ESecurity




Current Situation



Up until recently, security was very much like teenage sex in that it was typified by lots of talk but no action. Companies declared their sites secure simply because the credit card payment page was protected by SSL (Secure Sockets Layer). Even now, there is an overwhelming sense of complacency across the industry.



However, Etailers are reportedly finding that web shoppers are still very concerned about security. It is becoming increasingly essential that Etailers gain the trust and confidence of their customers, not only to gain an advantage over their competition but simply to stay in business.



With the increasing use of Ebusiness for enabling business processes and operations across the internet, it is critical for organizations to recognize information as a valuable business asset and implement controls to secure it: to ensure the privacy of their customers' data, the integrity of that data, and that they do not lose it!



General Security Issues



The aim of a good security strategy for an Ebusiness organization should be to combine maximum flexibility, performance, and scalability with the highest availability and security. The goal of a security strategy is to protect information assets through:

Authentication: identifying the parties involved in communications and transactions.

Access: providing access to appropriate levels of information (with as little inconvenience as possible) to those who should have it, preventing access by anyone who should not have it, and preventing access beyond the level of information that is appropriate to the user's class.

Confidentiality: ensuring that information is not accessed by unauthorized parties.

Non-Repudiation: ensuring that transactions, once committed, are legally valid and irrevocable.

Availability: ensuring that transactions or communications can be executed reliably upon demand.



Top management needs to understand that security is a hygiene factor: when it is there, and is effective and efficient, people hardly notice it at all; however, when it is not there it can mean the end of the business overnight. It is essential to get it right, particularly for transactions placed over the Internet.



Further, management needs to understand that security is a never-ending process. Security policies and measures should be under constant review; network support teams should monitor newsgroups, etc., for information about the latest threats to security (e.g. the latest virus attacks, hackers, security loopholes in software products); security audits must take place to ensure procedures are working; logs of unauthorized access should be reviewed; and disaster recovery plans should be tested regularly.



Many companies have now either been bitten by the problems inherent in having no real built-in security policies, or have seen media reports about others who have been bitten.



MSNBC reported cases in which large numbers of credit card numbers and associated information had been stolen from sites in March 2000. Visa had earlier announced that around half its disputes concern internet-based credit card transactions, despite these making up only 2% of its total revenue. The Melissa virus caused an estimated $80 million in damage, and the Love Bug similarly wreaked havoc across the world. Denial of Service attacks have hit big names like Amazon.com, Ebay and Yahoo, causing losses in terms of revenue and public image.



There is much evidence to suggest that reported cases are simply the tip of a very large iceberg, as many security breaches go unreported due to the embarrassment caused by admitting to them and the risks to future business of doing so.



For the consumer, there is not only the worry that personal information such as credit card data could be stolen, but also the worry that anyone they appear to be dealing with on the internet could be untrustworthy; and even when dealing with a company known and trusted, there is the risk that in reality the consumer is dealing with an imposter. Thus, it is up to those with integrity who are running websites to find ways to reassure the consumer that it is safe to use their websites, for example by providing Digital Certificates verified by a trusted third party such as Verisign.



It is very difficult for governments and legal systems to protect the consumer from internet fraudsters and conmen, because national boundaries are very difficult to establish or enforce on the internet, as content is accessible from everywhere. The US and UK, among others, are investigating the possibility of policing the internet using national cybercrime units. Financial regulators such as the SEC in the US and the FSA in the UK are looking at measures to help them control websites within their own jurisdictions. International bodies like the OECD and the European Union are working on standards for Ecommerce to be implemented and enforced at a national level by governments, but progress is very slow because industry opposes the idea of government intervention, preferring to rely on self-regulation.



Procedures



At last, many large organizations are now taking security fairly seriously. However, there is still a great deal of misunderstanding about what security really means for an organization that uses Internet technologies to trade.



Organizations deploying internet technologies tend to focus on the technologies rather than the procedures behind the technologies. Having solid security procedures in place is often much more important than the technology which is used to implement security. The benefits of using SSL to gather credit card information from a consumer over the web could be nullified if it is common practice within the organization to subsequently email the card details from one department to another. Putting virus scanning technology into place in an organization is only useful if the virus scanner is updated regularly as new viruses are found. Procedures are required to ensure that the technologies are being used effectively to meet the organizational security goals.



Such procedures should include clear divisions of responsibility for the different areas of security: backup procedures, disaster recovery procedures, physical security (security card control, building security, etc.), password procedures, system access levels and authorization procedures, virus control procedures, firewall policies, and all other traditional areas of security which an organization should have under control.



Procedures should ensure that server consoles are locked with passwords whenever not in use, that all access attempts to all systems are logged and audited, and that passwords are not easily guessed and are changed regularly. They should ensure that all network systems and web servers are kept in secure locations, and that redundant systems exist for all key hardware: not only the network systems themselves (including servers, firewalls, hubs and routers) but also air conditioning and power systems.
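As an added example of the log review the paragraph calls for (this code is written for this edit, not taken from the article), the following Go program parses a constructed authentication log, lists the source addresses with repeated failed attempts, and flags successful logins that follow a run of failures from the same source. The log format, the user names and the addresses are all invented for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed line of a hypothetical authentication log.
type LoginEvent struct {
	Time          time.Time
	Outcome, User string // Outcome is "OK" or "FAIL"
	Src           string // source address of the attempt
}

// ParseLoginLine parses the constructed one-line format used here:
// "<RFC3339 time> login <OK|FAIL> user=<name> src=<address>".
func ParseLoginLine(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "login" || (f[2] != "OK" && f[2] != "FAIL") ||
		!strings.HasPrefix(f[3], "user=") || !strings.HasPrefix(f[4], "src=") {
		return LoginEvent{}, fmt.Errorf("unrecognised log line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LoginEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	return LoginEvent{ts, f[2], strings.TrimPrefix(f[3], "user="), strings.TrimPrefix(f[4], "src=")}, nil
}

// ParseLog parses every non-blank line; a malformed line is an error rather
// than being skipped, so an unreadable log is not silently reported as clean.
func ParseLog(text string) ([]LoginEvent, error) {
	var events []LoginEvent
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseLoginLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// SuspiciousSources lists, sorted, every source with at least threshold failures.
func SuspiciousSources(events []LoginEvent, threshold int) []string {
	counts := map[string]int{}
	for _, ev := range events {
		if ev.Outcome == "FAIL" {
			counts[ev.Src]++
		}
	}
	var out []string
	for src, n := range counts {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

// SuccessAfterFailures returns successful logins preceded, from the same source,
// by at least minFailures consecutive failures: the pattern a reviewer most wants
// to see, since it may mean a password was guessed rather than mistyped.
// Events are assumed to be in time order, as a log would be.
func SuccessAfterFailures(events []LoginEvent, minFailures int) []LoginEvent {
	failed := map[string]int{}
	var hits []LoginEvent
	for _, ev := range events {
		if ev.Outcome == "FAIL" {
			failed[ev.Src]++
			continue
		}
		if failed[ev.Src] >= minFailures {
			hits = append(hits, ev)
		}
		failed[ev.Src] = 0 // a success ends the run of failures
	}
	return hits
}

// SampleLog is constructed for this example; it is not real data.
const SampleLog = `
2000-03-01T10:00:01Z login FAIL user=alice src=203.0.113.7
2000-03-01T10:00:03Z login FAIL user=alice src=203.0.113.7
2000-03-01T10:00:09Z login FAIL user=root src=203.0.113.7
2000-03-01T10:00:12Z login OK user=alice src=203.0.113.7
2000-03-01T10:05:00Z login OK user=carol src=10.0.0.5
2000-03-01T10:06:00Z login FAIL user=carol src=10.0.0.5
2000-03-01T10:06:10Z login OK user=carol src=10.0.0.5
`

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("sources with 3 or more failures:", SuspiciousSources(events, 3))
	for _, ev := range SuccessAfterFailures(events, 3) {
		fmt.Printf("review: %s logged in from %s at %s after repeated failures\n",
			ev.User, ev.Src, ev.Time.Format(time.RFC3339))
	}
}
```

In the sample, 203.0.113.7 fails three times and then succeeds as alice, which is reported for review; carol's single mistyped password from 10.0.0.5 is not. The thresholds are deliberately parameters, since the right values depend on the system and its user population.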



In addition, it is key that proper testing procedures, source code/change control and defect tracking procedures are in place.



It should go without saying that internet applications which carry out transactions should be thoroughly tested, and yet it is incredible how many holes are created on Ecommerce web sites due to shoddy programming and testing. Preferably, web applications should be tried out by professional hackers who can look for loopholes in programs written for the web. Silicon.com reported in October that the Marks and Spencer website (marksandspencer.com) had an error on it caused by a broken link, which when activated produced an error message containing confidential material such as passwords, credit card dummies and other log-in information.



Testing of internet applications should be supported by systems which enable changes to code to be made easily and effectively, so that unauthorized/untested changes do not slip through into the production system and so that changes made to source code are not later undone accidentally due to poor source code control.



Internet Specific Issues



While security should be a concern for any IT organization, there are some aspects of security which are specific to internet-based activities.



Authentication, non-repudiation, encryption, privacy, and integrity of data are all issues made more important by the use of web technologies, inherently an open and anonymous form of communication.



The internet raises added security issues because there is no centralised infrastructure; it operates 24 x 7 on a huge global scale and therefore has millions of potential users, any one of whom could at any time attempt to access non-public information. Some will do so by accident, some just out of curiosity, and some with malicious intent will relentlessly test every aspect of your system until they find a security hole through which they can create havoc.



Security is also a moving target, as new methods become available to hackers all the time, with technology advancing rapidly. By its very nature, the internet was developed to allow openness, and this makes it all the more complex to implement security over the top of the internet without making it difficult for authorized parties to access the data you wish them to be able to access. Severe damage is often detected too late.



Technologies



Access controls and cryptography can help to prevent unauthorized access to information, but they are only part of the picture.



Organizations are now employing complete PKI and CA infrastructures, such as the Onsite Managed Trust Services provided by Verisign, in order to provide them with the flexibility and control they need throughout the enterprise, allowing them to issue their own digital certificates, secure access to extranets/intranets, secure transactions, encrypt email and carry out authentication.



Access Controls



Hidden URLs: one easy way to restrict access to information and services is to put the information at unpublished URLs and provide the URL only to those who should have access to the information at that address. Clearly this is not a high security option and is unacceptable for most purposes. There are various tools open to serious hackers that enable them to find hidden URLs (spiders etc.), and of course it is possible that the locations of the URLs are passed on to others by those who are authorized to access them.



Host-based Restrictions: it is possible to restrict access to a web address (or to a web server, if using a firewall) by IP address or DNS hostname. This method can enforce that only web users operating from within a particular domain or network can access the web page. This is useful if an external web site contains some pages which should only be accessed by employees of the company, as it can be used to deny access to anyone not operating from within the company's network. This method is not totally foolproof, as it cannot deal with unauthorized access due to spoofing (whereby a user pretends to come from an authorized network address).
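An added illustration of the host-based restriction and its spoofing caveat, written for this edit rather than taken from the article: a Go allowlist check that judges the address the server itself observed, and believes a proxy-supplied X-Forwarded-For value only when the direct peer is a known reverse proxy (and even then only the right-most entry, the one that proxy appended). The network ranges and addresses are constructed, and the check assumes bare IP addresses without port numbers. Forged source addresses at the IP layer, which the article mentions, are outside what an application-level check can see.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// AccessPolicy is a hypothetical host-based restriction: requests that
// originate inside one of AllowedNets may see the employee-only pages.
type AccessPolicy struct {
	AllowedNets    []netip.Prefix // e.g. the company's own network
	TrustedProxies []netip.Prefix // reverse proxies whose X-Forwarded-For we believe
}

// NewAccessPolicy parses CIDR strings such as "10.0.0.0/8" into a policy.
func NewAccessPolicy(allowed, proxies []string) (*AccessPolicy, error) {
	p := &AccessPolicy{}
	for _, s := range allowed {
		pfx, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("allowed network %q: %w", s, err)
		}
		p.AllowedNets = append(p.AllowedNets, pfx)
	}
	for _, s := range proxies {
		pfx, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", s, err)
		}
		p.TrustedProxies = append(p.TrustedProxies, pfx)
	}
	return p, nil
}

func inAny(a netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(a) {
			return true
		}
	}
	return false
}

// ClientAddress decides which address the policy should judge. The TCP peer
// address is what the server really observed. An X-Forwarded-For header is
// believed only when that peer is a trusted proxy, because any client can
// send the header itself; and even then only the right-most entry is used,
// which is the one the trusted proxy appended from its own connection.
func (p *AccessPolicy) ClientAddress(peer, forwardedFor string) (netip.Addr, error) {
	peerAddr, err := netip.ParseAddr(peer)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("peer address %q: %w", peer, err)
	}
	if forwardedFor == "" || !inAny(peerAddr, p.TrustedProxies) {
		return peerAddr, nil
	}
	hops := strings.Split(forwardedFor, ",")
	last := strings.TrimSpace(hops[len(hops)-1])
	a, err := netip.ParseAddr(last)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("forwarded address %q: %w", last, err)
	}
	return a, nil
}

// Allowed reports whether a request from peer (with an optional
// X-Forwarded-For value) may access the restricted pages.
func (p *AccessPolicy) Allowed(peer, forwardedFor string) (bool, error) {
	addr, err := p.ClientAddress(peer, forwardedFor)
	if err != nil {
		return false, err
	}
	return inAny(addr, p.AllowedNets), nil
}

func main() {
	// Constructed demo values: 10.0.0.0/8 is the company network, 192.0.2.10 the reverse proxy.
	policy, err := NewAccessPolicy([]string{"10.0.0.0/8"}, []string{"192.0.2.10/32"})
	if err != nil {
		panic(err)
	}
	cases := []struct{ peer, xff string }{
		{"10.1.2.3", ""},                        // employee on the LAN: allowed
		{"203.0.113.5", "10.1.2.3"},             // outside host forging the header: denied
		{"192.0.2.10", "10.1.2.3"},              // employee arriving via the trusted proxy: allowed
		{"192.0.2.10", "10.1.2.3, 203.0.113.5"}, // proxy saw an outside host; the forged prefix is ignored: denied
	}
	for _, c := range cases {
		ok, err := policy.Allowed(c.peer, c.xff)
		fmt.Printf("peer=%-12s xff=%-24q allowed=%v err=%v\n", c.peer, c.xff, ok, err)
	}
}
```

The second and fourth cases are the ones that matter: a header value is just bytes the client chose, so the decision must rest on the peer address unless that peer is infrastructure you operate.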



Identity-based Controls: the most common method of access control on websites is via usernames and passwords. However, passwords are easily shared or forgotten, users often select easily-guessed passwords, and there are a number of tools available to serious hackers that enable them to guess most passwords. Thus, alternative identity-based controls have been developed. Many companies now implement a VPN (Virtual Private Network) to enable employees to connect to internal networks from outside the company, though these can be costly and troublesome to implement. Smart cards, or software, containing an encrypted public key to identify valid users are one of the many other options in this area.



Single Sign-on Authentication: this technology allows the same user to sign on to multiple Ebusiness applications without having to type in their userid/password for each site. There are a number of offerings of this kind of technology. The most common names in this field are Netegrity SiteMinder and X at the top end, and Gator Ewallet and RoboForms at the lower end of the market.



Integrated Authentication: the best known offering in this area is NT/Windows 2000/3 authentication. This, in effect, provides single sign-on to Microsoft applications that support it, such as SQL Server and any of the Windows operating systems.



Cryptography



Cryptography can be implemented through the encryption of data sent to and from a website, and through digital signatures and certificates which prove that the sender and recipient are who they claim to be.



Non-repudiation: cryptographic receipts are created so that the author of a message cannot falsely deny sending the message.



Code Signing: a digital certificate can be enclosed within a Jar file (for Java code) or a Cab file (for ActiveX controls) to indicate that the code was created by a trusted party and has not been tampered with since being created.



Confidentiality: encryption can scramble information sent over the internet so that eavesdroppers cannot access the data's content.



Integrity: digitally signed message digest codes can be used to verify that a message has not been modified while in transit.
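As an added example covering the non-repudiation, confidentiality and integrity points above (code written for this edit, not taken from the article), this Go program signs the SHA-256 digest of a constructed order message with an Ed25519 key, shows that verification fails once the message is altered, and encrypts the same message with AES-256-GCM so that a flipped bit in transit is detected rather than decrypted into garbage. The keys are generated inline for the demo; in practice the signing key would sit behind a certificate issued by a CA of the kind the article describes, and the session key would be agreed over SSL/TLS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignDigest signs the SHA-256 digest of msg with the sender's private key.
// Only the holder of that key can produce the signature, which is what gives
// the receipt its non-repudiation property.
func SignDigest(priv ed25519.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyDigest recomputes the digest and checks the signature against the
// sender's public key; any change to msg makes this return false.
func VerifyDigest(pub ed25519.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ed25519.Verify(pub, digest[:], sig)
}

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key. The random
// nonce is prepended to the output; GCM also authenticates the ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it fails if the key is wrong or the data was altered.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Demo runs the exchange on a constructed order and reports whether the
// signature verifies on the original, whether it still verifies after the
// order is altered (it must not), whether decryption round-trips, and whether
// a modified ciphertext is rejected.
func Demo() (sigValid, sigValidAfterTamper, roundTrip, tamperDetected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, false, err
	}
	order := []byte("order 1001: 2 x widget, ship to customer 42") // constructed message
	sig := SignDigest(priv, order)
	sigValid = VerifyDigest(pub, order, sig)
	tampered := []byte("order 1001: 9 x widget, ship to customer 42")
	sigValidAfterTamper = VerifyDigest(pub, tampered, sig)

	key := make([]byte, 32) // session key; agreed via SSL/TLS in a real deployment
	if _, err = rand.Read(key); err != nil {
		return false, false, false, false, err
	}
	sealed, err := Encrypt(key, order)
	if err != nil {
		return false, false, false, false, err
	}
	opened, err := Decrypt(key, sealed)
	if err != nil {
		return false, false, false, false, err
	}
	roundTrip = string(opened) == string(order)
	sealed[len(sealed)-1] ^= 0x01 // one bit flipped "in transit"
	_, tamperErr := Decrypt(key, sealed)
	tamperDetected = tamperErr != nil
	return sigValid, sigValidAfterTamper, roundTrip, tamperDetected, nil
}

func main() {
	a, b, c, d, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature valid: %v, valid after tampering: %v, decrypt round-trip: %v, ciphertext tampering detected: %v\n", a, b, c, d)
}
```

Signing the digest rather than the raw message matches the "signed message digest" wording above; the receiver recomputes the digest from what it actually received, so a message altered in transit cannot carry a valid signature without the sender's private key.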



To read this complete article go to http://mishj.brinkster.net/intranet/esecurity.doc



About the author: Michelle Johnston is an Ebusiness expert. She is currently Ebusiness Director of Apogee Interactive Inc. in Atlanta, USA.



 

 
