Security - today and tomorrow. (Viewpoint)

Where does one start when securing an ebusiness system? It would be wonderful to have a green field site and start from the beginning, but most have to start in the real world with systems already in existence. Moreover, we may have to secure an ebusiness system in an environment where genuine, serious threats exist, alongside the paranoia that arises every time a hacker or virus inflicts major damage on someone else. We also have to keep current with technical advances despite a shortage of skilled staff, and be able to distinguish what measures will genuinely help secure ebusiness systems from an abundance of security hype.

In this feature, I will be looking at the issues surrounding some key risk areas for ebusiness systems such as extranets, VPNs, email and distributed denial of service (DDOS) attacks, outlining the latest tools and countermeasure techniques available, and considering security issues for the future. I will also discuss where high availability and load balancing fit into the security equation, as well as examining the crucial role of automation and reporting in the security armoury.

The emphasis on business

Running an ebusiness system is primarily about running a business. All the IT infrastructure which surrounds an ebusiness system needs to be designed to support the business itself and not the other way round. The security of ebusiness systems is not only an IT issue, but also a business and management issue. The security policies that work best for ebusiness are those to which senior management is heavily committed. Security works much better (or only works) if it has a champion on the board to promote it at the highest level, and show the whole organisation that security is a primary issue in the current business climate.

Companies need to foster a culture in which security is seen as a positive activity, which contributes markedly to the prosperity of the business, and helps safeguard jobs. Training in security awareness and security processes, praise for staff when security succeeds, and good communications between management, staff and IT on security measures are all important in creating this culture. Without it, many security measures are rendered useless.

There's an old adage that security is only as strong as the weakest link and it's never truer than when talking about ebusiness. The drive to connect more suppliers, more customers, more remote workers, and more devices to ebusiness systems is ever increasing.
Business partners are a key element in the security infrastructure and should be part of a company's culture of security. A policy sufficient for a small number of business partners and remote users may become woefully inadequate as more users are added. Suppliers and customers may not have the same concerns about security as your company, so it is sensible to update policies to reflect this.

Extranets and VPNs

The move towards multiple VPNs is gathering pace. Five years ago people had maybe five VPNs, now they might have 500 and tomorrow they may have 5000. While this brings better and more secure communications with formalised authentication and encryption over the Internet, it also creates a situation with multiple entry points needing continual supervision and management to ensure security. Additionally, VPNs, and especially encrypted VPNs, can become an Internet performance bottleneck, making the management of this environment a corporate nightmare. In this situation, key VPN features become ease of deployment, ease of management, and the ability to have a comprehensive network and security overview. Centralised management and troubleshooting become crucial, as does good management reporting.

Due to the changing requirements of installing large numbers of VPNs, the product itself has evolved. Combined VPN and firewall appliances, such as that available from WatchGuard, are now more common than software only VPNs, and statistics show this to be a growing trend.

Email is probably the biggest single threat to business existence if it is not managed effectively, and needs to be one of the key elements of a security policy. IDC predicts that by 2005 there will be 1.2 billion email boxes (138% compound growth) and 36 billion person-to-person emails daily. Instant messaging will grow at a rate of 100% compound, with 150 million business users by 2004. Existing email security problems will be significantly magnified, so we will need to look more carefully at virus defence, email data security, content filtering and SPAM protection. Contextual searching will help pick up emails which could lay a company open to legal action for sexual or racial discrimination.
It could also pick up whether employees are mailing out sensitive information such as customer lists or research data.

There are many solutions available for managing email. The market is moving towards multi-purpose security and management products such as those from Clearswift, including MailGuard and Mimesweeper. Email solutions can help define and enforce an email security policy, as well as providing filtering, monitoring and reporting. They can work in tandem with anti-virus software, providing additional protection on a company-wide basis. They can also offer contextual searching, provide protection to help safeguard intellectual property and confidential information, and offer a method of dealing with SPAM.

Distributed Denial of Service attacks

A third of all UK businesses will suffer a Distributed Denial of Service (DDOS) attack on their web servers during 2002, costing £54 million in lost on-line revenues, according to estimates by Internet security specialist, Webscreen Technology.
This is forecast to rise to losses of more than £270 million by 2005.

Most companies believe they are protected by firewalls and the like. This is technically correct. Most firewalls will shut down during a major DDOS attack to protect systems. But because they have shut down, companies are unable to carry on trading, and the web site is unavailable. The attack has succeeded. The majority of attacks, however, are minor ones and will not trigger a firewall to close. They will, however, significantly downgrade performance, giving poor service to staff, suppliers and customers.

