“It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post a guard at the door.”
– F. T. Grampp and R. H. Morris
Of course almost no one today would contemplate running a computer system in an “unwired” mode. Connectivity is a necessity, whether it’s through local area networks, wide area networks or the Internet.
With connectivity, however, comes risks – risks that can be internal or external. Most companies seem to pay more attention to external threats, although surveys suggest that close to 80 per cent of security violations come from internal sources. The challenge is to deploy appropriate defences that are proportional to the magnitude of risk perceived and the importance of the information that needs protection.
The tremendous surge in E-commerce transactions over the Internet has spurred great interest in the safety of doing business over the net. With the abundance of hacker stories in the press, it is not hard to see why businesses need to be very wary of Internet security threats. Since the hacker threat will not go away any time soon, businesses should approach the issue head-on. Indeed, even as security defences increase in sophistication, so also do hacker skills.
Surveys from the Gartner Group, Forrester Research and others project a continuing boom in E-commerce, especially over the Internet. The Aberdeen Group estimates that by next year business-to-consumer and business-to-business electronic commerce will stand at US$88 billion and $2 trillion respectively. Aberdeen contends that price may not be the only differentiator in a market where each segment is dominated by at least three competitors. Aside from providing timely delivery, winners will be companies that offer assurances of secure transactions, protection of personal information, and ethical use of this information.
IS INFORMATION SECURE?
Key issues to consider with respect to security of information are: authentication, access control, confidentiality and privacy, data and message integrity, non-repudiation, and denial of service.
These form the core components for secure transactions – specifically, how well a site implements secure transactions that meet industry standards such as SET (secure electronic transaction).
Authentication pertains to how accurately a system can verify the identity of a user, resource or program. In the context of E-commerce, the issue is that of verification of customers’ and suppliers’ identities or processes associated with customers, suppliers and other system users.
In traditional systems, reliance on such identification items as driver’s licences, social insurance numbers and passports was enough. In the electronic world the story is different. Two issues are critical to a reliable authentication system: the nature of the identification and how well these identifications can be verified.
In selecting authentication systems, one must ensure that the systems are reliable. Meanwhile, customers must be assured that they do not risk being billed for someone else’s purchases.
Passwords are perhaps the most well-known means for authentication. However, password management has an Achilles heel. Typically, users choose easy-to-remember passwords (which are usually easy to break); system administrators fail to enforce periodic password changes; and there is a failure to enforce minimum password lengths.
Two-stage authentication systems, such as SecurID, use a passcode that combines a user’s password with a randomly generated number. This makes them inherently more difficult for hackers to crack.
Certificate authorities (CAs), third parties that can “vouch” for a given identity, can offer reliable authentication systems. At the strategic level, the issues of standards arise. For example, how does the choice of a CA affect the business? Will the company act as its own CA or will it outsource the service? If the latter, how reliable is the outsourced CA? What liabilities does this arrangement present? What is the nature of the agreement governing this outsourcing?
Outsourcing has the advantage that one can trade with many others in the same group that use the CA for the same purpose.
Privacy & confidentiality
Privacy concerns an individual’s right to control and influence the way personal information is collected, stored, used, and to whom it is disclosed. Confidentiality involves ensuring data is used for the intended purpose and disclosed only to authorized users. Customers will have confidence and trust in businesses that assure their information will be used for purposes it was intended for. Likewise, they will be wary of potential abuse of private and confidential information.
Other concerns involve how well businesses protect customer information to ensure it is not accessed by unauthorized users. For example, would a hacker get hold of one’s credit card numbers once they have been used to pay for goods and services?
Access controls form a key component for protection of information. Encrypting information under a public key infrastructure (PKI) can further enhance its confidentiality.
Now that we have information pertaining to customers, how do we protect this from unauthorized disclosure? For a long time to come, privacy will remain a major concern.
Once a user is authenticated, the question is: what information can she or he access? Do access controls allow systems to limit the information that a user can access? Typical access control systems use access control lists that are attached to various pieces of information. Others, like military security systems, use information classification and user clearance. Today, however, more and more systems are being designed with access control managed through the use of roles. A system user will be given only as much privilege as is necessary for the role that the person has.
It is important that businesses delineate these roles clearly, ensuring that customer roles do not overlap administration roles in terms of privileges. Moreover, no role should have the ability to change its own privileges in any system.
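The two rules just stated (customer and administration roles must not overlap in privilege, and no role may change its own privileges) can be enforced at the point where privileges are granted. The following is an added illustration, not code from the article; the role and privilege names are constructed for the example.

```python
"""Role-based access control with two grant-time safeguards:
customer/admin privilege overlap is rejected, and a role can never
alter its own privileges. Role and privilege names are constructed."""
from copy import deepcopy

# Constructed role table: each role maps to the privileges it holds.
ROLES = {
    "customer": {"view_catalogue", "place_order", "view_own_orders"},
    "admin": {"view_any_order", "manage_catalogue", "manage_roles"},
}
CUSTOMER_ROLES = {"customer"}
ADMIN_ROLES = {"admin"}


class AccessDenied(Exception):
    pass


def can(roles, role, privilege):
    """True if the role currently holds the privilege."""
    return privilege in roles.get(role, set())


def overlapping_privileges(roles):
    """Privileges held by both a customer role and an administration role."""
    cust = set().union(*(roles[r] for r in CUSTOMER_ROLES if r in roles))
    adm = set().union(*(roles[r] for r in ADMIN_ROLES if r in roles))
    return cust & adm


def grant(roles, actor_role, target_role, privilege):
    """Return a new role table with the privilege added, or raise AccessDenied.
    The original table is never modified in place."""
    if not can(roles, actor_role, "manage_roles"):
        raise AccessDenied(f"{actor_role} may not manage roles")
    if actor_role == target_role:
        raise AccessDenied("a role may not change its own privileges")
    new_roles = deepcopy(roles)
    new_roles.setdefault(target_role, set()).add(privilege)
    clash = overlapping_privileges(new_roles)
    if clash:
        raise AccessDenied(f"customer/admin privilege overlap: {sorted(clash)}")
    return new_roles


def denial_reason(roles, actor_role, target_role, privilege):
    """None if the grant is allowed, otherwise the reason it was refused."""
    try:
        grant(roles, actor_role, target_role, privilege)
    except AccessDenied as exc:
        return str(exc)
    return None
```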
Once a transaction has been successfully executed, it is important that none of the parties back out or claim they were not involved in the deal. How does a system ensure a customer or vendor does not repudiate an already concluded transaction? Non-repudiation is enforced with the use of digital signatures that one cannot deny. Digital signatures are usually implemented using cryptography, specifically public key cryptography that is also employed in PKI systems.
Data & message integrity
How does the system ensure that a message’s integrity remains intact while in transit? The Internet is full of potential masqueraders who use such tactics as spoofing. Encryption under a public key infrastructure, coupled with certificate authorities, can mitigate this risk. A PKI combined with a secure message digest can assure message integrity. A message digest is a value derived from the content of the message and appended to it when it is transmitted.
It is vital to ensure that the contents of an item (message, file, record, program) have not been changed, accidentally or intentionally, in an unauthorized manner. Changes to information must be authorized and trusted. Usually systems use secure hashes to determine whether there have been any changes. Auditing tools, such as audit trails, associate the changes with system users to ensure changes to information are authorized. Audit trails, however, can be a challenging matter to manage. System administrators often grapple with how much information they need to log and for how long. A balance must be struck between the volume of logging and the value of the information being protected.
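The digest-appended-to-message scheme described above, as an added example that is not from the article: it shows that a plain digest catches accidental corruption but not a masquerader who recomputes the digest, which is why the digest must be keyed (or, for non-repudiation as discussed earlier, signed with a private key). The message and shared key are constructed for illustration.

```python
"""Integrity check by appending a message digest, and the keyed variant
that also resists a masquerader. Sample message and key are constructed."""
import hashlib
import hmac

# Constructed shared secret; in practice agreed out of band between the parties.
KEY = b"constructed-shared-key"
SEP = b"|"  # separator between message body and its hex digest


def attach_digest(message):
    """Sender: append the SHA-256 digest (hex) of the message content."""
    return message + SEP + hashlib.sha256(message).hexdigest().encode()


def verify_digest(packet):
    """Receiver: split off the digest, recompute it and compare in constant time.
    Returns (message, ok)."""
    message, _, digest = packet.rpartition(SEP)
    expected = hashlib.sha256(message).hexdigest().encode()
    return message, hmac.compare_digest(digest, expected)


def attach_mac(message):
    """Sender: append a keyed digest (HMAC-SHA256) instead of a plain one."""
    return message + SEP + hmac.new(KEY, message, "sha256").hexdigest().encode()


def verify_mac(packet):
    """Receiver: recompute the keyed digest; anyone without KEY cannot forge it."""
    message, _, tag = packet.rpartition(SEP)
    expected = hmac.new(KEY, message, "sha256").hexdigest().encode()
    return message, hmac.compare_digest(tag, expected)


def corrupt_in_transit(packet, old, new):
    """Simulate accidental corruption: the body changes, the digest does not."""
    message, _, digest = packet.rpartition(SEP)
    return message.replace(old, new) + SEP + digest
```

Because both sender and receiver hold KEY, a keyed digest cannot prove which of them produced the message; that is the gap a digital signature closes.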
Denial of service
Denial of service is defined as the condition of being unavailable for use when required. A system attack that makes resources unavailable causes denial of service. Denial of service is not just an issue of external malicious attacks, but also that of bandwidth, availability and response times. Denial of service can also be due to undercapacity. For example, a website that takes several seconds to respond to a click can be a taxing element for customers. In the eyes of the customer, such a service is unavailable. For the business, this disillusionment will mean lost business.
Traditionally, businesses traded with other businesses in the “neighbourhood” – usually in the same time zone. Today, however, the neighbourhood is global. Customers in the Far East may be just as important as those in Europe and North America. Businesses that will succeed will offer a 24/7 service with appropriate response times.
Apart from ensuring that externally accessible systems are properly protected from potential denial of service attacks, businesses must ensure enough bandwidth for 24/7 availability.
Attack & penetration
Once a business has planned and implemented a system, it is important to carry out independent reviews to ensure the robustness of the system security in place. This can be done by a business’s own security team or an outside firm. The advantage of using an outside firm is that it comes in with a fresh pair of eyes and can unearth vulnerabilities that would not otherwise be apparent. Moreover, such a firm would also give an indication of industry-leading practices that could be a form of benchmark for a firm.
A further consideration is that, given the rate of technological change, weaknesses in systems appear almost daily. It is important to keep up with advisories on the systems (both hardware and software) that the business uses. This assures that the business is not unduly exposed to potential violations.
In the growing E-commerce world, the success that businesses enjoy will greatly depend on the confidence the public has in doing business with them. Should things go wrong, the impact on the business can be substantial, especially given the speed at which word spreads on the Internet. It is important that businesses get their act right the first time, and perform periodic reviews to assure conformance with business standards.
Matunda Nyanchama is a senior consultant with the Ernst & Young eSecurity Services practice and can be reached directly at (905) 803-6857 or by email at [email protected].