The need to secure information is a concern at the forefront of many executives' minds, and for good reason. Every day news reports document information security incidents that cost companies significant time and money to resolve, often at the expense of their brands and reputations:
Public attention has generally focused on preventing harm to networks by creating an impenetrable perimeter to keep unwanted outsiders at bay. Reality demonstrates, however, that the network is highly susceptible to threats that originate within the perimeter as well as threats that make it through a perimeter that is, in today's environment, highly vulnerable and porous and cannot feasibly be made impenetrable. Additionally, the human threats from trusted network users are increasing. For example, an authorized insider might be able to disable certain network security mechanisms to allow a collaborator on the outside to gain access. Alternatively, an insider might be able to transmit large volumes of sensitive information from inside the network to an outside destination without ever being discovered. Perimeter security has typically focused on keeping the bad things from entering the network—not preventing things from going out of the network.
The well-defined perimeter is disappearing, and your network is no longer like a steel fortress protecting against threats—instead it is like a stainless steel sieve. Mobile employees, wireless access, Web-based applications, remote workers, contractors, and business partners who have access to your network have put an end to the perimeter fortress. These factors can innocently or maliciously introduce attacks on the network and jeopardize confidential information and corporate assets. Attacks can come from anywhere at any time. There is no longer a well-defined perimeter.
Today, you need powerful, proactive security practices for all systems that connect to your internal network. New business demands and processes will continue to expand your perimeter, increasing the risks to your network. Without a plan to secure inside the perimeter, employee productivity, revenues, information, computing resources, and your company brand are highly susceptible to being greatly damaged. Internal security has become an obligation and a necessity. Customer confidence relies upon it, and worldwide laws and regulations require it.
Successful security requires embedding security throughout the many network layers, applications, and associated devices as well as instilling effective security practices in the personnel who have trusted access to the network. Technology can be implemented to help discover when trusted network users are attempting to do damage. The time has come to pervasively secure inside the network perimeter.
Businesses have always faced numerous issues with regard to handling and protecting information. The primary issues have not changed much, but the number and types of threats created by computers and innovative technologies continue to grow. Threats to information include:
Having swindlers try to defraud businesses is certainly nothing new; fraud has been around as long as history has been recorded. However, the techniques by which fraud now occurs are much more varied than ever before and take advantage of new technology and human foibles. The ChoicePoint fraud incident from February of 2005 is a perfect example. The fraudsters took advantage of technology to create identities based upon those of other legitimate persons, then took advantage of the vulnerabilities within the ChoicePoint identity verification process to perpetrate a fraud against the company while compromising the security of 145,000 of the individuals within the ChoicePoint databases. Phishing is another example of using technology (emails and Web sites) to commit fraud against people to whom bogus messages are sent.
The occurrences of employees with authorized access to network resources committing fraud are likely to continue to increase—although it's difficult to ascertain the current numbers for such crimes because they are under-reported to law enforcement and prosecutors (Source: National Research Council, Computer Science and Telecommunications Board, Summary of Discussions at a Planning Meeting on Cyber-Security and the Insider Threat to Classified Information, November 2000). Organizations are often reluctant to make such reports because of an insufficient level of damage to warrant prosecution, a lack of evidence or insufficient information to prosecute, and concerns about negative publicity.
Employees with authorized levels of trust pose a great threat to the network when they become dissatisfied with their jobs or are otherwise motivated to take advantage of their extensive access capabilities and have a desire to cause damage on the network. Growing numbers of cases of disgruntled IT systems administrators modifying files and making business networks unusable have been reported.
Mistakes, errors, and omissions by insiders within the network perimeter are some of the most prevalent causes of information security problems. Accidentally sending email to the wrong person can lead to a loss of confidentiality if these messages are not protected, and loss of availability to the intended person. The most commonly cited example of this type of security breach is when an Eli Lilly employee accidentally sent an email to all Prozac users subscribing to a prescription service with all the names of the recipients clearly visible within the message heading.
A particularly common threat comes through incorrectly configured or out-of-date security controls, or through exploitable software such as operating systems (OSs) and databases without up-to-date patches. Although these errors are usually accidental, programming errors can cause systems to crash. Application security cannot be delegated to the network administrator; it must be an integral characteristic of an application's overall architecture. A truly well-built application will inherently be secure. A poorly constructed application may be impossible to secure—effective security can't simply be tacked onto an application after it has been written. Application security must be addressed throughout the entire development process, not as an afterthought.
