Security Online
How to Think About e-Business Security
First and foremost, you should think of Internet security as part of the overall risk management strategy. Internet security tools are like any other security system in your organization. They help minimize the risk of serious damage in the event of trouble. Traditional common sense and business principles still apply in the online environment.
Physical stores are equipped with locks, alarm systems, bars on the windows, security cameras and, in some cases, guards posted at the doors. Even with all these elements in place, companies still feel the need to purchase theft insurance to protect their investments. They understand the limits of all physical security and therefore plan accordingly.
The same holds true for Internet security, which should be considered an extension of physical security. Simply put, some things are important to secure regardless of whether you are dealing in a physical or electronic environment (for example credit card numbers, employee information, business records, etc.) and these areas must be individually identified and addressed.
Understanding and treating Internet security as an extension of your physical business security is essential. The rationale for security in the physical marketplace is the same as in the electronic marketplace, only the means are different. Done correctly, online credit card processing can be much safer than providing or receiving a credit card number over the phone or giving your credit card to a server in a restaurant.
Key Security Concerns
Understanding the major types of security concerns described in this section will help you assess your security needs and the potential responses.
Consumer and business concerns over Internet security fall into the following categories:
Privacy and Confidentiality: Is my information secure and my privacy protected?
To protect electronic records, files and communications from unauthorized access, transmission and data storage must remain secure and only be accessible to the intended recipient. In the paper world, a sealed envelope prevents others from viewing information in transit and a locked office limits unauthorized access to stored information, while tools such as encryption and firewalls manage electronic security.
Authenticity: Are you really who you say you are?
When sending and receiving a message, placing an order, or submitting a payment electronically, both parties want to validate that the other party is who they claim to be. Each party wants to know the identity of the other to avoid fraud and misrepresentation. One way to ensure authenticity is to limit remote access to a network (for example from home or from a separate corporate location) to trusted parties by using Virtual Private Network (VPN) technology.
There are a variety of ways to authenticate parties, each checking "something you know", "something you have" or "something you are":
- Something you know: such as a password or personal identification number (PIN)
- Something you have: such as digital certificates issued by a company or trusted third parties
- Something you are: such as digital signatures or voice recognition technologies
In general, authenticity is established to a higher degree of certainty when a combination of techniques is used. For example, in the case of establishing authenticity for online credit card transactions, most companies now protect themselves from fraud by using Visa's Card Verification Value (CVV) or MasterCard's Card Validation Code (CVC) as "something you have" and the actual credit card number as "something you know", to increase the degree of certainty that the purchaser is who they say they are.
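To make the "combination of techniques" concrete, here is an added example (not from the original article) of a server-side check that requires both a password ("something you know") and a one-time code from a token the user carries ("something you have"), and grants access only when both verify. The one-time code follows the HOTP construction of RFC 4226 (this goes beyond the card-number/CVV case in the text to the general two-factor check); the account record, the enrolment secret and the passwords are constructed for the demo.

```python
# Added example (not part of the original article): two-factor verification.
import hashlib
import hmac
import os
import struct


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash so a stolen account record does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """What the server stores: no plaintext password, only the salted hash,
    the token secret shared at enrolment and the next expected counter."""

    def __init__(self, password: str, token_secret: bytes, salt: bytes = None):
        self.salt = salt or os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0


def authenticate(account: Account, password: str, otp: str, look_ahead: int = 3) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which
    one was wrong, and a counter value that has been used is never accepted again."""
    know_ok = hmac.compare_digest(hash_password(password, account.salt),
                                  account.password_hash)
    have_at = None
    # Small look-ahead window: the token may have been pressed without logging in.
    for c in range(account.counter, account.counter + look_ahead):
        if hmac.compare_digest(hotp(account.token_secret, c), otp):
            have_at = c
            break
    if know_ok and have_at is not None:
        account.counter = have_at + 1   # consume the code so a replay is rejected
        return True
    return False


def demo():
    # Constructed enrolment: the secret is the RFC 4226 test-vector secret.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery staple", secret)
    token = hotp(secret, 0)             # what the user's token would display
    first = authenticate(acct, "correct horse battery staple", token)
    replay = authenticate(acct, "correct horse battery staple", token)
    wrong_pw = authenticate(acct, "password123", hotp(secret, 1))
    return first, replay, wrong_pw      # (True, False, False)


if __name__ == "__main__":
    print(demo())
```

The design point is that a stolen password alone is useless without the token, a captured one-time code is useless after it has been consumed, and a wrong attempt does not tell the caller which of the two factors failed.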
Data integrity: Can my information be changed or corrupted in any way?
A message received should be identical to the message that was sent. A business needs to be guaranteed that data is not changed in transit, whether deliberately or by accident. A sealed envelope prevents tampering with paper documents and the nature of the printed page makes it difficult to alter without detection. On the Internet, digital signature technology can create virtual envelopes that can be verified by the recipient to ensure that no unapproved changes have been made. To ensure the integrity of stored data, firewalls are used to guard against unauthorized access and anti-virus software protects against virus invasion. In addition, data backups and infrastructure redundancy allow recovery in the event that data or equipment is damaged.
Non-repudiation: What proof do I have of the transaction?
A business needs to be certain that the receiving party cannot deny that a transaction has occurred. In physical transactions, receipts, signatures and third party witnesses are used for this purpose. In electronic transactions there must also be a transaction record that links the sender and receiver. Digital signatures, digital certificates and strong authentication procedures are emerging as the means to address non-repudiation.
Access Control: Will only authorized parties have access to the information or service?
When access to electronic resources is limited to authorized parties only, a business must be sure that no others can access the systems or information. In the non-digital world, access control is provided by lock and key. In the digital world, a variety of techniques are used to control access: firewalls, access privileges, network traffic monitoring, Intrusion Detection Systems (IDS), user identification and authentication techniques (such as passwords and digital certificates) and Virtual Private Networks (VPN).
Availability: Will the information or service be available when I need it?
If a business relies on electronic information or services, it must be available when customers need it. Messages must be delivered reliably, and information stored and retrieved as required. Availability of service is important for all Web sites, but vital for Internet services that are mission critical to a company. In the paper world, registered mail or a courier may be used to ensure that a package is delivered and is protected against damage, theft or accidental loss. Similar measures provide digital security, but additional steps must be taken to prevent disruption of service by power outages, damage to physical infrastructure or failure of systems and communication networks. Data backup, fire-suppression systems, Uninterruptible Power Supply (UPS) systems, virus protection, sufficient capacity to handle the demands posed by heavy network traffic and redundant server computers can help to ensure availability.
Defining Security Needs
Security is a critical concern for consumers and businesses. Establishing trust between all parties in an online transaction is vital for the success of e-commerce. The public wants full assurance that the information they supply is going to the company they think it's going to, will not be misused by that company, and that credit card information or other payment mechanisms are confidential and secure. Businesses share these concerns but also demand that their systems be protected from fraudulent use, intrusion and tampering.
When examining Internet security or when considering the purchase of any Internet security system, there are a few basic factors to consider:
- What information, processes, records and communications need to be protected?
- What are the threats to these assets and what are the risks that the threats will occur?
- Given these needs, what are the potential strengths and limitations of available Internet security options?
- How will the security system interact with other applications currently in use?
- What other equipment (hardware or software) will be needed to make it as secure as possible?
- What type of training will employees need to ensure that the system functions properly?
Answering these questions will help to identify specific Internet security needs, while assessing the strengths and limitations of e-security tools that are being considered. This approach will translate directly into a better understanding of the impact of security issues on a business, which in turn will enable the business to address partner and client concerns. Once an understanding of e-security needs is established, the appropriate solutions can be selected.
Security Solutions
In response to the threats to online businesses, computer hardware and software companies and financial institutions have developed tools to minimize online risks and help build trust between firms offering e-business services, their customers and business partners.
Robust solutions to Internet security concerns are rapidly emerging, driven by major software developers, corporations and banking institutions that have a strong interest in developing a vibrant climate for electronic commerce. Consequently, the Internet has never been a safer place to conduct business. The main challenges remaining are to ensure that solutions are simple and inexpensive enough to implement, while strengthening public confidence.
The following tools are applicable to the needs of small or medium-sized enterprises implementing e-business. While it is vital to ensure as high a level of security as possible to promote an overall e-commerce environment that builds trust between all parties, it is also important to balance the costs and usability with the actual anticipated threats.
> Access and Data Integrity
These tools include anti-virus software, firewalls, network traffic monitoring, Intrusion Detection Systems (IDS), and Virtual Private Networks (VPN).
Anti-Virus Software
Anti-virus software ensures the integrity of the information and data that is received and keeps the data sent clean. Regularly updated anti-virus software is an inexpensive but extremely effective security tool.
Anti-virus software scans your personal computer's hard disk for known viruses and can remove or quarantine them once they are found. Most anti-virus software will use heuristic scanning to detect or protect against unknown viruses. Heuristic scanning looks for certain instructions or commands that are not found in typical application programs. As a result, a heuristic engine is able to detect potentially malicious functionality such as the replication mechanism of a virus, the distribution routine of a worm or the payload of a trojan. These programs can also scan incoming and outgoing email messages to ensure that they do not contain infected data.
Most anti-virus programs include an auto-update feature that enables the program to download profiles of new viruses from the Internet or a designated server so that it can continue to protect against new viruses.
Firewalls and Wireless Network Protection
A firewall is a device consisting of hardware and/or software that controls access between a private network such as a company's internal Local Area Network (LAN) and a public network such as the Internet. Besides providing a secure bridge between internal and external networks, a firewall can also provide a number of other important security mechanisms. A firewall can perform audit and alarm functions that record all access attempts to and from the network, as well as real-time notification of incidents that network administrators determine to be important.
Firewalls are widely used to ensure the privacy and protection of internal processes, data and communications. Moreover, firewalls are a key tool to ensure data integrity by limiting access by unauthorized third parties.
Wireless network protection is important in environments that use Wi-Fi (short for "wireless fidelity") or a wireless local area network (WLAN). Where a wired local area network is generally protected by physical security mechanisms and firewalls, WLANs require extra security precautions because a WLAN's radio waves are not necessarily bound by the walls containing the network and are therefore not protected by network firewalls. Any business that has a WLAN should use security safeguards such as Wi-Fi Protected Access (WPA), Internet Protocol Security (IPsec) or a virtual private network (VPN), all of which use a combination of encryption and user authentication to protect network traffic. Network perimeter protection may even be necessary in LAN environments if there is a significant risk of internal users attaching their own commercial Wi-Fi routers to the network as a convenience option.
WLAN security experts advocate 24/7 monitoring of the airwaves to secure WLANs by identifying rogue WLANs, detecting intruders and impending threats and enforcing WLAN security policies.
Intrusion Detection Systems
An Intrusion Detection System (IDS) analyzes internal network traffic and reports any detected anomalies in real time. An IDS is often used in tandem with a firewall to ensure maximum network security. In the case of wireless network protection, intrusion detection can be performed by setting up lightly protected fake or dummy hot spots (wireless network access points) to entice eavesdroppers to attempt to gain access, thereby revealing their activity.
The two major differences between a firewall and an IDS are:
- A firewall is designed to prevent intrusions while an IDS reacts to suspected intrusions;
- An IDS monitors internal network activity.
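The firewall/IDS distinction above is easier to see side by side. The following is an added example, not from the original article: a packet stream constructed for the demo is run first through a minimal firewall (a rule list with a default deny that also produces the audit record the text mentions) and then through a simple IDS check that reports a source contacting many distinct ports within a short window. The addresses come from the documentation ranges (10.0.0.0/8 for the internal LAN, 192.0.2.0/24 and 203.0.113.0/24 for the public side); the rules, window and threshold are assumptions for the demo.

```python
# Added example (not part of the original article): firewall prevents, IDS reports.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed packet log: (time in seconds, source, destination, destination port)
PACKETS = [
    (0, "10.1.1.5", "10.1.2.20", 445),
    (1, "203.0.113.7", "192.0.2.10", 443),
    (2, "203.0.113.7", "192.0.2.10", 21),
    (3, "203.0.113.7", "192.0.2.10", 22),
    (4, "203.0.113.7", "192.0.2.10", 23),
    (5, "203.0.113.7", "192.0.2.10", 25),
    (6, "203.0.113.7", "192.0.2.10", 80),
    (7, "203.0.113.7", "192.0.2.10", 110),
    (8, "198.51.100.4", "192.0.2.10", 443),
    (9, "198.51.100.4", "10.1.2.20", 22),
]

# Assumed rule set: (action, source network, destination network, port or None=any).
# First match wins; anything unmatched falls through to the default deny.
RULES = [
    ("allow", "10.0.0.0/8", "10.0.0.0/8", None),    # traffic inside the company LAN
    ("allow", "0.0.0.0/0", "192.0.2.10/32", 443),   # public web server, HTTPS only
]
DEFAULT_ACTION = "deny"


def firewall_decide(src: str, dst: str, dport: int) -> str:
    """Return the action the firewall takes for one packet."""
    for action, src_net, dst_net, port in RULES:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return DEFAULT_ACTION


def run_firewall(packets):
    """Apply the rules and keep an audit record of every access attempt."""
    return [(t, firewall_decide(src, dst, dport), src, dst, dport)
            for t, src, dst, dport in packets]


def detect_port_scans(packets, window: int = 10, threshold: int = 5):
    """IDS-style check: alert once per source that touches `threshold` or more
    distinct ports within `window` seconds. It reports; it blocks nothing."""
    recent = defaultdict(list)      # source -> [(time, port), ...] inside the window
    alerted, alerts = set(), []
    for t, src, dst, dport in packets:
        hits = [(ts, p) for ts, p in recent[src] if t - ts <= window]
        hits.append((t, dport))
        recent[src] = hits
        distinct = {p for _, p in hits}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, t, len(distinct)))
    return alerts


if __name__ == "__main__":
    for t, action, src, dst, dport in run_firewall(PACKETS):
        print(f"t={t:02d} {action.upper():5} {src} -> {dst}:{dport}")
    for src, t, count in detect_port_scans(PACKETS):
        print(f"ALERT t={t:02d}: {src} contacted {count} distinct ports")
```

In the sample stream the firewall silently denies the probes against ports other than 443, while the IDS raises a single alert for the probing source at the moment the fifth distinct port is seen; the second external host, which only touches two ports, produces denied entries in the audit record but no alert.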
Private Networks
Internet Protocol Virtual Private Networks (IP VPNs) provide secure transmission of private communications over the Internet. These systems are called "virtual" private networks because messages are transmitted over the public Internet, but are exchanged by parties using compatible security techniques as though the messages were on a private network. IP VPN combines encryption tools and Internet protocol tunnelling to ensure user authentication.
IP VPNs are used primarily when an enterprise wishes to provide mobile or remote workers with secure access to company data that is only accessible over internal company networks.
> Encryption
Encryption involves scrambling a message using a code or "key", so that the message can only be unscrambled with a matching code or key. This ensures messages can be kept private and viewed only by the intended recipient. Encryption (or more correctly "cryptography") is the basis of other technologies such as digital certificates and digital signatures.
Encryption is part of a larger process of encoding and decoding messages to keep information secure. This process, though commonly called encryption, is more correctly called cryptography: the use of mathematical transformations to protect data.
Cryptography is primarily a software-based solution and, in most cases, should not include significant hardware costs. It is a key tool in protecting privacy as it allows only authorized parties to view the data. Encryption is also used to ensure data integrity, as it protects data from being modified or corrupted.
Key Elements in Cryptography
There are four essential elements in cryptography:
- Encryption: the process of encoding the data — transforming the plain text or an original message into "cipher text", which is unintelligible.
- Decryption: the process of decoding the data — transforming the cipher text back to plain text or the original message, thereby making it understandable again.
- Algorithm: the mathematical formula applied to the message that both encrypts and decrypts the data.
- Key: a particular code that, when applied to an algorithm, encrypts and decrypts the data in a way that allows the data to be traced to a particular person or company.
Private and Public Key Encryption
In traditional cryptography, the same key is used to both encrypt and decrypt a communication. This is known as "private key" encryption. It is a symmetrical system because both encoding and decoding parties have the same key. The challenge is in giving the recipient the key to decode the message safely. To meet this challenge, public key systems were developed. They use two separate keys, one public and one private. This has proven to be well suited to Internet use, as it avoids the difficulty of transmitting the symmetrical key securely. The public key can be published and distributed widely with no need to expose the private key.
Public Key Encryption
In public key or asymmetrical cryptography, one key is made public, and the other is held in private. Data encrypted with a public key can only be decrypted using the private key.
The standard procedure for this type of encryption is:
- The intended recipient generates a public and private key.
- The intended recipient transmits their public key to the sender.
- The sender encrypts and transmits a document to the intended recipient using the public key.
- The intended recipient decrypts the document with their matching private key.
The public key can be publicly distributed at will, often by posting it to Web sites, placing it in a central network directory or emailing it to potential users. The private key is held in confidence and protected by its owner.
For practical purposes, if the encrypted document is intercepted, the code can't be cracked. While, in theory, the code could be cracked, in reality the hardware and time required to crack a 512-bit encrypted code is so great that it is not feasible. The level of encryption should be proportional to the sensitivity of the data.
Implementing Encryption
Companies wishing to use public key encryption systems can purchase key generation software and certificate management servers, or outsource these functions to a vendor. Outsourcing may be the fastest to set up and the most cost-effective solution for smaller organizations. Purchasing a server may be most appealing for large Intranet applications because it avoids per-certificate charges and may provide more flexibility in managing directory-based access for employees.
Certificate Authority
The use of the public key encryption ensures privacy and data integrity. No one can read or tamper with the message en route or in storage until it is decrypted. But there is one other important step in the use of public key encryption: authentication. The person using a public key wants to be certain that the person with whom they want to communicate is holding the private key.
Authentication is done by having public/private key pairs registered with a Certificate Authority who, like a notary public in the paper world, bears the responsibility for verifying that a certain public key belongs to a specific individual, and issues a digital certificate to that effect.
Web users wishing to use public key encryption can obtain key pairs for general use and register them by visiting the Web site of a certificate authority then following their online procedure. Generally, there is no cost for personal use, but there is a fee for the administration of certificates for commercial purposes. Users may require several certificates, for example, one issued in association with a credit card for secure purchases on the Internet, one for a Web browser, one for signing and securing email, and another for logging in to a company network. There is software, such as digital wallets and browser plug-ins, for managing digital certificates and key pairs.
> Digital Certificates
Digital certificates validate that the person or organization using a particular cryptographic key is who they claim to be. The digital certificate provides information about the user of the key that can be used to authenticate the user and ensure non-repudiation.
A digital certificate identifies its owner to someone who needs proof of the bearer's identity, just like a passport is used as proof of identity. This makes them a valuable tool for Internet security with a wide variety of applications:
- They can be used to sign an email document to positively identify and authenticate the sender.
- Certificates can be used to replace passwords and log-in IDs anywhere that access is to be restricted to certain users, such as registered customers. In many applications, certificates may replace "cookies," which have proven unpopular with many Web users.
- Companies can issue digital certificates to their employees and use the certificates as the basis to allow access to network resources, replacing passwords and log in names.
- Employees accessing company networks from home or when traveling can use digital certificates to identify themselves to the corporate firewall.
- Certificates can be exchanged between Web browsers and Web servers using the Secure Sockets Layer (SSL) protocol to identify both the user of the Web browser and the provider of the information or services on the Web server.
Digital certificates involve the use of public key encryption, but they offer a different type of security. While encryption addresses the issues of confidentiality and data integrity, on its own it does not ensure authenticity. Encryption techniques are used to produce a digital certificate that contains critical information (i.e., name, serial number, etc.). The certificate can then accompany messages or transaction information to establish the identity of the sender.
Levels of Certification
A certification authority provides the digital certificate. The authority is responsible for establishing that a given public key does indeed belong to a given individual. The level of confidence that can be placed in a certificate depends on the rigour of the process used to verify identity when the certificate is issued. For most commercial applications the existence of the entity will be verified along with the relationship of the administrator to the business.
Limitations of Digital Certificates
Although versatile, the certificates rely on an infrastructure of services to issue and revoke them, store them and verify their status and ownership. Digital certificates are not yet fully standardized and interoperable. Many different issuing bodies exist and a certificate issued for one popular browser may not work with another one. Each application has its own way of handling the certificates and not all certificates can be exchanged between all applications. This leads to the nuisance and complexity of obtaining and managing numerous digital certificates. The process of getting and using certificates is still difficult and confusing for people, although major players and the browser vendors understand this and are attempting to make the process easier, while also conducting publicity campaigns to increase consumer awareness and confidence.
> Digital Signatures
Digital signatures are the electronic equivalent of a personal physical signature. They don't look the same, but they authenticate the identity of the signer. They are not images of signatures but encrypted information attached by the sender to his message.
A digital signature provides a means by which information cannot be repudiated because it binds the communication to the person who signed it. In addition, any change to the information after the digital signature is affixed can be detected, thereby establishing the reliability and integrity of the information contained in the digitally signed file.
Digital signatures are created by using public key cryptography and message digests. A message digest is a value generated for a message (or document) that is unique to that message. A message digest is generated by passing the message through a one-way cryptographic function; that is, one that cannot be reversed. When the digest of a message is encrypted using the sender's private key and is appended to the original message, the result is known as the digital signature of the message. The recipient of the digital signature can be sure that the message really came from the sender. Changing even one character in the message changes the message digest in an unpredictable way.
Public key encryption can also be used with digital signatures to ensure authenticity. This involves two sets of public and private keys. The sender uses their private key to sign a document and encrypts the message with the recipient's public key. The recipient uses their private key to decrypt the document, then the sender's public key to verify the signature. If the signature verifies correctly when the sender's public key is applied, the document is authentic.
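As an added example (not from the original article), the following runs the whole exchange just described end to end, and at the same time covers the four-step public key procedure and the message digest description from the earlier sections: each party generates a key pair, the sender signs a SHA-256 digest of the document with their private key, the document is encrypted for the recipient's public key, and the recipient decrypts with their private key and verifies with the sender's public key. It also shows why a symmetric key still appears in practice: the document is encrypted with a one-time symmetric key and only that key is wrapped with the public key, which is how the key-distribution problem of symmetric encryption is solved. Textbook RSA with 64-bit keys, a SHA-256 counter keystream as the symmetric cipher and a seeded random generator are used purely so the block runs with the standard library and reproducibly; none of these are secure parameters, and the digest is reduced modulo the tiny key for the same reason. The document text is constructed.

```python
# Added example (not part of the original article): sign with the sender's
# private key, encrypt for the recipient's public key, decrypt and verify.
# Toy parameters: 64-bit textbook RSA, no padding, seeded RNG. NOT for real use.
import hashlib
import random

_rng = random.Random(2024)  # fixed seed so the demo is reproducible (toy only)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, found by rejection sampling."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 64):
    """Step 1: a party generates (public_key, private_key) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # d = e^-1 mod phi (Python 3.8+)


def digest_int(data: bytes, n: int) -> int:
    """One-way message digest (SHA-256) as an integer below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_int(data, n), d, n)          # digest "encrypted" with private key


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream; the same
    call encrypts and decrypts."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def send(document: bytes, sender_private, recipient_public):
    """Sender: sign with own private key, encrypt for the recipient's public key."""
    n, e = recipient_public
    signature = sign(sender_private, document)
    session_key = _rng.getrandbits(60).to_bytes(8, "big")   # < n, so RSA can wrap it
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    body = signature.to_bytes(8, "big") + document
    return wrapped_key, keystream_xor(session_key, body)


def receive(envelope, recipient_private, sender_public):
    """Recipient: decrypt with own private key, verify with the sender's public key."""
    wrapped_key, ciphertext = envelope
    n, d = recipient_private
    session_key = pow(wrapped_key, d, n).to_bytes(8, "big")
    body = keystream_xor(session_key, ciphertext)
    document = body[8:]
    return document, verify(sender_public, document, int.from_bytes(body[:8], "big"))


def demo() -> bool:
    sender_pub, sender_priv = generate_keypair()
    recipient_pub, recipient_priv = generate_keypair()
    document = b"Purchase order 4711: 200 units, net 30 days"   # constructed sample
    envelope = send(document, sender_priv, recipient_pub)
    recovered, authentic = receive(envelope, recipient_priv, sender_pub)
    # Flip one ciphertext bit in transit: the text still decrypts, but the
    # digest no longer matches the signature, so the change is detected.
    wrapped, ct = envelope
    tampered = (wrapped, ct[:-1] + bytes([ct[-1] ^ 1]))
    _, still_authentic = receive(tampered, recipient_priv, sender_pub)
    return recovered == document and authentic and not still_authentic


if __name__ == "__main__":
    print("round trip OK and tampering detected:", demo())
```

Two things are worth noticing when reading the code: the private key never leaves its owner (only `n` and `e` are handed to the other side), and the integrity property comes from the digest, not from encryption; the tampered envelope still decrypts to readable text, and it is the signature check that catches the change.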
More Resources
SearchSecurity.com - A broad security information portal, this site covers all security-related topics and features tips, Web casts, white papers and more.
W3C Security Resources - This World Wide Web Consortium (W3C) site covers Internet security standards and contains information and links to network security, authentication services, message validation, personal privacy issues, and cryptography and more.
US-CERT - US-CERT (United States Computer Emergency Readiness Team) coordinates defense against and responses to cyber attacks across the nation to protect the nation's Internet infrastructure.
The PKI page - A valuable reference site, this page contains links to many sites and documents related to Public Key Infrastructure and to Certification Authorities.
WhichSSL - There are several factors that one needs to be aware of before deciding which SSL Certificate to buy. This site provides a full range of information to assist in the buying decision.
How Certificates Work - Maintained by Roedy Green of Canadian Mind Products, this site features a valuable, comprehensive resource on digital certificates.