There are some solutions now that will actually allow trading to continue while dealing with attacks, both major and minor. Webscreen Technology's WS 100 uses 'CHARM' technology to assign scores to web site visitors. When a DDOS attack occurs, it will let the best customers in, while repelling the attack. It is possible to continue trading during attacks, while maintaining normal performance for key users, in addition to immediately identifying attacks.

DDOS attacks do have to be taken very seriously. At the beginning of 2002, the ISP Cloud Nine ceased trading due to a series of devastating DDOS attacks, which left it unable to provide a service to customers.

The role of reporting and automation

Security threats to ebusiness are continually increasing, while the number of solutions is growing. Unfortunately, the number of skilled IT security staff is not increasing at the same rate, creating a lot of problems. An answer for companies in this situation is to employ reporting and automation techniques.
This enables skilled staff to be involved with overseeing and planning security, and not its day to day details: looking at how to tackle future threats, instead of loading the latest anti-virus update.

The key to good internal security is accurate intelligence, knowing exactly what is happening on a network. Once you understand what is happening, you know where you are most vulnerable, and therefore, which area you need to protect first.

Security is not just about the obvious issues like anti-virus, firewalls, hacking, fraud and DDOS attacks. Good security is about maintaining 24x7 availability of ebusiness systems and a good standard of performance. Research by Iowatch in 2001 established that UK businesses suffer from 57,500 Internet crashes per day. The average UK business experiences 97 minutes of downtime a month and 17 different downtime periods--so repeated non-availability of ebusiness systems is a very real possibility.

Poor performance and non-availability of systems (because of ISP failure or perhaps due to equipment failure) will have the same effect as poor performance and non-availability due to one of the more obvious security risks. Companies could just as easily lose money, lose customers and potentially lose their business.

There are now high availability tools from companies such as Radware and FS which ensure that ebusiness systems can provide continued availability and the best performance. Radware, for example, has failsafe solutions for firewall or ISP failure, which allow companies to switch seamlessly from one firewall to another in the event of failure, or from one ISP to another in the event of an ISP going off line.

Internal security is still the most dangerous threat to companies, with FBI statistics regularly showing around 70% of security problems are from within.
Solutions providing centralised configuration, implementation, auditing and reporting of the majority of network security issues are available from a number of companies including RedHand. Such solutions can also lock down desktops, as well as preventing unauthorised downloads and uploads. They will also manage laptop security remotely.

Some of the automated tools which can lighten the security load are:

* Firewall Reporting
Firewall reports can give a blow by blow account of everything that goes through a firewall and can highlight attempts to breach security. Technical and management reports are available from companies such as netIQ.

* Vulnerability Testing
Vulnerability testing tools, such as netIQ's Security Analyzer, can regularly throw a battery of tests at a system to see how it responds.

* Intrusion Detection
Intrusion detection lets users identify and respond rapidly to intrusion attempts. There is a wide range of solutions available.

* Web filtering
The legal risks and productivity costs of web abuse mean that web filtering is very important. Filtering tools are widely available, such as the software based solution from WebSense, or the appliance based filtering tool from NetPure.

* Honey pot systems
One proactive way of ensuring a second line of defence for ebusiness systems is to set up a honey pot trap. Honey pots are decoy servers or systems set up to gather information regarding an attacker or intruder.
Honey pot traps can be set up for internal, external and remote access systems.

Conclusions

There are some discernible trends in ebusiness security. Appliances are becoming more widespread, with a move away from server-based software. This is because appliances are often easier to protect, easier to deploy and easier to manage, with a low cost of ownership.

Maintaining the best possible performance and high availability is becoming increasingly important as businesses apply the same rules to the security of their ebusiness as they apply to the rest of their business.

There will be a move towards collating data into one source from all security devices to give an overview of the whole security environment. Tools such as netIQ's Security Manager will be increasingly used alongside enterprise products such as OpenView, Tivoli and UniCenter.

Absolute security is unfortunately absolutely impractical. No company is ever likely to have all the time and all the resources needed to be 100% secure. You can only do the best you can with the resources and time you have available.

Security is always going to be a difficult issue, but it doesn't have to be a total nightmare. Automated tools and reporting will free IT staff to enable them to take a security overview, rather than focus on details of individual point solutions. They can then ensure that security serves not just a company's ebusiness systems, but the company's business as a whole.

www.wickill.com

Ian Kilpatrick, Wick Hill Group