Oftentimes in the rush to get a system or application into production, the implementation teams either inadequately test the security or assume someone else has performed testing for security issues. If errors or omissions are made during the software development, maintenance, or installation process, the integrity, reliability, confidentiality, and availability of the information processed could be threatened.
Using commercial off-the-shelf software does not guarantee error-free software. Hotmail had a bug that allowed anyone to read the accounts of their subscribers without a password. Microsoft Outlook and Outlook Express software had a bug that allowed malicious code to run on a computer without the knowledge of the user and cause Outlook and Outlook Express to fail. In addition, this bug allowed unauthorized individuals to utilize user access rights to reformat the disk drive, change data, or communicate with other external sites.
Many organizations do not adequately communicate their security policies and procedures to their personnel or train them for how to integrate security within their job activities. If personnel do not know how to properly implement security, they can easily perform activities in ways that put the network at risk. For example, if an employee does not know they need to secure the computer screen when away from the work area, an unauthorized person can access that system in the user's absence and commit fraud or maliciously delete or alter files—all under the authorized user's name.
After a company has reduced staff, it is common for people who have been laid off to be upset. Often they are given two weeks' notice while retaining all the same rights to the network. When people know they will soon be unemployed, and are upset, they may maliciously use their access rights to wreak havoc on the network. For example, Omega Engineering suffered $10 million in losses after a network engineer, upset about being laid off, detonated a software time bomb that he had planted in the network he helped to build. The bomb made the Omega network unusable and brought the manufacturer of high-tech measurement and control devices used by the United States Navy and NASA to a standstill. When the bomb went off in the central file server that housed more than 1000 programs as well as the specifications for molds and templates, the server crashed, erasing and purging all programs. The incident resulted in 80 layoffs and the loss of several clients.
The third parties to whom you give access to your network may not have the motivation or knowledge to adequately secure their activities. Also, if you connect an outsourced organization to your network, their security threats, vulnerabilities, and risks then become yours. You also risk having your information inappropriately used by employees who have no motivation to secure the information that comes from another company. For example, in 2005 a British newspaper, the Sun, reported purchasing credit card and other confidential details about hundreds of British citizens for just $5 each from an employee of an outsourcing organization in New Delhi.
Environmental threats include natural disasters, such as floods, earthquakes, tornadoes and other environmental conditions. These threats result in the loss of availability of information that could lead to an inability to perform critical tasks, financial loss, legal liabilities, and even loss of public confidence or image. When these threats are coupled with inadequate physical security, there is also risk of loss of confidentiality of information.
Organizations must focus on securing their internal network with the same vigilance that is applied at the perimeter. Organizations can apply similar information security techniques developed for the perimeter to their internal networks including the following:
There is an increased urgency to address old problems with new solutions. Businesses have always had to face the problems of technology evolving faster than the associated security solutions. Keeping employees vigilant with their security practices as new computing devices become ever more mobile and affordable has been challenging business leaders since the introduction of the desktop computer. What used to work is no longer effective.
Security incidents are causing increasingly larger financial impacts. New destructive threats continue to emerge. For example, it is widely estimated that the Slammer worm alone caused more than US$1 billion in damage. Protecting against and containing worms is currently the most pervasive problem driving investment in internal security solutions. However, there are dozens of other problems that cause significant financial impact.
Security vulnerabilities are now communicated much more proactively and quickly by vendors than ever before. As a result, the time from vulnerability announcement to active exploits has shrunk dramatically. It never seems as though the patches for security holes can be applied quickly enough. Businesses are continually trying to find new and better ways to protect their network resources while they are susceptible to the exploits until the software security patches can be applied.
New types of technologies and devices are creating cavities within the network perimeter often without the notice of the organization. Organizations must realize that endpoint devices—such as personal computers, PDAs, Blackberries, and smart phones—must be secure on the networks as well as when they are connecting from outside the perimeter, such as through a VPN or wireless connection. If these endpoints are not secure, they can easily inadvertently introduce malicious code and other security threats to the organization.
A June 2005 study surveyed 140 top enterprise and government security executives about their approaches to network security and budget trends. This study revealed the need for tighter user access controls and continued concern about security threats and patching, even though the security budgets had increased in most of the organizations. Surprisingly, the study also found that more than half the respondents are still relying upon the perimeter as the primary way to protect the internal network, providing unmonitored access to the network resources once a user is authenticated. Sixty-two percent acknowledged that their organizations faced intrusions from internal sources that were authorized to be there.
