ESecurity

Written by Michelle Johnston


Continued from page 1

In addition, it is key that proper testing procedures, source code/change control and defect tracking procedures are in place.

It should go without saying that internet applications which carry out transactions should be thoroughly tested, and yet it is incredible how many ‘holes’ are created on Ecommerce web sites by shoddy programming and testing. Preferably, web applications should be tried out by ‘professional hackers’ who can look for loopholes in programs written for the web. Silicon.com reported in October that Marks and Spencer’s website (marksandspencer.com) had an error caused by a broken link which, when followed, produced an error message containing confidential material such as passwords, credit card dummies and other log-in information.

Testing of internet applications should be supported by systems which enable changes to code to be made easily and effectively, so that unauthorized or untested changes do not slip through into the production system, and so that changes made to source code are not later ‘undone’ accidentally because of poor source code control.

Internet Specific Issues

While security should be a concern for any IT organization, there are some aspects of security which are specific to internet-based activities.

Authentication, non-repudiation, encryption, privacy, and integrity of data are all issues made more important by the use of web technologies, inherently an open and anonymous form of communication.

The internet adds security issues of its own: there is no centralised infrastructure, it operates 24 x 7 on a huge global scale, and it therefore has millions of potential users, any one of whom could at any time attempt to access non-public information. Some will do so by accident, some out of curiosity, and some with malicious intent will relentlessly test every aspect of your system until they find a security hole through which they can create havoc.

Security is also a moving target: technology advances rapidly and new methods become available to hackers all the time. By its very nature, the internet was developed to allow openness, and this makes it all the more complex to implement security on top of the internet without making it difficult for authorized parties to access the data you wish them to be able to access. Severe damage is often detected too late.

Technologies

Access controls and cryptography can help to prevent unauthorized access to information, but they are only part of the picture.

Organizations are now employing complete PKI and CA infrastructures, such as the Onsite Managed Trust Services provided by Verisign, in order to gain the flexibility and control they need throughout the enterprise, allowing them to issue their own digital certificates, secure access to extranets/intranets, secure transactions, encrypt email and carry out authentication.

Access Controls

Hidden URLs – one easy way to restrict access to information and services is to put the information at unpublished URLs and provide the URL only to those who should have access to the information at that address. Clearly this is not a high-security option and is unacceptable for most purposes. There are various tools open to serious hackers that enable them to ‘find’ hidden URLs (spiders etc.), and of course it is possible that the locations of the URLs are passed on to others by those who are authorized to access them.

Host-based Restrictions – it is possible to restrict access to a web address (or to a web server, if using a firewall) by IP address or DNS hostname. This method can enforce that only web users operating from within a particular domain or network can access the web page. This is useful if an external web site contains some pages which should only be accessed by employees of the company, as it can be used to deny access to anyone not operating from within the company’s network. This method is not totally foolproof, as it cannot deal with unauthorized access due to ‘spoofing’ (whereby a user ‘pretends’ to come from an authorized network address).

Identity-based Controls – the most common method of access control on websites is via usernames and passwords. However, passwords are easily shared or forgotten, users often select easily-guessed passwords, and there are a number of tools available to serious hackers that enable them to guess most passwords with little effort. Thus, alternative identity-based controls have been developed. Many companies now implement a VPN (Virtual Private Network) to enable employees to connect to internal networks from outside the company, though these can be costly and troublesome to implement. Smart cards, or software, containing an encrypted public key to identify valid users are one of the many other options in this area.

Authentication

Single Sign-on – this technology allows the same user to sign on to multiple Ebusiness applications without having to type in their userid/password for each site. There are a number of offerings of this kind of technology. The most common names in this field are Netegrity SiteMinder and X at the top end, and Gator Ewallet and RoboForms at the lower end of the market.

Integrated Authentication – the best known offering in this area is Windows NT/2000/2003 authentication. This, in effect, provides single sign-on to the Microsoft applications that support it, such as SQL Server and any of the Windows operating systems.

Cryptography

Cryptography can be implemented through the encryption of data sent to and from a website, and through digital signatures and certificates which ‘prove’ that the sender and recipient are who they claim to be.

Non-repudiation – cryptographic receipts are created so that the author of a message cannot falsely deny sending the message.

Code Signing – a digital certificate can be enclosed within a JAR file (for Java code) or a CAB file (for ActiveX controls) to indicate that the code was created by a trusted party and has not been tampered with since being created.

Confidentiality – encryption can scramble information sent over the internet so that eavesdroppers cannot access the data’s content.

Integrity – digitally signed message digest codes can be used to verify that a message has not been modified while in transit.
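As an added illustration of the Non-repudiation and Integrity items above (this is example code, not part of the original article), the following Go program signs the SHA-256 message digest of a constructed order message with an Ed25519 key and then checks three cases: the genuine message, a copy altered in transit, and a message signed with somebody else's key. The choice of Ed25519 and SHA-256 and the sample order text are my assumptions; the article names no particular algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is a message plus a signature over its SHA-256 message digest code.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// digest computes the message digest code that the signature covers.
func digest(body []byte) []byte {
	sum := sha256.Sum256(body)
	return sum[:]
}

// Sign creates the cryptographic receipt; only the holder of priv can produce it (non-repudiation).
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, digest(body))}
}

// Verify recomputes the digest from the received body and checks the signature with the
// sender's public key; a body altered in transit yields a different digest and fails (integrity).
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, digest(m.Body), m.Signature)
}

// CheckScenarios signs a constructed order message and reports whether each case is accepted:
// the genuine message, a copy altered in transit, and a message signed with somebody else's key.
func CheckScenarios() (genuine, tampered, forged bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	order := []byte("order=4711;amount=100.00") // constructed sample, not real data
	m := Sign(priv, order)
	altered := SignedMessage{Body: []byte("order=4711;amount=900.00"), Signature: m.Signature}
	return Verify(pub, m), Verify(pub, altered), Verify(pub, Sign(otherPriv, order))
}

func main() {
	g, t, f := CheckScenarios()
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f) // prints genuine=true tampered=false forged=false
}
```

In practice the public key would be distributed inside a digital certificate issued by a CA, as described under Technologies above, so that the recipient can trust whose key it is.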

To read this complete article go to http://mishj.brinkster.net/intranet/esecurity.doc

Michelle Johnston is an Ebusiness expert. She is currently Ebusiness Director of Apogee Interactive Inc. in Atlanta USA.


A top European site enters Canada with Intoko.ca

Written by Janine Vanderhoeven


Continued from page 1

This website was founded in December 2003 by Marktplaats.nl, market leader for online advertising in the Netherlands, where the website is more popular than ebay.nl. Intoko.ca appears plain but is nevertheless well laid out and one of the fastest in the world.

For more information:
· Email: j.vanderhoeven@intoko.ca
· Visit: www.intoko.ca and www.marktplaats.nl
· Phone: 003-164-613-2914

Site Manager Intoko Canada


ImproveHomeLife.com © 2005