... ... until ... security was very much like teenage sex in that it was typified by lots of talk but no action. ... declared their sites as secure simply because the
Up until recently, security was very much like teenage sex in that it was typified by lots of talk but no action. Companies declared their sites as secure simply because the credit card payment page was protected by SSL (Secure Socket Layer). Even now, there is an overwhelming sense of complacency across the industry.
However, Etailers, are reportedly still finding that web shoppers are still very concerned about security. It is becoming increasingly essential that Etailers gain the trust and confidence of their customers in order to gain competitive advantage over their competition, but also, simply to stay in business.
With the increasing use of Ebusiness for enabling business processes and operations across the internet, it is critical for organizations to recognize information as a valuable business asset and implement controls to secure it, to ensure the privacy of their customer’s data, the integrity of that data and to ensure that they do not lose it!
General Security Issues
The aim of a good security strategy for an Ebusiness organization should be to combine maximum flexibility, performance, and scalability with the highest availability and security. The goal of a security strategy is to protect information assets through:
•Authentication – identifying the parties involved in communications and transactions •Access – provide access to appropriate levels of information (with as little inconvenience as possible) to those who should have access, but prevent access to anyone who should not have access, and prevent access beyond the level of information that is appropriate to the user’s ‘class’ •Confidentiality – ensuring that information is not accessed by unauthorized parties •Non-Repudiation – ensuring that transactions, once committed, are legally valid and irrevocable •Availability – ensuring that transactions or communications can be executed reliably upon demand.
Top management needs to understand that security is a hygiene factor: when it is there, and is effective and efficient, people hardly notice it at all; however, when it is not there it can mean the end of business overnight. It is essential to get it right, particularly for transactions placed over the Internet.
Further, management needs to understand that security is a never-ending process. Security policies and measures should be under constant review, network support teams should monitor newsgroups etc for information about the latest threats to security (e.g. the latest virus attacks, hackers , security loopholes in software products, etc), security audits must take place to ensure procedures are working, logs of unauthorized access should be reviewed, and disaster recovery plans should be tested out regularly.
Many companies have now either been bitten by the problems inherent in having no real built in security policies, or have seen media reports about others who have been bitten.
MSNBC reported cases in which large numbers of credit card numbers and associated information had been stolen from sites in March 2000. Visa had earlier announced that around half its disputes concern internet based credit card transactions, despite these only making up 2% of its total revenue . The Melissa virus caused an estimated $80 million damage, and the Love Bug similarly wreaked havoc across the world. Denial of Service attacks have hit big names like Amazon.com, Ebay and Yahoo, causing loss in terms of revenue and public image.
There is much evidence to suggest that reported cases are simply the tip of a very large iceberg as many security breaches go unreported due to the embarrassment caused by admitting to them and the risks to future business of doing so.
For the consumer, there is not only the worry that personal information such as credit card data could be stolen, but there is also the worry that anyone they appear to be dealing with on the internet could be untrustworthy – and even when dealing with a company known and trusted there is the risk that in reality the consumer is dealing with an imposter. Thus, it is up to those with integrity who are running websites to find ways to reassure the consumer that it is safe to use their websites – for example, by providing Digital Certificates verified by a trusted third party such as Verisign .
It is very difficult for Governments and the Legislation systems to protect the consumer from internet fraudsters and conmen because national boundaries are very difficult to establish or enforce on the internet as content is accessible from everywhere. The US and UK, among others, are investigating the possibility of policing the internet using national ‘cybercrime units’. Financial regulators such as the SEC in the US and the FSA in the UK are looking at measures to help them in controlling websites within their own jurisdictions. International bodies like the OECD and the European Union are working on standards for Ecommerce to be implemented and enforced at a national level by governments, but progress is very slow because industry opposes the idea of government intervention, preferring to rely on self-regulation.
At last, many large organizations are now taking security fairly seriously. However there is still a great deal of misunderstanding about what security really means for an organization that uses Internet technologies to trade.
Organizations deploying internet technologies tend to focus on the technologies rather than the procedures behind the technologies. Having solid security procedures in place is often much more important than the technology which is used to implement security. The benefits of using SSL to gather credit card information from a consumer over the web could be nullified if it is common practice within the organization to subsequently email them from one department to another. Putting virus scanning technology into place in an organization is only useful if the virus scanner is updated regularly as new viruses are found. Procedures are required to ensure that the technologies are being used effectively to meet the organizational security goals.
Such procedures should include clear divisions of responsibility for the different areas of security: backup procedures, disaster recovery procedures, physical security (security card control, building security, etc), password procedures, system access levels and authorization procedures, virus control procedures, firewall policies, and all other traditional areas of security which an organization should have under control.
