Over the course of the past year, security breaches left customer trading account data, passwords and bank account records vulnerable to electronic piracy at both E*Trade and Charles Schwab. The hacking of Egghead.com resulted in a number of banks and other credit card issuers undergoing the expensive, tedious process of canceling accounts and issuing new cards to former Egghead customers even before investigators determined what had actually been lost in the cyber heist.
Of course, the almost total system crash that took online auction giant eBay out of the bidding for 10 hours was not a fourth quarter failure--it occurred on January 3. Equally true, that collapse--which dumped eBay's main system, primary backup system and secondary backup system--was not charged to external hacking or internal sabotage. According to recent company announcements, while eBay knew for a while that a potential problem existed in its shared-disk hardware, the company chose to delay the recommended upgrade. Put another way, eBay detected the threat to their system but decided not to fix it right away. Once the threat became reality and they were forced into firefighting mode they discovered that their key hydrants--both backup systems--had run dry.
If nothing else, the sound of mighty eBay crashing should have been a serious wakeup call for executives and IT managers who think of "security threats" only in terms of disgruntled or disloyal employees, electronic intrusion and virus infection. Not having stress-tested and ready-to-run backup systems that mimic the primary server in access control, authentication procedures or virus blocking, for example, is as much a form of poor security as putting your customer database on your Internet server.
Internal, external, or mechanical, security failures generate both tangible (lost sales, damage repair) and intangible (decline in customer confidence, loss of overall credibility) costs. And for any number of reasons, these costs will probably increase in the future. Based on a recent Datamonitor release, a staggeringly small number of online businesses take security seriously enough, with most spending just 5 percent of their IT budgets on securing their assets.
Know Thine Enemy
How and where companies spend that 5 percent is crucial. Companies that are unable to afford adding a full-time security expert to their IT staff may be better off turning to an outside integrator. In a recent report on security issues, GartnerGroup analysts predicted that 50 percent of all small to midsize enterprises that implement and supervise their own network security systems would become victims of information attack by 2003.
As the incidents with Egghead and eBay illustrate, threats to operational security can be both external and internal. According to a recent survey by CyberSource and Mindwave Research, fraudulent credit card transactions--a common external security threat--are a major source of tangible losses, with online purchases accounting for 5 percent of all pay-by-plastic transactions and 50 percent of the fraudulent ones. On average, e-tailers lose 4 percent of their income to credit card fraud. That's about triple what their brick-and-mortar competitors lose and a nasty bit of additional overhead.
No wonder in May, Visa International will begin to monitor e-commerce sites to determine the presence of such rudimentary security devices as firewalls and encryption technology. Companies failing to meet "minimum" standards may be forced to pay higher discount rates, maintain larger holdbacks, or lose their Visa accreditation.
Many experts, such as Forrester Research analyst Frank Prince, believe the intangible dollar cost of internal information attacks by employees and business partners is even larger than that of attacks by customers or external attackers. "The disgruntled employee who damages stuff rather than steals it seems to be the most common type," Prince says. "The next most common are those who, disgruntled or not, take information for economic use..."
According to Datamonitor statistics, costs from malicious inside attacks can be staggering. A hole in a firewall allowing a low-level employee to impersonate a system administrator could enable that individual to set up denial of service overruns, bypass virus detection systems, and even create a counterfeit version of the company's Web site disseminating false and damaging information.
Prince says the best protection against internal security threats starts with proper business practices. "In the gaming industry they have this concept of people watching people watching people. In business there are long-time auditing rules that the people who write checks shouldn't be signing them," he says. "You design protective mechanisms that make processes, which could cause significant damage, require collaboration. When you have human collaboration you also have greater visibility; when you have greater visibility, you have greater likelihood of prevention."
Prince goes on to say that while there are electronic spins to that in Internet environments, it is good process design cast in terms of the electronic environment that ultimately is the best protection organizations have. An example would be to require that the setting or changing of new business rules--such as ones determining which clients get credit breaks--be electronically authenticated by more than one person before the system will accept the instruction.
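The dual-control rule Prince describes, cast in code as an added example (not from the article or any product it names): a rule store that refuses to apply a business-rule change, such as a new credit-break threshold, until a quorum of distinct authenticated people has signed it. The store, the user ids and the rule names are constructed for illustration; it assumes the caller has already authenticated the user and passes in a trustworthy identity.

```python
"""Two-person (dual-control) authorization for business-rule changes.

Added example, not code from the article. Assumes an authenticated user id
is supplied by the caller; rule names and ids below are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set, Tuple


class AuthorizationError(Exception):
    """Raised when a proposal or approval violates the dual-control policy."""


@dataclass
class PendingChange:
    rule_id: str
    new_value: Any
    proposer: str
    approvals: Set[str] = field(default_factory=set)  # distinct approver ids


class RuleStore:
    """Business rules that change only after `required_signers` distinct people sign.

    The proposer counts as the first signer; every further signature must come
    from a different identity, so no single person can push a change through.
    """

    def __init__(self, required_signers: int = 2) -> None:
        if required_signers < 2:
            raise ValueError("dual control requires at least two signers")
        self.required_signers = required_signers
        self.rules: Dict[str, Any] = {}
        self.pending: Dict[str, PendingChange] = {}
        # Every step is recorded so the collaboration is also visible after the fact.
        self.audit_log: List[Tuple[str, ...]] = []

    def propose(self, change_id: str, rule_id: str, new_value: Any, user: str) -> None:
        """Record a proposed change without applying it."""
        if change_id in self.pending:
            raise AuthorizationError(f"change {change_id!r} already pending")
        self.pending[change_id] = PendingChange(rule_id, new_value, user)
        self.audit_log.append(("proposed", change_id, rule_id, user))

    def approve(self, change_id: str, user: str) -> bool:
        """Add a signature; return True when the change is applied by this signature."""
        change = self.pending.get(change_id)
        if change is None:
            raise AuthorizationError(f"no pending change {change_id!r}")
        if user == change.proposer:
            raise AuthorizationError("the proposer may not approve their own change")
        if user in change.approvals:
            raise AuthorizationError(f"{user!r} has already approved this change")
        change.approvals.add(user)
        self.audit_log.append(("approved", change_id, user))
        if 1 + len(change.approvals) >= self.required_signers:
            self.rules[change.rule_id] = change.new_value
            del self.pending[change_id]
            signers = (change.proposer, *sorted(change.approvals))
            self.audit_log.append(("applied", change_id) + signers)
            return True
        return False


def demo() -> Dict[str, Any]:
    """Walk through one change: proposer alone cannot apply it, a second person can."""
    store = RuleStore(required_signers=2)
    store.propose("chg-1", "credit_break_threshold", 5000, user="alice")
    try:
        store.approve("chg-1", user="alice")  # self-approval must be refused
    except AuthorizationError:
        pass
    applied = store.approve("chg-1", user="bob")
    return {"applied": applied, "rules": dict(store.rules), "pending": list(store.pending)}


if __name__ == "__main__":
    print(demo())
```

The check that matters is the identity comparison in `approve`: the second signature has to come from a different authenticated principal, which is what turns a single keystroke into a collaboration and gives an auditor two names to ask about.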
Even technologically advanced security systems operating under intelligently designed and rigorously maintained business rules can be bypassed if flaws exist in the basic infrastructure.
"Many intrusions are made possible by improperly configured software," says Stefan Norberg, author of Securing Windows NT/2000 Servers for the Internet, citing the case of a "benign" hacking that substituted a Microsoft logo for the Apache logo on the Apache Web server site. "The Web server root directory was the same as the FTP server root directory," says Norberg. "The hackers uploaded and executed a shell binary that bound to a high port and enabled them to initiate a connection to that port, gain root access and make their changes."
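The misconfiguration Norberg describes is easy to test for before deployment. The following is an added example, not from the article or from Norberg's book: a layout check that takes a description of the server's directory roots and reports when a directory the FTP service can write to is the same as, or contains, or sits inside, the Web server's document root or any of its executable (CGI) directories. The configuration dictionary and paths are constructed for illustration.

```python
"""Check that an FTP-writable tree and a Web server's content tree do not overlap.

Added example, not from the article. The `layout` dictionary is a constructed
description of the deployment; in real use, resolve symlinks first (see note).
"""
import os
from typing import Dict, List


def _overlap(a: str, b: str) -> bool:
    """True if path a equals b, contains b, or is contained in b."""
    a, b = os.path.normpath(a), os.path.normpath(b)
    common = os.path.commonpath([a, b])
    return common in (a, b)


def check_server_layout(layout: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the roots are cleanly separated.

    Expected keys (all constructed for this example):
      web_root     - document root served over HTTP
      cgi_dirs     - directories whose contents the Web server executes
      ftp_root     - directory exposed by the FTP service
      ftp_writable - whether FTP clients may upload into ftp_root
    """
    findings: List[str] = []
    web_root = str(layout["web_root"])
    ftp_root = str(layout["ftp_root"])
    cgi_dirs = [str(d) for d in layout.get("cgi_dirs", [])]

    if _overlap(web_root, ftp_root):
        findings.append(f"web root {web_root} and FTP root {ftp_root} overlap")
        if layout.get("ftp_writable"):
            findings.append("FTP uploads land inside the served tree; "
                            "uploaded files become Web-reachable content")
    for cgi in cgi_dirs:
        if _overlap(cgi, ftp_root):
            findings.append(f"executable directory {cgi} is reachable via FTP root {ftp_root}")
            if layout.get("ftp_writable"):
                findings.append(f"FTP uploads into {cgi} would be executed by the Web server")
    return findings


if __name__ == "__main__":
    # Constructed sample: the layout from the incident, then a separated one.
    shared = {"web_root": "/srv/www", "cgi_dirs": ["/srv/www/cgi-bin"],
              "ftp_root": "/srv/www", "ftp_writable": True}
    separated = {"web_root": "/srv/www", "cgi_dirs": ["/srv/www/cgi-bin"],
                 "ftp_root": "/srv/ftp/pub", "ftp_writable": True}
    for name, cfg in (("shared", shared), ("separated", separated)):
        print(name, "->", check_server_layout(cfg) or ["ok"])
```

Because the check compares path strings, run it on symlink-resolved paths (`os.path.realpath`) on the actual host, otherwise a link from the FTP tree into the Web tree will pass the test.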
The Best Defense...
Security technology solutions are available in many forms, most highly scalable to grow with the enterprise and many modular to facilitate retrofitting installations with additional protections on an as-needed basis. Some are single-function applications providing services like PKI digital ID authentication or virus interception, others are suites offering end-to-end protection from desktop to mainframe to client.
VeriSign is a provider of digital certificate solutions for e-commerce applications, with over 300,000 Web sites using its Server ID-based programs to protect personal information submitted by customers from being intercepted or corrupted while moving through the Web.
VeriSign offers two task-specific implementations of its Site Services package, both available in 40-bit SSL or 128-bit SSL versions. Secure Site Services offers site authentication and encryption for intranets, extranets and Web sites that don't require electronic payment capability. Commerce Site Services includes all the authentication and encryption features of Secure Site plus Payflow Pro, which enables secure credit card, debit card and electronic check transactions via an SSL TCP/IP-enabled communications control client.
Falling somewhere between a series of dedicated-task applications and a full single-supplier system, Cisco System's new SAFE blueprint for system security works within the company's Architecture for Voice, Video and Integrated Data initiative.
Under the blueprint, client devices, network infrastructure, routing control, and supply chain and e-commerce applications are analyzed to find the precise point where a given security application, such as Cisco's Secure IDS 4210 intrusion-detection system, should be embedded. In areas where Cisco doesn't offer an appropriate solution, compatible third-party applications are recommended instead.
Both Computer Associates, parent company of security solution providers Platinum, Memco, Baltimore Technologies and Content Technologies, and Symantec, which became one of the world's largest full-service Internet security providers with its December acquisition of Axent Technologies, offer complete one-vendor security solutions.
Computer Associates' eTrust system is based on their Unicenter TNG framework, which integrates security planning and implementation into a comprehensive eBusiness Management environment.
Symantec leverages its expertise in anti-virus and secure remote connectivity and Axent's experience in firewall and other anti-intrusion technologies to produce applications like its Enterprise Security System.
Designed to "determine, monitor and enforce security levels and practices," the Enterprise Security System includes network mapping, vulnerability scanning, desktop firewall protection, automatic virus detection, analysis and repair, and rules-based filtering for both e-mail and Internet content.
Netegrity's SiteMinder secure portal management system supports an unusually large range of authentication methods including--in addition to passwords, certificates and tokens--custom forms, combination method "chains" and other types of custom verification schemes. Other features include single sign-on access across applications and Web servers, cross domain sign-on, sharing of user data with applications on affiliate sites, tracking of anonymous users and personalization of Web content accessible to individual users.
SiteMinder also offers extremely fine-grain access control down to a single object or radio button on a Web page. Scalable to millions of users, it integrates directly into most LDAP, NDS and NT directory services, as well as SQL databases.
A highly popular single-task solution, Entrust/PKI 5.1 is an enhanced managed-public key infrastructure application that adds such advanced features as certificate suspension, full-time fully automatic revocation status checking, and all-inclusive key history recovery to the typical PKI digital signing, encryption and permission-management functions.
No matter how many alarm bells, warning whistles and firewall layers a security system has, there are only three ways to prove its efficacy: Wait for an attack and hope for the best, simulate an intrusion, or subject the system to rigorous, all-inclusive testing on a regular basis.
Simulated intrusions, often run by former hackers employed for that purpose, may expose some weaknesses but are a dubious tool at best. Other hackers may use a different approach than the in-house "expert." And a disgruntled employee who is also a known network hacker with deep inside knowledge of your security system is as frightening a potential monster as anything ever created in Hollywood.
Far better to turn to a security-assurance provider like TrueSecure, whose Enterprise service offers quarterly on-site and electronic vulnerability assessments and 24/7 support for IT managers wrestling with security issues. It also offers certification for systems meeting specific objectives in network architecture, connectivity, physical security, redundancy, disaster recovery capability, environmental controls, system configurations and operational policy compliance.
Then there's the human factor. The main enemy of electronic defense systems is human carelessness. For any enterprise security system to be truly effective, each person in the organization from CEO to janitor has to be aware of his or her responsibility in the overall plan. Things like ensuring that doors, which should always be locked, are always locked and that data-bearing discs are never tossed in a wastebasket that will be emptied at a non-secure site are beyond an e-system's scope.
As Gartner analyst Ellen Carney puts it, "optimal security is not a function of how many dollars are invested in an information security solution, but rather that the solution can be implemented and adhered to practicably by the enterprise and its employees."