To serve and protect: want to avoid e-commerce nightmares? Keep your customers' data secure. (Tech Issues).
* Encryption scrambles data before it travels from the customer's browser to your site. The customer sees a gold key or lock icon at the bottom of the browser window that shows SSL (secure sockets layer) or another encryption method is active. "Authentication is a scheme to make sure you know who you're dealing with, such as an account number and password," says Hash. Complex authentication schemes include fingerprint readers and devices that generate new passwords every few seconds. But because these methods aren't practical for consumer e-commerce, strong passwords (a mix of letters and numbers at least eight characters long) are a good start, as is logging the user out of the secure checkout area after a few minutes of inactivity.
* Firewalls, both hardware and software, block certain types of traffic from entering or leaving particular parts of your network. This creates some measure of separation between the outside world and your systems. A hardware firewall should stop all unrequested traffic from entering your PC or your network. If someone inside the company runs a search from a Web browser or polls for e-mail, the requested replies can come in, but if a cracker scans for chinks in your company's armor or tries to send in unsolicited packets, a hardware firewall blocks the attempts. But hardware firewalls won't necessarily stop information from leaking out. A good software firewall can prevent applications from sending information back to their makers invisibly, without even going through your e-mail program.
* Certificates verify legitimacy. Certificates issued by a certificate authority (CA) that browsers already trust, such as VeriSign Inc. (www.verisign.com) or Thawte Consulting (www.thawte.com), can tell you which Websites are the real McCoy. "You don't want your customers to be subjected to someone who sets up a bogus site and collects [their] sensitive information," says Hash. "The most popular browsers today employ standard techniques supporting the use of server certificates. Users can check for the presence of a server certificate by looking for the browser tool (try the Tools menu) that includes options for displaying this information. Private information, such as credit card numbers, should not be transmitted to sites where server certificates are not used."
It may seem that your customers will be protected from copycat sites only if they choose sites with certificates, but that's not necessarily true, says William J. Orvis, senior security specialist for the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) team in Livermore, California. "Sites that use SSL encryption all have certificates," he says. "In fact, you must have a certificate for the SSL to work. You can issue yourself a certificate, but the certificate won't chain back to a known certificate authority." If that happens, your customer's Web browser will open a dialog box warning that the certificate cannot be verified and asking whether to continue, which is exactly what a bogus site with a self-issued certificate looks like. For a list of trusted CAs in Internet Explorer, for example, go to the Tools menu, choose Internet Options, then select the Content tab and click on the Certificates button.
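The "strong passwords plus logging out after a few minutes of inactivity" advice from the authentication item above is easy to state and easy to get subtly wrong (sessions that never expire, or that expire from login time rather than from last activity). The following is an added example, not code from the article or from any of the people quoted in it; the five-minute limit, the `CheckoutSessions` class and the injectable clock are assumptions made for the demonstration.

```python
import re
import secrets
import time
from typing import Callable, Dict, Optional

# Assumption: five minutes of inactivity ends a checkout session (the article says "a few minutes").
IDLE_LIMIT_SECONDS = 5 * 60


def password_is_strong(password: str) -> bool:
    """The article's minimum bar: at least eight characters mixing letters and digits."""
    return (len(password) >= 8
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


class CheckoutSessions:
    """Server-side table of live checkout sessions keyed by an unguessable token.

    The clock is injectable so the idle-expiry rule can be exercised without sleeping.
    """

    def __init__(self, idle_limit: float = IDLE_LIMIT_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.idle_limit = idle_limit
        self.clock = clock
        self._sessions: Dict[str, dict] = {}  # token -> {"user": ..., "last_seen": ...}

    def start(self, user: str) -> str:
        """Called after the user has authenticated; returns the token to place in the cookie."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[token] = {"user": user, "last_seen": self.clock()}
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live session and refresh its activity timer.

        A session idle for longer than idle_limit is deleted and treated as logged out,
        so a customer who walks away from the terminal is not left signed in. Expiry is
        measured from the last request, not from login, so active shoppers are not cut off.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_limit:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    fake_now = [0.0]
    sessions = CheckoutSessions(idle_limit=300, clock=lambda: fake_now[0])
    tok = sessions.start("alice")
    fake_now[0] = 200.0
    print(sessions.authenticate(tok))  # alice: still active within the limit
    fake_now[0] = 800.0
    print(sessions.authenticate(tok))  # None: 600 s idle, session dropped
```

Expiry is enforced lazily on the next request rather than by a background timer, which is enough for the "are you still logged in?" decision; a periodic sweep of stale entries only matters for memory.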
SINGLE PURPOSE SERVER
There's more you can do to protect your customers' credit card information: Don't use the computer that runs the Web server as any other kind of server, such as an FTP or transaction server. "Have one machine on the outside that does Web service and nothing else--even though it means buying more than one computer," says Orvis. "It's easier to tell if the machine is tight." Only the ports the Web server actually needs (80 for HTTP and 443 for SSL) should be open; everything else should be closed.
Another way to protect your customers is to move their information: "As soon as you get the credit card number, immediately take that chunk of information and move it to a machine behind the firewall," says Orvis. "If somebody breaks into your server, the most [they would find] would be the last transaction, rather than thousands [in historical transactions]. Little things like that will tighten security immensely."
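To make Orvis's point concrete, here is an added example (not code from the article or from CIAC) contrasting a Web tier that keeps every card number it sees with one that hands the number to a machine behind the firewall at once and keeps only an opaque token and the last four digits. The `CardVault` class stands in for that inside machine and is an assumption; in production it would be a separate host reachable only from the Web tier. The card numbers are the standard industry test numbers, not real accounts.

```python
import secrets
from typing import Dict, List


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; a cheap sanity check before the number leaves the Web tier."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # and fold two-digit results (e.g. 14 -> 5)
        total += d
    return total % 10 == 0


class CardVault:
    """Stand-in for the machine behind the firewall (assumed interface, not the article's).

    Here it is an in-process object so the example runs offline; the only thing the Web
    tier ever gets back is a token that cannot be turned into a card number without the vault.
    """

    def __init__(self) -> None:
        self._pans: Dict[str, str] = {}

    def store(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # opaque reference, unrelated to the PAN
        self._pans[token] = pan
        return token

    def charge(self, token: str, amount: float) -> bool:
        # Stand-in for submitting the stored card to the payment processor.
        return token in self._pans and amount > 0


class NaiveWebTier:
    """What the article warns against: the public server keeps every card number it has seen."""

    def __init__(self) -> None:
        self.orders: List[dict] = []

    def checkout(self, order_id: str, pan: str, amount: float) -> bool:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            return False
        self.orders.append({"order": order_id, "pan": pan, "amount": amount})
        return True


class HardenedWebTier:
    """Hands the number to the vault immediately and keeps only a token and the last four digits."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.orders: List[dict] = []

    def checkout(self, order_id: str, pan: str, amount: float) -> bool:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            return False
        token = self.vault.store(pan)              # the number leaves this box right here
        if not self.vault.charge(token, amount):
            return False
        self.orders.append({"order": order_id, "card_token": token,
                            "last4": pan[-4:], "amount": amount})
        return True


def exposed_pans(records: List[dict]) -> int:
    """Count full card numbers an intruder would find in the Web server's own records."""
    return sum(1 for rec in records for v in rec.values()
               if isinstance(v, str) and luhn_ok(v))


# Industry test card numbers (constructed input; they are not real accounts).
TEST_CARDS = ["4111 1111 1111 1111", "5555 5555 5555 4444", "3782 822463 10005"]

if __name__ == "__main__":
    naive, vault = NaiveWebTier(), CardVault()
    hardened = HardenedWebTier(vault)
    for i, card in enumerate(TEST_CARDS):
        naive.checkout(f"order-{i}", card, 19.99)
        hardened.checkout(f"order-{i}", card, 19.99)
    print("naive web server exposes", exposed_pans(naive.orders), "card numbers")
    print("hardened web server exposes", exposed_pans(hardened.orders), "card numbers")
```

The `exposed_pans` check is the useful part to keep: run it against whatever the public server actually writes to disk (order tables, logs, session files) to confirm nothing Luhn-valid is sitting there after the handoff.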
CHECK THE WIRE(LESS)
Customer credit card information is still at risk behind a firewall, particularly with wireless networks using 802.11b technology--the most popular wireless LAN (local area network) standard. Wireless networks can radiate data a few blocks beyond the building they're intended to stay in, so a cracker with the same wireless network interface card (NIC) as yours can passively receive all the data from your network from a distance--including customer credit card numbers.
"If a server with credit card information is behind a firewall and wireless access is also behind the firewall, there is the potential for [unauthorized access]," says Joe Jeter, vice president of Enterprise Network Services for Unisys Worldwide, headquartered in Blue Bell, Pennsylvania. "That's why it's important to have both firewalls and intrusion detection. If someone is trying something and not getting in, say, multiple password attempts are coming from the same IP address, intrusion detection will flag it to IT people on the network. Intrusion detection software looks for unusual patterns. It's very important to monitor and audit what happens 24-7, in-house or through outsourcing," he adds.
"Audits from an external source are important," says Jeter, who adds that periodic penetration tests from a trusted organization will help point out vulnerabilities in your network. Look for a company that can handle security assessment, implementation, 24-7 monitoring, and maintenance.
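Jeter's example of what intrusion detection flags, repeated password failures from one IP address, is a small enough rule to show end to end. The following is an added example, not code from the article or from Unisys: a sliding-window detector run over constructed log lines in a made-up format (`<ISO time> <ip> LOGIN <user> <OK|FAIL>`), which is an assumption; a real deployment would swap in the parser for its own Web server's log format. The threshold and window values are likewise assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log (assumed format: "<ISO time> <ip> LOGIN <user> <OK|FAIL>").
# 203.0.113.7 hammers several accounts within seconds; 198.51.100.2 is a real customer
# who mistypes once; 192.0.2.9 fails five times but spread over ten minutes.
SAMPLE_LOG = """\
2002-10-01T09:00:01 203.0.113.7 LOGIN alice FAIL
2002-10-01T09:00:04 203.0.113.7 LOGIN alice FAIL
2002-10-01T09:00:05 198.51.100.2 LOGIN carol FAIL
2002-10-01T09:00:09 203.0.113.7 LOGIN bob FAIL
2002-10-01T09:00:12 198.51.100.2 LOGIN carol OK
2002-10-01T09:00:15 203.0.113.7 LOGIN bob FAIL
2002-10-01T09:00:20 203.0.113.7 LOGIN admin FAIL
2002-10-01T09:00:25 203.0.113.7 LOGIN admin FAIL
2002-10-01T09:05:00 192.0.2.9 LOGIN dave FAIL
2002-10-01T09:07:00 192.0.2.9 LOGIN dave FAIL
2002-10-01T09:09:00 192.0.2.9 LOGIN dave FAIL
2002-10-01T09:11:00 192.0.2.9 LOGIN dave FAIL
2002-10-01T09:13:00 192.0.2.9 LOGIN dave FAIL
2002-10-01T09:13:30 garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) LOGIN (\S+) (OK|FAIL)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, ip, user, result) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_bruteforce(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Alert once per IP when it reaches `threshold` failed logins inside a sliding window.

    Lines are assumed to be in time order (as a log file is). Successful logins are
    ignored on purpose: the signal is repeated failure, not volume of traffic.
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        if result != "FAIL":
            continue
        window = recent[ip]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:  # drop failures outside the window
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(window),
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
                "users": sorted({u for _, u in window}),  # several accounts from one IP = spraying
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `users` field is worth keeping in any real rule: one IP cycling through many account names is a different attack (and a different response) from one customer who forgot a password.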
KNOW THE HOLES
One important thing to remember and review periodically: Beware of operating system and application vulnerabilities. "Imagine you built a fence around Fort Knox but there was a hole in the ground underneath the building that led outside the fence," says Andrew Ryan, CEO of Andrew Ryan Consulting Inc. (www.andrewryanconsulting.com), and IT consultant for the National Society of Black Engineers (NSBE) in Alexandria, Virginia. "You can do everything you're supposed to do with your firewall and certificates, but an operating system vulnerability will still give an attacker an opportunity to engage in malicious activity," he says. "Using legitimate channels, [crackers] can leverage these vulnerabilities to run arbitrary programs on your system." The solution? Keep up with patches both for your operating system and your applications.
"The misconception of the Internet era is that the most important things are speed, eyeballs, and user-friendliness," says Ryan. "[But] your No. 1 priority is security. The only thing worse than a slow connection with a customer is a fast connection with an attacker." To help your IT manager, Webmaster, or e-commerce provider keep one step ahead, point them to the NIST Website (www.nist.gov).
RELATED ARTICLE: Helpful Hints.
Want a quick way to get started? Check out these sites and products.
* Make sure your e-commerce administrator visits vendor Websites for patches, reads Bugtraq alerts (http://online.securityfocus.com/archive/1), and subscribes to e-mailed bug bulletins that pertain to your system.
* Want to know if you're open to risks? You can tell which of your ports are open by visiting Shields Up! at https://grc.com/x/ne.dll?bh0bkyd2 and choosing Probe My Ports.
* Firewall protection: for software, consider ZoneAlarm Pro from Zone Labs Inc. (www.zonealarm.com), which makes it easy to grant or deny permission to each program that attempts either an Internet or network connection. Also check out hardware firewalls from D-Link Systems Inc. (www.dlink.com), which cover business and residential needs.
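The Shields Up! tip above and the single-purpose server advice earlier in the article (only the Web server's own ports open) amount to one check: probe the machine and list every listening port that is not on an allowlist. The following is an added example, not code from the article, from Gibson Research or from any vendor named here. It probes with plain TCP connects, the same thing an outside scanner does; the `{80, 443}` allowlist, the helper that opens a stand-in listener, and the loopback target are assumptions for running it offline.

```python
import socket
from typing import Iterable, List, Set, Tuple

# Assumption: the single-purpose Web server should answer only on HTTP and HTTPS.
WEB_SERVER_ALLOWED: Set[int] = {80, 443}


def port_is_open(host: str, port: int, timeout: float = 0.3) -> bool:
    """TCP connect probe: the same test an outside scanner (or Shields Up!) performs."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: none of these is "open"
            return False


def unexpected_open_ports(host: str, ports: Iterable[int], allowed: Set[int]) -> List[int]:
    """Every port in `ports` that is listening but not on the allowlist (allowed ports are skipped)."""
    return sorted(p for p in ports if p not in allowed and port_is_open(host, p))


def start_dummy_listener() -> Tuple[socket.socket, int]:
    """Open a listener on an OS-chosen port so the check has something to find; caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Return a port number that is currently not listening (bound once, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # The dummy listener stands in for an FTP or admin service someone left running on the Web box.
    listener, stray_port = start_dummy_listener()
    try:
        candidates = [80, 443, stray_port, free_port()]
        print("unexpected open ports:",
              unexpected_open_ports("127.0.0.1", candidates, WEB_SERVER_ALLOWED))
    finally:
        listener.close()
```

Run it from a host outside the firewall against the server's public address with `range(1, 1025)` (and the common high ports) as candidates; a result of anything but `[]` means the machine is doing more than Web service.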
Date: Oct 1, 2002