Sören Janstål
Data Research DPU ab
Torsvikssvängen 34
181 34 Lidingö


Tel +46 (0)70 727 67 95
Skype sjanstal
Advanced Security Strategies: Protecting Today's E-business Environment

Pages: 151
ISBN: 1-56607-088-0
Published: January 2001

See order form for price!

About the report

Although internal threats are prevalent, external attacks are increasing. Available attack tools reduce the skill level needed to mount attacks, thereby increasing their number. Because attacks are frequently more random than targeted, the odds of escaping attack simply through obscurity are decreasing.

Advanced Security Strategies: Protecting Today's E-business Environment scrutinizes common attack methods:

  • Reconnaissance. Hackers often build a database of Internet protocol (IP) addresses to scan for open ports or run scanners to discover vulnerabilities. They can also engage in social engineering, dumpster dive for information about an organization's computers and its users' accounts, and review posts in newsgroups and security mailing lists for details such as configuration errors and the location of firewalls.
  • Denial-of-service (DoS) attacks. By overloading a network with requests, hackers can cause the network to crash or become unable to respond to legitimate requests.
  • Viruses. Viruses are not usually targeted attacks, although they can be. Some viruses are also worms, sending themselves to all users in an address book. Some recent viruses also include Trojans, which replace valid programs with back doors through which attackers can steal files and passwords.

CTR's new report also details how companies can determine whether an intrusion has occurred and how to stop these attacks. Countermeasures such as using firewalls, security scanners, intrusion detection systems (IDSs), and antivirus software are analyzed.

Securing Remote Access

As organizations grow and merge, functions are increasingly being distributed across many local area networks (LANs). In addition, an increasing number of staff are now working remotely, and external partners and customers are accessing internal systems via extranets and Web sites.

This remote access presents new ways to enter the corporate network. Advanced Security Strategies: Protecting Today's E-business Environment delineates effective measures that protect against this remote threat. For example, home office computers should comply with the same security standards as machines in company offices, and remote workers should be subject to more stringent authentication measures, such as tokens, digital certificates, or biometric devices. In addition, virtual private networks (VPNs) provide secure access for single users and between networks.

E-commerce Threats

E-commerce sites are more likely than other sites to be attacked and face risks on several levels. A highly publicized hacking incident sullies the site's reputation, eroding customer and investor trust and resulting in monetary losses.

The number of recent, successful attacks against high-profile sites reveals the complexity of Web server security problems. Advanced Security Strategies: Protecting Today's E-business Environment explains that Web servers must be secured on three levels: the operating system (OS), the Web server software, and the Web application layer.

E-commerce companies must also secure online transactions. CTR's new report analyzes the role secure sockets layer (SSL) plays in protecting e-commerce by encrypting data in transit.

Implementing Firewalls

Firewalls are widely used to protect networked systems and VPN architectures. In their simplest forms, they eliminate unwanted traffic. Firewalls typically deny intruder access to corporate data via the Internet by enforcing one of two policy stances:

  • Deny all traffic that is not explicitly permitted.
  • Permit all traffic that is not explicitly denied.

Advanced Security Strategies: Protecting Today's E-business Environment examines the advantages and disadvantages of three basic types of firewalls: packet filters, dynamic packet filters, and application proxies. The report also demonstrates why firewalls should be used to enforce a written access control policy and why organizations should avoid "punching holes" in the firewall to support new services.
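To make the two policy stances concrete, here is the same host filtered under each of them in nftables syntax. This is an added example, not material from the report or from the page; the ports, the internal address range and the interface name are placeholders. Load only one of the two tables on a real host.

```nftables
# Added example (not from the report). Port, interface and address values
# are placeholders, not taken from the page.

# Stance 2: permit all traffic that is not explicitly denied.
# Only the listed services are blocked. A service that appears on the host
# tomorrow is reachable from the Internet without anyone deciding it should be.
table inet weak_filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop          # telnet is blocked only because someone listed it
        tcp dport 135-139 drop     # NetBIOS blocked; everything unlisted still passes
    }
}

# Stance 1: deny all traffic that is not explicitly permitted.
# The rule set is the written access control policy: a new service stays
# unreachable until a rule is deliberately added for it, so "punching a hole"
# is a visible, reviewable change rather than the default.
table inet strict_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept          # replies to connections we started
        iif "lo" accept                              # loopback
        ct state invalid drop
        ip saddr 10.0.0.0/8 tcp dport 22 accept      # admin SSH from the internal net (placeholder range)
        tcp dport { 80, 443 } accept                 # the published Web service
        counter drop                                 # count what the default stance rejects; feed it to log review
    }
}
```

The `counter` on the final drop is what auditing should read: a rising count for a port nobody published is a prompt to investigate, not a reason to add a permit rule.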

The Benefits of Public Key Encryption

Digital certificate technology is gaining support for internal and external authentication. Advanced Security Strategies: Protecting Today's E-business Environment illustrates the benefits that public key encryption, digital certificates, and public key infrastructures (PKIs) offer beyond authentication, including the use of digital signatures, which are more secure than physical signatures; the ability to prove that a certain party conducted a specific transaction; and preventing information tampering in transit.

To use digital certificates, organizations must create a PKI, which encompasses the policies and procedures for securely exchanging information, issuing certificates to qualified users, and revoking them when access rights are terminated. Advanced Security Strategies: Protecting Today's E-business Environment explains the creation of a PKI and emphasizes the importance of updating and streamlining directory services to accommodate certificate requests.

Securing Extensible Markup Language

Although proprietary file formats may become obsolete as extensible markup language (XML) implementation increases, their obscurity offers some inherent data protection. XML is a plain-text file format that contains sensitive business data and thus requires security in transit. Advanced Security Strategies: Protecting Today's E-business Environment explains how this security can be achieved by sending XML files via SSL or a VPN.

Developing a Security Strategy

Security technology alone is not sufficient to protect the enterprise. Organizations must evaluate how much security they need, what assets are worth protecting, and the state of their current security levels. Policies and user education are critical components of any successful security strategy.

Advanced Security Strategies: Protecting Today's E-business Environment also emphasizes these important elements:

  • Management support. Essential to the entire information security effort and critical for managing security incidents. If managers do not support security efforts, incidents are likely to be considered a shortcoming of the information systems (IS) staff rather than a problem involving the entire company.
  • Third-party perspective. When assessing risks, asking a consultant to evaluate corporate security can be beneficial.
  • An incident response plan. A response plan prevents last-minute panic and enables the organization to respond to incidents smoothly and effectively. The plan also establishes the organization's policy on reporting incidents, designates contacts, and details the procedures to follow in the event of an incident.
  • Centralizing security. Management splits can exist between physical and information security, but this lack of unity erodes overall security.
  • Auditing system activity. Log files must be reviewed continually to ensure that all anomalies are detected. If no one reviews the logs, valuable information can be missed, and intrusions may go undetected.

Conclusion

Security requires vigilance. A carefully secured network can quickly become vulnerable when changes are made, particularly in the fast-paced environment of e-commerce. Threats are also constantly changing. New security holes are publicized on the Internet each week, and security breach attempts inevitably follow. The organization may find itself under attack if security staff is unavailable to monitor the vulnerabilities and patch them as they emerge.

Security is the enabling technology for e-commerce. By dedicating time and money to it, organizations can confidently move ahead with Internet initiatives and gain competitive advantage while protecting vital corporate data.


Report contents

Executive Summary

  • What Are the Threats?
  • The Increased Vulnerability of E-commerce Sites
  • Countermeasures
  • The Importance of Policies and Strategies

Internal Threats

  • The Extent of the Internal Threat
  • Who Is Responsible?
  • Addressing the Threat
  • Implementing Strong Authentication Methods
  • Options for Strong Authentication
  • Access Control
  • Commercial Access Control Products
  • Internal Firewalls
  • Human Resources (HR) Strategies
  • Educating Employees to Deter Social Engineering Attempts
  • Monitoring Employee Internet Use
  • Developing and Enforcing a Strong Security Policy

External Threats

  • The Growing Role of Attack Tools in Intrusions
  • Reconnaissance
  • Password Attacks
  • After the Hacker Has Entered
  • Denial-of-Service (DoS) Attacks
  • Java/ActiveX Security Threats
  • Viruses
  • Protecting the Enterprise from Zone Transfers
  • Determining If an Intrusion Has Occurred
  • Using Firewalls to Repel Outside Attacks
  • Security Scanners
  • Using Intrusion Detection Systems (IDSs) to Monitor for and Respond to Common Attacks
  • Combating Viruses
  • Software Is Not Sufficient
  • Managing Java and ActiveX Controls

Securing Remote Access

  • Security Threats Related to Remote Workers
  • Securing Home Offices
  • The Security Implications of Broadband Access to the Home
  • Strong Authentication Measures for Remote Users
  • Security for Mobile Workers
  • Virtual Private Networks (VPNs) for Remote Workers and Branch Offices
  • Protecting Remote Users with VPNs
  • Using VPNs to Connect Remote Offices
  • Placing VPNs Relative to Firewalls
  • VPNs: Difficulties Continue

Securing E-commerce

  • Web Site Vandalism
  • Buffer Overflow
  • Exploiting Common Gateway Interface (CGI) Vulnerabilities and Other Application-layer Problems
  • Securing the Web Site
  • The Importance of Software Patches
  • Antihacker Tools
  • Using Secure Sockets Layer (SSL) to Protect Online Transactions
  • SSL and Server Certificates
  • Internet Protocol Security (IPSec)
  • Firewalls
  • Packet Filters
  • Dynamic Packet Filters
  • Proxy Firewalls
  • What Firewalls Cannot Do
  • Firewall Features and Products

Public Key Encryption

  • The Market for Public Key Infrastructures (PKIs)
  • How Digital Certificates Operate
  • Issuing Digital Certificates to Customers and Business Partners
  • New Encryption Standards
  • The Importance of Directory Services
  • PKI: Overall Problems and Potential Solutions
  • Keeping Private Keys Private
  • Digital Certificate Portability
  • Digital Signature Legality
  • Shared Workstations
  • Certificate Revocation
  • Interoperability
  • Approaches to Implementing a PKI

Securing Extensible Markup Language

  • Banking Initiatives and Extensible Markup Language (XML) Security
  • Building Security into a Document Type Definition (DTD)

Creating a Security Strategy

  • Conducting Risk Analysis
  • Security Assessment Strategies
  • Penetration Testing
  • Insurance
  • Staffing Issues
  • Centralizing Security
  • Security as Part of E-business Application Development
  • The Importance of Security Policy and Auditing
  • The Need for Security Education
  • Incident Response
  • After the Incident

