according to Trey Ford, global security strategist at Rapid7. “Quantified self applications are all about gathering specific data points about how users live life,” he says. “As a security professional, I find myself asking why companies or application owners aren’t observing behavioural patterns and location data to make sure the human owner of an account is the only one using that account.”

He adds: “At a minimum, organisations need to be deploying technology in their environment that allows them to see what personal cloud services employees are using from the corporate network. They need to subscribe to breach data that will enable them to see if any of their employees have been subject to a breach and whether they are using any of the same login names for enterprise use.”

Main threats

Rege at MobileIron identifies three main threats from the quantified self trend around big data, privacy and spyware.
“If the enterprise is collecting data through wearables, the sheer amount of data generated by an employee can increase dramatically – this becomes a ‘big data’ challenge for analytics and security,” he says. “The enterprise needs to evaluate where the data is being stored and how it is protected from unauthorised access from other applications on the device. The information should be securely transmitted regularly to back-end enterprise systems to ensure there isn’t a new, rapidly expanding ‘honeypot’ of confidential information on the device.”

Even if the enterprise is not collecting data through wearables, the employee most certainly is through personal apps, even on corporate devices, so protecting the privacy of that data is critical, says Rege. “This means that the enterprise should never back up or store personal data and, when wiping a device, should wipe only the enterprise data automatically.”

While most quantified self apps are legitimate apps targeted at helping consumers live their lives, Rege highlights the threat from spyware apps focused on collecting information about an employee’s behaviour for corporate espionage, adware or advertising data collection. Rege believes employee education must be at the core of a security programme.

Enterprises can also leverage an app reputation or app risk management service plugin to their enterprise mobile device management deployment. This can allow the enterprise to identify risky apps, such as those with location tracking, and trigger a quarantine of the device. This can be a simple alert to the user, blocking their access to the enterprise network until they remove the app, or removing the enterprise data from the mobile device through a selective wipe, to mitigate a data breach.

“The path to security is a structured, layered security programme, not fear,” says Rege. “Each organisation should follow a layered security strategy for mobile.
The enterprise apps on the device do not share data with personal apps. When the enterprise apps communicate to the server, those connections are secured by per-app VPN and identity is enforced through the use of certificates. This

Continued on page 20...

Four steps to prepare for wearables

MobileIron recommends that enterprises think of each future employee as a walking datacentre, with a phone, tablet and several networked wearable devices. The four steps to wearable preparedness are:

• Set the expectation that enterprises will face the question of whether to support some type of wearable devices in the future.
• Monitor the consumer market and employee preferences, so you know which devices matter most to your end users.
• Establish a layered security model that is based on user experience, trust and data accessibility. It should apply to wearable devices as well as smartphones and tablets.
• Establish a mobile management architecture that gives enterprises a centralised way to set policies and access for all these form factors.
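Rege's description of a layered response to risky apps (alert the user, block enterprise network access until the app is removed, and finally a selective wipe that touches only enterprise data) maps onto a small escalation policy. The Python below is an added example, not MobileIron's product logic or any code from the article: it holds a per-device record of when each risky app was first flagged and escalates the action as that app stays installed, returning the device to compliant once the app is gone. The permission names, their risk labels and the three- and seven-day grace periods are assumptions of this example.

```python
"""Layered response to risky apps on managed devices.

Added example, not MobileIron's product logic. It models the escalation the
article describes (alert, then block enterprise network access, then a
selective wipe of enterprise data only). Permission names and grace periods
are assumed; timestamps are epoch seconds.
"""
from dataclasses import dataclass, field

# Permission names and their risk labels are assumed for this example.
RISKY_PERMISSIONS = {
    "background_location": "location tracking",
    "contacts_export": "contact harvesting",
    "accessibility_service": "keystroke/screen capture",
}
DAY_S = 86400
ALERT_GRACE_S = 3 * DAY_S   # after this, block enterprise network access
BLOCK_GRACE_S = 7 * DAY_S   # after this, selectively wipe enterprise data


@dataclass
class Device:
    device_id: str
    apps: dict                                        # app name -> set of permissions
    first_flagged: dict = field(default_factory=dict) # app name -> epoch seconds


def risky_apps(device: Device) -> dict:
    """App name -> list of risk labels, for apps holding a risky permission."""
    out = {}
    for app, perms in device.apps.items():
        labels = [RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS]
        if labels:
            out[app] = labels
    return out


def decide(device: Device, now_s: float) -> tuple:
    """Return (action, risky). The action escalates with how long the oldest
    flagged app has remained installed. Personal data is never touched: the
    strongest action removes only enterprise data, as the article advises."""
    risky = risky_apps(device)
    # Forget apps that were removed, so a cleaned device returns to compliant.
    for app in list(device.first_flagged):
        if app not in risky:
            del device.first_flagged[app]
    if not risky:
        return "compliant", {}
    for app in risky:
        device.first_flagged.setdefault(app, now_s)
    age_s = now_s - min(device.first_flagged[app] for app in risky)
    if age_s >= BLOCK_GRACE_S:
        return "selective_wipe_enterprise_data", risky
    if age_s >= ALERT_GRACE_S:
        return "block_enterprise_network", risky
    return "alert_user", risky


if __name__ == "__main__":
    # Constructed inventory: a mail client and a fitness app with background location.
    dev = Device("dev-001", {"Mail": {"network"}, "FitTrack": {"network", "background_location"}})
    t0 = 1_414_800_000  # arbitrary epoch timestamp for the first check
    for day in (0, 3, 7):
        print(f"day {day}:", decide(dev, t0 + day * DAY_S))
    dev.apps.pop("FitTrack")
    print("after removal:", decide(dev, t0 + 8 * DAY_S))
```

The point of keeping the first-flagged timestamp on the device record, rather than recomputing from scratch on each check, is that escalation is driven by how long the user has ignored the alert, which is what makes the "structured, layered programme" Rege describes different from an immediate wipe. Re-installing the same app later starts the clock again, which is the intended behaviour here.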