Special report: Safe and sound

Are your security procedures failing to bite? Expert witness Peter Sommer shares his top 10 lessons in Internet security

Peter Sommer is one of the country's premier experts on computer security. His expert opinion is regularly sought, and he is often called upon as a witness to interpret failures in security for the courts. Sommer was also a key adviser to the Department of Trade and Industry Select Committee in its discussions on the government's attempt to foster electronic commerce.

Sommer has identified 10 failure scenarios, where security is critical, eight of which are management-related, the remaining two of which are technical. The scenarios below are based on cases in which Sommer has given evidence as an expert witness. Many of the security breaches occurred in early attempts to drive business via the web, where investment funds were plentiful but few companies, in their rush to be first to market, gave much thought to their security and business risks.

Management failings

Failure to realise that security is an integral part of the service you are offering
Many companies set up in the last two or three years to take advantage of the web revolution failed to consider that offering suitable security around their offerings was an integral part of the service. One financial services company, a startup that was set up by people with considerable experience in financial services and management consultancy, had approached investors with the plan which ultimately said, 'We're going to make lots of money.' Yet, in searching for insurance, they had not managed to nail down any of the contracts on which their services depended.

Unfortunately, having been given money on the basis of their business plan - admittedly in heady times - they could hardly go back to their investors and say the business plan wouldn't work without insurance in place. But without insurance in place, they couldn't trade. The entire venture was based on a flawed business plan, with no consideration of risk.

Failure to include an adequate security budget in the initial business plan
The failure discussed above could equally apply to the security considerations of bricks-and-mortar companies at any time. More and more dotcoms were set up in a culture of speed, fuelled by rapid application development, and using products such as FrontPage to get up and running quickly. Systems would be based on two or three PCs, and could equally be up and running in two or three weeks.

But security operates on the 10:90 rule, where the equipment provides only 10% of the solution and the other 90% is provided by the need to do adequate testing to ensure the products work effectively. There is a world of difference in offering a service to 500,000 customers as opposed to 50.

Companies fell into two categories: those that continued to offer their services amid a catalogue of security scares, such as Egg; and those that decided not to offer their services until they believed their systems were sufficiently robust, such as Halifax, which received unwelcome publicity as a result of pulling its launch date.

Failure to allow sufficient time for testing for security resilience
Many of these lessons have a knock-on effect. Inadequate thinking time for security, followed by inadequate budgeting, is likely to lead to inadequate testing. Because all companies wanted to be first to market, their products were rarely tested to breaking point. So, customers became the testers and the services fell over, as you would expect if they were insufficiently robust.

As traditional bricks-and-mortar companies have entered the market, with brand names to protect and customer service to consider, the services have become better tested. Occasionally, as in the recent example involving the release of personal data from the Consumers Association website, even the established names can get it wrong.

Failure to understand the extent to which you are reliant through outsourcing on third parties, with consequent liabilities
The use of outsourcing and hosted services has placed the onus on organisations to ensure that their offerings to customers appear seamless, even if they are hosted elsewhere. The customer will not care who is hosting the service; he or she just believes it is the company they are using.

If you are using third parties to provide services, their security has to be as robust as yours because the customer will hold you responsible. If you are delivering via a third party to a customer, and the order or the goods go missing, it is not the third party who will be blamed by the customer, it is you.

Failure to design systems so they can collect evidence of what is happening within them
In the systems of traditional bricks-and-mortar companies, systems which have been built up over years have a structure that enables them to capture evidence of the history of transactions. In other words, there is an audit trail. But in many e-commerce systems, this trail is lacking.

It all comes down to the confidence of the customer in the systems they are using. If, because of inadequacy in the way a system is designed, a customer's transactions are lost, there is a risk not only of a ruined reputation, but also of litigation.

If the systems cannot capture an adequate trail, in other words evidence of how the transaction was completed from stage to stage, then the customer would be justified in having little confidence in using it.

The trail should include elements such as emails sent to confirm orders; even something as simple as an email confirming an order or subsequent delivery is evidence of a well-designed system.
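As an added illustration of the design point above (this is not code from the article or from any system Sommer describes), the following sketch records each stage of an order as an append-only, hash-chained event so that the history of a transaction can later be reconstructed and checked for tampering or for stages that never happened. The stage names and the order data are constructed for the example.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field

# Stages a well-designed system should be able to evidence for every order.
# These names are an assumption for the example, not taken from the article.
EXPECTED_STAGES = ["received", "payment_authorised",
                   "confirmation_emailed", "dispatched", "delivered"]

GENESIS = "0" * 64  # chain anchor for the first event


def _digest(body: dict) -> str:
    """Canonical SHA-256 over an event without its own hash field."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditTrail:
    """Append-only record where each event commits to the previous one."""
    events: list = field(default_factory=list)

    def record(self, order_id: str, stage: str, detail: dict, ts=None) -> str:
        prev = self.events[-1]["hash"] if self.events else GENESIS
        entry = {"order_id": order_id, "stage": stage, "detail": detail,
                 "ts": time.time() if ts is None else ts, "prev": prev}
        entry["hash"] = _digest(entry)
        self.events.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if every link and every hash still matches its content."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, order_id: str) -> list:
        """Stages recorded for one order, in the order they happened."""
        return [e["stage"] for e in self.events if e["order_id"] == order_id]

    def missing_stages(self, order_id: str, expected=EXPECTED_STAGES) -> list:
        """Expected stages for which the trail holds no evidence."""
        seen = set(self.history(order_id))
        return [s for s in expected if s not in seen]
```

Sending the confirmation email is itself recorded as a stage, so a customer query can be answered from the trail rather than from guesswork.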

Failure to verify the CVs of those you employ, and to have a monitoring scheme that will alert you to harmful situations
The rise of the quickly built dotcom or even bricks-and-mortar based e-commerce offerings has led to a worrying rise in risks based on inadequate staff monitoring. Instead of IT departments, where a series of psychological checks and balances over staff are more likely to be in place, companies have taken on very young staff, based on the skills they have. And because they have the kind of web-based skills that other members of the IT staff may lack, they have the power to do a lot of damage.

While older members of the technology staff may be known, and any problems (drink, drugs, etc) spotted, the rise of quickly built companies and systems gives less opportunity for those balances to be in place. There is an onus on managers to know their staff and to spot any changes in working habits before they learn the hard way that the disaffected employee has hurt the business.

Failure to rely on the right sort of security consultant
Ethical hacking or penetration-testing is fashionable and, when done properly, can be useful. But there is more to security than that. Ethical hacking is popular now, and has become the 'sympathetic magic' approach to security. You might be tempted to think that all your security worries have been resolved. But you should remember that penetration-testing is just that - penetration-testing. It's good to do it, and can be useful in spotting some weaknesses. But there is still a need to do the boring stuff, like put security policies in place.

Failure to have a contingency plan in place
If you have a problem with your website providing e-commerce, or if there is an inadvertent release of customer data, such as has occurred recently, then you run the risk of a large number of enquiries.

There were a lot of unfavourable situations like these 12 months ago, where some users were unable to access sites with their browsers, while others had Internet Explorer with all the bells and whistles. That led to a lot of calls to the helpdesk, which was overwhelmed. And although many customer service staff were using scripts to deal with queries, they were unable to solve every problem. You have to plan for things to go wrong, and put contingency plans in place to cope with them when they do.

Technical failings

Basing your system on products that have been released without sufficient testing
Too many strategies for e-business have been based on the latest whizzo technology that either has just been released or is due for release. You may have a beta copy of the latest application program, but it would be unwise to base your business around it.

Unfortunately, in many cases, that is just what happens. The 'e-step product in a box' is more often a marketing concept than a reality. Everybody is full of optimism that XYZ product will do the trick, but you should stick to your business plan and base it on tried and trusted technology, not on hype.

Not keeping up with the latest patches
The case of 19-year-old Welsh hacker Raphael Gray demonstrated that even companies such as Microsoft can fall behind with adopting patches to ensure their own systems are secure. Gray famously hacked into Microsoft's systems through a weakness in Internet Information Server 4 and sent its chairman, Bill Gates, some Viagra. You have to keep up to date with the latest patches to cover security weaknesses, and put a system in place to ensure they are adopted swiftly.