Defend your site against security breaches with a mix of technology and policy
Here’s a statistic you don’t want your customers to know: According to a March study by the Computer Security Institute, a San Francisco-based association of information security professionals, and the San Francisco FBI Computer Intrusion Squad, 90% of organizations had detected a security breach in their computer networks during the past year.
And some security breaches can be quite dramatic. In early September, for instance, home decor giant Ikea International shut down its Website after discovering that information such as customers’ names and phone numbers was exposed to outsiders. A week or so later, a similar fate befell the now-defunct cosmetics i.merchant Eve.com. Other breaks in security may command less attention but are no less destructive: viruses that corrupt data, for example, or the introduction of fraudulent data to a database.
There is good news, however. Fixes, or patches, are available for 99% of security compromises, says Chad Docherty, technical coordinator with the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh. So with the proper technology – not to mention effective, well-enforced security policies – you can minimize your risks.
Tech weapons The following are among the technological tools you can use to fend off security intrusions:
* Antivirus software. Viruses are bits of bad code that can replicate themselves and create havoc, says Roger Thompson, an Atlanta-based technical director with TruSecure Corp. (formerly ICSA.net), a Reston, VA-based company that researches and certifies the effectiveness of antivirus and other software. Antivirus software, as its name suggests, detects and disables viruses it encounters.
Thompson recommends investing in antivirus software and running it continually. Equally important, you should update your applications at least monthly, as new viruses are constantly being detected. In many cases, you can download the updates from the antivirus software vendors’ Websites.
* Authentication tools. Ensuring that visitors to your site are who they say they are “is the weakest link in the security chain,” says Ruth Lestina, regional practice director in the information security practice of New York-based Predictive Systems, a network consulting firm.
Authentication relies on at least one of three pieces, says Lestina: what a person knows (such as a password); what a person has (such as an ATM card); and to put it inelegantly, what a person is (such as a fingerprint used in biometric technology). The more of these pieces that an authentication process uses, the more secure the site is.
One authentication tool that experts predict will become more popular in e-commerce is the digital certificate. This is like an electronic credit card that is issued by a third party and verifies the user’s identity.
* Encryption. Encryption refers to converting electronic data into a form that can’t be read by people who shouldn’t be reading it. Most computer operating systems, such as Microsoft, come with an encryption protocol called SSL built in. “You just need to turn it on,” Lestina says. The strength of the encryption algorithm is measured in bits; 40-bit and 128-bit encryption are common standards. The higher the bit number, the stronger the encryption. The use of 128-bit encryption is restricted in some jurisdictions outside the U.S.
* Firewalls. Verena Salsmann, a consultant with marketing analysis company Datamonitor in London, describes firewalls as acting “like border guards. They make sure that no harmful content reaches the company.” They are often a combination of hardware and software.
* Intrusion detection systems. As their name suggests, these systems look for people on a network who shouldn’t be there and are behaving suspiciously. They locate areas where a network might be vulnerable to attack, identify unusual patterns of activity, and help find and repel intruders.
The best policies Hardware and software can’t do the entire job. They need to be supported by sound security policies. Some issues to consider:
* Make security a business issue, not a technology issue, says Daniel Dorr, director of worldwide business development with Hewlett-Packard Co.’s Internet Security Solutions Division in Cupertino, CA. Discussions should focus on potential losses – of revenue, customer confidence, and proprietary information – and assessing how best to minimize the risk of loss.
* Stay on top of new viruses and antivirus patches. Failure to do so is perhaps the most common reason for security breaches. Joseph Wright, director of IT development with iGo.com, a Reno, NV-based multichannel marketer of mobile communication products, does a weekly check of new viruses on the Website of the System Administration, Networking, and Security Institute (www.sans.org), a Bethesda, MD-based industry group.
* Assess security vulnerabilities along and within the network. When sensitive data are being transmitted, are they encrypted? How secure are the applications running on the network? Some software languages (such as Visual Basic) are not as robust as others when it comes to security, Lestina says.