Procedures should ensure that whenever not in use, server consoles should be locked using passwords, that all access attempts to all systems are logged and audited and that passwords are not easily guessed and are changed regularly. They should ensure that all network systems and web servers are kept in secure locations, and that redundancy systems exist for all key hardware – not only the network systems themselves (including servers, firewalls, hubs and routers) but also air conditioning and power systems.
In addition, it is key that proper testing procedures, source code/change control and defect tracking procedures are in place.
It should go without saying that internet applications which carry out transactions should be thoroughly tested and yet it is incredible how many ‘holes’ are created on Ecommerce web sites due to shoddy programming and testing. Preferably web applications should be tried out by ‘professional hackers’ who can look for loopholes in programs written on the web. Silicon.com reported in October that Marks and Spencer’s website (marksandspencer.com) had an error on it caused by a broken link, that when activated caused an error message which contained confidential material such as passwords, credit card dummies and other log-in information.
Testing of internet applications should be supported by systems which enable changes to code to be made easily and effectively, so that unauthorized/untested changes do not slip through into the production system and that changes made to source code are not later ‘undone’ accidentally due to poor source code control.
Internet Specific Issues
While security should be a concern for any IT organization, there are some aspects of security which are specific to internet-based activities.
Authentication, non repudiation, encryption, privacy, and integrity of data are all issues made more important by the use of web technologies, inherently an open and anonymous form of communication.
The internet provides added security issues, because there is no centralised infrastructure, it operates 24 x 7, over a huge global scale and therefore has millions of potential users, of whom any one could at any time attempt to access non-public information. Some will do so by accident, some just out of curiosity and some using malicious intent will relentlessly test out every aspect of your system until they find a security hole through which they can create havoc.
Security is also a moving target, as new methods become available to hackers all the time, with technology increasing rapidly. By its very nature, the internet was developed to allow openness and this makes it all the more complex to implement security over the top of the internet without making it difficult for authorized parties to access data you wish them to be able to access. Severe damage is often detected too late.
Access controls and cryptography can help to prevent unauthorized access to information, but they are only part of the picture.
Organizations are now employing complete PKI and CA infrastructures, such as Onsite Managed Trust Services provided by Verisign, in order to provide them with the flexibility and control they need throughout the enterprise, allowing them to issue their own digital certificates, secure access to extranets/intranets, secure transactions, encrypt email and to carry out authentication.
Hidden URLs –one easy way to restrict access to information and services is to put the information at unpublished URLs and provide the URL only to those who should have access to the information at that address. Clearly this is not a high security option and is unacceptable for most purposes. There are various tools open to serious hackers that enable them to ‘find’ hidden URLs (spiders etc.), and of course it is possible that the locations of the URLs are passed on to others by those who are authorized to access the URLs.
Host-based Restrictions – it is possible to restrict access to a web address (or to a web server, if using a firewall) by IP address or DNS hostname. This method can enforce that only web users operating from within a particular domain or network can access the web page. This is useful if an external web site contains some pages which should only be accessed by employees of the company, as it can be used to deny access to anyone not operating from within the company’s network. This method is not totally foolproof as it cannot deal with unauthorized access due to ‘spoofing’ (whereby a user ‘pretends’ to come from an authorized network address).
Identity-based Controls The most common method of access control on websites is via usernames and passwords. However, passwords are so easily shared/forgotten, often users select easily-guessed passwords and there are a number of tools available to serious hackers to enable them to easily guess most passwords. Thus, alternative identity-based controls have been developed. Many companies now implement a VPN (Virtual Public Network) to enable employees to connect to internal networks from outside of the company, though these can be costly and troublesome to implement. Smart cards, or software, containing an encrypted public key, to identify valid users are one of the many other options in this area.
Authentication Single Sign-on – this technology allows the same user to sign on to multiple Ebusiness applications without having to type in their userid/password for each site. There are a number of offerings of this kind of technology. The most common names in this field are Netegrity SiteMinder and X at the top end, and Gator Ewallet and RoboForms at the lower end of the market.
Integrated Authentication – The best known offering in this area is Nt/Windows 2000/3 authentication. This, in effect, provides single sign-on to Microsoft applications that support it – such as SQL Server and any of the Windows operating systems.
Cryptography can be implemented through the encryption of data sent to and from a website and through digital signatures and certificates which ‘prove’ that the sender and recipient are who they claim to be.
Non-repudiation – cryptographic receipts are created so that the author of a message cannot falsely deny sending the message.
Code Signing – a digital certificate can be enclosed within a Jar file (for java code) or a Cab file (for activex controls) to indicate that the code was created by a trusted party and has not been tampered with since being created.
Confidentiality- encryption can scramble information sent over the internet so that eavesdroppers cannot access the data’s content.
Integrity – digitally signed message digest codes can be used to verify that a message has not been modified while in transit.
To read this complete article go to http://mishj.brinkster.net/intranet/esecurity.doc