Is poor security worse than no security at all?

The technological revolution which wooed so many into thinking that they could set up in business at low cost and compete with...

The technological revolution which wooed so many into thinking that they could set up in business at low cost and compete with established companies, is foundering on the rocks of internet anarchy and lack of trust by 2015. Government failed to provide the structure by which technologies and people could communicate securely...

and efficiently. Fraud, failure, and low quality make people unwilling to contract more than strictly necessary. Social fragmentation accompanies economic fragmentation. Criminally based or linked activity constitutes a large proportion of both the physical and internet based economy. Falling tax revenues restrict the ability of the Government to pay for public goods and services.' This image is of a society that is both morally and financially bankrupt. But it is not a picture painted by the feverishly over-imaginative mind of a sci-fi writer - it is a scenario painted by the DTI. Internet anarchy? Fraud, failure; a government unable to pay for public goods and services? One could get very, very worried.

'But, frankly, I welcome this kind of comment,' responds Peter Cox of Borderware Technologies, a manufacturer of secure internet appliances. 'It focuses the mind. So long as we are aware of what could happen, we can take the steps to ensure that it doesn't. It is possible, with a little thought and effort, to run a secure e-commerce server.' What we need is web security - and that's what this article is all about.

Web security for IBM users

The first problem for IBM users is that IBM systems are pretty secure on the web. CIAC, the Computer Incident Advisory Capability, has no RS/6000 advisories, and there are no known viruses for either it or the AS/400. If anything at all is needed, there is a tendency to think, well, we'll add a firewall, and everything will be fine.

This is so wrong. It is poor security. And there is a maxim in security that poor security is worse than no security, because it is false security. The main reason is that people think of security as an application. When we need to write letters we buy a word processor. When we need to store data we buy a database. When we need to safeguard data we buy a firewall, or anti-virus software, or better still, both.

But security isn't an application - it's a process. And it is only when it is considered as such and handled as such that we can get close to achieving it. We should actually think of the application of security as the final step in a three-step process. First we need to go through the process of risk assessment. From this we need to draw up a security policy. And from the security policy we need to select products and procedures that can implement and enforce that policy. Web security, then, is the application of the results of risk assessment.

Risk assessment

'Web security should surely start with a risk assessment exercise looking at all elements of the business which relate to, depend on, or support the internet. What 'events' could occur within or to those elements which would have a negative impact on the business or impair its ability to do business?' comments Paul Gunstone, the e-continuity director of the Guardian iT Group.

This is not the correct place to go into discipline of risk assessment, and of course it will cover much more than just the risk to data on our servers. Let us just say that its purpose is to put security into perspective. We can always achieve perfect security by removing our systems from the internet and all other comms connections, and by operating them in secure rooms under armed guard. But that's not realistic. We need to quantify the risk, so that we can apply a realistic solution. The basic rule is that we should not spend more on security than the value of the data it secures. Risk assessment tells us where to spend, and how much.

Security policy

A security policy is a formal document that specifies how an organisation provides security services to protect sensitive and critical system resources. This will include both staff procedures and security products. For example, the policy might include a rule stating that staff must not use offensive language in their e-mails, and specify a content management application that is used to enforce the rule in practice.

Its value is that it stops us thinking purely in terms of security products and helps us to concentrate on security procedures. 'Barclays Bank was in the news just recently over security issues,' explains Gunstone. 'Not hackers or theft of data, but some form of software or access issue which gave details of private account data to the wrong customers.

'In such circumstances, the amount of money or effort spent on bolstering perimeter security, or on detecting and preventing DoS attacks would not have lessened the problem.'

The result was that Barclays suffered unquantified damage - it had to shut down its system and it lost business; and it will undoubtedly have lost some potential or even actual customers. This was a security problem; but not one involving security hardware or software, but a failure in the security policy. Matthew Pemble, an 'ethical hacker' who tests systems for IS Integration, comments: 'Why is it there are so few procedures when it comes to IT and access? When it comes to real money, security is divided by having individual A being allowed only to take money, and individual B being allowed only to give money.'

