'The technological revolution which wooed so many into thinking that
they could set up in business at low cost and compete with
established companies, is foundering on the rocks of internet
anarchy and lack of trust by 2015. Government failed to provide the
structure by which technologies and people could communicate
securely and efficiently. Fraud, failure, and low quality make
people unwilling to contract more than strictly necessary. Social
fragmentation accompanies economic fragmentation. Criminally based
or linked activity constitutes a large proportion of both the
physical and internet based economy. Falling tax revenues restrict
the ability of the Government to pay for public goods and
services.'
This image is of a society that is both morally and financially
bankrupt. But it is not a picture painted by the feverishly
over-imaginative mind of a sci-fi writer - it is a scenario painted
by the DTI. Internet anarchy? Fraud, failure; a government unable
to pay for public goods and services? One could get very, very
worried.
'But, frankly, I welcome this kind of comment,' responds Peter
Cox of Borderware Technologies, a manufacturer of secure internet
appliances. 'It focuses the mind. So long as we are aware of what
could happen, we can take the steps to ensure that it doesn't. It
is possible, with a little thought and effort, to run a secure
e-commerce server.' What we need is web security - and that's what
this article is all about.
Web security for IBM users
The first problem for IBM users is that IBM systems are pretty
secure on the web. CIAC, the Computer Incident Advisory Capability,
has no RS/6000 advisories, and there are no known viruses for
either it or the AS/400. If anything at all is needed, there is a
tendency to think, well, we'll add a firewall, and everything will
be fine.
This is so wrong. It is poor security. And there is a maxim in
security that poor security is worse than no security, because it
is false security. The main reason is that people think of security
as an application. When we need to write letters we buy a word
processor. When we need to store data we buy a database. When we
need to safeguard data we buy a firewall, or anti-virus software,
or better still, both.
But security isn't an application - it's a process. And it is
only when it is considered as such and handled as such that we can
get close to achieving it. We should actually think of the
application of security as the final step in a three-step process.
First we need to go through the process of risk assessment. From
this we need to draw up a security policy. And from the security
policy we need to select products and procedures that can implement
and enforce that policy. Web security, then, is the application of
the results of risk assessment.
Risk assessment
'Web security should surely start with a risk assessment
exercise looking at all elements of the business which relate to,
depend on, or support the internet. What 'events' could occur
within or to those elements which would have a negative impact on
the business or impair its ability to do business?' comments Paul
Gunstone, the e-continuity director of the Guardian iT Group.
This is not the correct place to go into the discipline of risk
assessment, and of course it will cover much more than just the
risk to data on our servers. Let us just say that its purpose is to
put security into perspective. We can always achieve perfect
security by removing our systems from the internet and all other
comms connections, and by operating them in secure rooms under
armed guard. But that's not realistic. We need to quantify the
risk, so that we can apply a realistic solution. The basic rule is
that we should not spend more on security than the value of the
data it secures. Risk assessment tells us where to spend, and how
much.
Security policy
A security policy is a formal document that specifies how an
organisation provides security services to protect sensitive and
critical system resources. This will include both staff procedures
and security products. For example, the policy might include a rule
stating that staff must not use offensive language in their
e-mails, and specify a content management application that is used
to enforce the rule in practice.
Its value is that it stops us thinking purely in terms of
security products and helps us to concentrate on security
procedures. 'Barclays Bank was in the news just recently over
security issues,' explains Gunstone. 'Not hackers or theft of data,
but some form of software or access issue which gave details of
private account data to the wrong customers.
'In such circumstances, the amount of money or effort spent on
bolstering perimeter security, or on detecting and preventing DoS
attacks would not have lessened the problem.'
The result was that Barclays suffered unquantified damage - it
had to shut down its system and it lost business; and it will
undoubtedly have lost some potential or even actual customers. This
was a security problem, but not one involving security hardware or
software: it was a failure in the security policy. Matthew Pemble, an
'ethical hacker' who tests systems for IS Integration, comments:
'Why is it there are so few procedures when it comes to IT and
access? When it comes to real money, security is divided by having
individual A being allowed only to take money, and individual B
being allowed only to give money.'
It is the formal security policy that will highlight our lack of
overall procedures. The security policy is fundamental to the
provision of actual data security - but it is perhaps the most
misused and omitted aspect of the whole security process.
Web security
Once you have been through the first two steps in the process
you can start to look at the application of products and procedures
to enforce the security policy that has been suggested by the risk
assessment. In the rest of this article we're going to look at some
of the more common threats to, and possible solutions for, web
security. What is required, and how it will be implemented, will be
guided by your security policy.
The main threats to security are attacks from the outside and
dangers from the inside. Outside threats include:
crackers;
viruses;
trojans;
worms, and;
malicious mobile code.
Inside dangers include:
legal liability for illegal content;
leakage of sensitive data, and;
viruses.
Let's start with the first outside threat: crackers. (I still
prefer to draw a distinction between crackers and hackers. Hackers
are computer experts more interested in the thrill of the chase;
crackers can be script kiddies armed with standard cracking scripts
and little knowledge, but with more interest in the kill than the
chase. The greater danger comes from crackers, not hackers.)
Crackers could deface your web site, leading to a loss of image and
sales - who wants to deal with a company with poor security? They
could steal your corporate secrets and project plans, and sell them
to your competitors (assuming of course that they aren't already
your competitors). Or they could simply instigate a denial of
service attack that either crashes your system, or so overloads it
that it cannot cope and grinds to a halt.
Firewalls and anti-virus
The solution? The first step is a firewall - but it mustn't be
the last step. Firewalls are designed to allow the acceptable in,
and keep the unacceptable out. It is hardware and/or software that
sits between the insecure network (the internet), and a secure
network (your web server and LAN). But there are ways through a
firewall - there has to be, otherwise you wouldn't be able to send or
receive e-mails, nor use the internet. So crackers can still get
through the firewall.
To illustrate, we'll consider two routes. The first is CGI
vulnerabilities. CGI is the Common Gateway Interface. It is a
method for allowing web pages to interact with web server based
applications. Most web sites will include 'forms', used to collect
data, compile shopping baskets, and so on. The forms generally pass
data to an application on the server. But there is a whole range of
associated problems usually caused by sloppy CGI programming. By
placing carefully constructed strings of text in the forms,
crackers can sometimes get through the firewall, via CGI, and onto
the server.
The second route is to use web-enabled e-mail. Outlook is such
an application. You could receive an e-mail that looks just like an
ordinary message. In reality it could be a disguised HTML frameset
- one frame containing the message, and an invisible frame
downloading a Trojan (a Trojan is a bad application pretending to
be a good application, or a bad application that simply sits there
unseen until it is activated). This Trojan could be designed to
search out your passwords and anything that looks like a credit
card number, and to mail them surreptitiously back to the source;
or it could be something more destructive waiting for an outside
trigger. In fact, it could be triggered from outside of your
firewall by the cracker. This cracker knows who you are (because he
sent you the original e-mail) and he knows where the Trojan is
located. He could then send a second e-mail tempting you to visit a
particular web page. Contained on this web page is an ActiveX
sequence that will trigger the application just because you looked
at the web page - you visit the web page and he deletes your system
files.
All of this, and much more, is possible if you are running
Windows 98 without the subsequent Microsoft security fixes - and
the frightening thing is that we simply don't know how many other
vulnerabilities have been discovered but not disclosed, or are
simply waiting to be discovered.
So our first conclusion is simple: a firewall is essential, but
not enough. Some of the Trojans and viruses and malicious applets
that might adhere to inbound e-mails will be caught by anti-virus
software, but you cannot guarantee AV will catch everything. So
anti-virus software is essential, but not enough.
Vulnerability scanning
The next step is to set a thief to catch a thief. There is a new
category of software called vulnerability scanning, or penetration
testing. Many of the founders are ex-hackers, and crackers
themselves (allegedly!). The people involved are sometimes called
White Hat Hackers (with whom the Force still remains), as opposed
to the Black Hats (who have turned to the Dark Side). Vendors of
such software maintain extensive databases of all known
vulnerabilities, and their software probes your web server from the
outside, testing these known weaknesses. The system will invariably
generate a report on all the weaknesses that are found - and the
better ones, such as that from VigilantE, will even suggest what
you should do to solve the problem.
Intrusion detection
A related technology is IDS - intrusion detection. Rather than
probing from the outside, intrusion detection is a continuous
scanner running inside the firewall looking for suspicious
behaviour. Such software illustrates the relationship between the
security policy and security enforcement. Your policy, for example,
may state that only named executives and road warriors may access
the system outside of normal office hours - and an intrusion
detection system can enforce that policy. Of course, IDS can do
much more. RealSecure from ISS, for example, recognises hostile
activity by interpreting network traffic patterns that might
indicate an attack. It can review system logs for evidence of
unauthorised activity, and if it identifies a threat, it will
respond by terminating the connection, setting off alarms or
pagers, reconfiguring network devices such as firewalls, and
recording the attack for later forensic analysis.
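The link between policy and enforcement is concrete enough to code. The following is an added example, not a description of RealSecure or any other product on this page: two rules of the kind an IDS runs over login records, one enforcing an after-hours policy like the one described above and one spotting a burst of failed logins from a single source. The log format, the list of permitted after-hours users, the office hours and the sample lines are all constructed for the example.

```python
"""Two IDS-style rules run over constructed login records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy, standing in for the article's "named executives and road warriors" rule.
AFTER_HOURS_ALLOWED = {"ceo", "cfo", "roadwarrior1"}
OFFICE_START, OFFICE_END = 8, 18        # logins 08:00-18:00, Monday to Friday, are routine

# Constructed log lines in a made-up format:
# <ISO timestamp> login user=<name> src=<ip> result=<success|failure>
SAMPLE_LOG = """\
2000-11-06T09:15:02 login user=alice src=10.0.0.5 result=success
2000-11-06T21:40:11 login user=bob src=198.51.100.7 result=success
2000-11-06T22:05:00 login user=ceo src=198.51.100.9 result=success
2000-11-07T03:12:45 login user=alice src=203.0.113.4 result=failure
2000-11-07T03:12:47 login user=alice src=203.0.113.4 result=failure
2000-11-07T03:12:50 login user=alice src=203.0.113.4 result=failure
2000-11-07T03:12:52 login user=alice src=203.0.113.4 result=failure
2000-11-11T14:00:00 login user=carol src=10.0.0.8 result=success
"""


def parse_log(text):
    """Turn each line into (timestamp, {field: value}); malformed lines are skipped, never trusted."""
    records = []
    for line in text.splitlines():
        try:
            stamp, event, rest = line.split(" ", 2)
            if event != "login":
                continue
            fields = dict(kv.split("=", 1) for kv in rest.split())
            records.append((datetime.fromisoformat(stamp), fields))
        except ValueError:
            continue
    return records


def outside_office_hours(ts):
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.hour < OFFICE_END)


def after_hours_alerts(records):
    """Policy rule: a successful login outside office hours by someone not on the list is an alert."""
    return [(ts, f.get("user", "?"), f.get("src", "?")) for ts, f in records
            if f.get("result") == "success" and outside_office_hours(ts)
            and f.get("user") not in AFTER_HOURS_ALLOWED]


def failed_login_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Traffic-pattern rule: `threshold` or more failed logins from one source inside `window`.
    Returns (source, time of first failure, number of failures in that window)."""
    by_src = defaultdict(list)
    for ts, f in records:
        if f.get("result") == "failure":
            by_src[f.get("src", "?")].append(ts)
    bursts = []
    for src, times in by_src.items():
        times.sort()
        for start in range(len(times)):
            end = start
            while end + 1 < len(times) and times[end + 1] - times[start] <= window:
                end += 1
            if end - start + 1 >= threshold:
                bursts.append((src, times[start], end - start + 1))
                break
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, user, src in after_hours_alerts(recs):
        print(f"ALERT after-hours login: {user} from {src} at {ts}")
    for src, first, count in failed_login_bursts(recs):
        print(f"ALERT {count} failed logins from {src} starting {first}")
```

Run against the sample, the first rule flags bob's Monday-evening login and carol's Saturday login but not the ceo's, and the second flags the four failures from 203.0.113.4. The thresholds and the permitted list are exactly the kind of detail the security policy should supply; the code only enforces them.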
Access control
So far we've looked at security systems designed to keep the bad
guys out. But if you want to do business on the internet, you also
need to let the good guys (the customers who want to pay you money)
in. The problem is in knowing who is which (which is what seems to
have failed at Barclays). This is called access control. Basically,
you need to know that an individual or organisation is exactly who
they say they are - and here PKI comes to the rescue. PKI is public
key infrastructure. It is all about the management of public keys.
It is probably the security backbone upon which future e-commerce
will be built - and it is a massive subject, beyond the scope of
this article. But one aspect is relevant. PKI uses digital
certificates to prove that a particular encryption key is owned by
a specific person or organisation. The digital certificate can be
used like an electronic identity card. So, when I turn up at your
web site, you can demand to see my digital certificate. Based on
this, and systems such as those from Entegrity, you can decide
whether you are going to let me in at all, and if you are, what you
are going to let me see.
Filtering, content management and encryption
But, of course, not all threats come from outside - and not all
dangers stem from malicious intent. If you have access to the
internet, then you will probably be using it for e-mails and web
based research. CEOs would be amazed to learn just how much
illicit, if not illegal, material is hidden away in users' mail
folders and browser caches. And they might even be surprised to
know that they personally, and the company generally, can be held
legally liable for such illegal material. It could be pornography,
downloaded accidentally of course, and still stored in the browser
cache. Or it could simply be racially or sexually offensive joke
material. Either way, it shouldn't be on your system.
The solution here is content management software, such as
MIMEsweeper from Content Technologies. This software examines the
content of data flowing around your LAN - and blocks messages that
contain the sort of material that your security policy disallows.
It can also stop browsers going to known dangerous or inappropriate
web sites - and it can even prevent the accidental leakage of
sensitive information out onto the internet.
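To make the two halves of that job concrete, here is an added example of the checks a content-management gateway applies to an outbound message; it is not MIMEsweeper's code or anything from Content Technologies. It blocks messages that contain phrases the policy disallows and messages that carry something that looks like a card number, using the Luhn checksum to cut down false alarms on ordinary digit strings. The disallowed phrases and both sample messages are constructed for the example.

```python
"""Outbound-mail content filter: disallowed terms plus a card-number leak check (added example)."""
import re
from email import message_from_string

# Constructed policy: phrases the security policy bars from outbound mail.
DISALLOWED_TERMS = ("project plan", "internal only")
# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits):
    """Luhn checksum, which every real card number satisfies; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def message_text(raw_message):
    """Subject plus every text/plain part, decoded; other attachment types are not inspected here."""
    msg = message_from_string(raw_message)
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def policy_violations(raw_message):
    """Empty list means the message may leave the LAN; otherwise the reasons the gateway blocks it."""
    text = message_text(raw_message)
    lowered = text.lower()
    reasons = [f"disallowed term: {term}" for term in DISALLOWED_TERMS if term in lowered]
    for number in find_card_numbers(text):
        reasons.append(f"card number {number[:6]}...{number[-4:]}")  # never log the whole number
    return reasons


# Constructed sample messages.
CLEAN_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch

See you at one; table booked under ref 20001106.
"""
LEAKY_MAIL = """\
From: alice@example.com
To: supplier@example.net
Subject: Re: order

Please charge card 4111 1111 1111 1111 and treat the attached project plan as internal only.
"""

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_MAIL), ("leaky", LEAKY_MAIL)):
        print(name, "->", policy_violations(raw) or "allowed")
```

The eight-digit booking reference in the clean message is not long enough to be a candidate, and a 16-digit string that fails the Luhn check is ignored, so the rule fires on genuine card numbers rather than on every long number in a purchase order. The filter only reads text parts; scanning inside attached documents is a separate, larger job.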
Finally, when you know you need to send sensitive information
across the internet, you need to use encryption. This, again, is an
aspect of PKI. With public key encryption you can build secure
messaging that ensures only the correct recipient can see the
content of the message. The recipient in turn can prove that the
message has not been altered, and will subsequently be able to
prove that it was you who sent the message.
Conclusion
All of this is vital to the future of e-commerce. And if you go
through the correct steps of analysing your needs (risk
assessment), defining your solutions (security policy), and
implementing the results (selecting and configuring the necessary
systems), then you can and will have sufficient web security for
successful and safe electronic commerce. The nightmare scenario
painted by the DTI at the beginning of this feature need never
happen.
URLs
Biodata Information Technology:
http://www.biodata.com
Borderware:
http://www.borderware.com
Guardian iT Group:
http://www.guardianit.com
Internet Security Systems:
http://www.iss.net
MATRAnet:
http://www.matranet.com
The Encyclopaedia of Computer Security:
http://www.itsecurity.com
The Smith Group:
http://www.smithgroup.co.uk
Wick Hill:
http://www.wickhill.com
Case studies
Powergen and Barclays are two major companies that have suffered
recent security problems.
At Powergen, a user simply removed part of the URL - a common
enough method used by many to get to a higher level of the file
structure without having to go right back to the beginning to start
again. In this instance he was allowed access to a directory
containing files he should never have been able to see: the credit
card details of thousands of customers.
At Barclays, a visitor's account details suddenly jumped from
his own to that of a Mr Harris, who had £11,000 in his account. The
visitor found that he could have transferred money from other
accounts to his own.
As far as we know, no actual harm has occurred in either
incident - except to the good name and image of Barclays and
Powergen - and to the credibility of e-commerce itself. Neither of
these incidents should have occurred; and with proper planning and
implementation of web security they would not have occurred.
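Both incidents are access-control failures of the kind the earlier section on access control describes: the server decided who to let in, but not what each visitor should be allowed to see. The following is an added example, not code from either company: a request-authorisation routine that canonicalises the requested URL path before checking it, refuses to serve directory listings (the Powergen route of trimming the URL), and ties each customer's files to the authenticated account so that one customer is never handed another's data (the Barclays failure). The document tree, the account numbers and the path layout are constructed for the example; in a real deployment the identity would come from the digital certificate or login described above.

```python
"""URL-path authorisation for a customer-data area (added example)."""
import posixpath
from urllib.parse import unquote

# Constructed document tree: path -> account id that owns it (None means public).
FILES = {
    "/index.html": None,
    "/account/12345/statement.html": "12345",
    "/account/67890/statement.html": "67890",
}
DIRECTORIES = {"/", "/account", "/account/12345", "/account/67890"}


def canonical_path(url_path):
    """Drop the query string, percent-decode, then collapse '.', '..' and '//' so that every
    spelling of a path compares equal before any access decision is made."""
    decoded = unquote(url_path.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/"))


def authorise(url_path, account_id):
    """Return (allowed, reason). account_id is the authenticated customer, or None if anonymous."""
    path = canonical_path(url_path)
    if path in DIRECTORIES:
        return False, "directory listing disabled"          # a truncated URL gets no index page
    if path not in FILES:
        return False, "not found"
    owner = FILES[path]
    if owner is None:
        return True, "public"
    if account_id is None:
        return False, "authentication required"
    if account_id != owner:
        return False, "forbidden: belongs to another customer"  # never another account's data
    return True, "owner"


if __name__ == "__main__":
    # Constructed requests, including a trimmed URL and two '..' spellings.
    for url, who in (("/index.html", None),
                     ("/account/12345/statement.html", "12345"),
                     ("/account/12345/", "12345"),
                     ("/account/67890/statement.html", "12345"),
                     ("/account/12345/%2e%2e/67890/statement.html", "12345"),
                     ("/account/12345/../12345/statement.html?x=1", "12345")):
        print(f"{url:46} as {who!s:6} -> {authorise(url, who)}")
```

The order of the checks matters: canonicalise first, so that `%2e%2e` and `..` cannot dodge the ownership rule; refuse directories outright rather than relying on there being no index file; and only then compare the file's owner with the authenticated account. None of this depends on the firewall, which will happily pass every one of those requests.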