Is Your e-Security Watertight?
A version of this article first appeared in Computers & Finance, a magazine published 10 times a year in London by TBC Research. Through its comprehensive portfolio of magazines, events and research, TBC Research is dedicated to helping senior business professionals make more informed technology decisions.
When NASA admitted recently that a hacker attack had compromised astronauts' safety as its shuttle was docking with the Mir space station in 1997, the seriousness of threats to Internet security should have been realized once and for all.
But last month the issue was again at the top of the agenda as first Powergen and then Barclays suffered what appeared to be hugely damaging security compromises. The public's confidence in conducting e-commerce transactions suffered a heavy blow as consumer groups came out with all guns blazing, and corporate adoption of and adherence to adequate security measures was also thrown into question.
Some say that Barclays' and Powergen's problems are only two very public examples of a much deeper malaise in the IT industry which is liable to strike time and again. Industry commentators doggedly point out that these incidents could be avoided through more stringent adoption of security policies, better testing and firmer adherence to quality procedures in e-business projects. Whether the industry is capable of such robustness is another matter. Internal projects, always buggy, unreliable and inevitably insecure, are now out in the open for everyone to investigate and attack. Such incidents also show the immaturity and inadequacy of traditional e-business security measures, such as firewalls, encryption, authentication and access controls.
Watertight security may well be on its way. The recent passing of communications bills in the U.K., the U.S., and elsewhere in the world put digital signatures on the same legal footing as physical ones. Public key infrastructure, a framework of certificates for authenticating the keys used in encryption and digital signatures, is finally gaining widespread acceptance, with some organisations using it in anger, and others in a limited form as secure messaging.
But the pressure to gain first mover advantage is pushing many others to forge ahead unprotected. Nowhere is this more evident than in retail banking. Security experts are at the same time delighted and horrified. Mike Groves is European marketing manager for Hewlett Packard's (HP) Internet security division, which claims its Virtual Vault Web Server is the most widely used security platform in the world. Although it counts more than 120 banks among its customers, Groves says there are many other sites that lack security. "People have rolled out projects without sufficient regard to security, or they are not aware of how they're able to protect themselves properly."
John Alcock, head of ICL's information security practice, adds: "You have to recognize that people make mistakes and systems are flawed."
Pinpointing the precise failing in specific cases is difficult, but e-business testing companies insist that with proper care, the recent compromises need never have taken place. It was apparently a botched upgrade at Barclays online that led four users to access each other's account details. The bank immediately suspended the service while it reverted to its pre-upgrade version and continued testing. At the time of writing, the bank had still not managed to guarantee its functional robustness.
Gareth Evans, e-commerce specialist at testing tools vendor Cyrano, believes the problem for Barclays probably came somewhere between load testing and functional testing. Because most load testing products capture transactions at a noise level, they do not test for functional problems; Cyrano's product, he claims, does, as it creates a testing script which is then turned into the load test, so he believes it would have caught the problem in time.
But the Barclays case is only the latest in a string of online banking fiascos. All too often, it seems, security policies are either inadequate or are simply being ignored. "Many of our clients recognize they need to... refresh and change their security policies. Some at the leading edge have," but others have not, says Alcock.
With a hierarchy of policies in both the physical and IT arenas, it also becomes a matter of risk management. "Policies and processes [and their deployment] are worthless if you don't understand the risks you're taking," warns Sheryl Nixon, head of security at e-commerce specialist Rubus.
The complexity comes in understanding the different capabilities of security products, and in piecing together a layered, consistent architecture across the enterprise. Nixon divides it into five pieces - the network and communications layer, host platforms and operating systems, data stores, applications and user clients. She sees policy and processes as horseshoes that go around these, with security an integral part. "Unless the security architecture addresses all of these, then it's not secure. If there are any weaknesses, or if there's a piece missing, you don't have a jigsaw."
Testing specialists also put the problems down to a compression of the final stage of a project in the rush to be up and running. Projects can be separated into requirements, design, development and testing phases, and it's all too easy to compress the last of these. "Testing is on the critical path in terms of elapsed time," says Bob Bartlett at Sim Group, the independent testing arm of Gresham Computing. "In general, companies don't bring in a security review until they're ready to deploy," agrees HP's Groves.
Bartlett insists that rather than leave it until the final stage, companies should start incorporating elements of security testing earlier. "We've found ways you can look at testing more in parallel with development, so you can be preparing for the testing at the same time as you're doing the development before you turn it into code." Groves adds: "If you enter into it at a late stage in the project cycle, it can suddenly turn up as an unbudgeted expense, whereas if you plan security up front, you can actually increase the scope of the project."
HP recently introduced a product, Web enforcer, with which companies can look at their whole set-up automatically. Groves says it often comes down to the way servers are configured. "When servers are delivered... there are a lot of services that are enabled that should not be, a lot of light switches, in effect, that need turning off to make things secure."
Even with products like this, there's still a huge demand for good security professionals to implement them - and it's a demand that is outstripping supply, according to recent reports. "[Security] concerns services more than software. You won't solve all the problems with a great tool," Groves admits. This might go some way to explain some of the apparently bizarre failings of companies' security measures.
In the Powergen case, John Chamberlain, an IT manager from Leicester, allegedly gained access to 5,000 names, addresses and credit card details, simply by backspacing through the Website's URL in his browser. The company reacted by taking out ads in the nationals apologizing for the breach, while advising all Internet customers to change their credit cards and offering £50 each for the inconvenience caused. But the damage to consumer confidence had been done, and the company's claim that "at Powergen we take the security of our customers very seriously" now has a hollow ring to it.
Security experts say that in the first instance the company should not have been holding credit card details on a publicly accessible, unprotected server. At the very least they should have been encrypted, and a simple default index file in each directory would have stopped the server listing its contents to anyone who edited the URL. However, they admit that a firewall, or an intrusion detection system, would not have detected the problem.
"The difficulty with [intrusion detection systems] is they're looking for someone coming in and doing something odd, or carrying out a denial of service attack. Here people were allowed access to the server, where files should not have been residing, and they should have picked this up," says Evans.
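What "picking this up" could look like in practice, as an added illustration that is not part of the original article and not a Powergen or Cyrano tool: a small audit that walks a web document root and reports the two conditions described above, directories with no index file (which a listing-enabled server would expose to anyone editing the URL) and files holding what look like payment card numbers in the clear. The document root, file names and sample records are constructed for the example; the card-number check uses the standard Luhn checksum to filter out random digit runs.

```python
"""Added example (not from the article): audit a web document root for
directories without an index file and for files containing card numbers."""
import os
import re
import tempfile

# Constructed assumption: these are the index file names the web server honours.
INDEX_FILES = ("index.html", "index.htm", "index.php")
# 14 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def audit_webroot(root: str) -> dict:
    """Walk root and report unindexed directories and files with card numbers.

    Paths in the report are relative to root; the root itself appears as '.'
    if it has no index file.
    """
    report = {"unindexed_dirs": [], "card_files": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if not any(f in filenames for f in INDEX_FILES):
            report["unindexed_dirs"].append(rel)
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue            # unreadable file: skip, do not abort the audit
            numbers = find_card_numbers(text)
            if numbers:
                report["card_files"][os.path.relpath(path, root)] = numbers
    return report


def build_sample_webroot() -> str:
    """Constructed sample tree: a public page plus an unindexed export directory
    holding a customer file with one card number (a well-known test number)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>welcome</html>")
    with open(os.path.join(root, "exports", "customers.csv"), "w") as fh:
        fh.write("name,card\nA. Customer,4111 1111 1111 1111\nB. Customer,not-a-card\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for key, value in audit_webroot(sample).items():
        print(key, value)
```

Run against a real document root, the unindexed-directory list is what to fix first by adding index files or disabling directory listing on the server, and any entry in the card-file list is data that should not be on a public server at all, encrypted or otherwise.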
In this case, encryption would surely have helped. A number of banks on the Internet are using public key infrastructure (PKI) to protect their electronic communications. This is a method of authenticating the integrity of a digital signature or certificate, in much the same way as credit cards act as proof of signature in the physical world. "We have not invented a new way of doing things, we have just replicated what happens in the physical world," says Guy Singh, a product manager at PKI market leader Baltimore Technologies.
Baltimore's tools facilitate the administration of the keys in PKI, a task which is cited by many as holding up the technology's wider adoption. Despite the passing of digital signature bills around the world, some observers are reporting that companies are holding back from using it on a wider scale for other reasons. "PKI has been an academic, technical exercise looking for a business problem to solve. People are still looking at it from a technical standpoint. Does it have a role to play?" asks Nixon.
ICL's Alcock adds: "Many clients... see PKI as an attractive solution to a number of problems around information integrity, and have done pilots to understand the technology. But they will only progress when they're clear on the legal side of things." Singh admits that until the legislation is proven, while encryption, integrity and authentication can be relied on, it will not be possible to prevent repudiation of contracts, to stop parties going back on e-deals.
Nor is encryption a magic bullet. Companies can encrypt data as it is passed over networks during a transaction, and still leave it open to attack. For Alcock, the solution often lies elsewhere: "It comes back to the rigor of design and the architecture. It's best to ensure that sensitive data is not held and put together in a way that can be accessed across the Internet."
If watertight security is ultimately a matter of good design, it remains to be asked why companies are failing so spectacularly to protect themselves properly. Evans believes that the rigor of IT development is no worse here than anywhere else. "That's the problem. Nothing has changed.... In the non-Web world, when you deployed an application... if it was slow or the system went down, someone would look at it and the number of times it would fall over would gradually reduce. But to track that down to a hit on the bottom line is phenomenally difficult. Here it isn't just a system within a finance department, the real end-users are customers, and it's all very visible. If you're a big company, and the issue is something as sensitive as security of credit card details, it's a very serious matter."