Network World Fusion: E-commerce
Security action plan
A demilitarized zone and SSL do not make a sound security plan. You need more, much more, to lock down an e-commerce site. From digital certificates to server log analysis, here's a look at the best ways to keep your business safe.

By MARK GIBBS
Network World, 02/22/99

"Be prepared" is the Boy Scouts' motto. It should also be the motto for every e-commerce site. For example, are you prepared for the potential embarrassment of your company's Web site being modified by hackers?

Phil Gibson, National Semiconductor's director of interactive marketing, says such things can happen all too easily. "We have been touched by hackers ... in one case they were able to flip our front page for two minutes but we were able to detect and correct it without much trouble," he says.

The hackers were apparently just mischief makers, and National Semiconductor was ready for them. But if the company hadn't been set up to detect security breaches, the incident might have been much more damaging.

Virtual graffiti can tarnish your e-commerce image; hackers can go much further given the opportunity. There are endless reports of theft of credit card data and fraudulent funds transfers, which, if made public, can strike a tremendous blow to customer confidence. And industrial espionage poses an even bigger threat to your business.

Serious intruders are hard to catch, and unless you've got a good e-commerce security plan, you might not even know they've visited your site. So, while you've got communications to your server secured with Secure Sockets Layer and the server itself housed in a firewall-defended extranet, what else can you do to protect your business?

Paul Hoffman, director of sales and marketing for the Hosting and E-Commerce Group of MCI Advanced Networks in Columbus, says, "Security is achieved by choosing the right technologies as you [build your e-commerce solution], which requires that you look at the data flows and their value so you know at what point you need to add extra security."

Back to basics

There are five main security issues to consider: physical access to the e-commerce system, during which data might be stolen or corrupted; malicious software that could deny or reduce service; network security breaches, where users running personal Web servers on PCs could expose data; directed attacks against known problems with operating systems and applications; and protocol attacks, where weaknesses in protocols are exploited.

The basic rules of general network security are fundamental to any practical e-commerce security plan. In fact, the only real difference is that your e-commerce platform is easily identifiable as a target. On a regular network, it's usually hard for a miscreant to figure out where the money is without a lot of work.

First, limit access. The fewer people who can get physical and administrative access to server systems, the better your security will be. Second, use available security tools and, third, perform regular audits to verify configuration and expected usage patterns.

Scheduled inspections are extremely important, as their purpose is to ensure that everything is working correctly, including your intrusion detection systems. This is an area where it pays to be extra cautious. Mike Dunn, chief technology officer for Dell Online, says, "We're incredibly paranoid ... we do continuous internal and external audits and we're always looking for problems."

The fourth rule is to protect complex systems with simple ones. A full-blown e-commerce server is very complex while a firewall is relatively less so. Protecting the former with the latter makes sense. And fifth, make backups and have a disaster recovery plan.
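The "detect and correct" that National Semiconductor relied on, and the regular audits called for above, both come down to knowing what the server is supposed to contain and checking it on a schedule. An added example (not from the article) of such a check in Python: a baseline of SHA-256 hashes for the document root, re-checked later, with the document root and its pages constructed inline for the demonstration.

```python
"""Scheduled integrity audit of a web server's document root.

Added example, not from the article: baseline SHA-256 hashes of every
file under the document root, re-check on a schedule, and report any
file added, removed or modified, which is how a replaced front page
is caught on the next inspection.
"""
import hashlib
import os
import tempfile

def build_baseline(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root)] = digest
    return baseline

def audit(root, baseline):
    """Compare the current tree with a stored baseline; return the differences."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }

def demo():
    """Constructed document root: take a baseline, simulate tampering, audit."""
    root = tempfile.mkdtemp()
    pages = {"index.html": "<h1>Welcome to our store</h1>",
             "catalog.html": "<h1>Catalog</h1>"}
    for name, body in pages.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    baseline = build_baseline(root)   # in practice, store this off the server
    # Simulated tampering: the front page is replaced and a stray file appears.
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>This page was replaced</h1>")
    with open(os.path.join(root, "extra.html"), "w") as fh:
        fh.write("unexpected content")
    return audit(root, baseline)
```

The baseline only proves anything if it is kept somewhere the web server cannot write to; a copy on the server itself can be rewritten by whoever rewrote the pages.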

To explore e-commerce security issues, let's look at a scenario involving a basic e-commerce system. A supplier of office consumables wants to provide its larger customers with a corporate purchasing system. The system allows the customer to designate department managers, set spending limits and receive purchase reports.

Here are the challenges: how does the supplier secure the transactions, authenticate the managers, and prevent hackers from getting in?

Securing the area

The first step is to create an extranet. Whether you're building your own site or outsourcing, there's no way to defend an e-commerce server without controlling the communications to and from it. A secure extranet houses the e-commerce server behind a firewall, which isolates the internal network from the outside world and explicitly allows specific protocol exchanges between customers and your e-commerce services.

For example, you might designate Hypertext Transfer Protocol (HTTP) and Secure Sockets Layer (SSL) as the only protocols your e-commerce system will use. In this case, you would specifically block all other protocols and be notified via alarm if someone attempts an unauthorized protocol exchange. This service is a function of many firewalls.
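The alarm described above is only as good as the review that follows it. An added example (not from the article) in Python of that review: given an allow-list of HTTP and SSL only, it rolls up every other attempt against the e-commerce server per source host, and separately flags any such attempt the firewall actually let through, which means the rule set no longer matches the policy. The log line format, addresses and sample lines are all constructed for this example.

```python
"""Alarm on unauthorized protocol exchanges at the extranet firewall.

Added example, not from the article. Only HTTP (tcp/80) and SSL (tcp/443)
are permitted to the e-commerce server; any other attempt is reported per
source host, and any such attempt the firewall let through is flagged as a
rule misconfiguration for the next audit. Log format and addresses are
constructed for this example.
"""
import re
from collections import defaultdict

ALLOWED = {("tcp", 80), ("tcp", 443)}   # HTTP and SSL only
SERVER = "203.0.113.5"                  # constructed e-commerce server address
# Constructed format: "<time> <src> -> <dst> <proto>/<port> <verdict>"
LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+) (ALLOW|DENY)$")

SAMPLE_LOG = """\
1999-02-22T09:00:01 192.0.2.10 -> 203.0.113.5 tcp/443 ALLOW
1999-02-22T09:00:02 192.0.2.10 -> 203.0.113.5 tcp/80 ALLOW
1999-02-22T09:00:03 198.51.100.7 -> 203.0.113.5 tcp/23 DENY
1999-02-22T09:00:04 198.51.100.7 -> 203.0.113.5 tcp/21 DENY
1999-02-22T09:00:05 198.51.100.7 -> 203.0.113.5 tcp/23 DENY
1999-02-22T09:00:06 192.0.2.44 -> 203.0.113.5 udp/161 ALLOW
"""

def parse(line):
    """Return a record dict for a well-formed line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, proto, port, verdict = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "verdict": verdict}

def review(log_text, server=SERVER):
    """Split attempts against `server` into alarms (unauthorized protocol,
    counted per source and service) and misconfigurations (unauthorized
    protocol that the firewall nevertheless allowed)."""
    alarms = defaultdict(lambda: defaultdict(int))
    misconfigured = []
    for line in log_text.splitlines():
        r = parse(line)
        if r is None or r["dst"] != server:
            continue
        if (r["proto"], r["port"]) in ALLOWED:
            continue
        service = f"{r['proto']}/{r['port']}"
        alarms[r["src"]][service] += 1
        if r["verdict"] == "ALLOW":
            misconfigured.append((r["ts"], r["src"], service))
    return {"alarms": {s: dict(p) for s, p in alarms.items()},
            "misconfigured": misconfigured}
```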

All commercial-grade Web servers support basic authentication to ensure that users are who they say they are. Combine that with an SSL implementation and you have a sound security foundation. If you keep all software up to date with upgrades and patches, the rest of security comes down to the application software and how you allow customers to interact with the e-commerce system.

Sonnet Financial, an international funds exchange business in San Mateo, Calif., processes millions of dollars of transactions every day through its e-commerce site. The company relies on a firewall and basic authentication over SSL. "We're not seeing a lot of hacker issues, but we've also done external security audits to make sure we're safe," says Ann Brighouse, director of product marketing. "Our clients are comfortable [with our security provisions]."

But what if you need even more security, or you're simply more paranoid than most people? Say you're a supplier specializing in die castings for manufacturers. A hacker placing a bogus order could cost you thousands of dollars, while unauthorized access to your firm's design documents lets your trade secrets out of the bag and compromises your competitiveness.

In this case, more robust security would be required. At the very least, you'd want to use SSL version 3, which supports digital certificate-based authentication for the client and server. You could use a third-party certificate authority such as Verisign or else set up your own private certification service. Digital certificates let users digitally sign electronic messages and files.

For even more sensitive scenarios, you could use a hardware token such as Security Dynamics' SecurID card, which generates a code and requires a user password. And if you need even more advanced security, consider using a biometric security system based on fingerprint, voiceprint or retinal scans. The downside to biometrics is that the technology is relatively new and often requires custom implementations.

Digital certificates cost thousands of dollars at the server end and range from tens to hundreds of dollars for the client. Hardware tokens cost about $10 to $50 depending on configuration and volume, while server-based token authentication software costs about $5,000. Biometric devices such as retinal scanners are still very expensive, but fingerprint readers are rapidly becoming more affordable. For example, American Biometric's BioMouse costs roughly $250 per user.

In general, your company will foot the bill for its server-based e-commerce security systems. You could require customers to pay for the client end of the system if they want to do business with you, but it might be smarter to cover these costs yourself for your most valuable customers. This shows them that you're protecting their interests and it gives you more control over what they do on your e-commerce system.

The last word

In spite of the array of security technologies available, you'll find the best security on systems that are well organized, well documented and well managed. Knowing what your e-commerce system is supposed to do and using appropriate technologies will prepare your site for safe transactions. The Boy Scouts wouldn't expect anything less.

For more info:

Gibbs is a consultant and writer based in Ventura, Calif. He can be reached at (800) 622-1108, Ext. 7504, or mgibbs@gibbs.com.

World Wide Web Security FAQ
Answers to common questions about securing your Web site.

AntiOnline
Keep up with the latest Web hacks here.

SSLv3 specs
From Netscape.

IETF TLS Working Group
Working to build security into the transport layer.

Anatomy of a friendly hack
How to assess your enterprise security, correct vulnerabilities and thwart attacks. Network World, 2/2/98.

Security expert explains Times site break-in
A look at how the N.Y. Times Web site was hacked. Network World, 9/17/98.

Dispatches from the hacker wars
Network managers discuss security break-ins. Network World, 11/16/98.

Striking back
Some network managers take matters into their own hands. How far would you go? Read the article, then jump into the forum. Network World, 1/11/99.

Network World Fusion Focus on Security
Archive of our twice-weekly e-mail newsletter.

Copyright, 1995-2001 Network World, Inc. All rights reserved.