Security is a fundamental part of the business world. No organisation can run its operations without securing its assets against theft, fire and other forms of damage. Unfortunately, the Internet economy has thrown people into confusion and far too many organisations involved in e-business are not protecting their online assets and information. Just one breach in the online world can be hugely damaging in terms of information loss, legal liability, customer and supplier confidence and adverse publicity.
Who can you trust?
Confusion abounds over what exactly the main cybercrime threats are. The US Computer Security Institute (CSI) produces a list of the most damaging online security threats in terms of money lost. Its research also highlights that, contrary to popular belief, external security breaches are just as much of a threat as internal ones.
Security fears in the online world have now risen to such a level that many analysts agree that they are actually holding back the development of Internet-based business.
It's not hard to see why. If supplier partners and customers cannot trust an organisation to maintain their privacy or protect them from damage, it becomes rather difficult to deploy e-commerce or customer relationship management (CRM) systems, or roll out a supplier intranet or business-to-business exchange. To this extent, security is a key e-business enabler. Any online security strategy should consist of two elements: a water-tight security policy and an effective use of security technologies.
As well as leading to the implementation of a secure online IT architecture, a security policy should provide a number of extra benefits. It should make upper management aware of and involved in information security; it should help your company demonstrate that it has tried to meet legal obligations with respect to the confidentiality and integrity of information. It can be used to build trust among business partners, investors or customers when your organisation is rolling out e-business operations; it should form a benchmark for measuring the performance of security technology and the responsibility of personnel and it should define acceptable use of IT equipment by staff who cannot then plead ignorance.
According to BS7799, the British Standard for network security, information security is characterised by the preservation of the following three components:
- Confidentiality Ensuring that information is accessible to only those with authorisation
- Integrity Safeguarding the accuracy and completeness of information and processing methods
- Availability Ensuring that authorised users have access to information and associated assets when required
RSA Security has produced an excellent booklet to guide organisations through the intricacies of operating a security policy. It suggests that a task force is set up with members from departments other than IT and security. The whole process needs to be endorsed by a chief executive or board member.
The first step is to assess your security requirements. This involves listing information and physical assets such as application programmes, reports, product designs, financial records, databases and IT hardware. These should be categorised according to their value, location, cost to replace and user base.
Now assess the threats to these assets, perhaps by an external security consultant. Typical threats include password cracking, network monitoring, abuse of network administrative tools, denial of service attacks (when rogue software programmes are used to overload or crash a network) and viruses. What business risks do these threats pose to your organisation and how much money and time would you be prepared to spend on protecting against them?
Remembering that no security infrastructure is 100% secure, you should also establish at this time a procedure for dealing with security breaches and attacks, which should assign responsibilities for dealing with the incidents and provide detailed contingency plans.
It is only when you have thoroughly looked at your assets, the threats they face, and determined how much you are prepared to spend to protect them that you can start employing the technology architecture to do so.
There are many components to any secure Internet or extranet architecture. Some of the more popular ones are:
- Firewalls A firewall is a barrier between two networks, typically the internal or corporate network, and an external network, usually the Internet. Firewalls can also be used internally to cordon off systems in departments, such as human resources, which may contain sensitive data. They examine incoming and outgoing packets of information and either let them through or block them according to a set of rules defined by an administrator. There are many varieties of firewall offering different levels of security. "We once asked a company if it had a firewall and were told yes. But when we performed a penetration test on them we realised that they had forgotten to turn it on," says Stuart Mort, associate director of the IT security team at Control Risk Group. Whatever firewall you buy, make sure you configure it properly and test it.
- Authentication Used to identify a user or system, so that it can be granted access. Authentication can range from simple passwords to biometric methods such as retina or fingerprint recognition. Internet authentication company Signify produces two-factor auth-entication, which gives users a personal key fob and PIN number, which is used to produce a one-time passcode that enables them to access sensitive systems or information.
- Encryption Encryption is most often used to help protect data while in transit between two computer systems. Two examples are a virtual private network (point-to-point encrypted leased line used to provide a secure connection over an insecure network such as the Internet), or the secure sockets layer (SSL) encryption commonly used to encrypt online credit card transactions over the Web. "Many companies we have dealt with have stored credit card details in unencrypted form on their Web servers. Hackers can then get access to these, obtain the numbers and sell them on," says Mort. "It is a lot easier to hack into an unprotected Web server than try to hack into an encrypted transaction." Peter Dorrington, business solution marketing manager at SAS, agrees: "I've never come across an example of an SSL transaction being cracked by a criminal, it is too much hard work." Make sure that information is either kept offline in a secure environment, or encrypted on the Web server.
- Intrusion detection systems These are used to search for signs of unauthorised access or use, by examining the types and contents of network packets. They can search for known attack 'signatures' in the same way that anti-virus software searches for known viruses, or for unusual behaviour based on profiles of expected user and application activity. IDS is useful to spot hacker attacks, but needs to be constantly updated to cope with new threats.
- Host-based security Even though servers, operating systems and applications may be protected by firewalls, authentication systems and intrusion detection, they should be regularly checked and configured to make sure they are secure. Vulnerability scanning tools can point out where software patches are needed. There are many websites such as www.attrition.org or www.defcon.org that hackers use to keep up to date on host system vulnerabilities that they can exploit.
- Network segmentation This involves the use of 'demilitarised zones' (DMZ) that sit between the outside networks such as the Internet or an extranet and an organisation's internal network. The DMZ contains publicly accessible systems such as Web servers and email servers. Complex e-business operations may use a different DMZ for each e-business application. This enables them to limit the amount of damage and disruption caused by a security breach and allows the configuration of access privileges on each server to be as restrictive as possible. Each DMZ is protected from the outside network by a firewall and is monitored with IDS technology.
Control Risk Group: www.controlriskgroup.com
Security Focus: www.securityfocus.com