It is essential that the network perimeter be secured as much as possible. However, just relying upon perimeter security will not save organizations from costly security incidents, such as the attacks that have been widely reported against credit card processing centers and banks. There is an immediate need to make security a pervasive feature of all components of the network, inside and out. Control of access to the network must be pre-emptive as well as proactive and reactive.
It is also essential to plan ahead how an organization will react to internal security incidents and breaches. Many organizations are not prepared. The ways in which organizations respond to incidents and breaches typically fall into one of the following approaches:
Most organizations patch the perimeter and external servers much more quickly than the internal network resources. Because the resources are internal, most business leaders assume they can take much more time to apply the security patches because the perception is that the risks are much lower within the perimeter.
Organization leaders need to start thinking about network security from a perspective other than the old outside, perimeter, and internal way. Organizations need to take into consideration the following issues with regard to the components of their network:
Another challenging aspect of today's environments is that the information security market is still in its infancy. There are very few formal standards established for security products or services. Many vendors offer individual solutions such as firewalls that address only one type of security need. Organizations are challenged with making disparate and widely ranging types and qualities of security solutions work together, creating patchwork security across the enterprise. IT staff bears the daunting task of cobbling all these solutions together, constantly deploying an expanding list of products and spending inordinate amounts of time and money completing the integration work to ensure that these components are working together. These immaturity issues create other significant challenges for IT staff:
The nature of the internal network environment presents unique challenges when compared with perimeter security. Quite simply, when considering both, internal security requires significantly greater:
Table 1.1 compares the concerns of internal versus perimeter security.

| Concern | Internal Security | Perimeter Security |
|---|---|---|
| Network Issues | Thousands of systems to protect | Small number of systems to protect |
| | Hundreds of thousands of Mbps of traffic to monitor | Tens of Mbps of traffic to monitor |
| Application Issues | Thousands of applications | A dozen or so applications |
| | Hundreds of thousands of protocols | Few protocols |
| | In-house applications | Standardized and well-defined applications |
| | Protocol compliance more lax | Strict adherence to protocols |
| | Client-to-client applications | Client-to-server applications |
| | Remote connections | |
| | Dependency on end users for many controls | |
| Management Issues | Hundreds to thousands of user and group roles | Few user and group roles |
| | Monitor the unknown or unusual | Block the unknown or unusual |
| | Decentralized coordination | Centralized coordination |
| Resource Issues | Large number of IT staff to support | Typically small IT support team |
| | Small ratio of security to network size budget | Large ratio of security to external IT components budget |

Table 1.1: Internal vs. external security scalability.
How can an organization position network security solutions to accommodate change while not, or at least not noticeably, impacting network performance? What type of incremental cost for security must be accepted in order to adequately secure all components of the network according to their level of risk? Organizations need to consider the scalability issues involved with security when designing not only their security architecture but also their entire network infrastructure.
Let's look at a few examples of how architecture components within a business network impact the security scalability challenge.
Most organizations buy the least expensive routers to meet their business and security needs of the moment. However, buying modular routers, even though more expensive up front, might be better than buying fixed-configuration routers because it is more efficient and easier to add and modify user and network interfaces, when needed, at a lower incremental cost. Security scalability is impacted by such issues as the type of router used, the size of the network, router configuration files, and the audit files generated.
Most organizations purchase servers to meet their current and existing business processing and security needs. Consider how well the server you choose will scale to handle your company's specific processes, such as online transaction processing (OLTP). It may be better in the long run to invest in a multi-processor-ready server even if you only need one processor for your current business. As your transaction load increases, you can then add more processors as necessary at a lower price. Security scalability is impacted by such issues as access control files and directory permission structures.
Have you integrated all your organization's needs for voice, data, and high-speed dedicated Internet access across your network using an integrated service provider (ISP)? Determine whether the ISP is capable of adding bandwidth for both access and long-haul transport as your business needs change. Determine whether the ISP can support IP, Frame Relay, and ATM as required to meet performance objectives. Security scalability is impacted by such issues as firewall port configurations, intrusion detection devices, audit files, and encryption configurations.
