No need for a siege mentality

Does good e-security have to cost a fortune? Nick Booth argues that thinking through the problems can ensure maximum protection for less than you thought

A perceived lack of security can hit an e-business very hard. The recent downturn in cyber-attack victim Yahoo!'s previously buoyant shares and an estimated $300,000 in lost business is most likely just scratching the surface. In the UK security scares are less likely to deter potential customers but they do raise a lot of questions for growing e-businesses.

Any e-business operating in the business-to-business market has to be aware that, by joining a supply chain, they are inheriting all the weaknesses of the other links. You can spend limitless amounts of money on security but this can be rendered worthless by the weakest link in the supply chain network.

For e-businesses selling to consumers, the security money pit presents a different problem. Electronic commerce is a marketing-intensive operation and customers have to be bought at great expense. According to Bob Apollo, VP of e-Gain (an e-commerce customer service provider), some online share trading companies are estimated to have spent $300 for each customer they acquire.

The fledgling e-business, then, has two equally cash-hungry functions to fulfil, each of which can only be partly satisfied. Whatever is spent on one (marketing) will only detract from the other (security) and vice versa.

The question is, what level of security can you get away with? The answer depends on how seriously you take the threats of hacking. Any IT supplier will stress how life-threatening intrusions can be. Then they'll try and sell you their security package.

Before you can address the threat you need to identify your enemy. Who are the hackers - and how serious is the threat they pose?

"It's no coincidence that the recent denial of service attacks happened at precisely the time that high schools were finishing for the day," says Paul Vixie, senior VP of Internet services for Metro Media Fiber Network. "The fact that the whole underground community knew about it confirms our suspicion that it's schoolkids that are responsible for these attacks, showing people how clever they are."

A subsidiary of Metromedia, Abovenet, hosts online auction site eBay, one of the systems that was denied service by a concerted attack from what the company calls "black hat" (ie malicious) hackers.

Bombarding the routers that served the eBay service meant that the memory of these devices became full and the traffic spilled over, enabling hackers to temporarily stop genuine customers accessing the service.

This was a highly organised and concerted effort to flood the site with traffic broadcast from multiple nodes on the Internet, many of which belonged to innocent parties and had been taken over by the hackers remotely.

By joining a network and failing to secure its servers against intrusion, an e-business can find itself being used as the platform from which attacks on bigger targets are launched. This illustrates how insecurity affects everyone in a supply chain. Arguably, it also shows that hackers are only interested in damaging the big sites.

Abovenet's technical support staff were able to identify the attack by the unusual traffic patterns that showed up on its monitors, and eventually counter it by blocking the obviously faked traffic. "The hackers must have spent months setting this up," says Vixie.

Phil Ryan, the head of information security consultancy at Peapod, thinks the "teenage hackers" theory is nonsense. Peapod is currently advising the Government on electronic espionage. "I don't think it was kids. I wouldn't even call it espionage. I'm convinced it was extortion," says Ryan. "Electronic attacks are a growth market for extortionists and terrorists and you shouldn't take the threat lightly."

To show how e-businesses can be affected by malicious attacks on their partners in the supply chain, Ryan cites Japanese terrorists who have used a software company as a front to embed thousands of Japanese businesses with suspect code.

To forewarn himself of further innovations in the cyber-terrorist field, Ryan subscribes to a bulletin service from CERTS (Computer Emergency Response Teams). The Australian branch, OZ CERTS, predicted several months ago that denial of service attacks would be a problem e-businesses should guard against. Such intelligence gathering is the first investment he says an e-business security strategist - or whoever defaults to that role in your company - should make.

But does e-security have to cost an arm and a leg? Not necessarily, says Ryan: the trick is to talk to people. "There's a surprising amount you can do to protect yourself without investing in products," says Ryan.

Getting involved with security resellers can be an expensive business in itself, says Ryan. "You'd be surprised how many charlatans there are in this business. Since security skills are at such a premium there are a lot of ex-Web designers who've now decided they're security experts and are charging people for their expertise in choosing security products."

Risk can never be eliminated, argues Ovum analyst Graham Titterington, so it's a question of prioritising risks and devising a strategy around that. "There are twelve broad categories of security products, from fingerprint scanners to firewalls, but the potency of the product is far less important than devising a security policy," he says.

One of the most common mistakes dotcom companies make is in buying security products and doing little to tailor them, says Titterington.

"You can have the full gamut of firewalls and anti-virus software at the periphery - as well as encryption, content filters, traffic monitors, PKI, access control tools and access by fingerprint scanning. But if you don't fully configure them they'll be useless.

"There are a lot of companies that take products out of the box and don't even change the passwords or the default settings. A lot of hackers know the default settings of these devices and how to exploit them," says Titterington.

Lax security is particularly rife in dotcoms where much more priority is given to speed to market. Egg and the Halifax Building Society sharedealing site both cut corners in order to meet deadlines. The upshot was that customers found they could access other people's accounts.

Since blanket security seems to need blanket resources of time and money - the very resources e-business teams don't have in abundance - security analysts recommend action that identifies and manages the business risks.

The risk is calculated using a formula that gives a value to assets (such as customer lists) and calculates the impact on the business if they were stolen or altered.

Security experts, such as Sheryl Nixon at Nvision, will happily help you to realise the value of your information, the level of risk it is exposed to and the skills required to reduce that risk.

But Nixon says, "The likelihood that your business is under some cyber threat is less than 1 per cent. It's about ten times less likely to happen than credit card fraud by more conventional means."

A study by GartnerGroup seems to back up the contention that the outside threat to e-business UK is over-hyped by people who have a vested interest in selling security devices.

In 1999 GartnerGroup concluded that 80% of e-business downtime is due to operational problems, which is an even split between applications faults and human failings.

The greatest compromise to your security comes from your own staff, says Peapod's Phil Ryan. "A dotcom is frequently a new business which means you're putting strangers into positions of trust. A lot of our business now is in screening staff for clients, and even carrying out surveillance on existing staff who are suspected of stealing secrets."

The consensus is that security is too resource-intensive to be adequately covered in-house. Before you spend money outsourcing security - or indeed trusting an e-commerce host to do it for you as part of its service - you need to identify your weaknesses. "The skills needed for security are so in-demand you won't be able to afford them anyway," says Douglas Hurd of Network Associates product security.

Given an e-business's constraints of time, skills and money, the simplest security boils down to this:

  • Screen your staff

  • Fine tune your applications

  • Assess your needs

  • Then contract them out to someone else to deal with.

At least then, when the worst-case scenario materialises and you're looking at an expensive American litigation case from one of your new global customers, you can pass the buck on to your supplier. Now that's insurance.

Are you prepared for the worst?

Steps to take before your organisation's network comes under attack

1. Appoint a team to take responsibility for implementing an emergency response plan.

2. Ensure that the emergency response team has the ear of senior management and has the necessary technical skills to deal with common security threats.

3. Considered outsourcing yet? See contact below or proceed to 4.

4. Conduct an audit of critical business systems to identify possible vulnerabilities.

5. Take appropriate action to mitigate any easily-identified risks - like ensuring the operating system is fully up-to-date.

6. Ensure that security assessment exercises include the identification of any dependencies (such as ISPs and Web-hosting companies) and determine what their level of protection is.

7. Test the network design for resilience to security threats.

8. Take action to mitigate any risks that are discovered. For example, implement a proper security management infrastructure and deploy best-of-breed security applications such as intrusion detection systems, vulnerability scanning, firewalls, virtual private networks etc.

9. Send syslog information from routers to an analysis machine to examine for evidence of an attack. By watching for attacks, managers can detect and respond to them early. The earlier incidents are detected, the earlier managers can respond to them.

10. Keep them up-to-date with the latest threats and vulnerabilities and Internet security issues in general by subscribing to information services such as:
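
The step above about sending router syslog to an analysis machine, sketched as an added example (not part of the original article): it totals packets per destination per minute and flags minutes that far exceed that destination's usual rate while arriving from several senders, the kind of unusual traffic pattern the article says Abovenet spotted. The log format, the sample lines and the thresholds (`factor`, `min_sources`) are constructed assumptions, not any router vendor's format.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in a made-up one-record-per-line format (not a vendor format).
SAMPLE_LOG = """\
Feb 08 15:01:10 rtr1 flow src=198.51.100.7 dst=192.0.2.10 pkts=120
Feb 08 15:02:12 rtr1 flow src=198.51.100.9 dst=192.0.2.10 pkts=130
Feb 08 15:03:05 rtr1 flow src=198.51.100.7 dst=192.0.2.10 pkts=110
Feb 08 15:04:01 rtr1 flow src=203.0.113.5 dst=192.0.2.10 pkts=2400
Feb 08 15:04:02 rtr1 flow src=203.0.113.6 dst=192.0.2.10 pkts=2100
Feb 08 15:04:02 rtr1 flow src=203.0.113.7 dst=192.0.2.10 pkts=2300
Feb 08 15:04:03 rtr1 flow src=203.0.113.8 dst=192.0.2.10 pkts=2200
Feb 08 15:05:20 rtr1 flow src=198.51.100.9 dst=192.0.2.10 pkts=125
"""

LINE = re.compile(
    r"^(?P<minute>\w{3} \d{2} \d{2}:\d{2}):\d{2} \S+ flow "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) pkts=(?P<pkts>\d+)$"
)

def per_minute(log_text):
    """Return {(dst, minute): [total_packets, set_of_sources]}."""
    buckets = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a flow record
        bucket = buckets[(m["dst"], m["minute"])]
        bucket[0] += int(m["pkts"])
        bucket[1].add(m["src"])
    return buckets

def find_floods(log_text, factor=5, min_sources=3):
    """Flag minutes with >= factor x the destination's median packet count
    arriving from at least min_sources distinct senders."""
    buckets = per_minute(log_text)
    by_dst = defaultdict(list)
    for (dst, _minute), (pkts, _srcs) in buckets.items():
        by_dst[dst].append(pkts)
    alerts = []
    for (dst, minute), (pkts, srcs) in sorted(buckets.items()):
        if pkts >= factor * median(by_dst[dst]) and len(srcs) >= min_sources:
            alerts.append((minute, dst, pkts, len(srcs)))
    return alerts

if __name__ == "__main__":
    for alert in find_floods(SAMPLE_LOG):
        print("possible flood: %s dst=%s pkts=%d sources=%d" % alert)
```

The median is used as the baseline so that a single flooded minute does not raise the threshold it is measured against; a sustained attack covering most of the log would need a baseline taken from an earlier, known-quiet period.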
