Security Considerations in Electronic Business, Part 2

So now that you have the firewall and intrusion detection systems installed, you are still not done...

Monitoring and Management

Eternal vigilance is the security mantra, and it applies to a firewall and intrusion detection solution. Security monitoring allows immediate response to suspicious activity, up to and including shutting down Internet access. Firewall management means tracking the continuous stream of patches released by operating system, firewall and utility vendors, reviewing them for applicability and correctness, and updating the corresponding systems as the patches are released. This last item is crucial, since hackers are usually the first to read security flaw reports and then probe sites for the flaws.

When considering realtime firewall monitoring, the staffing requirements for a 24x7 in-house operation are daunting, usually mandating a minimum of four to five skilled employees once shifts, weekends, holidays, vacations and illness are considered. Conversely, outsourced security monitoring and management is usually available at a moderate monthly fee. It keeps IT infrastructure requirements to a minimum, controlling the costs for hardware and software. Furthermore, skilled in-house information security experts are scarce, difficult to hire, expensive to train internally, and even more expensive to retain. Worse, a mistake by a newly trained, though inexperienced, security "expert" can be quite costly.

All of these reasons explain why outsourcing of network security monitoring is growing at almost 50 percent annually, and will ultimately account for about one-third of all network security-related services spending. According to a recent survey, almost half of the organizations surveyed plan to use an outside vendor for the design and implementation of their security system, and closer to two-thirds will outsource to a network security monitoring service.

Look for a complete offering that supplies, aside from proactive realtime 24x7 monitoring, a coordinated security architecture development service, event and attack signature tracking, audit log reviews, periodic and frequent incident and usage profiles and reports, alarm notification, intrusion response strategies, multiple redundancies, nightly backup capability, event escalation procedures, regular patch updates, and inclusion of market-leading products. Less common, specialized features of some service offerings include Web filtering (content blocking) and prosecution assistance.

Incident Response

According to security experts, many companies lack both a comprehensive response program and the expertise required to respond to critical incidents. Regardless of whether you choose remote monitoring or choose to handle the monitoring yourself, an incident response plan is mandatory. Why? When an incident occurs, you will have precious few minutes to react, and it is best to have previously thought through the plan under less trying circumstances.

The incident response plan should focus on quickly restoring operations, and secondarily on aspects of prosecution. The procedures should include immediate notification of the information security officer, who then has the central responsibility for contacting and dealing with appropriate law enforcement officials. Relevant data must be collected and preserved; this can be challenging, because the data is often dispersed across many systems.

Remember that proper information security is a life cycle. Once an incident has occurred and the response is complete, steps must be taken to assess the event and the response, and to design and implement procedural and physical changes that prevent recurrence of similar incidents.

Make sure you consider employees, partners, customers, the computer emergency response team, information and business processes, alignment with the corporate security policies, procedures to shorten response time, training of IT staff and executives, reliance on internal versus external response resources, computer forensics and aspects of litigation.

Encryption

Another major topic essential for implementing secure electronic business is encryption. Encryption is the process of taking a "clear text" message or piece of data and scrambling it electronically so that the original text cannot be determined by looking at the encrypted string, even when the algorithm used in the encryption process is known.

Encryption is used just about everywhere: password validation, disk data protection, transmission of a bank’s electronic funds transactions, secure e-mail, and making purchases over the Web.

The difficulty of cracking a coded string grows exponentially with the number of bits in the "key" used to scramble the string. The larger the key size, the more difficult it is to decrypt the information. Use of a 56-bit key is more secure than use of a 40-bit key, with a 128-bit key being the strongest commercially available encryption today.

Encryption can be broken. There is shareware that can recover stored passwords protecting many Windows applications. It is reported that a 40-bit encryption string, having over one trillion possible different keys, can be broken using a brute-force attack in under four hours. The 56-bit U.S. Department of Defense’s present data encryption standard (DES), with more than 72 quadrillion different keys, has also been broken, most recently in just 22 hours. Because of this, a DES replacement with 128-bit keys (minimum) is now being sought, called the AES, or Advanced Encryption Standard.

Since each bit added to a key doubles the number of possible combinations, the stronger 128-bit encryption requires 4.7 trillion billion times as much work to break as the 56-bit DES.

The White House recently wrote a letter recommending the elimination of export restrictions for encryption technology greater than 56-bit keys, which would pave the way for true international support of an electronic business infrastructure. This would free U.S.-based software vendors to export products protected by any key length, though still with government technical review, and sales to countries such as Cuba, Libya, Iran, Iraq, North Korea, Syria and Sudan would still be forbidden.

Shared-Key Encryption

There are two types of encryption of interest for e-business. One is shared secret key cryptography, also referred to as private key, single key or symmetric key cryptography. The other is public key, or asymmetric key, cryptography.

Sharing secret keys works by using the same key, kept secret, to both encrypt the data at the originating location and to decrypt it at its destination (see Figure 3). The U.S. government’s DES is an example of this form of cryptography.

The biggest problem with a shared secret key is distributing the secret key, called a session key, to all locations participating in the encryption/decryption process. This is particularly a problem in e-commerce, when a secure transaction between you and your customer must occur in 10 seconds.

Another problem is managing the sheer number of shared secret keys. Imagine a buyer making purchases from 20 different vendors; 20 different secret keys would be required. These problems are actually solved by the next form of encryption discussed, public key encryption.

Public Key Encryption

Invented and patented in 1976 by Whitfield Diffie and Martin Hellman, public key encryption was developed to solve these key-management problems. In this form of cryptography, everyone is given two keys. One is a public key "advertised" to anyone you plan to conduct business with. The other is kept secret.

The two keys are complementary. When one is used for encryption, the other is used for decryption. You are also assured that for a given public key, there is only one secret key that complements (works with) it, and vice versa.

Here is an example. When Harry wants to send something securely to Sally, he encrypts the message using Sally’s public key and sends it. When Sally receives it, she decrypts it using her secret key. Only Sally can decrypt the message, since only she has her secret key.

This solves the secret-key distribution problems described above: The secret key for the session can be sent as the message.

Since either a public or a secret key can be used to start the encryption process, suppose Harry encrypts the message using his secret key and sends it to Sally. By doing this, the message could be decrypted by anyone using Harry’s public key. However, when Sally does decrypt it with Harry’s public key, she has unequivocal proof that the message was, in fact, sent by Harry.

Here is an illustration combining the use of both the public and private keys. First, Harry encrypts the message using Sally’s public key, as before, but then encrypts that resultant string with his secret key. When Sally retrieves the message, she decrypts it using Harry’s public key, and then as before, decrypts that resultant string using her own secret key (see Figure 4). Thus, only Harry could have sent the message, since it was successfully decrypted using Harry’s public key, and only Sally could have received it, because she decrypted it with her private key.

There is one additional step often used during the encryption process: A "hash" is created of the clear-text or encrypted message and sent along with the message. The hash is like a fingerprint of the message, assuring that message contents were not modified, either intentionally or unintentionally, in transit.

Digital Signatures & PKI

The previous examples present the basics of digital signatures, demonstrated by the following example. First, Harry encrypts the message using Sally’s public key, as before, but then creates a hash of the message and encrypts the hash with his secret key. The encrypted hash is attached to the encrypted message as the "digital signature" and sent to Sally. When Sally retrieves the message, she recreates the hash of the encrypted message and also decrypts the digital signature using Harry’s public key. If the two hash values are equal, then only Harry could have sent the message. Sally can now decrypt the message itself with her private key and use it for its intended purpose, being also assured that the contents are unmodified.

This multi-step encryption process provides authentication (a digital signature), nonrepudiation (it had to be from Harry, and Harry cannot deny that he sent it), and assurance that the message was not tampered with. However, public-key algorithms tend to be much slower than symmetric-key algorithms, which is why the slower public key cryptography is usually used only to exchange a secret key, and secret key cryptography is used during the bulk of the communications.
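As an added example, not code from the article, here is the Harry-and-Sally exchange from the two sections above carried through in Python: the session key sent "as the message" under Sally's public key, the hash of the encrypted message "encrypted" with Harry's secret key as the digital signature, Sally's verification with Harry's public key, and the hybrid arrangement of the last paragraph, where the symmetric cipher carries the bulk data. It uses textbook (unpadded) RSA with demo-sized 512-bit keys generated in-process and a toy XOR keystream cipher standing in for DES; the function names (generate_keypair, rsa_apply, stream_xor, harry_send, sally_receive, demo), the seeded key generator and the sample purchase-order message are my own constructions. It goes one step beyond the text by also showing what Sally sees when one byte of the ciphertext is altered in transit.

```python
import hashlib
import random
import secrets

# Seeded generator so the demo key pairs are reproducible; constructed for
# illustration only. Real key generation must use a cryptographic RNG.
_rng = random.Random(20240101)


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so the modulus has full size."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Textbook RSA: returns (public_key, secret_key), each an (exponent, modulus) pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)


def rsa_apply(key, value: int) -> int:
    """Raw RSA: the same operation applied with one key is reversed by the other."""
    exponent, modulus = key
    if not 0 <= value < modulus:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, modulus)


def stream_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for DES: XOR with a SHA-256(key || offset) keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(session_key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def _digest_int(data: bytes) -> int:
    """SHA-256 of the data as an integer (always below the 512-bit modulus)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def harry_send(message: bytes, sally_public, harry_secret):
    """Harry: fresh session key for the bulk data, session key under Sally's public key,
    hash of the ciphertext 'encrypted' with Harry's secret key as the digital signature."""
    session_key = secrets.token_bytes(16)
    ciphertext = stream_xor(session_key, message)
    wrapped_key = rsa_apply(sally_public, int.from_bytes(session_key, "big"))
    signature = rsa_apply(harry_secret, _digest_int(ciphertext))
    return wrapped_key, ciphertext, signature


def sally_receive(envelope, harry_public, sally_secret):
    """Sally: verify the signature with Harry's public key first; only then recover the
    session key with her secret key and decrypt. Returns None if verification fails."""
    wrapped_key, ciphertext, signature = envelope
    if rsa_apply(harry_public, signature) != _digest_int(ciphertext):
        return None
    session_key = rsa_apply(sally_secret, wrapped_key).to_bytes(16, "big")
    return stream_xor(session_key, ciphertext)


def demo():
    """Run the exchange once intact, then once with one ciphertext byte flipped in transit."""
    harry_public, harry_secret = generate_keypair()
    sally_public, sally_secret = generate_keypair()
    message = b"Purchase order 4711: 200 units, ship Friday."  # constructed sample
    envelope = harry_send(message, sally_public, harry_secret)
    recovered = sally_receive(envelope, harry_public, sally_secret)
    wrapped_key, ciphertext, signature = envelope
    tampered = (wrapped_key, bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:], signature)
    rejected = sally_receive(tampered, harry_public, sally_secret)
    return recovered, rejected


if __name__ == "__main__":
    print(demo())
```

Sally checks the signature before decrypting anything, so a tampered envelope, or one signed with somebody else's secret key, is rejected without her secret key ever being used on attacker-chosen data. Raw RSA without padding, as here and as the article describes it, is enough to show the mechanics but is not how production systems work: they use padded RSA (OAEP for encryption, PSS for signatures) or an equivalent, a vetted cipher in place of the XOR keystream, and public keys carried in verified certificates.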

A digital certificate contains your public key; the corresponding secret key stays with you, and only the public key is in the certificate. Furthermore, the public key is not just any public key; it is one issued by a "trusted" certificate authority (CA).

Netscape version 4.7 lists several CA agencies: Equifax, GlobalSign and VeriSign. Your certificate is tied to a higher certificate owned by the issuing authority, the top-level certificate being called a root certificate.

Digital certificates are also referred to as digital IDs, digital passports and public-key certificates. They are defined in the International Telecommunication Union (ITU) standard X.509. They have expiration dates and can be renewed, or reinstated if lost.

Digital certificates are particularly useful for securing e-mail, validating access via virtual private networks (VPNs), and for validating partner access to an extranet. They are also applicable for validating that clients of financial institutions are who they claim to be.

Digital certificates form the basis of a public-key infrastructure, since they serve the same purpose as your passport, being irrefutable proof of who you are. On the server side, implementing a PKI requires two pieces: a certificate authority and a certificate repository. The selected client software must also be capable of using certificates. The CA can be outsourced to a trusted agency. However, an organization can also run its own CA, but note that this is, in actuality, running a 24x7 online operation. The U.S. government has its own Federal Public Key Infrastructure Project (visit http://gitssec.treas.gov/oofpkisteer.htm). However, be forewarned that not all PKI approaches interoperate.

Legal Implications

Currently, many corporations use digital certificates infrequently. This may be due, in part, to legal and political issues regarding PKI and certificates, which can often be more challenging than the technical ones. Furthermore, the success of e-business between organizations depends on the interoperability of the PKIs, certificates and corresponding directories; not all vendors’ solutions work well together. Ultimately, digital certificates will be used as legally binding instruments of an organization, and, thus, it is important to fully protect them.

A digital signature bill, the Millennium Digital Commerce Act, has cleared the U.S. Senate. The U.S. is not the only country considering electronic signature laws; legislation in France, for example, will give electronic signatures the same status as a signature on paper.

Other Encryption

Secure Sockets Layer (SSL) is an open Internet standard for providing encrypted and authenticated services over the Internet. It uses public certificates to exchange a 40- or 128-bit session key to encrypt all traffic between the Web server and the client’s browser.

A virtual private network is an application of encryption for creating an end-to-end "tunnel" for secure access and data transmission over public networks, such as the Internet. Since the end user must load special software to enable a VPN, VPNs are best suited for internal uses, such as mobile workers and trading partners validated for extranet access. IP Security (IPSec) is a cryptographic protocol that applies particularly to VPNs.

Authentication Populations

Three populations require authentication: consumers, extranet partners and employees. Authentication varies with the category. Passwords and digital certificates apply to all three categories. Smart cards are appropriate for extranet partners and employees. And PIN tokens and biometrics (fingerprints and retinal patterns) are additionally appropriate for employees.

Ultimately, where possible, select single sign-on products based on the user population, and enforce strong passwords as well.

E-Business Insurance

Entering electronic business opens an organization to new risks and gives others more opportunities to exploit them. Consequently, it is a good time to review insurance coverage.

Regarding liability insurance, review it for copyright and trademark infringement, invasion of privacy, accidental disclosure of private, confidential or proprietary information, libel, slander and protection from suits made by others that rely on your e-business infrastructure.

Taking a look at first-party coverage, review coverage for loss or theft as a result of a network security failure, business interruption (Web site failure) and public relations to handle negative publicity.