Establishing enterprise-wide security zones helps to address the security scalability issues. Security zones not only support the effectiveness of layering security but also decrease the cost of enterprise technology infrastructure and create a scalable environment. Enterprise-wide security zones also support open architectures and encourage more collaboration and teamwork within and across the enterprise, addressing the management challenges of such collaborations. The significant movement toward embracing cooperation across organizations and sectors creates security problems. However, establishing security zones allows organizations to more successfully collaborate with one another while still protecting their valuable information resources.
The challenge with creating scalable security architecture is building it effectively to allow the enterprise to function as it needs to meet business goals. The security solution must be scalable to give the organization what it needs for adequate security. Successfully scalable security solutions result from the security planners and implementers understanding both the business and the risk, threat, and vulnerability environments in detail. Many inefficient and rigid security solutions have been built because the organization did not consider the business and built the wrong security architecture.
The mix of security technologies used impacts scalability. Before implementing each separate security solution based solely upon the narrow scope of the task(s) it performs, you should ask some questions:
Business networks are often very limited in scalability because current tools are used with other tools that are not compatible, difficult to implement, a challenge to administer and maintain, and are poorly managed.
Multi-national business drivers are prompting more focus on internal security than ever before, making security within the perimeter a priority. Companies must comply with world-wide regulations to ensure the privacy of their customer information as well as the security of the intellectual property that resides on internal networks. These global requirements drive an increased need for internal security.
There is also an increased awareness about malicious network attacks on internal networks that can be launched from anywhere in the world. Organizations in the past took an approach of not telling when incidents occurred to avoid the publicity and potential resulting negative business impact. However, now it is required by many international laws for organizations to provide proof that they are adequately protecting their entire network and the personal information stored within. This requirement is made even more significant as the number of internal attacks increases.
The Deloitte Touche Tohmatsu 2005 Global Security Survey shows internal attacks on information technology systems are surpassing external attacks at the world's largest institutions. The survey revealed that 35 percent of respondents confirmed attacks from inside their organization within the past 12 months, up from 14 percent in 2004.
There are many legal aspects to ensuring the security of information within the perimeter. Privacy and workplace surveillance issues need to be addressed when determining how, within an organization, to implement tools to decrease the possibility of insider malfeasance.
Technology that produces data (audit logs, for example) that meet acceptable legal and forensic standards must also be addressed. In addition, monitoring and termination requirements for individuals suspected of internal network abuse or misuse must be addressed under the requirements of employment laws while also meeting the needs for systems security. Finally, sophisticated adversaries can take advantage of jurisdictional differences and route their attacks through non-cooperating jurisdictions. The jurisdictional challenges are complicated by the fact that under United States law search warrants are geographical in nature. The restrictions on cross-border data flow impact how a geographically dispersed world-wide network can share data among different network segments.
International network controls must ensure that risks are reduced to an acceptable level by taking into account:
Insider attacks might be difficult to prosecute in certain countries. For example, in Australia, an internal security breach occurs when an employee of a company uses the company's information system without authorization or uses it in such a way that exceeds his or her valid authorization. Consider a couple of related court cases:
Because the Internet is easily accessible from any location in the world and most large organizations are now multi-national, it is important to understand and operate in compliance with worldwide regulations. Just a few examples of international legislation that is stricter with regard to data protection requirements than many United States laws include:
An important consideration for business executives to remember is that laws and regulations are generally enacted on a country-by-country basis while electronic commerce is performed globally. As soon as your business uses the Internet to conduct business, you are doing business with the world. This consideration has the tremendous advantages of offering your products and services globally; however, you also need to comply with local regulations. These regulations are by no means consistent, and you could easily find yourself conflicting with one regulation by complying with another.
One major challenge with global electronic commerce and network sharing is that certain countries do not place a high priority on protection of personal information or intellectual property. They might have higher priority issues, such as food or medicine, and might be unwilling or unable to police individuals who are engaged in activities such as software piracy. Computer criminals typically operate freely in these countries without the fear of law enforcement agencies shutting down their operations. Unless business executives put strategies in place to protect their intellectual property and customer information, they run the risk of falling victim to these individuals.
One example of a United States' Federal law is the Sarbanes-Oxley Act that went into effect in July 2002. It is intended to protect investors by improving the accuracy of corporate disclosures. All companies publicly traded in the United States must meet financial reporting and certification mandates for all financial statements. From an information security perspective, it is difficult to achieve compliance under Sarbanes-Oxley without having an effective information security program to protect your vital financial information.
