Good (on-line) fences make good neighbors

It’s 9 a.m. Do you know where your business partners are?

Perhaps one is logging in to your secure business-to-business Web site and ordering US$2 million worth of widgets. Then again, someone at that same partner company could be exploiting a hole in your Java server that you haven’t had time to fix, gaining root access and running direct SQL queries on your pricing database.

It’s 9:30 a.m., and someone from that trusted, valuable partner firm just discovered that you sell to its direct competitor for 20 per cent less per item. And unless you do some quick price matching, it’s going to find a new supplier.

Call it the New Economy paradox: you partner with a company, allow your computers to communicate via secure connections and open exclusive marketplaces to trade new or excess inventory, all to save time and money.

But at the same time, in a different market, that partner is also a competitor. The result is that you’ve opened your systems to an organization that’s trying to put you out of business.

Of course, overly curious business partners aren’t the only threat when translating business-to-business partnerships into real-world network and computer connections – there are always hackers and competitors. So when creating partnerships, security experts recommend taking a line from the poet Robert Frost – “Good fences make good neighbors.” Partners should agree on thorough security policies and watch everything.

Trust no partner

Business-to-business security models are only as secure as the weakest link. An attacker doesn’t have to break into your network. He can break into a partner’s and then use the secure connection to launch a devastating attack on your site. So experts caution that trusted business partners shouldn’t be trusted security partners – in fact, there’s no such thing.

“There’s no one outside your organization that you should be trusting,” says John Lucich, international president of the High-Tech Crime Network, a West Caldwell, N.J.-based computerized network of law enforcement agencies from 15 countries. Treat partners as if they were hostile, he says – because they might unintentionally let hackers attack you.

“It’s not that you can’t trust him or her individually,” says Lucich. “You can’t trust what they’re doing about their network security or who works for them.”

Given the special ports to which business partners sometimes have access, it’s even more important to isolate your network from theirs and fine-tune the firewall to let only what is essential through, says Lucich.

But good security starts inside your own company. “Tools enforce compliance to a security policy,” says Lucich. Accordingly, companies need good and thorough security policies. Lucich recounts asking to see the security policy for a company with US$400 million in annual revenue. “It was a five-page document,” he says. “It should be 30 to 100 pages, depending upon what they do.”

A good policy alerts the information technology department to what it can and can’t do from a security standpoint. “It also alerts your employees to what is allowed and what isn’t allowed,” Lucich says.

For prospective business partners, examining each side’s written security policies is often the first step.

“(Both companies) need to have consistent levels of access control and security so that there can be an exchange of information under a single seam of security,” said Drew Williams, security segment manager at BindView Corp. in Houston, which makes IT risk-management software.

Agreeing on a security model is difficult; there is no widely accepted standard. “One of the big items that people are looking at is (British Standard 7799), a framework for security,” said George Kurtz, CEO of Foundstone Inc., a security training and consulting company in Irvine, Calif.

But until a standard is available, companies are on their own. Thus, when forming partnerships, Kurtz recommends first analyzing the prospective partner’s security framework and then sending in a team to make sure its security is comparable to your company’s. If the security is inadequate, “put the brakes on it,” said Kurtz, and don’t plan on partnering anytime soon.

Companies may soon find their larger partners setting standards for them. “Visa (recently) issued 10 commandments for its business partners,” said Robert Clyde, vice-president of security management at Axent Technologies Inc. in Rockville, Md., which makes security software. “It’s a classic B2B partnership: ‘Together, we’re going to create this community of trust about using Visa on-line; we’re going to have rules everyone has to follow to ensure security on-line.’ ”

The e-mail threat

E-mail is often overlooked as a security risk. “I know a leading security company that gets eavesdropped on by another leading security company because their e-mail is (not encrypted),” said Williams. Unencrypted e-mail is plain text, so messages that are intercepted are easy to read. Accordingly, many companies are using public-key infrastructure (PKI) technology to encrypt e-mail while relegating all business-to-business transactions and communications to virtual private networks (VPN).

They also use digital certificates to authenticate every order so they can’t later be repudiated. Breaking into a VPN is extremely difficult, unless you’re a home user with VPN access and are connected to the Internet. That’s why experts recommend personal firewalls for laptops and home computers, so hackers can’t use them to leapfrog onto a secure VPN.

Secure Sockets Layer (SSL) is another way to secure communications, noted Clyde. “You can do enabling without PKI. You can use SSL – which is just PKI under the covers – and passwords as means of authentication over an encrypted session. It’s probably the most common form of security for business-to-business commerce today,” he said.

SSL does have a downside. “Many (companies) are concerned because SSL only relies upon passwords,” says Clyde. Instead of this one-password approach, Clyde recommends requiring a physical object to get a one-way password for each user session. That object can be a smart card or a laptop with a digital token stored on it. Using a physical object increases the difficulty level for hackers.

“It’s much harder for the bad guys – they have to steal something as well as guessing something,” said Clyde. “Many hackers out there aren’t going to be interested in doing physical crimes as well as hacker crimes.”

From a security standpoint, don’t forget the lawyers – because business-to-business exchanges are a world of legal pain just waiting to happen. If a hacker uses your site to leapfrog through secure connections into a partner’s site, that partner could sue you for negligence.

“I think this will be the biggest area for lawsuits going forward – hooking up with ‘trusted partners,’ ” said Lucich.

Contingency plans and nondisclosure agreements can also prevent a lot of aggravation. If a hacker breaks into your partner’s site and starts an attack that you discover, what do you do? You contact the partner, of course, but you also need to be kept in the loop as it closes the security hole. Otherwise, your options are limited. “If you decide to take down some of the links (between B2B networks), just taking down a link because you can’t get a hold of someone might stop the intrusion, but it might have business implications, too – what if that link generates millions of dollars per day?” asked Kurtz. Besides potential lost revenue, there are legal risks as well, he said.

Pandora’s box

But that begs another question: How do you know when a partner company has been broken into? This is especially important, because when business partners tie networks together, they often use ports that no security manager in his right mind would ever use without the defensive equivalent of Fort Knox in front of it first.

Some ports even make the top 10 security threat list from the SANS Institute in Bethesda, Md. Under “ports to disable,” the SANS Institute recommends disabling the two ports most often used for business-to-business transactions – 80 and 443, which allow outside HTTP and SSL TCP access to a Web server. If a good hacker gets TCP access, you can kiss your site goodbye for a while.

Accordingly, you need to know if and when there’s a security breach. “Though most partners won’t let you install monitoring equipment on their premises or network, you can still use intrusion-detection systems to monitor every packet that comes at your network,” said Kurtz. “If it looks like anomalous traffic is taking place, (you) need to step in quickly.” Kurtz says a common attack begins with hackers trying many ports on a machine to find one that’s open.