Privacy and security
Protect yourself from the World Wild Web
A former RCMP officer reveals what companies must do to improve their online security and ensure privacy.

Every day we see how the term "network security" is a contradiction in terms. We are faced with new problems, new technical terms, new types of attacks on protected systems and new technology that is supposed to make our work easier. Managers are faced with a wide variety of products and services to buy so they can protect their company's assets. How do you approach e-commerce security in this type of environment? You are confronted with a virtual world that plays by its own rules. Is it much different from the physical world? Probably not. But in this new millennium, you have to make your company visible on the World Wide Web if you want to stay competitive, because more exposure and availability of your product equals more profit. But that opens your operations up to threats you'd never have imagined five years ago.

Everybody wants to create their own website and conduct transactions on the Web. One consequence of this phenomenon is that a lot of small and medium-sized businesses install out-of-the-box e-commerce server systems. The installation is quick and very user-friendly. Unfortunately, to accommodate this type of installation, the out-of-the-box product often has weak security features.

Present threat

Would you start a business selling computer hardware in a seedy part of town without an alarm system, proper door security, or bars in your windows? Probably not. But every day in cyberspace, numerous business owners are doing exactly that. E-commerce systems are built in a flash in the hope that profits will be generated quickly while the market is hot. You may be lucky enough that your system will not be compromised for a while, but is it worth taking that risk?

A threat that shouldn't be overlooked these days is what we call "script kiddies". A script kiddie is usually a young teen with above-average computer skills who will search the Internet for hacking tools and simply try them out. Unfortunately, most script kiddies don't think about the consequences of their actions and will mess around just for the challenge and the hope of gaining status as a cool hacker.

Script kiddies are scanning the Internet for easy prey. If you are an IT security professional who thinks that your systems are secure because nobody knows that you are on the Internet, you are deceiving yourself. Several cable modem users have reported scanning of their systems shortly after connecting to the Web, without having made any previous transactions on the World Wide Web. Security through obscurity doesn't work.

Prevention

There are some basic security steps that you can adopt to prevent and minimize the amount of damage or loss if you are the victim of an attack from a hacker or a disgruntled employee. You will have to look at your whole system and reassess its weaknesses and strengths.

The information stored in your system is more likely to be vulnerable at the access points than in transit between point A and point B. Your Web server and your clients' systems will need more controls and security policies implemented. When the information travels between A and B, it is encrypted most of the time.

Consequently, your resources shouldn't be spent trying to secure something that is already protected. Your system is as secure as the weakest component of your network. Computer hackers know this and they will exploit this environment.

E-commerce security

There are four components that you need to evaluate if you are thinking of building an e-commerce server:

  • client system;
  • transport protocol;
  • Web server;
  • operating system.

These components have different types of vulnerabilities and they need to be understood by the manager and/or owner of a website.

In the policies and standards for your company, you will need to follow a security cycle which will help you create a process to protect your information. To protect your business, you will need to create a system that will prevent, detect, respond and recover from attacks. The series of steps will be best implemented if you take into account both education and training. The whole cycle will only work effectively through proper coordination.

Once you have decided on a security policy, you will need to take some basic steps before your system goes online:

  • implement network intrusion detection systems (NIDS) and/or firewalls;
  • do not keep services that you will not use on your network (e.g. FTP and mail);
  • shut down Internet control message protocol (ICMP) services when warranted;
  • have a backup Internet Service Provider (ISP);
  • review the default settings of your system and adjust them to meet your security requirements.
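The "do not keep services you will not use" step is the one most easily checked before a server goes live. The following added example (not from the article) parses the output layout of the Linux `ss -tlnp` command, using a constructed sample rather than output from a real host, and reports every listening TCP service that is not on an allowlist of what a public web server is expected to expose. The allowlist and the treatment of loopback-only services are assumptions for this example.

```python
"""Pre-launch audit of listening services against an allowlist.

Added example, not from the article. It parses lines in the layout of
`ss -tlnp` (a constructed sample is embedded below) and reports every
listening TCP service that is not on the allowlist for a public web server.
"""
import re

# Ports an e-commerce web server is expected to expose (assumed allowlist):
# HTTP, HTTPS and administrative SSH. Anything else (FTP, mail, ...) is reported.
ALLOWED_PORTS = {22: "ssh", 80: "http", 443: "https"}

# Constructed sample in the layout of `ss -tlnp`; not real output from any host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=901,fd=4))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=955,fd=13))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1020,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1020,fd=7))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1100,fd=21))
"""

# One LISTEN line: state, queues, local addr:port, peer addr:port, process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return (bind_address, port, process) for each LISTEN line; other lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit_listeners(listeners, allowed_ports=ALLOWED_PORTS):
    """Flag every listener whose port is not on the allowlist.

    Services bound to all interfaces are reported as 'exposed'; services bound
    only to loopback are reported as 'local-only' so the reviewer can still
    decide whether they are needed at all.
    """
    findings = []
    for addr, port, proc in listeners:
        if port in allowed_ports:
            continue
        exposed = addr in ("0.0.0.0", "*", "[::]", "::")
        findings.append({
            "port": port,
            "process": proc,
            "severity": "exposed" if exposed else "local-only",
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{f['severity']:10s} port {f['port']:5d} ({f['process']})")
```

On the constructed sample the audit reports FTP (21) and SMTP (25) as exposed and the database listener (3306) as local-only; run against real `ss -tlnp` output, the same function gives the list of services to shut down or justify before the system goes online.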

At this point, you should have a fairly secure system and you should be able to keep "script kiddies" away for a while. A similar analogy would be to use a steering wheel "club" device for protection on your vehicle. It doesn't mean that your vehicle will not be stolen but it will keep most car thieves away from it.

Now that your system is running live, you should take the following monitoring actions:

  • note any intrusion signs such as unusual log-ons outside regular hours or while employees are vacationing, system slowdown, and remote access log-ons and attempts;
  • record all employee complaints of their system being used while they were away or their system behaving abnormally;
  • use adequate logging features to collect evidence;
  • be conscious of your email conversations on the network about the incident. You could be monitored by the people who attacked your system;
  • do not start your own investigation and evidence collection. You could destroy crucial evidence. Hire trained experts for this task;
  • remember that cleaning your system is no guarantee that you won't be attacked again. Stay alert and proactive.
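The first two items above are detection rules, and they only work if the logging in the third item is in place. As an added example (not from the article), the following code runs those rules over constructed syslog-style authentication records: log-ons outside regular hours, log-ons by accounts whose owners are recorded as away, remote log-ons, and repeated failed attempts from one source. The record format, the business-hours window, the list of absent employees and the failure threshold are all assumptions for this example.

```python
"""Detection of the intrusion signs listed above, run over sample log lines.

Added example, not from the article. It works on constructed syslog-style
authentication records and flags: log-ons outside regular hours, log-ons by
accounts whose owners are recorded as away, remote log-ons, and repeated
failed attempts from one source.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample records; not real log data.
SAMPLE_LOG = """\
2000-03-06 09:12:03 host1 login: ACCEPT user=alice src=10.0.0.15 method=console
2000-03-06 23:41:17 host1 login: ACCEPT user=bob src=203.0.113.9 method=remote
2000-03-07 02:05:44 host2 login: ACCEPT user=carol src=10.0.0.40 method=console
2000-03-07 10:15:01 host2 login: FAIL user=admin src=198.51.100.7 method=remote
2000-03-07 10:15:04 host2 login: FAIL user=admin src=198.51.100.7 method=remote
2000-03-07 10:15:09 host2 login: FAIL user=admin src=198.51.100.7 method=remote
2000-03-07 10:15:12 host2 login: FAIL user=root src=198.51.100.7 method=remote
2000-03-07 11:30:00 host1 login: ACCEPT user=dave src=10.0.0.22 method=console
"""

AWAY_USERS = {"carol"}          # employees on vacation for the log period (assumed)
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 counts as regular hours (assumed)
FAILED_ATTEMPT_THRESHOLD = 3    # failures from one source before it is reported (assumed)

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login: "
    r"(?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$"
)


def parse_records(text):
    """Parse each log line into a dict with a datetime timestamp; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def detect(records, away_users=AWAY_USERS):
    """Return a list of (rule, who, source) findings for the records."""
    findings = []
    failures = Counter()  # failed attempts per source address
    for rec in records:
        user, src = rec["user"], rec["src"]
        if rec["result"] == "FAIL":
            failures[src] += 1
            continue
        # Successful log-ons are checked against the three "unusual log-on" rules.
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after-hours-logon", user, src))
        if user in away_users:
            findings.append(("logon-while-away", user, src))
        if rec["method"] == "remote":
            findings.append(("remote-logon", user, src))
    for src, count in failures.items():
        if count >= FAILED_ATTEMPT_THRESHOLD:
            findings.append(("repeated-failures", f"{count} attempts", src))
    return findings


if __name__ == "__main__":
    for rule, who, src in detect(parse_records(SAMPLE_LOG)):
        print(f"{rule:18s} {who:12s} from {src}")
```

The rules are deliberately simple and produce leads, not verdicts: a remote log-on by an administrator at night may be legitimate, which is why each finding carries the account and source so it can be matched against the employee complaints the second item asks you to record.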

Whether you are performing e-commerce transactions or protecting your intellectual property, you should be familiar with other security features such as digital signatures and certificate authorities.

A good definition of a digital signature can be found at (www.webopedia.com): "A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be."

Digital signatures are used for the following:

  • to endorse a document;
  • as an endorsement of identity only;
  • they do not certify the authorship of a document;
  • they are not an approval of the content.

A certificate authority differs from a digital signature in that a trusted third party confirms the identity of the parties involved in an electronic transaction.

Webopedia defines a certificate authority as: "a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be."
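The two definitions above describe two separate checks: the signature proves that the holder of a private key produced the message, and the certificate authority vouches that a particular person holds that key. The following added example (not from the article or Webopedia) shows both checks in pure Python using textbook RSA without padding so that it runs on the standard library alone. The primes are Mersenne primes, chosen only to avoid writing a prime generator, which makes the keys trivially factorable; the names, messages and key sizes are constructed for the demonstration, and a real system uses a vetted library with random primes and a padded signature scheme.

```python
"""Digital signature versus certificate authority, demonstrated in pure Python.

Added example, not from the article or Webopedia. Textbook RSA with no
padding and Mersenne primes (trivially factorable) is used so that the code
runs on the standard library alone; it illustrates the roles, not a
production scheme.
"""
import hashlib
import json

E = 65537  # public exponent; coprime with every phi(n) built below


def mersenne(k):
    """2**k - 1, prime for the exponents used here (89, 127, 521, 607, 1279, 2203)."""
    return (1 << k) - 1


def make_keypair(p, q, e=E):
    """Textbook RSA: returns (public, private) as (n, e), (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest(data):
    """SHA-256 of the data as an integer; every modulus used below exceeds 2**256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """The signer proves possession of d; anyone holding (n, e) can check the result."""
    n, d = private_key
    h = digest(data)
    assert h < n, "modulus must be larger than the digest"
    return pow(h, d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def cert_body(subject, public_key):
    """Canonical bytes the CA signs: an identity bound to a public key."""
    n, e = public_key
    return json.dumps({"subject": subject, "n": n, "e": e}, sort_keys=True).encode()


def issue_certificate(ca_private, subject, public_key):
    """The CA, as trusted third party, vouches that `subject` holds `public_key`."""
    return {"subject": subject, "key": public_key,
            "ca_signature": sign(ca_private, cert_body(subject, public_key))}


def verify_certificate(ca_public, cert):
    return verify(ca_public, cert_body(cert["subject"], cert["key"]), cert["ca_signature"])


def verify_signed_message(ca_public, cert, expected_subject, message, signature):
    """Both checks a relying party needs: the CA vouches for the key in the
    certificate, and that key produced this signature over this message."""
    if cert["subject"] != expected_subject or not verify_certificate(ca_public, cert):
        return False
    return verify(cert["key"], message, signature)


# Constructed key material for the demo.
CA_PUBLIC, CA_PRIVATE = make_keypair(mersenne(607), mersenne(521))
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(mersenne(1279), mersenne(127))
ALICE_CERT = issue_certificate(CA_PRIVATE, "alice@example.test", ALICE_PUBLIC)


def demo():
    """Returns (genuine_ok, tampered_ok, impersonation_ok)."""
    order = b"purchase order 1234: 10 units"
    sig = sign(ALICE_PRIVATE, order)
    genuine = verify_signed_message(CA_PUBLIC, ALICE_CERT, "alice@example.test", order, sig)
    # Changing the message after signing breaks the signature.
    tampered = verify_signed_message(CA_PUBLIC, ALICE_CERT, "alice@example.test",
                                     b"purchase order 1234: 99 units", sig)
    # A key pair without a CA-issued certificate cannot pass as alice, even if the
    # impostor signs a certificate for it with that same key.
    mallory_public, mallory_private = make_keypair(mersenne(2203), mersenne(89))
    forged_cert = issue_certificate(mallory_private, "alice@example.test", mallory_public)
    impersonation = verify_signed_message(CA_PUBLIC, forged_cert, "alice@example.test",
                                          order, sign(mallory_private, order))
    return genuine, tampered, impersonation


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The third case is the one the CA definition is about: a valid signature under some key says nothing about who the signer is until a party the relying side already trusts has signed the binding between the identity and that key.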

Digital signatures, certificate authorities, digest, and encryption are terms constantly used by security professionals dealing with problems such as push/pull technology. The "pull technology" refers to a user surfing the Internet and requesting information to be downloaded to his/her computer system.

For example, if you decide to download the encryption software PGP, you need to go to the (www.pgp.com) website and download the freeware version. Once it is downloaded, you will install the software on your system, or you can delete it if you change your mind.

The majority of users on the Internet today use this type of technology. As a user you have the advantage of choosing what will be installed on your system and what kind of changes you will allow on your PC. You are still vulnerable to viruses and malware (malicious software). You are, however, in a better position to monitor and react quickly to an attack if warranted.

The "push technology" is a different threat altogether. You might be familiar already with ActiveX controls and Java applets. In a nutshell, they are little programs executed on your system making Web surfing more interactive. They frequently run in the background while you are surfing the Internet.

A good example would be when you install software that asks you whether you want future upgrades when they become available. If you responded "Yes", you will automatically receive upgrades from the manufacturer while you are surfing the Web. The installation will occur without you asking for it.

For example, you can download the newer version of Real Player at (www.realplayer.com). It is a tool for listening to music files. Once the program is installed and you have agreed to let Real Player send you updates, the push technology will take effect every time you sign on to the Internet. Real Player will check its website for updates without you asking for it.

Another great example is the Bullet software from a security company named ISS at (www.iss.net). This software will push an ActiveX control onto your system and check to make sure that you are not infected by a virus before you go on one of their clients' websites. The software will clean your machine automatically if you are infected by a virus.

You will also find this type of technology when you subscribe to a service that enables you to receive the latest stock quotes on your system every few minutes. When your system is hooked up to the Internet as you are working away on something else, it will automatically download the quotes for you on your computer. This type of service is very useful, but you must be certain that the source of the software is 100 percent reliable. It should be used with care and common sense. Remember that you are allowing an unknown person to install an unknown number of files on your system in several different locations. The source code for the files is unknown to you and you should react accordingly.

Stop hackers

The CSI (Computer Security Institute) released a recent survey which revealed that most security violations in businesses are internal problems. The ratio used to be 80 percent internal (ex-employees included) and 20 percent external (hackers). The 2000 survey shows a ratio of 71 percent and 29 percent respectively. The increase in external hits by hackers is primarily due to the technology being easier for the "script kiddies" to use and the population becoming more computer-literate.

Because the threat is now real, we need to focus more attention on security. A proper security cycle includes: prevention, detection, response and recovery. You need to focus on the prevention and detection components to minimize the amount of money spent on response and recovery.

We presently have a very hot market for e-commerce businesses. To secure your e-systems effectively, a proper security assessment and a good system implementation will save you a lot of grief and money. It may be more costly initially but you will be glad that you made the decision when your competitors are shutting down for the day because of a DoS (Denial of Service) attack, while your system is up and running and you are busy taking orders.

Rene Hamel is a senior manager for the newly formed Technology Investigation Services practice for KPMG Investigation and Security Inc. After more than 15 years in the RCMP, he spent the last three working for the RCMP Vancouver Technological Crime Section where he performed hacker investigations and computer forensic analysis. Rene received training from different agencies specializing in network security and data recovery such as the FBI (Quantico, Va.), Electronic Warfare Associates -- EWA (Ottawa, ON), ASRData (Austin, Texas) and the Canadian Police College (Ottawa, Ontario).

© CLB MEDIA INC., 2008 Advanced Manufacturing