One example of state-level security legislation is California Senate Bill (SB) 1386, which went into effect in July 2003. It requires organizations that have customers or consumers in California to disclose any breach of security related to specific types of personal data, including Social Security numbers, drivers' license numbers, and account, credit, or debit card numbers. Security breaches include unauthorized access of computer data that compromises the confidentiality or integrity of that unencrypted personal information. Individuals who are affected by this breach of security must be notified. Most states now have pending similar legislation, and many have already signed similar bills into law.
Public notification and reports to government of security breaches can be embarrassing to companies and can have a direct impact on their brand and revenue stream. However, penalties can be imposed on organizations that do not comply with the notification requirements. These regulations place additional importance on having an effective information security program, including comprehensive internal controls in place.
With the growing number of e-commerce security incidents, the number of regulations will continue to increase. It is important to understand these laws and the restrictions that they can pose to your information security program. Successful business executives will develop strategies that turn these challenges into competitive advantages.
Organizations must have a plan for responding to such legal requirements for reporting and breach notification. They must also educate their employees about how to address such issues as well. Unfortunately, this communication often does not occur, although it is crucial, as evidenced by the 2005 E-Crime Watch survey conducted by CSO Magazine in cooperation with the United States Secret Service and the CERT Coordination Center, which reported "The respondents rated employee security training, education and awareness programs, and regular communication as the most effective strategies for deterring insider threats. These strategies create a culture of security in the organization, where all employees understand that security is a shared responsibility."
With more and more laws requiring breach notifications to impacted individuals, organizations must make it a priority now to plan on how to both identify when a breach has occurred and how the breach response will be handled. Organizations cannot simply hope that a breach will not happen to them.
Although an employee who commits an internal network attack will often face criminal prosecution, the organization might also end up being the subject of a civil lawsuit. A very significant danger exists to organizations regarding insider network security breaches committed by an employee who uses the organization's computer systems to commit electronic fraud or cause damage or loss to third parties. In these situations, it's possible that the company could be held liable for the acts of its employee. This risk is just one more of many reasons the network must be robustly secured within the perimeter.
Many CEOs and CIOs are slow to invest in computer security because they do not think they will get a return on their investment. What they need to consider are the costs of not investing in computer security:
The value of a security breach can be measured by both tangible and intangibles considerations. The tangibles can be calculated based on estimates of:
Intangibles refer to costs that are difficult to calculate because they are not directly measurable, but are still very important for business. Intangibles are often related to a loss of competitive edge that results from the breach. For example, a breach can affect an organization's competitive edge through:
Forrester Research estimated the tangible and intangible costs of computer security breaches in three hypothetical situations (Howe, Carl; McCarthy, John C.; Buss, Tom; and Davis, Ashley. "The Forrester Report: Economics of Security", February, 1998). They found that if thieves illegally wired $1 million from an online bank, the cost impact to the bank would be $106 million. They estimated that if network compromises were used to prevent a week's worth of tires from being delivered to an auto manufacturer, the auto manufacturer would lose $21 million. They estimated that if a law firm lost significant confidential information, the impact would be close to $35 million.
Historically, organizations have used the gumball approach to securing networks, making the perimeter like a hard outer impenetrable shell, while leaving the inside of the network soft and chewy with less vigorous security in place. Most organizations today still primarily use the gumball approach, protecting their networks from unauthorized access by implementing perimeter protection devices, such as screening routers and secure gateways.
The threat of attack comes from two major directions: attacks based outside the corporate network and attacks based from within.
The gumball approach, although at one time effective, no longer works. When the perimeter could be well defined, it addressed the "attack from without" scenario. However, the perimeter is now very porous, with mobile computing devices, wireless access, and peer-to-peer and business-to-customer network connections poking ever more holes into the once hard shell. Even if the perimeter was not so porous, such a model cannot address the attacks from within.
Existing perimeter security does not protect from an attack from within.
IT security administrators have long focused on securing the network perimeter. Focusing on the perimeter is indeed important. However, the internal networks must be secured with the same level of diligence to reduce the risks created from the sharp increase of worms and other attacks specifically introduced inside the network via mobile and wireless devices, in addition to attacks originating from trusted network users.
Although many of the same principles used to establish and implement perimeter security solutions also apply to internal networks, internal security is generally more complex, requires elevated performance, and has requirements completely unique from perimeter security.
