E-Business: Security for Your E-Business

Business is about risk and making calculated decisions. Security is about reducing risk. The two are inseparable, but oftentimes the business and technical management in a company is at odds with how to have an e-business and how to take reasonable security measures to mitigate unnecessary risks. Operating systems and products are riddled with holes and end users, as well as vendors, tend to be rather complacent about security. Security personnel do not like to take risks.

The business team, on the other hand, is typically used to taking risks, and may not be concerned with security at all. Often, this means the intentions of the security team can collide with the business team. So, what is an e-commerce company to do? The answer is to implement a process that creates and maintains a security posture for your enterprise that is complementary to your business goals, while reducing unnecessary security risks.

Good security is accomplished through processes, and not through a series of measures, policies or technologies. And it is not a product. My intent here is to communicate a useful process for analyzing your risks, determining reasonable measures to mitigate those risks and then to leave you with a process to maintain the security posture of your enterprise, all while still making it possible to do business.

This process is circular; that is, you have to repeat the entire process on a regular basis and break it into seven distinct steps. The seven steps to the security process are Analysis, Create Policies, Secure, Monitor, Test/Review, Improve and Repeat.

Analysis. Security is a useless exercise if you do not look at from whom you are trying to secure something, what it’s worth and what reasonable measures should be taken to protect it. The first thing you should do, before spending any time or money on any security measure, is to define what you are trying to secure and from whom. Is your threat internal, external or both? What sort of tools or methods does your attacker have at their disposal? How determined are they?

Once you have done that, you need to analyze the various methods that can be used to thwart your security measures and the costs borne by the attacker and you the defender. "Attack trees" provide an excellent tool for doing this. Bruce Schneier has written an excellent, in-depth paper on attack trees and how to use them that I will defer to on the specifics – the paper is available at www.counterpane.com/attacktrees-ddj-ft.html.

Attack trees, as their name indicates, are a tree structure where the root of the tree is the goal and the leaf nodes represent various routes to, or methods for, achieving that goal. Attack trees provide a formal method for analyzing the security posture of your enterprise and provide you with the information you need to understand what you should do and can do to protect your enterprise.

Policies. It’s a good idea to involve as many departments as possible to ensure that the policies you create make sense to the business and can be properly enforced.

Securing the Enterprise. This step involves implementing what you have learned from your analysis and putting your policies in place. This includes installing system patches, firewalls, intrusion detection systems, virus protection and other measures to lock down the enterprise. You will need sufficient technical expertise at your disposal to ensure that this step is executed precisely. A lack of expertise can spell disaster, so make sure your staff or contractors are qualified to do the work before proceeding.

Monitoring the State of Your Security Posture. This is a crucial step that many organizations take for granted. It does you no good to have filters on your routers, tripwire installed on your servers, firewalls and intrusion detection in place if you don’t know who is monitoring those systems. In short, how would you know if your security had been breached? Simple, by monitoring it.

You need to have good information consolidation and filtering in place so that it’s simple to monitor your enterprise and so that you do not overwhelm the people that have to do the monitoring. Far too often, when inundated with too much information, it’s easy to miss something, or worse, stop paying attention altogether. Automated tools, like log consolidators, coupled with automated intrusion detection and response systems can go a long way toward both reducing the time to respond to an incident (through automated means) and the volume of data that will have to be digested to determine if a problem exists.

Testing Your Security Posture. There are three types of tests you should conduct: in-depth security posture assessment, personnel readiness tests and business rules tests.

An in-depth security posture assessment involves probing every device in your enterprise; checking all the services running on those systems for vulnerabilities, misconfigurations and services that should or should not be turned on; and generally collecting technical information about what is on your network, what services are available in your enterprise and its security state. In short, hit all of your security measures and systems with every attack and probe out there. This will tell you if you missed something in your technical analysis, if your policies make sense, if your secure process was a success and if your monitoring systems work. This sort of test can produce a lot of information, so plan accordingly so that you have adequate time to analyze the results.

The second form of testing you need to conduct is personnel readiness testing. The intent of this test is to determine the responsiveness of the personnel tasked with monitoring the security of the enterprise and whether your security policies are being properly followed by your staff. Attacks on your enterprise should be as realistic as possible during this phase.

You’re not trying to find out if a system is patched; you did that during the in-depth security posture assessment. In this phase you are testing the personnel monitoring your enterprise and whether or not they will notice and properly respond to your attacks within an effective period of time.

The last phase of testing is business rules testing. This is important if you want your security model to survive the best intentions of those personnel tasked with making sure your business works. Basically, this is where you need to make sure your users have the capacity to complete their tasks and whether your staff can properly support your business goals. Put yourself in the shoes of the customer and those personnel tasked with supporting the customer during these tests. In short, can you still do business or have your security measures made it impossible to get things done?

Improving Your Security Posture. This is the part of the process where you have to go back, revisit your assumptions, patch your systems, turn services off (or on, as they case may be) and to basically repeat the entire process.

Repeat. Your security posture is not static. New patches to systems can open up old holes and turn on services you thought you had turned off. Furthermore, your staff may change the configuration of a system and install unauthorized programs on those systems or their workstations that further degrades the security posture of your enterprise.

Therefore, the best way to adapt to the inevitable changes in your enterprise is to make the security process a regular part of your organization’s best business practices. Revisit your analysis and its assumptions, check the relevance of your policies, install new security measures, monitor new additions, regularly test the security posture of your enterprise (weekly if possible), improve upon it and repeat the process again. Once you have this process in place, you will find that not only does it work, but it makes it easier to maintain both your business and your security posture.

About the Author: Michael T. Shinn is the CTO of eTantrum Inc. He has worked as a Senior Systems Architect on the U.S. Securities and Exchange Commission Internet EDGAR project, as well as part of the White House technology staff. He can be reached via e-mail at mike@etantrum.com.