Security Considerations in Electronic Business
While the Internet and electronic business may be the hottest topics in the world today, security is always listed at the top or near the top as the chief concern or barrier for those charged with installing and maintaining such e-solutions. Moreover, electronic business is elevating security from a departmental issue to a core business issue. Worse, because the Internet is the gold rush of the latter 1990s, it brings with it its own brand of charlatan and criminal.
The threats are broader than they used to be, given the ubiquitous nature of access points. Previously, areas of potential attack were usually quantifiable, and the IT professional knew how to address the issues with existing techniques.
It is easy to be overwhelmed. If, as the Internet industry says of itself, the speed of change and development is measured in "dog years," then Internet security must be measured in something like "fruitfly years" – with its 10-day life cycle – because of how quickly news on security multiplies.
Hackers, Hackers, Everywhere
Hackers have their own conferences, such as last July’s DefCon VII Las Vegas convention that drew 3,000. The most conspicuous hacking clan? Cult of the Dead Cow, which is 15 years old. Hackers have their own trade journals; check out www.2600.com as an example. And there are ethical hackers (white hat) and not-so-ethical hackers (black hat).
Perhaps the most famous hacker is Kevin Mitnick who, in 1994 and 1995, broke into the home computer of Tsutomu Shimomura, noted security expert at San Diego’s Supercomputing Center, as well as into many commercial sites, including ones at Sun Microsystems. His punishment was meted out in August 1999 – a $4,125 fine and 46 months in prison, which was virtually his time already served; in fact he was released this past January.
Then there is the now-jailed Russian mathematician, working with inside accomplices, who transferred $10 million out of Citibank, with all funds but $400,000 being recovered. The bottom line: Do not count on law enforcement as your sole protection or remedy.
A Web site can suffer damage in any number of ways. Examples include disclosing sensitive data, accepting a transaction from unauthorized individuals, modifying or destroying the site’s data, denying service (e.g., flooding the site with the intention of crashing it), surreptitiously monitoring the site, counterfeiting the site, or allowing improper, though accidental, actions by legitimate users.
A Perception Problem
While security is incredibly important, it is also a perception problem. There is a little joke about corporate management that goes, "It’s not whether you win or lose, it’s whether you are perceived as winning or losing." By analogy, even the most obscure security flaw in a browser can make front-page headlines across the nation, such as the Microsoft Internet Explorer security flaw publicized last year. The flaw made it possible to expose a user’s files to a malicious Web site operator – even if the files resided behind a firewall. The security hole, discovered early in September, was fixed in that same month.
Although security issues can be a perception problem, still, the most important piece of advice is do not leave security to the neophyte. Unless you are well versed in the known techniques of hacking, even the best security product can be cracked if not installed in its optimum configuration.
Another piece of sage advice is to not spend more to protect the information than the information is itself worth. Certainly, protecting a trade secret, such as how to make Coca-Cola, is more important than protecting the company’s telephone list. However, it gets murkier when deciding "how far to go" to protect the company’s employee salaries.
Given infinite need and infinite resources, anything can be compromised. Thus, the job in security is either to raise the cost of obtaining the information above what the information is worth, or to make obtaining it more difficult than it would be at someone else’s site holding similar information.
Raising the Bar
Raising the bar is not trivial and requires experts to identify all weaknesses. However, even experts sometimes get caught: in late September 1999, Newsweek reported that the Russians breached American Department of Defense computer security, grabbing classified naval codes and information on missile-guidance systems.
Security requires eternal vigilance (monitoring) and strict adherence to the security policy. It is a process that evolves and grows and cannot be static.
Always start with a security policy – what to protect and from whom. A policy’s table of contents should include physical, administrative, auditing and audit trail, authentication, personnel, accountability, authorization, confidentiality, availability, operational, encryption, hardware, network, data (integrity), redundancy, backup and software security.
It should include metrics on prevention, detection, authorization (something you are [fingerprint], something you have [badge] and something you know [password]), and hardware, software, development, testing, operational and maintenance assurances. If you are a financial institution, also check out what requirements the government has, such as in the Financial Institution Letter FIL-68-99 titled, "FDIC Issues Paper on Information System Security Issues."
By the Numbers
A joint security report on 163 organizations by the Computer Security Institute and the FBI states losses of $124 million in 1998. If that seems low, remember that only a small fraction of organizations actually report security breaches for fear of investor consequences and vulnerability "advertisement."
In an August 1999 General Accounting Office report to the House banking subcommittee on monetary policy, 44 percent of banks, thrifts and credit unions surveyed had not enacted strict enough measures to keep their computer systems safe from hackers.
Although not necessarily a reaction to this report, the Financial Services Information Sharing and Analysis Center (FS/ISAC) has been formed to allow financial firms to quickly and anonymously share information on computer system security threats – a sort of early warning radar screen. A sampling of its members includes Citigroup, Bank of America and Fidelity.
Even something as "benign" as the Melissa virus in March 1999 caused companies like Microsoft, Lucent and Unisys to shut down their e-mail systems for a time. As Fred Matteson, Executive Vice President Technology Services at Charles Schwab & Co, says, "Security must be built in from the beginning," – yet still support the IT goal to "delight our most demanding customer at the peak hour of the busiest day." Let’s now turn our attention to several of the main technologies required to support electronic commerce.
Firewalls
To protect assets, typical network security focuses on perimeter security – guarding the gates – and that is what a firewall does. It is similar to a home security system with magnets on the doors and windows; the network funnels all external, unverified traffic through the firewall.
However, threats can originate from the inside, and firewalls do not protect against those. This is where intrusion detection systems, discussed later, come in, being akin to the infrared sensors of a home security system; these also protect against the unlikely event of someone cracking the firewall.
While firewalls are generally used to shield corporate assets from Internet-originated attacks, firewalls can also be used in intranet implementations to shield particularly sensitive data from the general corporate population.
Web server content is usually made available to Internet browsers through the firewall, across a portion of the network called a free trade, or demilitarized zone (DMZ). It is, sort of, a semi-trusted and semi-untrusted separated network segment (see Figure 1).
Firewall Types
There are three different types of firewalls. Packet filters, also called filtering gateways, are the most basic kind of firewall and are usually implemented in routers. They look at the message routing information in the TCP/IP packets, such as source IP address, destination IP address and port number, to decide whether to pass the message. Packet filtering firewalls usually offer fast throughput, but are weaker in management characteristics.
Application gateway firewalls, popularly known as proxy servers, are the strictest guardians, analyzing not only the IP routing information, but also information in the application layer. They are more complex and potentially slower than packet filters.
Proxy servers translate an internal IP address into a valid (registered) Internet address. Thus, an internal user never makes a direct connection to the Internet; hence the term proxy server – acting on behalf of the user. A host receiving a request from such a protected user is aware only of the proxy’s address, not the user’s actual address.
Stateful inspection firewalls combine advantages of application gateways with the speed of packet filters. They are also very flexible when making changes. They understand data in the IP packets intended for all the network layers, thereby providing a "stateful" context, securing applications more effectively than other types of firewalls that examine data only in certain layers. Stateful inspection integrates the information gathered from all layers into a single inspection point for speed.
Firewalls operate under a set of rules entered by the security administrator that determine who or what on one side of the firewall can talk to whom or what on another side. Make sure you change the standard default on most firewalls to something other than anyone-to-anyone, and change the initial default passwords.
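To make the three firewall types concrete, here is an added example (not code from the article or from any product it mentions) in Python: a packet filter driven by a rule table with an explicit default-deny fallback, and a stateful inspection layer on top of it that admits reply traffic only for connections it has already seen. All addresses, ports, rules and packets are constructed for the demonstration. The point it shows is the one the text makes about defaults and about stateful context: a pure packet filter that must let replies back in needs a broad inbound rule, and that rule also admits unsolicited packets, whereas the stateful firewall needs only the outbound rule.

```python
"""Added example: toy packet filter plus stateful inspection (constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP SYN flag: True on a connection-opening packet


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR network, or "any"
    dst: str             # CIDR network, or "any"
    dport: Optional[int] # None means any destination port
    proto: str


def _match(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def filter_packet(pkt: Packet, rules, default="deny") -> str:
    """Packet filter: first matching rule wins; unmatched traffic gets the default.
    The default is 'deny' here, unlike the anyone-to-anyone default that the
    article warns many products ship with."""
    for r in rules:
        if (_match(r.src, pkt.src) and _match(r.dst, pkt.dst)
                and r.proto == pkt.proto
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return default


class StatefulFirewall:
    """Stateful inspection: new connections must pass the rule table; once one is
    admitted, its 4-tuple is remembered so that replies and follow-on packets are
    allowed without a broad inbound rule."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.table = set()   # established (src, sport, dst, dport) tuples

    def inspect(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"   # reply direction of a known connection
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table:
            return "allow"   # continuation of a known connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"    # mid-stream packet with no known state
        verdict = filter_packet(pkt, self.rules, self.default)
        if verdict == "allow":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


# Constructed policy: internal hosts (10.0.0.0/8) may browse the Web.
# A stateless filter additionally needs an inbound rule so replies get back in.
STATEFUL_RULES = [Rule("allow", "10.0.0.0/8", "any", 80, "tcp")]
STATELESS_RULES = STATEFUL_RULES + [Rule("allow", "any", "10.0.0.0/8", None, "tcp")]

# Constructed traffic.
OUTBOUND_SYN = Packet("10.1.2.3", "203.0.113.5", 40000, 80, "tcp", syn=True)
REPLY = Packet("203.0.113.5", "10.1.2.3", 80, 40000, "tcp")
UNSOLICITED = Packet("203.0.113.5", "10.1.2.3", 80, 40001, "tcp")   # no prior connection
PROBE = Packet("198.51.100.7", "10.1.2.3", 50000, 22, "tcp", syn=True)  # inbound to ssh


def run_demo():
    """Return verdicts from both firewall styles for the constructed traffic."""
    fw = StatefulFirewall(STATEFUL_RULES)
    return {
        "stateless_reply": filter_packet(REPLY, STATELESS_RULES),
        "stateless_unsolicited": filter_packet(UNSOLICITED, STATELESS_RULES),
        "stateless_probe": filter_packet(PROBE, STATELESS_RULES),
        "stateful_syn": fw.inspect(OUTBOUND_SYN),
        "stateful_reply": fw.inspect(REPLY),
        "stateful_unsolicited": fw.inspect(UNSOLICITED),
        "stateful_probe": fw.inspect(PROBE),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {verdict}")
```

Run as written, the stateless filter allows both the unsolicited packet and the inbound probe because of the broad inbound rule it cannot do without, while the stateful firewall allows the reply and denies both of the others.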
Firewall Uses
Use firewalls for controlling enterprise perimeter security and for implementing "zone" perimeter security – for example, for business units, and even down to the department level, depending on the size of the organization.
If your budget allows, a proper, secure network design can and should include all three types of firewalls, with the various firewalls protecting different areas of the network and the information stored on its servers (see Figure 2). As with all security projects, the more devices you connect in sequence to protect your network, the more secure it will usually be. However, managing multiple firewalls, especially from different vendors, can be daunting, even for the experienced.
On the flip side, you may be tempted to run multiple applications on a single Web server to save costs, or to perhaps combine a firewall with other functions. In a word, don’t. As applications get piled onto a system, interactions can have unsuspected implications and, consequently, vulnerabilities. Think of it this way.
It is much easier to understand how the 20,000 lines of code work, constituting a single application, than it is to understand how two independently developed applications work, let alone how they interact with one another and with the server operating system.
Many people think that they are done once they have installed a firewall. However, that is not the case. Another crucial piece of protection is the intrusion detection system.
Intrusion Detection
Intrusion detection products are the infrared detectors of a larger infrastructure of information security measures. Intrusion detection analyzes and determines the potential for threats, monitors activity on networks and computing resources for suspicious activity, and detects and responds to attempts to gain unauthorized access.
If you are familiar with antivirus tools, then you already have the basics to understand how intrusion detection products work. Just as every virus has a signature, so do hackers’ tools and attempts at cracking a system or network. Intrusion detection products monitor the network traffic looking for these signatures that indicate an attack is in progress.
An important aspect of intrusion detection systems is to minimize signaling false alarms, also known as false positives. If this occurs, the intrusion detection system could wind up being ignored, frequently crying "wolf," as it were. Fortunately, they generally do not generate false positives because they "understand" what an attack signature looks like.
The biggest strength of intrusion detection systems is that they operate in real time and are therefore necessarily fast. The biggest weakness of intrusion detection is that, as with antivirus tools, the intrusion detection engine cannot detect something for which it does not have a signature. Intrusion detection systems must also be updated whenever a new signature is added to the list.
Intrusion detection products are usually connected on the critical network segments behind the firewall – that is, somewhere inside the organization, on its LANs. This is because, should a firewall ever be breached, or should an attempted intrusion originate from within the organization, then the intrusion detection product is optimally positioned to detect such an intrusion.
As with a firewall, the intrusion detection engine operates with a set of rules. Rules can describe what kind of network traffic is normally expected/allowed on the LAN. This could include, for example, rules to expect the presence of http (browser) and e-mail traffic, but not that of ftp (file transfer protocol). This way, when unexpected traffic passes by, a red flag can be raised.
Intrusion detection products can be divided into three categories: vulnerability scanners, network monitors and server auditors, sometimes available in suites.
Vulnerability-Testing Scanners
Vulnerability-testing scanners assess a network and servers, identify vulnerabilities and report what you already know – that you are, indeed, vulnerable. Vulnerabilities can include missing system patches, improperly adjusted system configurations, weak password and authentication methods, and weak resource access controls for servers. SATAN (Security Administrator Tool for Analyzing Networks) is, perhaps, the best-known example of vulnerability scanners, released in mid-1995 by Dan Farmer.
Some vulnerabilities are more easily exploited, while others are not, requiring significant skill and expense. A vulnerability scan helps prioritize these.
By relying on these types of assessment tools, systems that have had vulnerabilities identified and eliminated are more secure; the more you defend against common hacks by properly configuring the network and systems, the fewer the number of attacks that will be sustained. Vulnerability scans should be run periodically, even after fixing the initially uncovered set of vulnerabilities.
By studying Computer Emergency Response Team (CERT) advisories and notes at www.cert.org and by building awareness among an organization’s user population, security can be further assured. However, after securing systems, network monitors are used to scan for suspicious behavior on a network in real time.
Network Monitors
Network monitors, the second form of intrusion detection products, are configured to look for attacks, "sniffing" packets on the network for anomalous behavior and known malicious signatures. These can include common hacks, such as well-known IP address spoofing and recognized denial of service attacks. Intrusion detection monitors easily detect these common hacks, and they also scan for more sophisticated types of attacks.
Network monitors can be configured for alerts and actions to repel an attack. Today’s monitors are judged with regards to "adaptive network security," which is an expression coined by Internet Security Systems (ISS). The expression refers to a monitor’s ability to cause firewalls, routers and other devices to take action to interrupt an offending packet. This automated reaction is a compelling selling point for monitors supporting the capability.
When reacting to a suspected intrusion, an adaptive approach reduces human involvement and, thereby, response time. On the other side, a monitor should not be configured to react automatically until normal traffic patterns are well-understood.
Automated reactions initiated by the intrusion detection monitor that take place in routers and firewalls may themselves be a cause of unplanned denials of service. This may be especially true during an initial stabilization period, when false positives are being eliminated. Automated reaction can be turned off during this time to allow a network administrator to understand and cope with atypical and suspicious activities.
Take advantage of automated reactions to provide greater control of response to incidents. The bottom line is that human interaction is still required for most security decisions.
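The following added example (not code from the article or from ISS or any other vendor it names) pulls together the network monitor ideas from the preceding sections in Python: signature matching over packet payloads, "expected traffic" rules that flag protocols the segment should not carry (ftp on a segment meant for http and e-mail), a spoofed-source check, an audit trail recording source and destination, and an automated block action that stays off until the operator turns it on. The signatures, addresses, interfaces and packets are constructed for the demonstration. Two caveats from the text are built in: a known-benign host is recorded but not alerted on, so the monitor does not cry wolf every time the vulnerability scanner runs, and a packet whose source address is spoofed is never auto-blocked, since blocking that address would cut off its legitimate owner and turn the monitor into a source of denial of service.

```python
"""Added example: toy network monitor with adaptive response (constructed data)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    iface: str    # "ext" (Internet side) or "int" (LAN side) where the packet was seen
    src: str
    dst: str
    dport: int
    payload: str


# Constructed signature list. Real products ship hundreds and need regular updates.
SIGNATURES = [
    ("directory-traversal", re.compile(r"\.\./\.\./")),
]

# Ports the segment is expected to carry; anything else raises a flag.
EXPECTED_PORTS = {80: "http", 25: "smtp", 110: "pop3"}

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Hosts whose noisy traffic is known benign, e.g. the organization's own scanner.
KNOWN_BENIGN = {"10.0.0.50"}


class Monitor:
    def __init__(self, auto_block=False):
        self.auto_block = auto_block   # keep False during the stabilization period
        self.audit = []                # (src, dst, dport, reasons) audit trail
        self.blocked = set()           # sources the firewall would be told to block

    def inspect(self, ev: Event):
        reasons = []
        for name, pattern in SIGNATURES:
            if pattern.search(ev.payload):
                reasons.append(f"signature:{name}")
        if ev.dport not in EXPECTED_PORTS:
            reasons.append(f"unexpected-port:{ev.dport}")
        if ev.iface == "ext" and ipaddress.ip_address(ev.src) in INTERNAL_NET:
            reasons.append("spoofed-source")   # internal address arriving from outside
        if not reasons:
            return []
        if ev.src in KNOWN_BENIGN:
            # Suppress the alert but keep the record: a known scanner would
            # otherwise trip every signature and, with auto_block on, block itself.
            self.audit.append((ev.src, ev.dst, ev.dport, "suppressed:" + ",".join(reasons)))
            return []
        self.audit.append((ev.src, ev.dst, ev.dport, ",".join(reasons)))
        if (self.auto_block
                and "spoofed-source" not in reasons
                and any(r.startswith("signature:") for r in reasons)):
            # Only a signature hit on a credible source drives an automated block;
            # reacting to a bare port anomaly or a spoofed address is how a monitor
            # causes its own unplanned denial of service.
            self.blocked.add(ev.src)
        return reasons


# Constructed traffic for the demonstration.
TRAFFIC = [
    Event("int", "10.0.1.7", "10.0.2.20", 80, "GET /index.html HTTP/1.0"),
    Event("ext", "198.51.100.9", "10.0.2.20", 80, "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    Event("int", "10.0.1.8", "10.0.2.30", 21, "USER anonymous"),
    Event("ext", "10.0.3.3", "10.0.2.20", 80, "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    Event("int", "10.0.0.50", "10.0.2.20", 80, "GET /cgi-bin/../../etc/passwd HTTP/1.0"),
]


def run_monitor(auto_block=False):
    """Feed the constructed traffic through a monitor and return it for inspection."""
    m = Monitor(auto_block=auto_block)
    m.results = [m.inspect(ev) for ev in TRAFFIC]
    return m


if __name__ == "__main__":
    m = run_monitor(auto_block=True)
    for ev, reasons in zip(TRAFFIC, m.results):
        print(f"{ev.src:>14} -> {ev.dst}:{ev.dport:<4} {reasons or 'ok'}")
    print("blocked:", sorted(m.blocked))
    print("audit entries:", len(m.audit))
```

With `auto_block=False`, the first run of a new deployment, every finding lands in the audit trail and nothing is blocked; flipping the flag on after normal traffic is understood blocks only the external source that matched a signature.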
Placement of the intrusion detection monitor is important. This determination starts with an examination of the organization’s assets (networks, systems, etc.). Network monitors should be placed on high-risk LAN segments and gateways and near business-critical servers.
Host-Based Intrusion Detection
The third category of intrusion detection products is host-based server audit software. This class of software complements network monitoring and extends the native audit facility of the server, tracking activity. It analyzes logs and responds to alerts with actions. Some products consolidate various forms of audit logs for central reporting.
Host-based devices that should be protected include production servers (both internal and external), domain controllers, administration servers, remote access devices, and other critical network-connected systems and devices.
A host-based tool should be able to monitor multiple ports, log multiple items (e.g., source and client addresses), check file and system integrity, and track file, file permission and other configuration changes.
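As an added example of the file and configuration tracking just described (not code from the article or from any product it names), here is a minimal host-based integrity checker in Python. It takes a baseline of every file under a directory, recording a SHA-256 digest and the permission bits, and a later comparison reports content changes, permission changes, and files that appeared or disappeared. The directory, its files and the simulated changes are all constructed inside a temporary directory for the demonstration; a real deployment would store the baseline off-host so that an intruder cannot rewrite it along with the files.

```python
"""Added example: host-based file integrity monitor (constructed files)."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 hex digest, permission bits) for files under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            baseline[os.path.relpath(path, root)] = (digest, mode)
    return baseline


def compare(baseline, current):
    """Return a sorted list of (path, change) findings between two snapshots."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "deleted"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            old_hash, old_mode = baseline[path]
            new_hash, new_mode = current[path]
            if old_hash != new_hash:
                findings.append((path, "content-changed"))
            if old_mode != new_mode:
                findings.append((path, f"permissions-changed:{oct(old_mode)}->{oct(new_mode)}"))
    return findings


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed tree, baseline it, simulate tampering, and return findings."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "app.conf")
        server = os.path.join(root, "server")
        _write(cfg, "listen=80\n")
        os.chmod(cfg, 0o640)
        _write(server, "binary contents\n")
        os.chmod(server, 0o755)

        baseline = snapshot(root)

        # Simulated changes an auditor wants to see: config edited and made
        # world-writable, a new file dropped in, and the server binary removed.
        _write(cfg, "listen=80\nadmin_password=\n")
        os.chmod(cfg, 0o666)
        _write(os.path.join(root, "dropped"), "unexpected\n")
        os.remove(server)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{path:12s} {change}")
```

The findings come back sorted by path, so a periodic run can be diffed against the previous run's output, and the permission finding carries both the old and new mode so the reviewer can tell a loosening (0o640 to 0o666) from a tightening.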
What to Look For
An intrusion detection product should recognize the plethora of attack signatures, now generally acknowledged to be over 150. The signature database should be easily updateable. An intrusion detection product should be able to recognize unpredicted IP addresses and packet sequences. It should be able to create an audit trail of suspicious activity that includes source and destination addresses and the suspected intrusion. It should also determine whether an intrusion was successful and the extent of the intrusion. It must be capable of sending alerts and should have the ability to exclude false alarms.
Intrusion-detection products collect considerable amounts of data and do not do as much as they could to interpret it for the system administrator. This forces human intelligence into the equation to evaluate the significance or severity of events. Furthermore, the alerts generated are frequently not well integrated into enterprise-level network-management systems.
In 1998, there were $91 million in vulnerability assessment tool sales and $45 million in intrusion-detection software sales. Combined sales for 1999 are forecast at $262 million, growing to around $1 billion by 2003.
ISS is the worldwide network-based intrusion detection software market leader. They have almost a 50 percent market share for vulnerability testing scanners.
And they have an over 50 percent market share for network monitors, which is more than double the market share of the nearest competitor. Additionally, the ISS RealSecure network-monitoring product is endorsed by independent organizations, such as the American Banker’s Association through its Information Security Infrastructure Working Group.