Existing perimeter security solutions, such as patches, antivirus software, switch and router-based solutions, legacy firewalls, and intrusion detection and prevention systems, are inadequate for comprehensive security and leave huge gaps for securing internal systems.
Organizations must increase their efforts to improve the protection inside the walls of their organization. However, the struggle to balance decreasing budgets and personnel resources results in the persistence of reliance upon the gumball approach to securing networks.
In the late 1960s, networks existed only in the sense of huge mainframes with hundreds to thousands of dumb terminals connected via hubs and concentrators to central processing units (CPUs) housed in a central, air-conditioned, properly humidified, windowless room. Network security was not really a significant issue. However, in 1973 business leaders started to take note when executives at the Equity Funding Corporation of America used computers to create 64,000 fake customers, a fraud that resulted in losses of two billion dollars and is still widely considered the biggest computer crime that has yet occurred (Donn B. Parker, Fighting Computer Crime, p. 65, Wiley, 1998). This incident illustrates the initial threats to network security, which at the time were strictly internal, and foreshadowed the nature of most threats to come. The environment for network security was evolving.
In 1969, the Advanced Research Projects Agency (ARPA, later renamed DARPA), along with four research institutions, began to design a network over which data could be sent and received. UCLA, the University of California at Santa Barbara, the University of Utah, and the Stanford Research Institute (SRI) collaborated to create ARPAnet, which evolved into the Internet.
The 1980s introduced personal computers (PCs) and local area networks (LANs), laying the foundation for more network security threats than anyone anticipated. The government addressed what it perceived as imminent security issues by publishing security guidelines in the Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book"), which dealt mainly with security problems of standalone machines rather than network security. In the fall of 1988, the Morris worm was released; it infected roughly 6,000 of the estimated 60,000 computers then on the Internet and kept many of them out of service for days.
Businesses typically design their business infrastructure around network architectures. Global business requires networks that link multiple businesses together. The Internet has grown to connect many millions of computers on one massive and largely uncontrolled network. Corporate networks are merging with the Internet to support Internet businesses, Web-based business transactions, and much more. Consequently, the security stakes are enormous. Securing just the perimeter is not enough; internal security must be robust.
What is internal security? Internal security is a focused effort to appropriately secure all resources on internal networks. Examples of resources include applications, data, servers, and endpoint devices.
Internal security attacks can be malicious or inadvertent. Either way, internal security events harm an organization from both a technical and a business perspective. Organizations must take the necessary steps to secure their internal networks, not just the perimeter.
Attackers have new techniques for bypassing perimeter security barriers. They accomplish this in many ways, a couple of which include:
In many ways these internal threats are more dangerous than external threats because they are harder to detect and prevent.
Network perimeter security mechanisms, although necessary and effective in stopping many external attacks, cannot provide sufficient protection against all outside threats, let alone internal threats. Several threat categories were described earlier; what specific types of threats are there to the internal network?
It is essential that an organization identify all security requirements in the context of how those requirements affect the business with regard to existing risks, threats, vulnerabilities, and legal and contractual obligations. Alternative paths into organizations, along with application-layer attacks, are increasing the threats and emphasize the need to complement perimeter security with a comprehensive and pervasive range of internal security activities and tools. At a high level there are three main ways to identify security requirements inside the perimeter.
Computer security solutions generally use prevention, detection, or response to address threats, reduce risks, and address existing vulnerabilities (see Figure 1.1).
Figure 1.1: Example security measures.
The following is a laundry list of example actions that can be applied to address the security risks within the internal enterprise network:
Every network and organization is unique and must create its own internal security laundry list to incorporate into the security program, based on its requirements and risks.
The assumptions used to improve the effectiveness of a perimeter-oriented security strategy can no longer be used to adequately secure the organizational network. This guide will look at the threats, risks, and vulnerabilities within the internal network and help you to identify the activities that will work best for your environment. To successfully manage these issues, executives need to understand and address the following seven significant challenges:
This chapter's discussion demonstrates that there are many different security issues involved in securing the network, and that they are generally unchanged from the past. However, the number and types of threats continue to grow dramatically. The network perimeter has become so porous that it is a bad business decision to depend solely, or even primarily, on perimeter security to protect your internal network resources and assets. There are many compelling factors that will convince you of the need to secure your network throughout the enterprise and not just at the perimeter. This chapter highlighted these factors at a high level. The next chapter discusses them in depth.