If you're doing business over the Internet, you need a solid
infrastructure and the security to go along with it, because large, successful
e-businesses make the juiciest targets.
It's been said time and again that if you're doing business online, then you're
competing internationally - in effect, you have become a global company.
You've also become a global target.
Companies are realizing that e-business security is a global issue, and they
have to think globally as well. The next person to probe your company's network
might well be a hacker in Russia or the competitor down the road - but they
both want the same thing: to get in.
Strangely enough, the bulk of security breaches don't happen as a result of
an external threat, but because internal security policies simply aren't secure.
"Only 15% of listed activity comes from outside," says Brian Bigley,
senior vice-president of the eTrust Global Consulting arm of Computer Associates.
"60% comes from the inside."
Bigley, who conducts "penetration studies" for clients, pointed out
that it was a lot easier for a disgruntled (or bribed) employee to walk out
with sensitive data than it was to hack into a system.
According to Bigley, when pitting technology against technology in their studies,
the "net penetration was zero".
But the scales were tipped when adding what Bigley calls "social engineering".
Social engineering isn't limited to the purposeful actions of employees - breaches
in security can be accidental as well.
Two wrongs is two too many
Bigley executes awareness training for clients around the world, and was recently
in Singapore to share with several representatives of the banking and finance
sector how easily their infrastructure could be breached.
Bigley drew a not-too-unbelievable scenario of how it was theoretically possible
to hack a bank using a little ingenuity and social engineering (not to mention
a crack team of computer programmers).
A critical process in the scenario was for a hacker to pose as a high-level
employee. The imposter would then obtain passwords from one of the lower-level
tech personnel to gain access to the network - a methodology also known as spoofing.
Spoofing works especially well because of the inherent fear that most low-level
employees, such as help-desk personnel, have of authority figures. This is especially
true in an Asian context, noted Bigley.
Part of the solution is for management to realize the potential for such fear
to be exploited - education of both the management and its employees will help.
IBM-owned Tivoli Systems provides management solutions and consulting, and
recommends that companies engaged in e-business "appoint a high-level executive
with a company-wide responsibility to develop and enforce security policies
consistently across an organization."
Effective security management and control means making high-level decisions
to guide a security policy across an organization, says Carl Kessler, vice-president
for Tivoli SecureWay.
A secure groundwork
"You're really only as strong as your weakest link," said Bigley.
"Security is a process, it's not just technology."
"You also can't rely on one piece [of security], you need at least two
or three countermeasures."
A common misconception is that all a company needs to do e-business is
a well-configured firewall; however, firewalls cannot protect the system from
properly authenticated users, i.e. spoofers, or from brute-force hackers.
Brute-force hacking occurs when a series of words is tried until the correct
password authenticates the intruder. This technique typically works on systems
whose users choose common words as passwords, such as names of people, company
products, or permutations of the above.
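The brute-force technique described above has two defender-side answers: reject passwords that a wordlist would find quickly, and notice the burst of failed logins the attack produces. The following is an added example, not code from the article or from Computer Associates; the log line format, the source addresses and the small word list are all constructed for illustration, and a real deployment would load a company-specific dictionary and parse its own authentication logs.

```python
"""Added example: two checks against dictionary / brute-force password attacks.

weak_password()    - flags passwords that reduce to a common word (names,
                     product names) after cheap permutations are undone.
detect_bruteforce() - scans authentication log lines for sources that exceed a
                     failed-login threshold inside a sliding time window, and
                     flags any successful login from such a source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for a company-specific dictionary: people's names,
# product names and generic words an attacker's wordlist would contain.
COMMON_WORDS = {"password", "welcome", "admin", "alice", "bob",
                "etrust", "secureway", "singapore"}

# Reverse the usual "leet" substitutions (P@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "!": "i", "0": "o", "$": "s", "5": "s"})


def normalize(password: str) -> str:
    """Undo the permutations a wordlist attack also tries: lowercase, strip a
    trailing run of digits/punctuation, then reverse leet substitutions."""
    p = password.lower()
    p = re.sub(r"[\d!@#$%^&*._-]+$", "", p)   # 'secureway2000!' -> 'secureway'
    return p.translate(LEET)


def weak_password(password: str, words=COMMON_WORDS, min_len: int = 10) -> bool:
    """True if the password is short, all digits/punctuation, a dictionary
    word in disguise, or two dictionary words glued together."""
    if len(password) < min_len:
        return True
    base = normalize(password)
    if not base or base in words:
        return True
    return any(base.startswith(w) and base[len(w):] in words for w in words)


# Assumed (constructed) log line format, e.g.
# "2000-06-12 09:00:01 auth[221]: FAILED login for alice from 10.0.0.7"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) auth\[\d+\]: (?P<result>FAILED|ACCEPTED) login for "
    r"(?P<user>\S+) from (?P<src>[\d.]+)$")


def detect_bruteforce(lines, threshold: int = 5, window=timedelta(minutes=1)):
    """Return (flagged, suspicious):
    flagged    - {source_ip: time it first reached `threshold` failures
                  within `window`}
    suspicious - [(user, source_ip, time)] for ACCEPTED logins from a
                  source that had already been flagged (likely a hit)."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    flagged, suspicious = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines not in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        if m["result"] == "ACCEPTED":
            if src in flagged:
                suspicious.append((m["user"], src, ts))
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged, suspicious


# Constructed sample log: a burst against 'alice' that finally succeeds, and
# two unrelated failures for 'bob' minutes apart that should not be flagged.
SAMPLE_LOG = """\
2000-06-12 09:00:01 auth[221]: FAILED login for alice from 10.0.0.7
2000-06-12 09:00:02 auth[221]: FAILED login for alice from 10.0.0.7
2000-06-12 09:00:03 auth[221]: FAILED login for alice from 10.0.0.7
2000-06-12 09:00:04 auth[221]: FAILED login for alice from 10.0.0.7
2000-06-12 09:00:05 auth[221]: FAILED login for alice from 10.0.0.7
2000-06-12 09:00:06 auth[221]: ACCEPTED login for alice from 10.0.0.7
2000-06-12 09:00:10 auth[221]: FAILED login for bob from 192.168.1.20
2000-06-12 09:03:00 auth[221]: FAILED login for bob from 192.168.1.20
2000-06-12 09:03:01 auth[221]: ACCEPTED login for bob from 192.168.1.20
""".splitlines()

if __name__ == "__main__":
    for pw in ("P@ssw0rd2000", "SecureWay2000!", "AliceBob2000", "correct horse battery staple"):
        print(f"{pw!r}: {'weak' if weak_password(pw) else 'ok'}")
    flagged, suspicious = detect_bruteforce(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("successful logins from flagged sources:", suspicious)
```

The sliding window matters: a fixed per-hour counter would either miss a fast burst or be tripped by an ordinary user mistyping twice in a morning, as the constructed `bob` lines show. The success-after-flag check is the higher-value alert, since it is the moment the attacker has become one of the "properly authenticated users" the firewall does nothing about.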
Other security components include the use of anti-virus programs, virtual private
networks (VPNs), content inspectors, encryption, Web access control and application
Bigley notes that most e-business executives don't place security high on their
list of priorities.
Executives are used to traditional closed [mainframe] architectures, whereas
e-business is now an open architecture, and therefore requires more thought
into its security infrastructure.
Create the system first, and build it from the worst-case scenario, Bigley
recommended, adding that he would spend between 4-6% of the company's revenue
on security.
Security as a continuum
As technology evolves, new devices and ways of doing business necessitate new
Already, several vendors, including Computer Associates, have rolled
out security solutions for use with WAP devices.
"Anytime you provide access with new technology, you have to control that
access," says Bigley. "Internet appliances are another 'window'."
These potential vulnerabilities need management, policy, and encryption of
access, said Bigley.
Companies need to constantly re-assess their own security measures to ensure
they are adequate and up-to-date, explained Bigley, describing security as
an ongoing process for companies.
But there are still certain security concerns that may not be resolvable.
One such concern would be the distributed denial-of-service attack, similar
to the ones that brought down sites like Yahoo! and eBay earlier this year.
"Technology is still trying to answer that one," said Bigley, adding
that CA was working on developing a solution that analyzes patterns of such
attacks before they happen.