Be E-fraid... Be Very E-fraid: Protecting Your Network from the Dangers of E-Commerce.
That's an interesting admission from me--that the Internet is not a fluke. A few years back I actually told a friend of mine that I didn't think the Internet was really going to take off. Odd, coming from a twenty-year computer industry veteran. Boy was I wrong. I guess I didn't anticipate the business use of the Web. Nonetheless it's here to stay and it has created a completely new business model.
Companies are rushing to get their virtual storefronts up to take advantage of the droves of customers lining up at their computers. For consumers, e-commerce means flexibility in shopping, better prices, and more selection. For e-tailers it means a globe-full of consumers, less cost per transaction, and lower overhead. But business-to-consumer is not the only model. Business-to-business is also blooming across the Internet.
Security is a major concern of e-commerce participants. Consumers have long been concerned with sending their credit card (or any personal) information over the Internet. Funny, they don't have that much concern giving their credit card number over the phone to a catalog sales rep. For some reason they are more concerned about shoving it directly into the e-tailer's computer with no human middleman. Let's look at the evolution of e-commerce for the business-to-consumer (B2C) model. I think this will give us a clearer picture of the danger points along the path.
In Figure 1 we see the old catalog order model. This involved the consumer looking through a thick catalog and picking out all those wonderful fluffy slippers as holiday gifts. A call is made to a customer service representative. This CSR has a computer screen that allows them to take customer information, take orders, and possibly generate an invoice. The customer provides a credit card number to the CSR who enters it into the company computer. All the credit card processing is handled on the back-end. When all processing is complete the customer has a box of fluffy slippers and the company has its money from the credit card company. Then, a few weeks later the customer receives their bill from the credit card company.
This model puts the transaction participants at a fairly low level of risk. Let's take a peek at all the possible points of risk. Assuming the consumer is not using a wireless phone, the likelihood of having the credit card number intercepted by an unauthorized party is very low. If the consumer is using a wireless phone the likelihood of intercept is much higher, but still too low to be concerned with. The greatest risk is with the CSR. This person has access to thousands of credit card numbers. An unscrupulous CSR could record credit card numbers and either sell or use them. Internal security controls should be in place to monitor this type of activity and penalties made very well known to deter such activity. There is always the possibility of credit card fraud, which is a risk to the company and the credit card company. A fraudulent consumer with a stolen credit card can call and pose as a valid card user. There are protections in the industry for this type of activity.
In Figure 2 we see the e-commerce model so prevalent today. Like the previous model we still have consumers, credit card in-hand, eager to make their product purchases. However, unlike the previous model, this consumer will not talk to a CSR. Instead, they will charge headlong into some web server dishing up middleware that will allow them proxied access into ABC Company's back-end computers. Customers are getting used to this model and are even starting to prefer it over talking with a CSR because they can see what they are about to purchase. Companies love this model because they are not paying a CSR to talk with you about the size and shape of Aunt Matilda's feet and the color of fluffy slippers she got last year.
In this e-commerce model there are new points of risk to both the consumer and the business. The first, and most obvious, is the exposure of the credit card number as it floats, bit-by-bit, over the public Internet. The credit card information is also at risk of exposure even after it arrives and is stored at the company's computer. The company is exposed to new security risks because it has opened its back-end network of systems to the public Internet.
Let's summarize the e-commerce model risks:
1. The consumer is at risk of having their credit card information intercepted as it travels across the Internet.
2. The consumer is at risk of having their credit card information stolen from the ABC Company's computers.
3. The company is at risk of having hackers attack their newly opened systems and gaining access to critical, back-end systems and:
a. stealing sensitive information
b. altering data
c. making systems unavailable.
Now I realize that I have not shown any of the security measures that are generally in place in such a model. I did this on purpose to help show the exposures. Now let's overlay some of the security solutions that will help reduce the risk described above.
First, let's protect the consumer. This is a very important step since it will provide confidence and thus increase revenue. The transmission of the credit card information across the public Internet is of the greatest concern to the consumer. There is a simple solution for this--encryption. Using the capabilities built into the popular web browsers such as Microsoft Internet Explorer and Netscape Navigator we can provide 128-bit key encryption. The protocol for this is known as Secure Sockets Layer (SSL). See box titled, "How SSL Works" on page 44.
With SSL we can feel reasonably assured that the consumer's sensitive credit card and order information is protected from unauthorized viewing and use by anyone intercepting communications between the browser and the server.
The next challenge is protecting the consumer's sensitive information after it is received, decrypted, and stored on the company's computers. The solution to this problem is not as simple as activating a feature built into the browser such as SSL. Instead, it involves a number of measures including:
* Proper firewall configuration
* Server hardening
* Data storage encryption
* Strong access controls
* Intrusion detection
Generally speaking, if a company has its e-commerce infrastructure correctly configured, the web server that consumers actually connect to is not inside the trusted portion of the company's network. It is usually located in a safe zone often referred to as the demilitarized zone (DMZ). See Figure 3 showing a typical DMZ. In many cases, the web server that consumers connect to is actually located at a hosting facility controlled by a web site hosting company such as an Internet Service Provider (ISP).
What this whole DMZ thing really means is that the web server, where information from consumers is first collected, is most likely more exposed than the rest of the company's network. It is more likely to get hit with hacker attacks. Therefore, it must be more rigorously protected.
Server hardening is one of the most effective means of protecting the web server from successful attacks. Hardening involves several activities including deactivating unnecessary services (such as FTP, SMTP, Telnet, and others) because there are many well-known vulnerability exploits available to hackers for weaknesses previously found in these services. By shutting these services down (they often are configured to run by default) you help minimize your vulnerabilities. Another very effective hardening activity involves keeping the operating system and system applications updated with the latest patches and releases.
In many cases the patches and releases include fixes for security vulnerabilities. Hackers spend their days scanning the Internet, looking for systems that have weaknesses they can exploit. They have fully automated tools for doing this and it is very simple to do. If you consider the vast number of systems connected to the Internet, you'll have an appreciation of the likelihood of the hackers finding vulnerable systems. Add to this the ever-growing list of patches required to maintain such popular operating systems as Windows NT, and your appreciation will turn to fear. It can be (and must be) a full-time job just maintaining the current patch levels on web servers.
Other controls to protect the consumer information that may land on an exposed web server include data encryption, strong access controls, and intrusion detection systems. Although SSL provides encryption to the sensitive consumer information as it traverses the Internet, it does not help protect the data on the web server. Separate products must be used to encrypt this information. The benefit of encrypting sensitive information on the server is obvious. The drawbacks include the increased demand on the processing power of the computers involved since encryption and decryption require many CPU cycles.
Strong access controls include trusted user identification and authentication and account privileges. Most e-commerce applications require that the user establish an account. Once established, the user is issued a login ID and some way of authenticating. Authentication is the process of validating that a user is who they say they are. Most systems rely on passwords or passcodes for authentication. These are "things that you KNOW", as opposed to other forms of authentication such as biometrics (fingerprints, voice pattern, retinal pattern, etc.)--"things that you ARE"--and tokens (devices that you keep which display timed passcodes or store an authentication key)--"things that you HAVE."
Up until now passwords have been sufficient for most businesses as a means of validating user identities. If SSL encryption is used, the likelihood of intercepting and stealing passwords is minimal. The problem tends to be that users often select poor passwords that are easily guessed by high speed password cracking software. The primary reason that biometrics and tokens have not gained much momentum is that they are costly, require additional infrastructure and seem intrusive. This may change over time, but for now the consumer and the e-tailers seem comfortable with passwords.
After authenticating users, we must make sure that they can only access information for which they are authorized. For example, we don't want a consumer to access information about another consumer's account. Nor do we want the consumer to access sensitive company information. This requires access controls based on user privileges. Well-developed e-commerce applications have the consumer logging in to a middleware application and not into the back-end network or domain. Many companies are beginning to develop and deploy single sign-on solutions for consumers that allow them to log in to a central authorization service that issues them a passport-like credential so they can navigate through all the services for which they are authorized. An example might be a financial service firm where you have a 401(k), a brokerage account, and an IRA. In the past you may have had to log in to three separate systems to get all of your account balances. With single sign-on you log in only once and the service sees that you are authorized to access all three systems to see each of your accounts.
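The passport-like credential and the per-account authorization check described above, as an added example that is not code from the article. It assumes a central authorization service and its back-end services share a signing key, and the function names, credential format, service names and balances are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret between the authorization service and its services.
SIGNING_KEY = b"demo-authorization-service-key"
# Constructed back-end data: service -> account id -> balance.
BALANCES = {"401k": {"k-1001": 12500.0}, "brokerage": {"b-2002": 8300.5}, "ira": {"i-3003": 4100.0}}

def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def issue_passport(user_id, services, ttl_seconds=900, now=None):
    """Central authorization service: sign a credential listing, per service,
    the account ids this user may reach. Hypothetical name and format."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "services": services, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def verify_passport(token, now=None):
    """Return the claims if the signature checks and the credential is
    unexpired; None for anything malformed, tampered with, or stale."""
    try:
        enc_payload, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(enc_payload.encode())
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return None if claims["exp"] < now else claims

def account_balance(service, token, account_id, now=None):
    """Each service checks the passport itself: valid, names this service, and
    the account belongs to the holder (one consumer cannot read another's)."""
    claims = verify_passport(token, now)
    if claims is None:
        return "denied: invalid or expired credential"
    owned = claims["services"].get(service)
    if owned is None:
        return "denied: not authorized for " + service
    if account_id not in owned:
        return "denied: account not owned by " + claims["sub"]
    return BALANCES[service][account_id]
```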
Finally, we should consider deployment of intrusion detection software on the exposed portions of our network. Intrusion detection systems (IDS) are like burglar alarms for your network. They watch system and network activity and compare that activity with a database of known attack patterns. If abnormal behavior is suspected they can alarm network security personnel who can investigate more closely.
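A small signature-based detector of the kind the paragraph describes, run over constructed web server log lines, as an added example that is not from the article. The log format (common log format), the two signatures, and the failed-login threshold are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample access log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2000:10:01:02 -0400] "GET /catalog/slippers.html HTTP/1.0" 200 5120
10.0.0.9 - - [01/Oct/2000:10:01:07 -0400] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 210
10.0.0.9 - - [01/Oct/2000:10:01:09 -0400] "POST /login HTTP/1.0" 401 88
10.0.0.9 - - [01/Oct/2000:10:01:10 -0400] "POST /login HTTP/1.0" 401 88
10.0.0.9 - - [01/Oct/2000:10:01:11 -0400] "POST /login HTTP/1.0" 401 88
10.0.0.9 - - [01/Oct/2000:10:01:12 -0400] "POST /login HTTP/1.0" 401 88
10.0.0.5 - - [01/Oct/2000:10:02:30 -0400] "POST /login HTTP/1.0" 200 1200
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# The "database of known attack patterns": alert name -> regex over the request path.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./|%2e%2e)", re.IGNORECASE),
    "system-file-probe": re.compile(r"/etc/(passwd|shadow)", re.IGNORECASE),
}
FAILED_LOGIN_THRESHOLD = 3  # alert once a client exceeds this many 401s on /login

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}

def detect(log_text):
    """Return a list of (alert_name, client_ip, detail) for security staff to review."""
    alerts = []
    failed_logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the monitor
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((name, rec["ip"], rec["path"]))
        if rec["path"] == "/login" and rec["status"] == 401:
            failed_logins[rec["ip"]] += 1
            if failed_logins[rec["ip"]] == FAILED_LOGIN_THRESHOLD + 1:  # alert once per client
                alerts.append(("password-guessing", rec["ip"], "%d failed logins" % failed_logins[rec["ip"]]))
    return alerts
```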
So far we have spent our time talking about protecting the consumer only. As you will recall, we identified some new risks for the business as well. The business is taking a security risk by connecting its previously closed, back-end systems to the Internet. In the previous discussion we spoke about a DMZ. This is a critical architecture for protecting the back-end systems.
Many of the same measures used to protect consumer data in the DMZ play a role in protecting the back-end systems as well. Use of a firewall, DMZ, strong access controls, and intrusion detection all are important. Another critical part of e-commerce security is careful application architecture. When planning the deployment of an e-commerce application you must very carefully examine how it will integrate with your existing systems and consider what new vulnerabilities its integration may create.
Most B2C e-commerce applications are simply a replacement of the customer service representative with software and a graphical user interface (GUI). We have eliminated the CSR and put software in the consumer's hands which allows them to see what widgets you have, and order them. To do this the e-commerce application must have access to the databases and other applications you have running on your back-end, trusted network. You must consider the security ramifications of having the ability to reach far back into your network from the Internet.
As you can see there is a great deal to consider when jumping into the e-commerce arena. All of it is important, and lack of attention to any of it is an invitation to disaster. Consider the embarrassment and loss of business some companies have already suffered when it was made public that their e-commerce systems were hacked and thousands of credit card numbers compromised. For some businesses, this kind of news could mean the death of their company.
I suggest that you seriously consider the use of well-trained and highly experienced business assurance and information security professionals before you put your toe into the e-commerce pool. It may seem tempting to put up a web server and start selling your fluffy slippers on the Web, but it can be very dangerous. So, be e-fraid... be very e-fraid.
William Sieglein is a security engineer with Fortrex Technologies located in Gaithersburg, MD.
How SSL Works
Using SSL, the browser accepts a digital certificate from the web server to which it is connected (e.g., ABCCompany.com). The digital certificate is like a set of credentials, issued by a trusted third party. It is signed (digitally) by that trusted third party as an indication of its trustworthiness. The browser checks its list of trusted certificate signers and issuers, and if it finds the one you received, then it allows a trusted connection. Using the encryption key information in the certificate, the browser and the web server establish an encrypted session.
Title annotation: electronic commerce security measures
Date: Oct 1, 2000