Feature
posted 9 Jan 2002 in Volume 5 Issue 6
SECURITY AND TRUST: Secure e-business? It’s ‘a people issue’
Robin Dahlberg, Internet Security Systems’ Managing Director for UK and Ireland operations, discusses the whys and wherefores of e-business security and argues for a holistic approach that places as much emphasis on management techniques and insider threats as it does on technology and external attackers.
When network resources are not available, the online business cannot make money. Employee productivity evaporates until operating systems can be reinstalled, networks rebuilt and data integrity verified. Business opportunities move on to other organisations. Even limited or sporadic service interruptions can seriously damage the return on investment in a corporate portal, delaying profitability and limiting future growth. When data is corrupt and systems are under attack - whether from outside the organisation or the inside - customers take their money elsewhere. In other words, no organisation can deliver reliably available e-business systems if it is not actively monitoring the e-business security environment.
There are other questions to consider when it comes to information security besides its impact on earnings. In online businesses, information is usually the basis for competitive and strategic advantage. Therefore, managing the risk of exposure for online information can assume legal importance. Organisations that adhere to a strict regimen of security policy development, management and compliance do more than improve corporate financial performance. They also reduce the chance of legal exposures and liabilities due to negligent protection of key corporate assets.
Until relatively recently, e-business security was built primarily on browser-based encryption systems such as secure sockets layer (SSL) and username/password authentication. Both methods are relatively easy to implement, and both come bundled as basic components in web browsers and servers. Unfortunately, neither method provides much of an obstacle to attack and misuse.
Adding to the confusion is the ‘open’ nature of internet connectivity. With 65 000 communications ports on any given network device, attackers have many avenues for subverting security infrastructure. Perfect security would effectively mean watching 65 000 doors and windows simultaneously - 24 hours a day, every day, and never blinking.
According to traditional network security methodology, point solutions are sufficient to protect the e-business environment provided a sufficient number of devices are deployed in a sufficient number of places. This is the department store equivalent of placing security guards in every department, tags on all the goods, sensors on all the doors to detect tags leaving the store improperly, and surveillance cameras to watch all employees and visitors.
While we are on the subject of ‘watching’ people, the online business organisation is well advised to be as careful with its own staff as it is with visitors. Surveys in the UK and the US indicate that insiders perpetrate many more costly security breaches than external attackers. This is not to suggest for a moment that every organisation’s employees are hell-bent on malicious online activity. While the occasional breach may occur because of the actions of a disgruntled worker, it is far more common for security incidents to result from simple ignorance.
Typically, employees expose their organisation to risk by opening unsolicited email attachments, loading unauthorised software from suspect diskettes or CDs, or adding unauthorised modems to their PC. When they do these things it is because they just do not see the harm in it. No amount of security technology will ever, by itself, enable organisations to deal with such instances. Management techniques such as policy development and education are far more effective.
To return for a moment to our department store analogy, big stores learned long ago that risk cannot be eliminated. Instead, it must be managed. Thus stores keep strict control of overstocking, mix styles to hedge against changing tastes, and use sales to move stale inventory. Static physical security is used where it makes practical, cost-effective sense, protecting the goods that cost the most to replace. Staff will generally be held accountable for theft and misuse.
Most importantly, department store managers see security as a continuous process. As new needs arise, the system adapts and grows to meet changing circumstances. Part of the goal is to contain losses due to theft and vandalism, but a significant amount of security is in place to protect the store’s brand equity.
Managing the human element
In the online business world, firewalls, encryption servers, card keys, virtual private networks and similar technologies do not eliminate risk so much as shift it from one part of the network to another. Human interaction with systems can in any case render such technologies useless. If, for example, employees are left to their own devices and allowed to choose poor passwords, borrow card keys or reconfigure their PCs, then access control and authentication technologies lose their functional utility.
Internet encryption technologies can also be inadequate unless their deployment is carefully managed. It is not uncommon for networking staff to rely on strong encryption to protect customers’ financial details while in transit, where they are at their least vulnerable, without considering whether human error might leave those details exposed to threats before or after transmission. Credit card data, for example, is routinely encrypted when it is transmitted. However, there have been several well-publicised cases in which credit card numbers have been stolen by an attacker or revealed to other online customers by careless merchants who, once they received that data, stored it in unencrypted form.
Responsibility for protecting online assets tends to devolve over time from the people working with the data to information technology staff physically removed from the data creation process. IT staff all too frequently attempt to put all their security resources on the network perimeter, leaving data exposed to internal misuse. If they ‘wall off’ functional groups within their organisation from one another, network performance can degrade and system users perceive the barriers as unnecessary. Vigilance begins to wane as limited numbers of employees with limited resources find they cannot cope with all needs and eventualities. System users frustrated with performance obstacles begin to actively subvert the organisation’s security safeguards, and breakdowns in protection become inevitable.
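The storage failure described above, as an added example that is not part of the original article or of any Internet Security Systems product: the first path persists the decrypted order exactly as the merchant received it, the second keeps only the last four digits plus a token from a separate card vault, and a Luhn-based scan lets the defender check backups, dumps and logs for full card numbers that should not be there. The vault class, the record layout and the order data are constructed for this example; the vault is an in-memory dictionary standing in for a properly isolated, encrypted-at-rest tokenisation service.

```python
"""Added example (not from the article): 'encrypted in transit' is not enough.
The vulnerable path writes the full card number as received; the hardened path
stores only what the business needs and a Luhn scan verifies that no full PAN
leaked into storage or logs. All names, records and card numbers are constructed."""
import json
import re
import secrets

# Constructed sample order; the card number is a standard test PAN that passes Luhn.
SAMPLE_ORDER = {"order_id": "A-1001", "customer": "alice", "amount": "49.99",
                "card_number": "4111111111111111", "expiry": "12/29"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Defender's check: digit runs of 13-19 that pass Luhn, i.e. probable PANs.
    Run over backups, database dumps and log files; any hit means card data
    is being kept in the clear."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]


def store_order_vulnerable(order: dict) -> str:
    """The careless merchant: the decrypted request is written out verbatim."""
    return json.dumps(order)


class CardVault:
    """Stand-in for a separate, PCI-scoped tokenisation service. Here it is an
    in-memory dict (an assumption for the example); in production the vault is
    encrypted at rest and isolated from the order system."""
    def __init__(self):
        self._cards = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._cards[token]


def store_order_hardened(order: dict, vault: CardVault) -> str:
    """Order record keeps only the last four digits plus a vault token."""
    pan = order["card_number"]
    record = {k: v for k, v in order.items() if k != "card_number"}
    record["card_last4"] = pan[-4:]
    record["card_token"] = vault.tokenise(pan)
    return json.dumps(record)


if __name__ == "__main__":
    vault = CardVault()
    bad = store_order_vulnerable(SAMPLE_ORDER)
    good = store_order_hardened(SAMPLE_ORDER, vault)
    print("vulnerable record leaks:", find_pans(bad))
    print("hardened record leaks:  ", find_pans(good))
```

The scan function is the part worth keeping even if the storage design is different: run it over whatever the order system writes to disk, and a non-empty result is the misconfiguration the article describes.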
Secure e-business management principles
So if traditional point solutions and IT security methodologies are inadequate, how should the online business set about protecting its digital assets from compromise by insiders as well as outsiders? Secure e-business follows a simple set of management principles:
• Strive to understand your networks and the business objectives they support. Some systems and information resources are more valuable than others, and not all of them need to be protected equally.
• Develop a thorough and achievable security policy, implement it and update it at regular intervals, being sure to keep all members of staff abreast of its contents so that ignorance does not result in internal security compromises. Use this process to streamline and automate operations and enhance cross-platform integration and distribution.
• Enhance point solutions such as firewalls, authentication and encryption with adaptive technologies that maximise effectiveness and help prevent premature obsolescence.
• Purchase infrastructure products and assessment tools from different manufacturers. An independent source of assessment products is much more likely to provide an unbiased evaluation of overall e-business security performance.
• Consider outsourcing some or all security management operations. Doing so allows you to focus internal resources more directly on core business competencies and overcomes the almost inevitable gap between your security policy and availability of the skills needed to implement it.
• Keep it simple: “Shun complexity. Set dirt-simple policies and use measures that are invisible to end-users. Obsess about ease-of-management to reduce the risk of misconfiguration.” (Turning Security On Its Head, Forrester Research, 1999).
Conventional businesses spend a great amount of time and effort developing partner, investor and consumer trust in the physical marketplace. Secure e-business brings that same level of assurance to online, interconnected economies. Organisations wishing to adopt e-business face a stark, obvious choice. Without secure e-business they face limited adoption of Internet, intranet and extranet technologies and expensive, incomplete security implementations. By applying secure e-business management principles, not simply looking for technology-based solutions, companies can move online with assurance, enhancing current market relationships while driving aggressively into tomorrow’s markets and opportunities.
Useful technologies for secure e-business
Vulnerability assessment and intrusion detection technologies can play an important role in the management of secure e-business. Below we provide a brief overview of the technologies available.
There are as many ways to hack into an organisation’s network as there are hackers. Some attacks come from outside the firewall; others come from inside. Some attacks affect the network itself; others affect specific servers. To fully assess network vulnerability, the online business needs a comprehensive set of applications that look at its network in all these ways. At the highest level, vulnerability assessment products should deliver three benefits:
• Predicting risk - What is the current state of the network? Where are security failures likely to occur (or where are they already occurring)?
• Quantifying risk - What failures will cause the most harm, and what objectives will reduce or eliminate the likelihood of this happening?
• Managing risk - Are these objectives being met? Is the risk to the organisation increasing or decreasing? Is security improving or degrading?
Organisations rapidly moving to new e-business models need a cost-effective process for the continual long-term management of their information security risk. Vulnerability assessment solutions should enable this by automating the most difficult part of information security - security measurement.
By utilising scanning technology, organisations can quickly learn exactly where their weak links are and manage the constant, efficient remediation of those weaknesses. This provides organisations not only with the assurance that their digital assets are being protected but also with considerable cost and time savings, by applying automatic security intelligence to their computing infrastructures.
Most scanners fall into one of two basic types: network scanners and host scanners. Network scanners provide a ‘hacker’s eye view’ of the network, automatically probing it to identify the systems, applications and vulnerabilities that are present in the organisation. This should provide an accurate, up-to-date ‘snapshot’ of the organisation’s assets as well as the potential failures - such as downtime due to accidental or malicious system crashes - that might impact the business.
One of the keys to good network security is making sure policies are adhered to. For example, if the organisation has decided that passwords must be changed monthly, yet the marketing department’s server isn’t set up that way, then there is potential for a security incident. This is where a host-based scanner comes in. A good host-based scanner will ensure that enterprise IT systems are compliant with the requirements of the enterprise security policy. While network scanners are ideal for an external view of vulnerabilities across the entire network, host-based scanners provide a much more detailed look at local, enterprise-critical resources such as e-business servers.
Databases frequently contain an organisation’s most sensitive and valuable digital assets, yet are often unprotected and vulnerable to compromise by intruders. Furthermore, databases are not typically subjected to the same level of security scrutiny as operating and network systems. Finally, database systems are extremely complex and difficult to administer and secure correctly, and data integrity can be compromised, and improper access gained, through many factors including insecure password usage, misconfigurations and unrecognised system backdoors. A scanner dedicated to database vulnerability assessment will help the online business deal with these issues, analysing configuration settings and password usage, detecting potential misuse by intruders and providing detailed reports on fixing security vulnerabilities.
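The ‘security measurement’ the last two paragraphs ask for, as an added example that is not part of the original article or of any ISS product: two constructed scan results are compared to give the three answers listed above (where failures are, which matter most, and whether risk is rising or falling). Host names, finding identifiers and severity weights are all constructed for this example; a real scanner would supply its own.

```python
"""Added example (not from the article): vulnerability measurement as a
scan-to-scan comparison. Two constructed scan snapshots are diffed into
new / fixed / persisting findings and rolled into a weighted risk score per
host. Hosts, finding ids, severities and weights are constructed."""
from typing import Dict, List, Set, Tuple

# Constructed weighting; the point is that a critical finding outweighs many lows.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

Finding = Tuple[str, str, str]          # (host, finding_id, severity)

# Constructed snapshots from two consecutive scans.
SCAN_PREVIOUS: List[Finding] = [
    ("ebiz-web-01", "WEB-OLD-TLS", "high"),
    ("ebiz-web-01", "WEB-DIR-LIST", "low"),
    ("ebiz-db-01", "DB-DEFAULT-PW", "critical"),
    ("mkt-srv", "OS-PATCH-MISSING", "medium"),
]
SCAN_CURRENT: List[Finding] = [
    ("ebiz-web-01", "WEB-DIR-LIST", "low"),          # still present
    ("ebiz-db-01", "DB-DEFAULT-PW", "critical"),     # still present, worst item
    ("mkt-srv", "OS-PATCH-MISSING", "medium"),
    ("mkt-srv", "OS-UNAUTH-MODEM", "high"),          # new since last scan
]


def key_set(scan: List[Finding]) -> Set[Tuple[str, str]]:
    """Identity of a finding is (host, finding_id); severity may be re-rated."""
    return {(host, fid) for host, fid, _ in scan}


def diff_scans(previous: List[Finding], current: List[Finding]) -> Dict[str, Set[Tuple[str, str]]]:
    """Predicting risk: what appeared, what was fixed, what nobody dealt with."""
    prev, cur = key_set(previous), key_set(current)
    return {"new": cur - prev, "fixed": prev - cur, "persisting": prev & cur}


def risk_by_host(scan: List[Finding]) -> Dict[str, int]:
    """Quantifying risk: weighted sum of open findings per host."""
    scores: Dict[str, int] = {}
    for host, _, sev in scan:
        scores[host] = scores.get(host, 0) + SEVERITY_WEIGHT[sev]
    return scores


def total_risk(scan: List[Finding]) -> int:
    return sum(risk_by_host(scan).values())


def risk_trend(previous: List[Finding], current: List[Finding]) -> Dict[str, int]:
    """Managing risk: per-host change in weighted risk (positive = getting worse)."""
    before, after = risk_by_host(previous), risk_by_host(current)
    return {h: after.get(h, 0) - before.get(h, 0) for h in set(before) | set(after)}


def prioritised(scan: List[Finding]) -> List[Finding]:
    """Remediation queue: highest-weighted findings first."""
    return sorted(scan, key=lambda f: -SEVERITY_WEIGHT[f[2]])


if __name__ == "__main__":
    for label, items in diff_scans(SCAN_PREVIOUS, SCAN_CURRENT).items():
        print(f"{label:11}: {sorted(items)}")
    print("trend      :", risk_trend(SCAN_PREVIOUS, SCAN_CURRENT))
    print("total      :", total_risk(SCAN_PREVIOUS), "->", total_risk(SCAN_CURRENT))
    print("fix first  :", prioritised(SCAN_CURRENT)[0])
```

In the constructed data the total score does not move between scans, which is exactly why the per-host trend matters: the web server improved, the marketing server got worse, and the critical database finding was never touched.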
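The host-based and database policy check described in the two paragraphs above, as an added example that is not part of the original article or of any ISS scanner: each host’s settings are read from a ‘KEY VALUE’ file in the style of the shadow-utils login.defs file and compared with the enterprise policy, including the ‘passwords must be changed monthly’ rule and a count of database accounts still on a vendor default password. PASS_MAX_DAYS and PASS_MIN_LEN are real login.defs keys; PERMIT_ROOT_LOGIN, DB_DEFAULT_PASSWORD_ACCOUNTS, the host names and every value are constructed for this example.

```python
"""Added example (not from the article): a miniature host-based compliance
check. Settings come from a login.defs-style 'KEY VALUE' snapshot per host
(PASS_MAX_DAYS / PASS_MIN_LEN are real shadow-utils keys; the other keys,
host names and values are constructed) and are compared with the policy."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    key: str
    check: Callable[[str], bool]
    expect: str                 # human-readable expectation for the report


# The enterprise policy: monthly rotation, minimum length, no remote root,
# no database accounts left on the vendor default password.
POLICY: List[Rule] = [
    Rule("PASS_MAX_DAYS", lambda v: int(v) <= 30, "<= 30 (monthly rotation)"),
    Rule("PASS_MIN_LEN", lambda v: int(v) >= 8, ">= 8"),
    Rule("PERMIT_ROOT_LOGIN", lambda v: v.lower() == "no", "no"),
    Rule("DB_DEFAULT_PASSWORD_ACCOUNTS", lambda v: int(v) == 0, "0"),
]

# Constructed configuration snapshots, one per host.
HOST_CONFIGS: Dict[str, str] = {
    "ebiz-web-01": """
# hardened e-business front end
PASS_MAX_DAYS 30
PASS_MIN_LEN 10
PERMIT_ROOT_LOGIN no
DB_DEFAULT_PASSWORD_ACCOUNTS 0
""",
    "marketing-srv": """
# marketing department server, never brought under the policy
PASS_MAX_DAYS 99999
PASS_MIN_LEN 5
PERMIT_ROOT_LOGIN yes
""",
}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'KEY VALUE' lines, ignoring blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_host(settings: Dict[str, str]) -> List[str]:
    """One finding per violated rule. A missing key is a finding too:
    'not configured' is not the same as 'compliant'."""
    findings = []
    for rule in POLICY:
        value = settings.get(rule.key)
        if value is None:
            findings.append(f"{rule.key}: not set (expected {rule.expect})")
            continue
        try:
            ok = rule.check(value)
        except ValueError:      # unparsable value counts as non-compliant
            ok = False
        if not ok:
            findings.append(f"{rule.key}: {value} (expected {rule.expect})")
    return findings


def compliance_report(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Host name -> list of findings (an empty list means compliant)."""
    return {host: check_host(parse_settings(cfg)) for host, cfg in configs.items()}


if __name__ == "__main__":
    for host, findings in compliance_report(HOST_CONFIGS).items():
        print(f"{host}: {'COMPLIANT' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("   -", f)
```

The marketing server in the constructed data is the article’s example exactly: the policy says monthly, the host says 99999 days, and a missing database setting is reported rather than silently passed.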
Intrusion protection
No network is ever totally secure. While scanner products help managers develop and maintain robust security policies, attacks will still occur. The best intrusion protection solutions are designed not only to identify attacks as they occur but, if possible, to shut them down as well.
As is often the case with business problems, there are no intrusion protection silver bullets. Many attacks are best spotted by watching traffic on the network itself. Other attacks can be best seen by examining security logs on the servers themselves. And sometimes it is best to watch the server in real time. The most effective intrusion protection systems therefore offer sensors that watch the network in all of these ways. This comprehensive approach ensures that attacks are spotted before they have time to damage the network.
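One of the sensors named above, the one that examines the server’s own security log, as an added example that is not part of the original article or of any ISS product: it reads authentication log lines, counts failures per source inside a sliding window, and raises a second, more serious alert when a success follows that burst from the same source. The log lines are in the common syslog/sshd shape but are constructed for this example, as are the host name, user names and addresses; the threshold, window and the year supplied for the year-less syslog timestamps are assumptions.

```python
"""Added example (not from the article): host log sensor for repeated
authentication failures and for a success following them. Log lines,
host, users and addresses are constructed; threshold and window are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List

THRESHOLD = 5           # failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds raise an alert

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (documentation address ranges, invented users).
SAMPLE_LOG = """\
Jan  9 10:00:01 ebiz-web-01 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Jan  9 10:00:04 ebiz-web-01 sshd[2233]: Failed password for root from 198.51.100.23 port 40123 ssh2
Jan  9 10:00:07 ebiz-web-01 sshd[2235]: Failed password for root from 198.51.100.23 port 40124 ssh2
Jan  9 10:00:09 ebiz-web-01 sshd[2237]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Jan  9 10:00:11 ebiz-web-01 sshd[2239]: Failed password for root from 198.51.100.23 port 40125 ssh2
Jan  9 10:00:15 ebiz-web-01 sshd[2241]: Failed password for root from 198.51.100.23 port 40126 ssh2
Jan  9 10:00:21 ebiz-web-01 sshd[2243]: Accepted password for root from 198.51.100.23 port 40127 ssh2
Jan  9 10:05:00 ebiz-web-01 sshd[2250]: Failed password for bob from 192.0.2.10 port 51001 ssh2
"""


def parse_ts(ts: str, year: int = 2002) -> datetime:
    """syslog timestamps carry no year; the caller supplies it (assumption)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect(lines: List[str]) -> List[str]:
    """Return alert strings. One deque per source keeps only the failures
    that fall inside the window; lines that do not parse are ignored."""
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    flagged = set()                 # sources already alerted for brute force
    alerts: List[str] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, user = parse_ts(m["ts"]), m["src"], m["user"]
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()             # expire failures older than the window
        if m["outcome"] == "Failed":
            q.append(ts)
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(f"BRUTE_FORCE {src}: {len(q)} failures in {WINDOW_SECONDS}s")
        elif q:                     # success right after failures from the same source
            alerts.append(f"SUCCESS_AFTER_FAILURES {src}: user {user} after {len(q)} failures")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert is the one an operator should act on first: a burst of failures is noise until a success follows it, at which point the account involved needs to be checked and the session terminated, which is the ‘shut them down’ response the article asks for.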
Originally published in e-mmerce