Current Situation
Up until recently, security was very much like teenage sex in that it was typified by lots of talk but no action. Companies declared their sites as secure simply because the credit card payment page was protected by SSL (Secure Socket Layer). Even now, there is an overwhelming sense of complacency across the industry. However, Etailers are reportedly still finding that web shoppers are very concerned about security. It is becoming increasingly essential that Etailers gain the trust and confidence of their customers, not only to gain competitive advantage over their competition, but simply to stay in business. With the increasing use of Ebusiness for enabling business processes and operations across the internet, it is critical for organizations to recognize information as a valuable business asset and implement controls to secure it: to ensure the privacy of their customers’ data, the integrity of that data, and that they do not lose it!
General Security Issues
The aim of a good security strategy for an Ebusiness organization should be to combine maximum flexibility, performance, and scalability with the highest availability and security.
The goal of a security strategy is to protect information assets through:
• Authentication – identifying the parties involved in communications and transactions
• Access – providing access to appropriate levels of information (with as little inconvenience as possible) to those who should have access, while preventing access by anyone who should not have it, and preventing access beyond the level of information appropriate to the user’s ‘class’
• Confidentiality – ensuring that information is not accessed by unauthorized parties
• Non-Repudiation – ensuring that transactions, once committed, are legally valid and irrevocable
• Availability – ensuring that transactions or communications can be executed reliably upon demand.
Top management needs to understand that security is a hygiene factor: when it is there, and is effective and efficient, people hardly notice it at all; however, when it is not there it can mean the end of the business overnight. It is essential to get it right, particularly for transactions placed over the Internet.
Further, management needs to understand that security is a never-ending process. Security policies and measures should be under constant review; network support teams should monitor newsgroups etc. for information about the latest threats to security (e.g. the latest virus attacks, hackers, security loopholes in software products, etc.); security audits must take place to ensure procedures are working; logs of unauthorized access should be reviewed; and disaster recovery plans should be tested out regularly.
Many companies have now either been bitten by the problems inherent in having no real built-in security policies, or have seen media reports about others who have been bitten. MSNBC reported cases in which large numbers of credit card numbers and associated information had been stolen from sites in March 2000. Visa had earlier announced that around half its disputes concern internet-based credit card transactions, despite these only making up 2% of its total revenue. The Melissa virus caused an estimated $80 million of damage, and the Love Bug similarly wreaked havoc across the world. Denial of Service attacks have hit big names like Amazon.com, Ebay and Yahoo, causing loss in terms of revenue and public image. There is much evidence to suggest that reported cases are simply the tip of a very large iceberg, as many security breaches go unreported due to the embarrassment caused by admitting to them and the risks to future business of doing so.
For the consumer, there is not only the worry that personal information such as credit card data could be stolen, but also the worry that anyone they appear to be dealing with on the internet could be untrustworthy – and even when dealing with a company known and trusted, there is the risk that in reality the consumer is dealing with an imposter. Thus, it is up to those with integrity who are running websites to find ways to reassure the consumer that it is safe to use their websites – for example, by providing Digital Certificates verified by a trusted third party such as Verisign.
It is very difficult for governments and legislative systems to protect the consumer from internet fraudsters and conmen, because national boundaries are very difficult to establish or enforce on the internet as content is accessible from everywhere. The US and UK, among others, are investigating the possibility of policing the internet using national ‘cybercrime units’. Financial regulators such as the SEC in the US and the FSA in the UK are looking at measures to help them control websites within their own jurisdictions.
International bodies like the OECD and the European Union are working on standards for Ecommerce to be implemented and enforced at a national level by governments, but progress is very slow because industry opposes the idea of government intervention, preferring to rely on self-regulation.
Procedures
At last, many large organizations are now taking security fairly seriously. However, there is still a great deal of misunderstanding about what security really means for an organization that uses Internet technologies to trade. Organizations deploying internet technologies tend to focus on the technologies rather than the procedures behind the technologies.
Having solid security procedures in place is often much more important than the technology which is used to implement security. The benefits of using SSL to gather credit card information from a consumer over the web could be nullified if it is common practice within the organization to subsequently email those details from one department to another. Putting virus scanning technology into place in an organization is only useful if the virus scanner is updated regularly as new viruses are found.
Procedures are required to ensure that the technologies are being used effectively to meet the organizational security goals. Such procedures should include clear divisions of responsibility for the different areas of security: backup procedures, disaster recovery procedures, physical security (security card control, building security, etc.), password procedures, system access levels and authorization procedures, virus control procedures, firewall policies, and all other traditional areas of security which an organization should have under control.
Procedures should ensure that whenever not in use, server consoles are locked using passwords, that all access attempts to all systems are logged and audited, and that passwords are not easily guessed and are changed regularly. They should ensure that all network systems and web servers are kept in secure locations, and that redundant systems exist for all key hardware – not only the network systems themselves (including servers, firewalls, hubs and routers) but also air conditioning and power systems. In addition, it is key that proper testing procedures, source code/change control and defect tracking procedures are in place. It should go without saying that internet applications which carry out transactions should be thoroughly tested, and yet it is incredible how many ‘holes’ are created on Ecommerce web sites due to shoddy programming and testing. Preferably, web applications should be tried out by ‘professional hackers’ who can look for loopholes in programs written for the web. Silicon.com reported in October that Marks and Spencer’s website (marksandspencer.com) had an error caused by a broken link which, when followed, produced an error message containing confidential material such as passwords, credit card dummies and other log-in information.
Testing of internet applications should be supported by systems which enable changes to code to be made easily and effectively, so that unauthorized/untested changes do not slip through into the production system and so that changes made to source code are not later ‘undone’ accidentally due to poor source code control.
Internet Specific Issues
While security should be a concern for any IT organization, there are some aspects of security which are specific to internet-based activities. Authentication, non-repudiation, encryption, privacy, and integrity of data are all issues made more important by the use of web technologies, inherently an open and anonymous form of communication. The internet presents added security issues because there is no centralised infrastructure: it operates 24 x 7 on a huge global scale and therefore has millions of potential users, any one of whom could at any time attempt to access non-public information. Some will do so by accident, some just out of curiosity, and some with malicious intent will relentlessly test out every aspect of your system until they find a security hole through which they can create havoc. Security is also a moving target, as new methods become available to hackers all the time with technology advancing rapidly. By its very nature, the internet was developed to allow openness, and this makes it all the more complex to implement security over the top of the internet without making it difficult for authorized parties to access the data you wish them to be able to access. Severe damage is often detected too late.
Technologies
Access controls and cryptography can help to prevent unauthorized access to information, but they are only part of the picture. Organizations are now employing complete PKI and CA infrastructures, such as the Onsite Managed Trust Services provided by Verisign, in order to provide them with the flexibility and control they need throughout the enterprise, allowing them to issue their own digital certificates, secure access to extranets/intranets, secure transactions, encrypt email and carry out authentication.
Access Controls
Hidden URLs – one easy way to restrict access to information and services is to put the information at unpublished URLs and provide the URL only to those who should have access to the information at that address. Clearly this is not a high security option and is unacceptable for most purposes. There are various tools open to serious hackers that enable them to ‘find’ hidden URLs (spiders etc.), and of course it is possible that the locations of the URLs are passed on to others by those who are authorized to access the URLs.
Host-based Restrictions – it is possible to restrict access to a web address (or to a web server, if using a firewall) by IP address or DNS hostname. This method can enforce that only web users operating from within a particular domain or network can access the web page. This is useful if an external web site contains some pages which should only be accessed by employees of the company, as it can be used to deny access to anyone not operating from within the company’s network. This method is not totally foolproof, as it cannot deal with unauthorized access due to ‘spoofing’ (whereby a user ‘pretends’ to come from an authorized network address).
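The host-based restriction just described, as an added example written for this page (it is not code from the article or from any product it names). It assumes a Go web server where the restricted pages live under /staff/, and the "company network" prefixes 192.0.2.0/24 and 2001:db8::/32 are constructed placeholders. The decision is taken on the TCP peer address only; the X-Forwarded-For header, which any client can fill in with an internal address, is deliberately ignored, and refusals are logged so that the audit of access attempts called for earlier has something to review.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/netip"
)

// allowedNets is a constructed stand-in for "the company's network".
// A real deployment would load these prefixes from configuration.
var allowedNets = mustPrefixes("192.0.2.0/24", "2001:db8::/32")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// clientAllowed decides on the TCP peer address alone (the host:port string
// Go places in http.Request.RemoteAddr). Headers such as X-Forwarded-For
// are deliberately not consulted: a client can write any address it likes
// into them, so trusting them reintroduces the spoofing problem at the
// application layer. Only a reverse proxy you operate should be believed
// about the original client address.
func clientAllowed(remoteAddr string) (bool, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false, fmt.Errorf("bad remote address %q: %w", remoteAddr, err)
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false, fmt.Errorf("bad remote address %q: %w", remoteAddr, err)
	}
	// An IPv4 client reaching a dual-stack listener appears as ::ffff:a.b.c.d;
	// Unmap folds it back so the IPv4 prefixes above still match it.
	addr = addr.Unmap()
	for _, p := range allowedNets {
		if p.Contains(addr) {
			return true, nil
		}
	}
	return false, nil
}

// restrictToInternal wraps a handler so that only internal clients reach it.
// Every refusal is logged for later audit.
func restrictToInternal(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, err := clientAllowed(r.RemoteAddr)
		if err != nil || !ok {
			log.Printf("denied %s -> %s (err=%v)", r.RemoteAddr, r.URL.Path, err)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	staffOnly := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "internal staff page")
	})
	mux := http.NewServeMux()
	mux.Handle("/staff/", restrictToInternal(staffOnly))
	log.Println("listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

Because the check uses the socket address, a client outside the allowed prefixes gets 403 even if it sends a forged X-Forwarded-For header; what the check cannot see is a forged source IP at the network layer, which is the limitation the text describes.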
Identity-based Controls
The most common method of access control on websites is via usernames and passwords. However, passwords are easily shared or forgotten, users often select easily-guessed passwords, and there are a number of tools available to serious hackers that enable them to guess most passwords easily. Thus, alternative identity-based controls have been developed.
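The Procedures section above asks that all access attempts be logged and audited, and the paragraph just above notes that password-guessing tools exist. The following is an added example, not taken from the article, of the audit side of that: it reads a constructed authentication log (the format and every entry are invented for this page), flags source addresses whose failure rate looks like a guessing tool rather than a forgotten password, and lists accounts that then logged in successfully from such a source, which are the ones to review and reset.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed authentication log (not from any real system):
// one attempt per line as "timestamp user source result".
const sampleLog = `2000-10-02T09:00:01Z alice 192.0.2.10 OK
2000-10-02T09:00:05Z admin 198.51.100.7 FAIL
2000-10-02T09:00:06Z admin 198.51.100.7 FAIL
2000-10-02T09:00:07Z root 198.51.100.7 FAIL
2000-10-02T09:00:08Z admin 198.51.100.7 FAIL
2000-10-02T09:00:09Z admin 198.51.100.7 FAIL
2000-10-02T09:00:10Z admin 198.51.100.7 FAIL
2000-10-02T09:01:00Z bob 192.0.2.11 FAIL
2000-10-02T09:01:20Z bob 192.0.2.11 OK
2000-10-02T09:30:00Z admin 198.51.100.7 OK`

type attempt struct {
	at     time.Time
	user   string
	source string
	ok     bool
}

// parseLog turns the text into attempts. Malformed lines are an error,
// not skipped: a log the auditor cannot read is itself a finding.
func parseLog(text string) ([]attempt, error) {
	var out []attempt
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || (f[3] != "OK" && f[3] != "FAIL") {
			return nil, fmt.Errorf("line %d: malformed entry %q", n+1, line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, attempt{at: ts, user: f[1], source: f[2], ok: f[3] == "OK"})
	}
	return out, nil
}

// guessingSources returns, sorted, every source address with at least
// threshold failed attempts inside some window of the given length.
// One forgotten password (bob above) stays below the threshold; a tool
// cycling through candidate passwords does not.
func guessingSources(attempts []attempt, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	for _, a := range attempts {
		if !a.ok {
			failures[a.source] = append(failures[a.source], a.at)
		}
	}
	var flagged []string
	for src, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0 // sliding window over the sorted failure times
		for end := range times {
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// accountsToReview lists users who logged in successfully from a flagged
// source: the guessing may have worked, so those accounts need a human
// look and a forced password change.
func accountsToReview(attempts []attempt, flagged []string) []string {
	isFlagged := map[string]bool{}
	for _, s := range flagged {
		isFlagged[s] = true
	}
	seen := map[string]bool{}
	var users []string
	for _, a := range attempts {
		if a.ok && isFlagged[a.source] && !seen[a.user] {
			seen[a.user] = true
			users = append(users, a.user)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	attempts, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	flagged := guessingSources(attempts, 5, time.Minute)
	fmt.Println("sources showing password guessing:", flagged)
	fmt.Println("accounts to review:", accountsToReview(attempts, flagged))
}
```

The threshold and window are the tuning knobs: set them from what a legitimate user plausibly does (a handful of failures over a minute), and route the flagged list into the regular log review the article calls for rather than leaving it in a file nobody opens.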
Many companies now implement a VPN (Virtual Private Network) to enable employees to connect to internal networks from outside of the company, though these can be costly and troublesome to implement. Smart cards, or software, containing an encrypted public key to identify valid users are one of the many other options in this area.
Authentication
Single Sign-on – this technology allows the same user to sign on to multiple Ebusiness applications without having to type in their userid/password for each site. There are a number of offerings of this kind of technology. The most common names in this field are Netegrity SiteMinder and X at the top end, and Gator Ewallet and RoboForms at the lower end of the market.
Integrated Authentication – the best known offering in this area is NT/Windows 2000/3 authentication. This, in effect, provides single sign-on to Microsoft applications that support it – such as SQL Server and any of the Windows operating systems.
Cryptography
Cryptography can be implemented through the encryption of data sent to and from a website and through digital signatures and certificates which ‘prove’ that the sender and recipient are who they claim to be.
Non-repudiation – cryptographic receipts are created so that the author of a message cannot falsely deny sending the message.
Code Signing – a digital certificate can be enclosed within a JAR file (for Java code) or a CAB file (for ActiveX controls) to indicate that the code was created by a trusted party and has not been tampered with since being created.
Confidentiality – encryption can scramble information sent over the internet so that eavesdroppers cannot access the data’s content.
Integrity – digitally signed message digest codes can be used to verify that a message has not been modified while in transit.
To read this complete article go to http://mishj.brinkster.net/intranet/esecurity.doc
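The Non-repudiation and Integrity items above both rest on one mechanism: a digest of the message, signed with a key only the sender holds. The following added example (written for this page, not code from the article or any product it names) shows that mechanism end to end. Ed25519 is this example's choice of signature scheme, since the article names none, and the order message and key pairs are constructed on the spot; a real deployment would bind the public key to the sender through a certificate from a CA, as the article's PKI discussion describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Receipt is one concrete form of the "cryptographic receipt" the text
// mentions: the SHA-256 digest of the message plus the sender's signature
// over that digest. Anyone holding the sender's public key can check both.
type Receipt struct {
	Digest    [sha256.Size]byte
	Signature []byte
}

// signMessage digests the message and signs the digest with the sender's
// private key. Only the holder of that key can produce the signature,
// which is what later lets the recipient refute a false denial.
func signMessage(priv ed25519.PrivateKey, msg []byte) Receipt {
	d := sha256.Sum256(msg)
	return Receipt{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// verifyMessage recomputes the digest from the message as actually
// received and checks the signature against it with the sender's public
// key. It reports false if the text changed in transit or if the
// signature was made with some other key (an imposter).
func verifyMessage(pub ed25519.PublicKey, msg []byte, r Receipt) bool {
	d := sha256.Sum256(msg)
	if d != r.Digest {
		return false // received text no longer matches the digest that was signed
	}
	return ed25519.Verify(pub, d[:], r.Signature)
}

func main() {
	// Constructed scenario: a customer sends an order to an Etailer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := []byte("order 1042: 2 x widget, ship to 1 Example St")
	receipt := signMessage(priv, order)
	fmt.Println("genuine order verifies:  ", verifyMessage(pub, order, receipt))

	// Integrity: a quantity altered in transit no longer matches the digest.
	tampered := []byte("order 1042: 20 x widget, ship to 1 Example St")
	fmt.Println("altered order verifies:  ", verifyMessage(pub, tampered, receipt))

	// Authentication: an imposter with their own key pair cannot produce a
	// receipt that checks out under the real customer's public key.
	_, imposterKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := signMessage(imposterKey, order)
	fmt.Println("imposter's receipt verifies:", verifyMessage(pub, order, forged))
}
```

Code signing, as described in the Code Signing item, is the same check with the digest taken over the JAR or CAB archive and the public key supplied inside the enclosed certificate; confidentiality is the one property this example does not provide, since nothing here is encrypted.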
About the author:
Michelle Johnston is an Ebusiness expert. She is currently Ebusiness Director of Apogee Interactive Inc. in Atlanta, USA.