Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues

ISO/IEC 27033-3:2010 describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. Where relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents. The information in ISO/IEC 27033-3:2010 is for use when reviewing technical security architecture/design options and when selecting and documenting the preferred technical security architecture/design and related security controls, in accordance with ISO/IEC 27033-2. The particular information selected (together with information selected from ISO/IEC 27033-4 to ISO/IEC 27033-6) will depend on the characteristics of the network environment under review, i.e. the particular network scenario(s) and ‘technology' topic(s) concerned. Overall, ISO/IEC 27033-3:2010 will aid considerably the comprehensive definition and implementation of security for any organization's network environment.

Technologies de l'information — Techniques de sécurité - Sécurité de réseau — Partie 3: Scénarios de réseautage de référence — Menaces, techniques conceptuelles et questions de contrôle

General Information

Status: Published
Publication Date: 02-Dec-2010
Current Stage: 9060 - Close of review
Completion Date: 04-Jun-2029
Ref Project: Standard ISO/IEC 27033-3:2010 - Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues (Released: 12/3/2010)
Language: English
Pages: 30

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 27033-3
First edition 2010-12-15
Information technology — Security techniques — Network security —
Part 3: Reference networking scenarios — Threats, design techniques and control issues

Reference number
©
ISO/IEC 2010

©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved

Contents (page)
Foreword  iv
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Abbreviated terms  2
5 Structure  3
6 Overview  4
7 Internet access services for employees  6
7.1 Background  6
7.2 Security threats  7
7.3 Security design techniques and controls  7
8 Business to business services  9
8.1 Background  9
8.2 Security threats  9
8.3 Security design techniques and controls  10
9 Business to customer services  11
9.1 Background  11
9.2 Security threats  11
9.3 Security design techniques and controls  12
10 Enhanced collaboration services  13
10.1 Background  13
10.2 Security threats  14
10.3 Security design techniques and controls  14
11 Network segmentation  15
11.1 Background  15
11.2 Security threats  15
11.3 Security design techniques and controls  15
12 Networking support for home and small business offices  16
12.1 Background  16
12.2 Security threats  16
12.3 Security design techniques and controls  17
13 Mobile communication  18
13.1 Background  18
13.2 Security threats  18
13.3 Security design techniques and controls  19
14 Networking support for travelling users  20
14.1 Background  20
14.2 Security threats  20
14.3 Security design techniques and controls  20
15 Outsourced services  21
15.1 Background  21
15.2 Security threats  21
15.3 Security design techniques and controls  22
Annex A (informative) An Example Internet Use Policy  23
Annex B (informative) Catalogue of Threats  27

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27033-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
⎯ Part 1: Overview and concepts
⎯ Part 2: Guidelines for the design and implementation of network security
⎯ Part 3: Reference network scenarios — Threats, design techniques and control issues
The following parts are under preparation:
⎯ Part 4: Securing communications between networks using security gateways — Threats, design
techniques and control issues
⎯ Part 5: Securing virtual private networks — Threats, design techniques and control issues
There may be future parts to cover topics such as local area networks, wide area networks, wireless and radio
networks, broadband networks, voice networks, Internet Protocol (IP) convergence (data, voice, video)
networks, web host architectures, Internet email architectures (including outgoing online access to the Internet,
and incoming access from the Internet), and routed access to third party organizations.


INTERNATIONAL STANDARD ISO/IEC 27033-3:2010(E)

Information technology — Security techniques — Network
security —
Part 3:
Reference networking scenarios — Threats, design techniques
and control issues
1 Scope
This part of ISO/IEC 27033 describes the threats, design techniques and control issues associated with
reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the
security design techniques and controls required to mitigate the associated risks. Where relevant, it includes
references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents.
The information in this part of ISO/IEC 27033 is for use when reviewing technical security architecture/design
options and when selecting and documenting the preferred technical security architecture/design and related
security controls, in accordance with ISO/IEC 27033-2. The particular information selected (together with
information selected from ISO/IEC 27033-4 to ISO/IEC 27033-6) will depend on the characteristics of the
network environment under review, i.e. the particular network scenario(s) and ‘technology’ topic(s) concerned.
Overall, this part of ISO/IEC 27033 will aid considerably the comprehensive definition and implementation of
security for any organization's network environment.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview and
concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27033-1 and
the following apply.
3.1
malware
malicious software
category of software that is designed with a malicious intent, containing features or capabilities that could
potentially cause harm directly or indirectly to the user and/or the user's computer system
NOTE See ISO/IEC 27032.

3.2
opacity
protection of information that might be derived by observing network activities, such as deriving addresses of
end-points in a voice-over-Internet-Protocol call
NOTE Opacity recognizes the need to protect actions in addition to information.
3.3
outsourcing
acquisition of services by an acquirer to perform activities required to support the acquirer's business
functions
3.4
social engineering
act of manipulating people into performing actions or divulging confidential information
4 Abbreviated terms
AAA  Authentication, Authorization and Accounting
DHCP  Dynamic Host Configuration Protocol
DNS  Domain Name System
DNSSEC  DNS Security Extensions
DoS  Denial of Service
FTP  File Transfer Protocol
IDS  Intrusion Detection System
IP  Internet Protocol
IPsec  IP Security Protocol
OAM&P  Operations, Administration, Maintenance & Provisioning
OSI  Open Systems Interconnection
PDA  Personal Digital Assistant
PSTN  Public Switched Telephone Network
QoS  Quality of Service
SIP  Session Initiation Protocol
SMTP  Simple Mail Transfer Protocol
SNMP  Simple Network Management Protocol
SSL  Secure Sockets Layer (encryption and authentication protocol)
VoIP  Voice over Internet Protocol
VPN  Virtual Private Network

5 Structure
The structure of this part of ISO/IEC 27033 comprises:
• an overview of the approach to addressing security for each reference scenario listed in this part of
ISO/IEC 27033 (clause 6);
• a clause for each reference scenario (clauses 7 to 15), which describes
o the threats for the reference scenario,
o the security controls and techniques, presented according to the approach in clause 6.
The scenarios in this document are ordered according to the following framework, where the objective is to
evaluate a given scenario as a function of:
• the type of user access: whether the user is inside the enterprise, an employee accessing enterprise
resources from outside, or a consumer, vendor or business partner; and
• the type of information resources accessed: open, restricted or outsourced resources.
Thus the framework provides a consistent structure, makes the addition of new scenarios manageable, and
justifies the need for the various scenarios presented in this part of ISO/IEC 27033.
Table 1 ― Framework for Ordering Network Scenarios
(rows: accessed information resources; columns: users, i.e. inside, employees from outside, outside)

Open resources
• Inside: Internet access services for employees
• Employees from outside: (no scenario)
• Outside: Business to customer services; Business to business services

Restricted resources
• Inside: Enhanced collaboration services; Business to business services; Network segmentation;
Networking support for home and small business offices
• Employees from outside: Mobile communication; Networking support for travelling users
• Outside: Enhanced collaboration services; Business to business services; Business to customer services

Outsourced resources
• Inside: Outsourced services
• Employees from outside: (no scenario)
• Outside: Outsourced services

Thus, the order in which the scenarios are listed in this part of ISO/IEC 27033 is as follows:
• Internet access services for employees (clause 7);
• Business to business services (clause 8);
• Business to customer services (clause 9);
• Enhanced collaboration services (clause 10);
• Network segmentation (clause 11);
• Networking support for home and small business offices (clause 12);
• Mobile communication (clause 13);
• Networking support for travelling users (clause 14);
• Outsourced services (clause 15).
6 Overview
The guidance presented in this part of ISO/IEC 27033 for each of the identified reference network scenarios is
based on the following approach.
• Review the background information and scope of the scenario.
• Describe the threats relevant to the scenario.
• Perform risk analysis on discovered vulnerabilities.
• Analyse the business impact of addressing the vulnerabilities.
• Determine the implementation recommendations for securing the network.
In order to address the security of any network, an approach that is systematic and provides an end-to-end
evaluation is desirable. The complexity of such an analysis is a function of the nature and size of the network
in scope. However, a consistent methodology is important to managing security, especially due to the evolving
nature of technology.
The first consideration in a security assessment is the determination of the assets that require protection.
These can be broadly categorized as infrastructure, service or application assets. An enterprise can choose to
define its own categories, but the distinction is important because the exposure to threats and attacks is
unique to each asset category or type. For instance, if a router is categorized as an infrastructure asset and
Voice over IP as an end-user service, then a Denial of Service (DoS) attack requires a different consideration
in each case. Specifically, the router requires protection against a flood of bogus packets on its physical port
that can prevent or impede the transmission of legitimate traffic, whereas the VoIP service requires protection
of the subscriber's account/service information from deletion or corruption so that a legitimate user is not
prevented from accessing the service.
Network security also entails protection of the various activities supported on the network, such as
management activities, control/signalling messages, and end-user data (at rest and in transit). For example,
a management GUI can be subject to disclosure as a result of unauthorized access (an easy to guess
administrator ID and password). The management traffic itself is subject to corruption by forged OAM&P
commands sent with spoofed IP addresses of the operations systems, to disclosure by sniffing, or to
interruption by a packet flood attack.
The approach of identifying assets and activities enables a modular and systematic consideration of threats.
Each reference network scenario is examined against a known set of threats to ascertain which threats are
applicable. Annex B provides a list of known industry threats. Although the list should not be viewed as
exhaustive, it provides a starting point for any analysis. Once the threat profile for the network is derived, the
vulnerabilities are analyzed to determine how the threats may be realized in the context of the specific asset
under consideration. Such an analysis will help determine what mitigations are missing and what
countermeasures need to be deployed to achieve the protection objectives. A countermeasure reduces the
likelihood of the threat succeeding and/or reduces its impact. Risk analysis then assesses the risk represented
by the discovered vulnerabilities, and business impact analysis consists of arriving at a business decision
regarding how to address each vulnerability: remediate, accept the risk, or transfer the risk.
Designing countermeasures and implementing controls for protecting vulnerabilities against threats is part of
any security assessment methodology. In accordance with the ISO/IEC 27000 series standard, the selection
and implementation of relevant controls is critical to asset/information protection. The standard requires the
preservation of confidentiality, integrity and availability of information, and specifically states that in addition,
other properties such as authenticity, non-repudiation and reliability can also be involved.
The following is a set of security properties that is used in this part of ISO/IEC 27033 to develop mitigations
and countermeasures in an objective manner. The rationalization for the need for each security property (in
addition to confidentiality, integrity and availability) is described below.
• Confidentiality is concerned with protecting data from unauthorized disclosure.
• Integrity is concerned with maintaining the correctness or accuracy of data and protecting against
unauthorized modification, deletion, creation, and replication.
• Availability is concerned with ensuring that there is no denial of authorized access to network elements,
stored information, information flows, services, and applications.
• Access Control provides, through the use of authentication and authorization, the means to enforce access
to network devices and services, and ensures that only authorized personnel or devices are allowed access
to network elements, stored information, information flows, services and applications. For example, in an
IPTV deployment one of the known security recommendations, disabling the debugging interface on
subscriber set top boxes, is derived from a consideration of the access control property; a review of
confidentiality, integrity or availability alone would not produce that recommendation.
• Authentication is concerned with confirming or substantiating the claimed identity of a user or
communicating parties when used by access control for authorization, and provides assurance that an
entity is not attempting a masquerade or unauthorized replay of a previous communication. For instance,
an individual may gain access to a network management system, but will need to be authenticated in
order to update subscriber service records. Thus the ability to perform network management activities
cannot be assured by simply addressing confidentiality, integrity, availability, or access control.
NOTE In Role-Based Access Control, authorization takes place by virtue of the user being assigned to a role.
Access control then verifies the user has the role prior to granting access. Similarly, access control lists grant access to
anything that satisfies the policy, so if you satisfy the policy requirements you are authorized access. The authentication
and authorization functions are null in this case.
• Communication or Transport Security is concerned with ensuring that information only flows between
authorized end-points without being diverted or intercepted.
• Non-repudiation is concerned with maintaining an audit trail, so that the origin of data or the cause of an
event or action cannot be denied. Identifying the authorized person who performed an unauthorized action
on protected data is not a matter of the data's confidentiality, integrity or availability.
• Opacity is concerned with protecting information that might be derived from the observation of network
activities. Opacity recognizes the need to protect actions in addition to information. Protecting information
is addressed by confidentiality. Protecting the conversation in a phone call between Person A and
Person B protects their confidentiality. Protecting the fact that Person A and Person B had a phone call
ensures opacity.
In all the scenarios described in this part of ISO/IEC 27033, the above-stated security properties are reviewed
as part of the security design technique and control phase. Table 2 below shows examples of network security
mechanisms that can be implemented for security properties that are selected for mitigating the potential risk.

Table 2 ― Example Network Security Techniques
(security consideration: security mechanisms / techniques)
• Access Control: Physical badge system, Access Control Lists (ACL), Separation of duties
• Authentication: Simple log-in/password, Digital certificates, Digital signatures, TLSv1.2, SSO, CHAP
• Availability: Redundancy & back-up, Firewalls, IDS/IPS (for blocking DoS), Business continuity, Managed
network & services with SLAs
• Communication Security: IPsec / L2TP, Private lines, Separate networks
• Confidentiality: Encryption (3DES, AES), Access control lists, File permissions
• Integrity: IPsec HMACs (e.g. SHA-256), Cyclic redundancy checks, Anti-virus software
• Non-repudiation: Logs, Role based access control, Digital signatures
• Opacity: Encryption of IP headers (for example: VPN with IPsec tunnel mode), NAT (for IPv4)
In this part of ISO/IEC 27033, the above considerations are inherent in the design and implementation
discussed in the context of each reference network scenarios. Typically, an organization will select the
relevant ISO/IEC 27002 controls to meet their business objectives, and the guidelines in this part of
ISO/IEC 27033 are intended to provide the network level considerations required for the implementation of the
chosen controls.
7 Internet access services for employees
7.1 Background
Organizations that need to provide Internet access services for their employees should consider this scenario
so as to ensure access for clearly identified and authorized purposes, not general open access. Organizations
need to be concerned about managing that access to avoid loss of network bandwidth and responsiveness as
well as exposure to legal liability when employees have uncontrolled access to Internet services.
Controlling employee access to the Internet is a growing concern given the growing body of Internet case law.
An organization is therefore responsible for establishing, monitoring and enforcing an unambiguous Internet
Use Policy, evaluating the following points and making the relevant statements in the policy:
• Internet access is allowed for business reasons;
• if Internet access is also allowed in (limited) form for private purposes, which services are allowed to be
used;
• if enhanced collaboration services are allowed;
• if employees are allowed to participate in chat channels, forums etc.

Even though a written policy often acts as a significant deterrent to unacceptable Internet usage, the
organization is still subject to substantial information security risks. In the clauses below, the security threats
and advice on security design techniques and controls to mitigate those risks are described for internal, and
internal plus external, usage.
7.2 Security threats
Security threats related to Internet access services for employees are:
• Virus attacks and introduction of malware:
o employees using the Internet are a prime target for malware, which may lead to loss or corruption of
information and loss of control of IT infrastructure, a major risk to an organization's network
security;
o user downloaded files or programs may contain malicious code. Given the ubiquity of applications
such as instant messaging, peer-to-peer file sharing, and IP telephony, employees can inadvertently
download and install a malicious application that can evade network defences using such techniques
as port agility (jumping around among open ports) and encryption. In addition, peer-to-peer
applications can be exploited to serve as covert channels for botnets;
o vulnerabilities in web browsers or other web applications may be exploited by malware, and result in
virus infections and installation of trojans. Once infected, availability can be severely impacted due to
virus propagation activities leading to network overload. Trojans can enable unauthorized external
access leading to confidentiality violations.
• Information leakage:
o applications that allow upload of information to web-based servers, may lead to uncontrolled transfer
of data from inside an organization to the Internet. If encrypted sessions are used (e.g. TLS) then
even logging of such activity may not be possible. Similar security risks are introduced when
unauthenticated portable code is executed on systems inside an organization.
• Unauthorized usage and access:
o loss of control of infrastructure, systems and applications can result in fraud, denial of service, and
abuse of facilities.
• Liability due to regulatory non-compliance:
o legal liability due to non-compliance with legislation or regulatory obligations;
o non-conformance with an organization's use policy can lead to regulatory non-compliance.
• Reduced network availability due to inadequate bandwidth or stability problems:
o excessive use of high bandwidth services such as streaming media or peer-to-peer file sharing may
lead to network overload.
7.3 Security design techniques and controls
Security design techniques and controls related to employee internet access services are discussed in
Table 3.
For a given security risk, each security property is reviewed for applicability in reducing the risk, and then a
corresponding technical implementation example is presented in the second column. For example, integrity,
access control, and authentication are applicable for protecting against malicious code.

Table 3 ― Security Controls for Employee Internet Access Scenario

Virus attacks and introduction of malware
Applicable security properties: Integrity; Access Control; Authentication
Implementation design and technologies:
• Only provide the business relevant Internet services to employees. Use blacklists for unauthorized
services, so as not to allow chat channels, web mail services or peer-to-peer networking protocols.
• Use of antivirus software on the gateways to the Internet for scanning all traffic from and to the Internet.
Scanning should include all network protocols authorized for use. Ensure that anti-virus updates are
automatically installed or the user is alerted to the fact that updates are available.
• Use of antivirus software on all client systems, especially those used for Internet access by employees.
• Scan files and all stored information for viruses, Trojans and other forms of malware.
• Data/file integrity verification using algorithms such as hashes/checksums, certificates.
• Blocking pop-ups and web advertisements.
• Routing of traffic used for Internet access services through a small number of controlled security
gateways.
• Active content authentication.

Information leakage
Applicable security properties: Communication security; Integrity; Access Control
Implementation design and technologies:
• Implementing filters for mobile code on the gateways to the Internet.
• Accept mobile code only from uncritical, white-listed sites.
• Accept only digitally signed mobile code, signed by approved Certification Authorities or approved
vendors; enable the respective configuration options on the client side, e.g. by actively managing and
implementing a white list of allowed code signing Certification Authorities.

Unauthorized access and usage
Applicable security properties: Access Control; Non-Repudiation
Implementation design and technologies:
• Only provide the business relevant Internet services to employees. Use blacklists for unauthorized
services, e.g. chat channels or web mail services. Implement filters for non-authorized protocols, e.g.
peer-to-peer networking protocols.
• Restrict the use of services which easily enable the transfer of large amounts of data.
• Ensure that proper logging and monitoring is in place for all services which allow data to be transferred
towards the Internet.
• Clearly define authorized and unauthorized usage of Internet access in a dedicated policy (see sample
template in Annex A).
• Ensure user awareness through adequate education and training.

Liability due to regulatory non-compliance
Applicable security properties: Non-Repudiation
Implementation design and technologies:
• Usage logs, time stamps.
• User awareness and training.

Reduced network availability
Applicable security properties: Integrity; Availability
Implementation design and technologies:
• Proper vulnerability management and patching of known system vulnerabilities within timeframes based
on vulnerability criticality.
• The focus of vulnerability management should be all systems receiving Internet traffic, at either transport
or application level, which includes all systems used in the context of the gateways towards the Internet
as well as end user systems used for accessing Internet services, especially if they use a Windows
operating system.
• Throttle bandwidth for streaming media (only if permitted per business policy).
• Network and system resources should be monitored (IDS, logs, audits, etc.) to detect system, security,
and operational events.
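Several of the Table 3 controls (service blacklists, logging of data transfer towards the Internet, throttling or monitoring of streaming media) can be checked against what the Internet gateway actually records. The following is an added example and is not text or code from ISO/IEC 27033-3: it reads constructed egress-proxy log lines and raises findings for services outside the allowed set, TLS tunnels to bare IP addresses that the gateway can neither classify nor usefully log, users whose outbound volume suggests bulk transfer, and users whose streaming volume threatens shared bandwidth. The log format, field names, category labels, allowed-category set and per-user byte thresholds are all assumptions made for the example.

```python
"""Egress-proxy log review for the employee Internet access scenario.

Added example, not part of ISO/IEC 27033-3. The log format, category labels,
allowed-category set and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample log (not real traffic). One transaction per line:
# time client_ip user method host:port bytes_in bytes_out category
SAMPLE_LOG = """\
09:00:01 10.1.1.10 alice GET erp.example.com:443 18420 911 business
09:00:05 10.1.1.10 alice CONNECT mail.webmail-example.net:443 2200 300 webmail
09:01:12 10.1.1.23 bob CONNECT 203.0.113.45:443 1500 73400000 uncategorized
09:02:40 10.1.1.31 carol GET cdn.video-example.com:443 250000000 1200 streaming
09:03:02 10.1.1.23 bob CONNECT share.p2p-example.org:6881 500 2400 p2p
09:04:10 10.1.1.10 alice GET docs.example.com:443 9000 4100 business
"""

# Assumed policy: deny by default; streaming is permitted here but monitored,
# as Table 3 allows when business policy permits it.
ALLOWED_CATEGORIES = frozenset({"business", "uncategorized", "streaming"})
UPLOAD_LIMIT = 50 * 1024 * 1024       # bytes out per user in the review window
STREAMING_LIMIT = 200 * 1024 * 1024   # bytes in from streaming per user


@dataclass(frozen=True)
class Record:
    client: str
    user: str
    method: str
    host: str
    port: int
    bytes_in: int
    bytes_out: int
    category: str


def parse_log(text: str) -> list:
    """Parse the space-separated sample format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, client, user, method, hostport, b_in, b_out, category = line.split()
        host, _, port = hostport.rpartition(":")
        records.append(Record(client, user, method, host, int(port),
                              int(b_in), int(b_out), category))
    return records


def is_bare_ip(host: str) -> bool:
    """True when the destination was addressed by IP literal rather than by name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def review(records, allowed=ALLOWED_CATEGORIES,
           upload_limit=UPLOAD_LIMIT, streaming_limit=STREAMING_LIMIT):
    """Return (user, finding, detail) tuples for the controls in Table 3."""
    findings = []
    bytes_out_by_user = defaultdict(int)
    streaming_by_user = defaultdict(int)
    for r in records:
        # Access control: service category outside the allowed set (e.g. webmail, p2p).
        if r.category not in allowed:
            findings.append((r.user, "disallowed-service", f"{r.category} {r.host}:{r.port}"))
        # Information leakage: an encrypted tunnel to a bare IP gives the gateway
        # nothing to classify or log beyond the address and the byte counts.
        if r.method == "CONNECT" and is_bare_ip(r.host):
            findings.append((r.user, "opaque-destination", f"{r.host}:{r.port}"))
        bytes_out_by_user[r.user] += r.bytes_out
        if r.category == "streaming":
            streaming_by_user[r.user] += r.bytes_in
    # Information leakage: outbound volume consistent with bulk data transfer.
    for user, total in bytes_out_by_user.items():
        if total > upload_limit:
            findings.append((user, "bulk-upload", f"{total} bytes out"))
    # Availability: streaming volume large enough to degrade shared bandwidth.
    for user, total in streaming_by_user.items():
        if total > streaming_limit:
            findings.append((user, "streaming-volume", f"{total} bytes in"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{user:8} {kind:20} {detail}")
```

On the constructed log the review yields five findings: alice's webmail session and bob's peer-to-peer session fall outside the allowed set, bob's CONNECT to a bare address is flagged as uninspectable and his outbound total exceeds the upload threshold, and carol's streaming volume exceeds the streaming threshold. The thresholds are deliberately simple; in practice they would be set per business policy and evaluated over a defined time window.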
8 Business to business services
8.1 Background
Organizations that conduct transactions with other organizations, such as manufacturers, wholesalers and
retailers, should consider this scenario.
Traditionally business to business services have been implemented by using dedicated leased lines or
network segments. The Internet and the related technologies do provide more options, but also introduce new
security risks associated with the implementation of such services. The evolved business-to-business
e-commerce model allows organizations to conduct business over the Internet, and the applications focus on
using the Internet, extranet, or both to improve business partnerships in which the entities are known to each
other and all users are registered, unlike the business to consumer scenario.
Typically business to business services have their own requirements. For example, availability and reliability
are very important requirements as frequently organizations are directly dependent on working business to
business services.
When using the Internet as the base network connection to implement business to business services,
requirements such as availability and reliability need to be handled differently than before. Proven measures,
such as the quality of service assumptions that hold for leased lines, no longer apply. The new security risks
need to be mitigated by appropriate design techniques and controls. The focus is on reinforcing trust between
organizations by preventing access to unauthorized data and maintaining separation of business systems.
In the clauses below, the security threats and advice on security design techniques and controls to mitigate
the associated risks are described for internal, and internal plus external, usage.
8.2 Security threats
Security threats related to business-to-business services are:
• Virus attacks and introduction of malware:
o malware exploits leading to infiltration of systems, resulting in disruptions or unauthorized access to
sensitive information;
o vulnerabilities in web browsers or other web applications may be exploited by malware, resulting in
virus infections and installation of trojans.
© ISO/IEC 2010 – All rights reserved 9

• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks on business to business portals
or extranets.
• Insider attacks by authorized business partners.
• Forgery of transaction contents (messages not reaching the intended recipient, or data tampered with
during transmission).
8.3 Security design techniques and controls
Information security design techniques and controls related to business-to-business services are
summarized in Table 4.
Table 4 ― Security Controls for Business to Business Services Scenario
Threat: Virus attacks and introduction of malware
Applicable security properties: Integrity; Access control; Authentication
Implementation design and technologies:
• Use of virus checking software on the gateways to the Internet for scanning all traffic from and to the
Internet. Scanning should include all network protocols authorized for use. Ensure that anti-virus updates
are installed automatically or that the user is alerted that updates are available.
• Scan files and all stored information for viruses, Trojans and other forms of malware.
• Data/file integrity verification using algorithms such as hashes/checksums, certificates.
• Routing of traffic used for Internet access services through a small number of controlled security
gateways.
• Active content authentication.
Threat: Denial of service attacks
Applicable security properties: Availability; Opacity
Implementation design and technologies:
• Disable unused protocol ports and services so that they do not respond to unauthorized scans/probes,
which could otherwise be used to trigger a traffic-flood DoS.
• Exclude descriptive information from warning banners so that they do not provide targeting information
to attackers.
Threat: Insider attacks
Applicable security properties: Access control; Non-repudiation
Implementation design and technologies:
• Well defined security policy for access management (for business relationship management).
• Clearly identified roles and responsibilities.
• Customised warning banners.
• Limits on privileges.
• Logging of all critical and non-critical transactions by users.
Threat: Forgery of transaction contents
Applicable security properties: Non-repudiation
Implementation design and technologies:
• Detailed logs of transactions.
• Use of digital signatures.
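The last two rows of Table 4 (logging of transactions; integrity and non-repudiation of transaction contents) can be illustrated in code. The following is an added example and is not part of the standard: it wraps each business to business message in an authenticated envelope and records accepted messages in a hash-chained log, so that tampering in transit and after-the-fact editing of the stored log are both detectable. It uses an HMAC with a constructed per-partner key, which gives integrity and origin authentication between the two parties but not non-repudiation towards a third party; for the digital signatures the table calls for, the MAC over the canonical payload would be replaced by a signature made with the sending partner's private key, and the rest of the structure stays the same. The partner name, the key and the purchase-order payload are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-partner shared key for this example. In production the key
# is provisioned out of band (or replaced by the partner's signing key pair)
# and kept in an HSM or secrets manager, never generated inside the application.
PARTNER_KEY = secrets.token_bytes(32)
GENESIS = "0" * 64  # hash-chain anchor for an empty log


def canonical(obj: dict) -> bytes:
    """Serialize deterministically so sender and receiver authenticate identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(payload: dict, key: bytes) -> dict:
    """Sender side: attach a MAC computed over the canonical payload."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Receiver side: recompute the MAC and compare it in constant time."""
    expected = hmac.new(key, canonical(envelope["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("mac", "")))


class TransactionLog:
    """Append-only transaction log; every entry commits to the hash of its predecessor."""

    def __init__(self):
        self.entries = []
        self._last = GENESIS

    def append(self, partner: str, payload: dict) -> str:
        entry = {
            "seq": len(self.entries),
            "partner": partner,
            "payload": dict(payload),
            "prev": self._last,
        }
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        self._last = entry["hash"]
        return entry["hash"]

    def audit(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            recomputed = hashlib.sha256(canonical(body)).hexdigest()
            if entry["seq"] != i or entry["prev"] != prev or recomputed != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def receive(envelope: dict, key: bytes, partner: str, log: TransactionLog) -> bool:
    """Accept a message only if its MAC verifies, and log it before acting on it."""
    if not verify(envelope, key):
        return False
    log.append(partner, envelope["payload"])
    return True


if __name__ == "__main__":
    order = {"po": "PO-4711", "sku": "WIDGET-9", "qty": 40, "amount_eur": 1200}
    env = seal(order, PARTNER_KEY)
    log = TransactionLog()
    print("genuine accepted:", receive(env, PARTNER_KEY, "acme-wholesale", log))
    forged = {"payload": dict(order, amount_eur=12), "mac": env["mac"]}
    print("forged accepted:", receive(forged, PARTNER_KEY, "acme-wholesale", log))
    print("log intact:", log.audit() is None)
    log.entries[0]["payload"]["amount_eur"] = 12  # simulated edit of the stored record
    print("first broken entry:", log.audit())
```

The canonical serialization matters: if sender and receiver serialize the payload differently (key order, whitespace), a genuine message fails verification, and operators then tend to relax the check. Replay protection (a sequence number or nonce inside the signed payload, checked against the log) would be the next addition in a real deployment.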
9 Business to customer services
9.1 Background
Organizations that conduct transactions with consumers should consider this scenario.
Business to customer services, also referred to as e-business services, include services such as e-commerce,
e-banking and e-government. In business to customer services, security must balance enabling transactions
with preserving brand and business value.
The information security requirements include those associated with:
• confidentiality (especially regarding e-banking),
• authentication,
• integrity,
• data communications security, where the end user expects the business service provider to protect the
transaction path between the user and the provider, including resistance against sophisticated attacks
(e.g. ‘man in the middle’ or ‘man in the browser’ attacks),
• availability, which is an important dimension for the e-business provider.
The information security characteristics include:
• security can only be ‘guaranteed’ on the end platform that is typically under the control of the
organization, which provides a good environment for implementing controls and maintaining good
platform-level security,
• security on the customer platform, often a PC, is typically poor. It is harder to get controls implemented
in such an environment, so customer platforms present significant risks in this scenario (unless a
‘conditions for secure connection’ set of requirements is imposed by contract, which may be difficult in
such an environment).
In the clauses below, the security threats and advice on security design techniques and controls to mitigate
the associated risks are described for internal, and internal plus external, usage.
9.2 Security threats
Security threats related to business to customer services are:
• Virus attacks and introduction of malware:
o malware exploits leading to infiltration of systems, resulting in disruptions or unauthorized access to
sensitive information;
o vulnerabilities in web browsers or other web applications may be exploited by malware, resulting in
virus infections and installation of trojans.
• Unauthorized access:
o unauthorized access to back-end databases and web applications (e.g. SQL injection attacks, cross-site
scripting attacks);
o account harvesting, i.e. deriving valid account information from the way a web application responds to
authentication attempts; automated scripts are often used to harvest valid user IDs and account names;
o online identity theft using successful social engineering attacks (deceptive techniques) such as
phishing, and DNS-based attacks that direct users to fraudulent web servers that look legitimate but are
not;
o unauthorized access to systems or networks with malicious intent to copy, modify or destroy data;
o illegal content decryption leading to copyright violations and theft of content.
• Denial of service attacks.
• Forgery of transaction contents (messages not reaching the intended recipient, or data tampered with
during transmission).
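The account-harvesting threat listed above arises when a login endpoint answers differently for an unknown username than for a wrong password, or takes measurably longer on one path than on the other. The following is an added example and is not part of the standard: a deliberately leaky login beside a hardened one that returns a single generic message, always performs the same password-hashing work (against a dummy record when the user does not exist), compares in constant time, and throttles repeated failures from one source to slow the automated scripts the threat description mentions. The user store, credentials and source addresses are constructed for the example, and the PBKDF2 iteration count is kept low so that it runs quickly.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # kept low for the example; use a far higher count (or Argon2) in production
GENERIC = "invalid username or password"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _record(password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return (salt, _hash(password, salt))


# Constructed user store for the example: username -> (salt, PBKDF2 hash)
USERS = {"alice": _record("correct horse battery staple")}

# Dummy credential used for unknown usernames, so the hashing work (and hence
# the response time) is the same whether or not the account exists.
_DUMMY = _record(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable: distinct messages and an early return reveal which usernames exist."""
    record = USERS.get(username)
    if record is None:
        return (False, "unknown user")
    salt, stored = record
    if _hash(password, salt) != stored:
        return (False, "wrong password")
    return (True, "ok")


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: same message, same hashing work, constant-time comparison on every failure path."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and matched:
        return (True, "ok")
    return (False, GENERIC)


class FailureCounter:
    """Per-source failure throttle: after `limit` failures a source is refused without any checking."""

    def __init__(self, limit: int = 5):
        self.limit = limit
        self.failures = {}

    def blocked(self, source: str) -> bool:
        return self.failures.get(source, 0) >= self.limit

    def record(self, source: str, success: bool) -> None:
        if success:
            self.failures.pop(source, None)
        else:
            self.failures[source] = self.failures.get(source, 0) + 1


def guarded_login(counter: FailureCounter, source: str, username: str, password: str) -> tuple:
    """Login entry point: throttled sources get the same generic answer as any other failure."""
    if counter.blocked(source):
        return (False, GENERIC)
    result = login_uniform(username, password)
    counter.record(source, result[0])
    return result


if __name__ == "__main__":
    print("leaky  :", login_leaky("nobody", "x"), login_leaky("alice", "x"))
    print("uniform:", login_uniform("nobody", "x"), login_uniform("alice", "x"))
    counter = FailureCounter(limit=3)
    for name in ("admin", "root", "test"):
        guarded_login(counter, "198.51.100.7", name, "password1")
    print("blocked source:", guarded_login(counter, "198.51.100.7", "alice", "correct horse battery staple"))
```

A per-source counter trades harvesting resistance for a denial-of-service risk against users behind the same address, so in practice the limit is applied with a decay window and combined with per-account signals; keeping the refusal message generic, as here, avoids turning the throttle itself into an oracle for valid accounts.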
9.3 Security design techniques and controls
Security design techniques and controls related to business to customer services are discussed in Table 5.
Table 5 ― Security Controls for Business to Customer Services Scenario
Threat: Virus attacks and introduction of malware
Applicable security properties: Integrity; Access control; Authentication
Implementation design and technologies:
• Use of virus checking software on the gateways to the Internet for scanning all traffic from and to the
Internet. Scanning should include all network protocols authorized for use.
• Scan files and all stored information for viruses, Trojans and other forms of malware.
• Data/file integrity verification using algorithms such as hashes/checksums, certificates.
• Routing of traffic used for Internet access services through a small number of controlled security
gateways.
• Active content authentication.
Threat: Unauthorized access
Applicable security properties: Access control; Authentication; Confidentiality; Communication security;
Integrity; Opacity
Implementation design and technologies:
• Limit the permissions of web applications when accessing backend databases.
• Network segmentation and security tiers within a demilitarized zone (DMZ) to prevent direct connection
paths to corporate data assets.
• Secure user registration to ensure that access credentials are only issued to authentic users, for
example by using an independent Registration Authority for the process.
• Authentication using digital certificates, passwords, biometrics or smartcards.
• Firewalls and access control lists to prevent unauthorized user access.
• Role based access control to limit the functions the user is permitted to perform.
• Web application log reviews for attack identification and containment.
• Suitable levels of encryption of stored information.
• Ensuring security between web browsers and web servers using TLS (the 2010 text also names SSLv3,
which has since been deprecated and should not be enabled).
• Securing basic Web Service communication (for example, SOAP messages).
• Data/file integrity verification using algorithms such as hashes/checksums, certificates.
• For web application level data integrity of URLs, cookies or hidden form
el
...
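Two of the controls for unauthorized access in Table 5 (limiting the permissions of web applications on backend databases, and preventing the SQL injection named in 9.2) can be shown concretely. The following is an added example and is not part of the standard: a customer lookup written with string concatenation beside the parameterized form, run against a constructed in-memory SQLite table, followed by a read-only authorizer that stands in for the restricted database role a web application should connect with, so that even a successful injection cannot modify or drop data. The table, its rows and the injection strings are constructed for the example; SQLite's set_authorizer is used because it is in the Python standard library, whereas a production database would use GRANT-based roles.

```python
import sqlite3

# Constructed customer table for the example
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL, balance INTEGER NOT NULL);
INSERT INTO customers VALUES (1, 'alice@example.com', 100);
INSERT INTO customers VALUES (2, 'bob@example.com', 250);
"""


def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, email: str) -> list:
    """Vulnerable: user input is pasted into the statement and becomes SQL."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, email: str) -> list:
    """Hardened: a bound parameter is always data, never SQL, whatever it contains."""
    return db.execute("SELECT id, email FROM customers WHERE email = ?", (email,)).fetchall()


# Actions the web-facing role must never perform; everything else (SELECT, READ, ...) is allowed.
_DENIED = {
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_UPDATE,
    sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_CREATE_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
}


def restrict_to_read(db) -> None:
    """Stand-in for a least-privilege database role: this connection can only read."""

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in _DENIED else sqlite3.SQLITE_OK

    db.set_authorizer(authorizer)


def write_allowed(db) -> bool:
    """Attempt a destructive statement; True only if the connection's privileges permit it."""
    try:
        db.execute("UPDATE customers SET balance = 0")
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = setup()
    payload = "x' UNION SELECT id, balance FROM customers --"
    print("vulnerable:", lookup_vulnerable(db, payload))  # leaks every balance
    print("safe      :", lookup_safe(db, payload))        # no such e-mail address
    restrict_to_read(db)
    print("write allowed after restriction:", write_allowed(db))
```

Parameterization removes the injection; the read-only role limits the damage of whatever the application code still gets wrong, which is why the table lists both. A real deployment would also separate the account used for lookups from the one used for order placement rather than giving the application a single broad login.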
