It's always a pleasant surprise when a day goes by without another worm or some form of exploitable vulnerability. That's because we're in shark-infested waters, and now is the time to really focus, dedicate resources and re-evaluate our strategic and tactical Web commerce plans. Let's face it, e-commerce is a target (and a profitable one at that), and it's never too soon to obtain executive acceptance for risk management and contingency planning.
E-commerce has a variety of business and technology drivers, and these come with both benefits and risks. Developing an appropriate strategy includes factoring in the benefits while weighing the risks, which include fraud, loss of intellectual property, damaged customer and partner relationships, unforeseen costs, public relations debacles and business disruptions.
Keep in mind that the three dimensions of security -- confidentiality, integrity and availability -- require that a company develop a set of e-commerce policies involving authorization and accountability while simultaneously focusing on potential threats and vulnerabilities. Whew. Well, if it was easy, anyone could do it.
Keeping your site secure
There are a number of ways and means to secure sites and transactions. Among them are the fundamental crypto building blocks that include encryption using symmetric and asymmetric-based key systems. There are also block and stream ciphers, MAC implementations, hash functions and symmetric cipher-based functions.
Key management is critical. When Whitfield Diffie and Martin Hellman, the inventors of public-key cryptography, developed their initial algorithm nearly 30 years ago, little did they realize that it would stand the test of time. Once again we see that simpler can indeed be better. There are several components of the key life cycle worth mentioning, since they essentially mitigate cryptanalysis, exhaustive searches, social engineering and system compromise. These include key establishment, key backup/recovery/escrow, rekeying, key revocation and key expiration. Systems administrators need to have these factors in mind when using a key-based system.
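The key life cycle stages named above can be checked mechanically against a key inventory. The following is an added example, not part of the original article; the record fields, the 90-day rekey interval, the finding names and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REKEY_INTERVAL = timedelta(days=90)  # assumed policy value, not from the article

@dataclass
class KeyRecord:
    key_id: str
    established: date                  # key establishment
    expires: date                      # key expiration
    last_rekeyed: date                 # rekeying
    revoked_on: Optional[date] = None  # key revocation
    has_backup: bool = False           # backup/recovery/escrow
    in_use: bool = True                # still deployed on a system

def audit_key(rec: KeyRecord, today: date) -> list:
    """Return the life cycle findings for one key as of `today`."""
    findings = []
    if rec.revoked_on is not None and rec.revoked_on <= today:
        # A revoked key must not be deployed; other stages no longer apply.
        return ["revoked-but-in-use"] if rec.in_use else []
    if rec.expires <= today:
        findings.append("expired")
    elif today - rec.last_rekeyed > REKEY_INTERVAL:
        findings.append("rekey-overdue")
    if rec.last_rekeyed < rec.established or rec.expires <= rec.established:
        findings.append("inconsistent-dates")
    if not rec.has_backup:
        findings.append("no-backup-or-escrow")
    return findings

def audit_inventory(records, today: date) -> dict:
    """Map key_id -> findings, omitting keys with nothing to report."""
    report = {r.key_id: audit_key(r, today) for r in records}
    return {k: v for k, v in report.items() if v}

# Constructed sample inventory (hypothetical key names and dates).
TODAY = date(2024, 6, 1)
INVENTORY = [
    KeyRecord("tls-frontend", date(2024, 3, 15), date(2025, 3, 15), date(2024, 5, 1), has_backup=True),
    KeyRecord("payment-signing", date(2023, 1, 10), date(2024, 5, 20), date(2023, 12, 1), has_backup=True),
    KeyRecord("db-encryption", date(2023, 6, 1), date(2025, 6, 1), date(2023, 11, 1)),
    KeyRecord("partner-api", date(2023, 9, 1), date(2024, 9, 1), date(2024, 4, 15),
              revoked_on=date(2024, 5, 10), has_backup=True),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(INVENTORY, TODAY).items():
        print(f"{key_id}: {', '.join(findings)}")
```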
The facts speak for themselves. In the 2003 Computer Security Institute/FBI Computer Crime and Security Survey (US), the average reported loss from computer attacks was approximately $2.7 million per incident, and insiders topped the list of attack sources. For these reasons and others, system managers and organizations as a whole have cause for concern. Before you can even think of developing a strategy, though, you must consider the following:
Who are your adversaries? These might include hackers, script kiddies, hacktivists (to achieve some political cause), computer criminals (hacking for profit or financial gain), virus and worm writers, insiders and, last but not least, cyberterrorists targeting critical infrastructure and using attacks as a force multiplier.
What are the targets? These might include information, computer and network resources, enterprise infrastructure and hardware. Some physical vulnerabilities that could lead to unauthorized access to these targets include unlocked doors and cabinets, exposed systems and network links, fragile power sources, limited video surveillance and monitoring, and poor authentication. System vulnerabilities include the infamous unsecured or default "guest" account, ad hoc trust relationships between systems, poor access controls, limited authentication and nonrepudiation facilities, collocation of systems, and unknown and untracked remote access points. (Not knowing your security perimeter is a disaster waiting to happen.)
The development and implementation of encryption, PKI and other authentication, and validation through certificate management, are a step in the right direction and address some of the aspects of enhanced secure digital payment systems.
The risk that goes beyond the company
Let's face it -- the world is hooked on e-commerce. Just about every aspect of business has some sort of Internet-based presence. A global economy seems more likely when the globe is reduced to electronic transactions. Along with any technological advancement comes cause for concern such as security, information warfare and terrorism. Is the corporate world prepared?
E-commerce accounts for trillions of dollars annually, thanks to electronic transaction and payment systems running on computer networks that rely on uninterrupted sources of electric power.
However, Dan Verton, author of the book Black Ice and a Computerworld writer, points out that "deregulation in both the energy and telecommunications industries has helped create the multiple points of potential failure in the support networks that serve the financial community -- support networks that were once operated end-to-end by single providers."
Can a free society ever defeat those who wish to harm it by using the freedoms inherent in the system itself? On the one hand, the chain is only as strong as its weakest link. The Internet is just that chain. It's therefore incumbent upon everyone within the system to remain vigilant about keeping systems secure.
How can an average company contribute to the overall security posture of the nation and protect itself? They must work together, and the current controversy is to what extent government should regulate corporate security. Done correctly, the byproducts will result in a greater united defense in depth for all.
Because of their knowledge and experience with pay management systems and other interconnectivities, IT professionals have an important role. They must ensure that executive management understands the inherent risks of e-commerce. Then the IT folks, who understand the technical aspects, and the corporate folks, who understand the larger business mission, must work together to decide on a risk posture that best protects the assets of the organization.