It is the formal security policy that will highlight our lack of overall procedures. The security policy is fundamental to the provision of actual data security - but it is perhaps the most misused and omitted aspect of the whole security process.

Web security

Once you have been through the first two steps in the process you can start to look at the application of products and procedures to enforce the security policy that has been suggested by the risk assessment. In the rest of this article we're going to look at some of the more common threats to, and possible solutions for, web security. What is required, and how it will be implemented, will be guided by your security policy.

The main threats to security are attacks from the outside and dangers from the inside. Outside threats include:




worms, and;

malicious mobile code.

Inside dangers include:

legal liability for illegal content;

leakage of sensitive data, and;


Let's start with the first outside threat: crackers. (I still prefer to draw a distinction between crackers and hackers. Hackers are computer experts more interested in the thrill of the chase; crackers can be script kiddies armed with standard cracking scripts and little knowledge, but with more interest in the kill than the chase. The greater danger comes from crackers, not hackers.) Crackers could deface your web site, leading to a loss of image and sales - who wants to deal with a company with poor security? They could steal your corporate secrets and project plans, and sell them to your competitors (assuming of course that they aren't already your competitors). Or they could simply instigate a denial of service attack that either crashes your system, or so overloads it that it cannot cope and, grinds to a halt.

Firewalls and anti-virus

The solution? The first step is a firewall - but it mustn't be the last step. Firewalls are designed to allow the acceptable in, and keep the unacceptable out. It is hardware and/or software that sits between the insecure network (the internet), and a secure network (your web server and Lan). But there are ways through a firewall - there has to be, otherwise you wouldn't be able send or receive e-mails, nor use the internet. So crackers can still get through the firewall.

To illustrate, we'll consider two routes. The first is CGI vulnerabilities. CGI is the Common Gateway Interface. It is a method for allowing web pages to interact with web server based applications. Most web sites will include 'forms', used to collect data, compile shopping baskets, and so on. The forms generally pass data to an application on the server. But there is a whole range of associated problems usually caused by sloppy CGI programming. By placing carefully constructed strings of text in the forms, crackers can sometimes get through the firewall, via CGI, and onto the server.

The second route is to use web-enabled e-mail. Outlook is such an application. You could receive an e-mail that looks just like an ordinary message. In reality it could be a disguised HTML frameset - one frame containing the message, and an invisible frame downloading a Trojan (a Trojan is a bad application pretending to be a good application, or a bad application that simply sits there unseen until it is activated). This Trojan could be designed to search out your passwords and anything that looks like a credit card number, and to mail them surreptitiously back to the source; or it could be something more destructive waiting for an outside trigger. In fact, it could be triggered from outside of your firewall by the cracker. This cracker knows who you are (because he sent you the original e-mail) and he knows where the Trojan is located. He could then send a second e-mail tempting you to visit a particular web page. Contained on this web page is an ActiveX sequence that will trigger the application just because you looked at the web page - you visit the web page and he deletes your system files.

All of this, and much more, is possible if you are running Windows 98 without the subsequent Microsoft security fixes - and the frightening thing is that we simply don't know how many other vulnerabilities have been discovered but not disclosed, or are simply waiting to be discovered.

So our first conclusion is simple: a firewall is essential, but not enough. Some of the Trojans and viruses and malicious applets that might adhere to inbound e-mails will be caught by anti-virus software, but you cannot guarantee AV will catch everything. So anti-virus software is essential, but not enough.

Vulnerability scanning

The next step is to set a thief to catch a thief. There is a new category of software called vulnerability scanning, or penetration testing. Many of the founders are ex-hackers, and crackers themselves (allegedly!). The people involved are sometimes called White Hat Hackers (with whom the Force still remains), as opposed to the Black Hats (who have turned to the Dark Side). Vendors of such software maintain extensive databases of all known vulnerabilities, and their software probes your web server from the outside, testing these known weaknesses. The system will invariably generate a report on all the weaknesses that are found - and the better ones, such as that from VigilantE, will even suggest what you should do to solve the problem.

