To serve and protect: want to avoid e-commerce nightmares? Keep your customers' data secure. (Tech Issues).


It happens all too often: a business owner gets an anonymous letter containing a sampling of his online customers' credit card numbers and a demand for payment if the business owner wants the thief to keep quiet and not post the stolen information online. If you're new to the e-commerce game, you'll quickly find that keeping customers satisfied with your products and customer service includes making sure that their personal information is kept secure. What can you do to help ensure that your Webmaster, IT manager, or third-party hosting service is taking precautions? Start with the basics: encryption, authentication, firewalls, and certificates, says Joan S. Hash, director of the security management and guidance group for the Information Technology Laboratory, National Institute of Standards & Technology (NIST) in Gaithersburg, Maryland.

* Encryption scrambles data before it travels from the customer's browser to your site. The customer sees a gold key or lock at the bottom of his or her browser that lets them know SSL (Secure Sockets Layer) or another encryption method is active. "Authentication is a scheme to make sure you know who you're dealing with, such as an account number and password," says Hash. Complex authentication schemes include fingerprint readers and devices that generate new passwords every few seconds. But because these methods aren't practical for consumer e-commerce, strong passwords (a combination of numbers and letters at least eight characters long) are a good start, as is logging the user out of the secure checkout area after a few minutes of inactivity.
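The two authentication measures just described (a password rule of at least eight characters mixing letters and digits, and an automatic logout of the checkout area after a few minutes without activity) are simple enough to show in code. The following is an added example, not code from the article or from NIST; the 300-second idle limit and the injectable clock are assumptions chosen so the behaviour can be exercised without waiting.

```python
"""Minimal password policy and idle-timeout session store (added example)."""
import re
import time

MIN_LENGTH = 8
IDLE_TIMEOUT_SECONDS = 300  # assumption: "a few minutes of inactivity" taken as five


def is_strong_password(password: str) -> bool:
    """Policy from the article: at least eight characters, with both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


class CheckoutSessions:
    """Tracks when each checkout session was last active and expires idle ones.

    `clock` defaults to a monotonic clock; tests pass a fake clock so that
    expiry can be checked deterministically.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._last_seen = {}

    def login(self, session_id: str) -> None:
        """Start (or restart) a checkout session."""
        self._last_seen[session_id] = self._clock()

    def touch(self, session_id: str) -> bool:
        """Record activity. Returns False, and logs the user out, if the
        session is unknown or has been idle longer than the timeout."""
        last = self._last_seen.get(session_id)
        if last is None:
            return False
        now = self._clock()
        if now - last > self._idle_timeout:
            del self._last_seen[session_id]   # forced logout after inactivity
            return False
        self._last_seen[session_id] = now
        return True


if __name__ == "__main__":
    fake_now = [0.0]
    sessions = CheckoutSessions(clock=lambda: fake_now[0])
    sessions.login("cart-42")
    fake_now[0] = 120.0
    print("active after 2 min:", sessions.touch("cart-42"))   # True
    fake_now[0] = 900.0
    print("active after 13 min idle:", sessions.touch("cart-42"))   # False
    print("weak 'password':", is_strong_password("password"))   # False
```

Each successful `touch` resets the idle clock, so a customer who keeps interacting stays logged in, while an abandoned checkout is dropped the next time anything tries to use it.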

* Firewalls, both hardware and software, prevent certain types of data from getting in or out of particular areas. This creates some measure of security between the outside world and your network. A hardware firewall should stop all unrequested data from entering your PC or your network. If someone inside a company does a search from a Web browser or polls for e-mail, the requested information can come in, but if a cracker scans for chinks in your company's armor or tries to send in unsolicited codes, a hardware firewall blocks the attempts. But hardware firewalls won't necessarily stop information from leaking out. A good software firewall can prevent software applications from sending information back to their makers invisibly, without even going through your e-mail program.

* Certificates verify legitimacy. Certificates like those issued by a government-approved certificate authority (CA), such as VeriSign Inc. (www.verisign.com) or Thawte Consulting (www.thawte.com), can tell you which Websites are the real McCoy. "You don't want your customers to be subjected to someone who sets up a bogus site and collects [their] sensitive information," says Hash. "The most popular browsers today employ standard techniques supporting the use of server certificates. Users can check for the presence of a server certificate by looking for the browser tool (try the Tools menu) that includes options for displaying this information. Private information, such as credit card numbers, should not be transmitted to sites where server certificates are not used."

It may seem that your customers will be protected from copycat sites only if they choose sites with certificates, but that's not necessarily true, says William J. Orvis, senior security specialist for the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) team in Livermore, California. "Sites that use SSL encryption all have certificates," he says. "In fact, you must have a certificate for the SSL to work. You can issue yourself a certificate, but the certificate won't chain back to a known certificate authority." If that happens, your customer's Web browser will open a dialog box and ask if he wants to continue. For a list of trusted CAs in Internet Explorer, for example, go to the Tools menu, choose Internet Options, then select the Content tab and click on the Certificates button.

SINGLE PURPOSE SERVER

There's more you can do to protect your customers' credit card information: Don't use the computer that runs the Web server as any other kind of server, such as an FTP or transaction server. "Have one machine on the outside that does Web service and nothing else--even though it means buying more than one computer," says Orvis. "It's easier to tell if the machine is tight." Port 80 is the only port that should be open on the Web server.
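A practical way to check the "port 80 only" rule is to list what the Web server is actually listening on and compare it with an allowlist. The script below is an added example, not something from the article or from CIAC; it assumes the column layout of Linux `ss -ltn` output, uses a constructed sample of that output so it runs offline, and treats loopback-bound services as internal (not reachable from the outside) rather than as violations.

```python
"""Audit a Web server's listening TCP ports against an allowlist (added example)."""

# Constructed sample in the column layout of `ss -ltn` on Linux (an assumption
# about that tool's format). On a real host you would feed in
# subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout instead.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

# Addresses that only local processes can reach; listeners bound here are not
# exposed to the network and are reported separately.
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output: str):
    """Return (address, port) pairs for every LISTEN row, skipping the header."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals such as "[::]" intact.
        address, _, port = fields[3].rpartition(":")
        listeners.append((address, int(port)))
    return listeners


def exposed_unexpected_ports(listeners, allowed_ports=frozenset({80})):
    """Listeners reachable from outside the host on ports not in the allowlist."""
    return sorted({(address, port) for address, port in listeners
                   if port not in allowed_ports and address not in LOOPBACK_ADDRESSES})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    offenders = exposed_unexpected_ports(found)
    for address, port in offenders:
        print(f"unexpected exposed listener: {address}:{port}")
    print("ok" if not offenders else f"{len(offenders)} port(s) need closing")
```

In the constructed sample the FTP (21) and SSH (22) listeners are flagged while the database bound to 127.0.0.1 is not; whether a loopback-only service belongs on the Web server at all is a separate question, which is why the article's advice is to keep other server roles off the machine entirely.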

Another way to protect your customers is to move their information: "As soon as you get the credit card number, immediately take that chunk of information and move it to a machine behind the firewall," says Orvis. "If somebody breaks into your server, the most [they would find] would be the last transaction, rather than thousands [in historical transactions]. Little things like that will tighten security immensely."

CHECK THE WIRE(LESS)

Customer credit card information is still at risk behind a firewall, particularly with wireless networks using 802.11b technology--the most popular wireless LAN (local area network) standard. Wireless networks can radiate data a few blocks beyond the building they're intended to stay in, so a cracker with the same wireless network interface card (NIC) as yours can passively receive all the data from your network from a distance--including customer credit card numbers.

"If a server with credit card information is behind a firewall and wireless access is also behind the firewall, there is the potential for [unauthorized access]," says Joe Jeter, vice president of Enterprise Network Services for Unisys Worldwide, headquartered in Blue Bell, Pennsylvania. "That's why it's important to have both firewalls and intrusion detection. If someone is trying something and not getting in, say, multiple password attempts are coming from the same IP address, intrusion detection will flag it to IT people on the network. Intrusion detection software looks for unusual patterns. It's very important to monitor and audit what happens 24-7, in-house or through outsourcing," he adds.
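The specific pattern Jeter mentions, repeated failed password attempts from one IP address, is one of the simplest intrusion-detection rules to write. The following detector is an added example, not code from the article or from Unisys; the log format, the threshold of five failures, the 60-second window and the sample log lines are all constructed for the demonstration.

```python
"""Flag bursts of failed logins from a single IP address (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application login log (not from the article).
# Fields: ISO timestamp, client IP, event, user.
SAMPLE_LOG = """\
2002-10-01T09:00:01 203.0.113.7 LOGIN_FAIL user=alice
2002-10-01T09:00:03 203.0.113.7 LOGIN_FAIL user=alice
2002-10-01T09:00:05 198.51.100.22 LOGIN_OK user=bob
2002-10-01T09:00:07 203.0.113.7 LOGIN_FAIL user=admin
2002-10-01T09:00:09 198.51.100.22 LOGIN_FAIL user=bob
2002-10-01T09:00:12 203.0.113.7 LOGIN_FAIL user=admin
2002-10-01T09:00:20 203.0.113.7 LOGIN_FAIL user=root
2002-10-01T09:00:25 203.0.113.7 LOGIN_FAIL user=root
2002-10-01T09:05:00 198.51.100.22 LOGIN_FAIL user=bob
"""


def parse_log(text: str):
    """Yield (timestamp, ip, event) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, event, _user = line.split(maxsplit=3)
        yield datetime.fromisoformat(stamp), ip, event


def detect_failed_login_bursts(text: str, threshold: int = 5,
                               window: timedelta = timedelta(seconds=60)):
    """Return (ip, iso_timestamp) for each IP whose failed logins reach
    `threshold` within `window`. Alerts fire once, when the count crosses
    the threshold, so a long burst produces a single alert."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for stamp, ip, event in parse_log(text):
        if event != "LOGIN_FAIL":
            continue
        failures = recent[ip]
        failures.append(stamp)
        # Drop failures that have aged out of the sliding window.
        while failures and stamp - failures[0] > window:
            failures.popleft()
        if len(failures) == threshold:
            alerts.append((ip, stamp.isoformat()))
    return alerts


if __name__ == "__main__":
    for ip, when in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT {when}: repeated failed logins from {ip}")
```

In the sample, 203.0.113.7 reaches five failures within nineteen seconds and is flagged once, while 198.51.100.22's two failures are almost five minutes apart and never accumulate. A real deployment would pair this with the 24-7 monitoring Jeter describes, since an alert nobody reads is no better than no alert.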

"Audits from an external source are important," says Jeter, who adds that periodic penetration tests from a trusted organization will help point out vulnerabilities in your network. Look for a company that can handle security assessment, implementation, 24-7 monitoring, and maintenance.

KNOW THE HOLES

One important thing to remember and review periodically: Beware of operating system and application vulnerabilities. "Imagine you built a fence around Fort Knox but there was a hole in the ground underneath the building that led outside the fence," says Andrew Ryan, CEO of Andrew Ryan Consulting Inc. (www.andrewryanconsulting.com), and IT consultant for the National Society of Black Engineers (NSBE) in Alexandria, Virginia. "You can do everything you're supposed to do with your firewall and certificates, but an operating system vulnerability will still give an attacker an opportunity to engage in malicious activity," he says. "Using legitimate channels, [crackers] can leverage these vulnerabilities to run arbitrary programs on your system." The solution? Keep up with patches both for your operating system and your applications.

"The misconception of the Internet era is that the most important things are speed, eyeballs, and user-friendliness," says Ryan. "[But] your No. 1 priority is security. The only thing worse than a slow connection with a customer is a fast connection with an attacker." To help your IT manager, Webmaster, or e-commerce provider keep one step ahead, point them to the NIST Website (www.nist.gov).

RELATED ARTICLE: Helpful Hints.

Want a quick way to get started? Check out these sites and products.

* Make sure your e-commerce administrator visits vendor Websites for patches, reads Bugtraq alerts (http://online.securityfocus.com/archive/1), and subscribes to e-mailed bug bulletins that pertain to your system.

* Want to know if you're open to risks? You can tell which of your ports are open by visiting Shields Up! at https://grc.com/x/ne.dll?bh0bkyd2 and choosing Probe My Ports.

* Firewall protection: for software, consider ZoneAlarm Pro from Zone Labs Inc. (www.zonealarm.com), which makes it easy to grant or deny permission to each program that attempts either an Internet or network connection. Also check out hardware firewalls from D-Link Systems Inc. (www.dlink.com), which cover business and residential needs.
COPYRIGHT 2002 Earl G. Graves Publishing Co., Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author: Rohan, Rebecca
Publication: Black Enterprise
Date: Oct 1, 2002
Words: 1333