* Assess how securely data are being stored. For instance, you’ll want to make sure private information is not directly connected to the Internet and is behind one or more firewalls, says Jim Magdych, security research manager for PGP Security, a security solutions company in Santa Clara, CA. It also pays to segregate different kinds of data. At iGo, for instance, product, customer, and financial information is spread over multiple servers and multiple databases. If someone does get into the system, he or she won’t be able to get to all the data, says Wright.
* Maintain physical security. Are servers that store sensitive data kept in a restricted area? Are employees reminded not to paste their passwords to the computers?
* Stay on top of vendors. If a third party is hosting your site, monitor its security measures. For instance, Underneath.com, an Atlanta-based online merchant of intimate apparel, recently instituted new procedures with its Web hosting company, says president Jeff Johnson. Johnson learned that the hosting company had been receiving calls from outsiders asking for information such as the number of orders processed in a day. Understandably, he grew concerned that a competitor might be trying to ferret out confidential information.
Now only Johnson and one other person at the firm are authorized to make calls requesting technical information. When Under-neath.com calls for technical assistance, the host firm has to call back Johnson’s office and let him know the information requested. In addition, both Johnson and his colleague have to recite a code before the hosting firm will release data.
“It’s important to have several checkpoints to get to an electronically operated business’s data, since humans aren’t perfect and can sometimes be deceptive,” Johnson says.
* Give people the minimum amount of security privilege needed to do their job. Employees, contractors, and other insiders are responsible for 71% of security intrusions, according to a recent FBI/Computer Security Institute study.
* Invest in security audits. Having a neutral, knowledgeable third party inspect your system is key to finding vulnerabilities. With technology changing so rapidly, you should undergo an audit at least once a year.
Not surprisingly, security doesn’t always come cheap. Wright of iGo estimates that his company has spent $180,000, or about 10% of its IT budget, on security products and salaries during the past two years. That’s about where the firm should be, says Lestina, who recommends that companies earmark 10%-15% of their IT budgets for security expenses.
Unfortunately, most companies spend just 5% or less. “In today’s race to market, it’s very important not to forget about security,” Wright says. “Security won’t make you money, but if you’re hacked into, you can lose the farm.”
When Fairytale Brownies, a Chandler, AZ-based purveyor of desserts, redesigned its Website this past summer, upping security was a priority. The company hadn’t suffered any breaches yet, says David Kravetz, co-owner and director of operations. But as the firm grows to a projected $4 million in sales for fiscal 2001, up from about $2.3 million this year, it wants to reduce its risks.
Among the steps Kravetz took was to stop the common practice of archiving customer information on its server. Now, once orders are sent from the host server to the company’s mail order system, they’re deleted from the server and stored in Fairytale’s encrypted database.
Kravetz also switched Website hosting firms. Fairytale Brownies now uses Rackspace Managed Hosting in San Antonio, TX, where it has its own server. At Fairytale’s previous hosting firm, the company shared a server with other firms. “It had lower security and offered slower responses,” Kravetz says.
If you do share a third-party server, keep in mind that doing so does not necessarily put your security at risk. Without proper controls, however, one company could gain access to another firm’s data. The hosting company is typically responsible for implementing the proper controls, says Daniel Dorr, director of worldwide business development with Hewlett-Packard Co.’s Internet Security Solutions Division. One tool it is likely to use is an access control application, which allows only authorized people to use the system and then only perform specified tasks. That is, if a person needs only to read the information and not change it, that’s all he would be allowed to do. Another tool would be an authentication application that helps to ensure that the person accessing the system is who he says he is.
In addition, you would want your service provider to use audit or session analysis logs. By reviewing the logs, you or your provider would be able to see if another company were accessing your data, says Ruth Lestina, regional practice director in the information security practice of Predictive Systems.