Intrusion detection

A related technology is IDS - intrusion detection. Rather than probing from the outside, intrusion detection is a continuous scanner running inside the firewall looking for suspicious behaviour. Such software illustrates the relationship between the security policy and security enforcement. Your policy, for example, may state that only named executives and road warriors may access the system outside of normal office hours - and an intrusion detection system can enforce that policy. Of course, IDS can do much more. RealSecure from ISS, for example, recognises hostile activity by interpreting network traffic patterns that might indicate an attack. It can review system logs for evidence of unauthorised activity, and if it identifies a threat, it will respond by terminating the connection, setting off alarms or pagers, reconfiguring network devices such as firewalls, and recording the attack for later forensic analysis.

Access control

So far we've looked at security systems designed to keep the bad guys out. But if you want to do business on the internet, you also need to let the good guys (the customers who want to pay you money) in. The problem is in knowing who is which (which is what seems to have failed at Barclays). This is called access control. Basically, you need to know that an individual or organisation is exactly who they say they are - and here PKI comes to the rescue. PKI is public key infrastructure. It is all about the management of public keys. It is probably the security backbone upon which future e-commerce will be built - and it is a massive subject, beyond the scope of this article. But one aspect is relevant. PKI uses digital certificates to prove that a particular encryption key is owned by a specific person or organisation. The digital certificate can be used like an electronic identity card. So, when I turn up at your web site, you can demand to see my digital certificate. Based on this, and systems such as those from Entegrity, you can decide whether you are going to let me in at all, and if you are, what you are going to let me see.

Filtering, content management and encryption

But, of course, not all threats come from outside - and not all dangers stem from malicious intent. If you have access to the internet, then you will probably be using it for e-mails and web based research. Ceos would be amazed to learn just how much illicit, if not illegal, material is hidden away in users' mail folders and browser caches. And they might even be surprised to know that they personally, and the company generally, can be held legally liable for such illegal material. It could be pornography, downloaded accidentally of course, and still stored in the browser cache. Or it could simply be racially or sexually offensive joke material. Either way, it shouldn't be on your system.

The solution here is content management software, such as MIMEsweeper from Content Technologies. This software examines the content of data flowing around your Lan - and blocks messages that contain the sort of material that your security policy disallows. It can also stop browsers going to known dangerous or inappropriate web sites - and it can even prevent the accidental leakage of sensitive information out onto the internet.

Finally, when you know you need to send sensitive information across the internet, you need to use encryption. This, again, is an aspect of PKI. With public key encryption you can build secure messaging that ensures only the correct recipient can see the content of the message. The recipient in turn can prove that the message has not been altered, and will subsequently be able to prove that it was you who sent the message.


All of this is vital to the future of e-commerce. And if you go through the correct steps of analysing your needs (risk assessment), defining your solutions (security policy), and implementing the results (selecting and configuring the necessary systems), then you can and will have sufficient web security for successful and safe electronic commerce. The nightmare scenario painted by the DTI at the beginning of this feature need never happen.


Biodata Information Technology:


Guardian iT Group:

Internet Security Systems:


The Encyclopaedia of Computer Security:

The Smith Group:

Wick Hill:

Case studies

Powergen and Barclays are two major companies that have suffered recent security problems.

At Powergen, a user simply removed part of the URL - a common enough method used by many to get to a higher level of the file structure without having to go right back to the beginning to start again. In this instance he was allowed access to a directory containing files he should never have been able to see: the credit card details of thousands of customers.

At Barclays, a visitor's account details suddenly jumped from his own to that of a Mr Harris, who had £11,000 in his account. The visitor found that he could have transferred money from other accounts to his own.

As far as we know, no actual harm has occurred in either incident - except to the good name and image of Barclays and Powergen - and to the credibility of e-commerce itself. Neither of these incidents should have occurred; and with proper planning and implementation of web security they would not have occurred.

Read more on Hackers and cybercrime prevention