ESecurity
Current Situation
Up until recently, security was very much like teenage sex in that it was typified by lots of talk but no action. Companies declared their sites as secure simply because credit card payment page was protected by SSL (Secure Socket Layer). Even now, there is an overwhelming sense of complacency across industry.
However, Etailers, are reportedly still finding that web shoppers are still very concerned about security. It is becoming increasingly essential that Etailers gain trust and confidence of their customers in order to gain competitive advantage over their competition, but also, simply to stay in business.
With increasing use of Ebusiness for enabling business processes and operations across internet, it is critical for organizations to recognize information as a valuable business asset and implement controls to secure it, to ensure privacy of their customer’s data, integrity of that data and to ensure that they do not lose it!
General Security Issues
The aim of a good security strategy for an Ebusiness organization should be to combine maximum flexibility, performance, and scalability with highest availability and security. The goal of a security strategy is to protect information assets through:
•Authentication – identifying parties involved in communications and transactions •Access – provide access to appropriate levels of information (with as little inconvenience as possible) to those who should have access, but prevent access to anyone who should not have access, and prevent access beyond level of information that is appropriate to user’s ‘class’ •Confidentiality – ensuring that information is not accessed by unauthorized parties •Non-Repudiation – ensuring that transactions, once committed, are legally valid and irrevocable •Availability – ensuring that transactions or communications can be executed reliably upon demand.
Top management needs to understand that security is a hygiene factor: when it is there, and is effective and efficient, people hardly notice it at all; however, when it is not there it can mean end of business overnight. It is essential to get it right, particularly for transactions placed over Internet.
Further, management needs to understand that security is a never-ending process. Security policies and measures should be under constant review, network support teams should monitor newsgroups etc for information about latest threats to security (e.g. latest virus attacks, hackers , security loopholes in software products, etc), security audits must take place to ensure procedures are working, logs of unauthorized access should be reviewed, and disaster recovery plans should be tested out regularly.
Many companies have now either been bitten by problems inherent in having no real built in security policies, or have seen media reports about others who have been bitten.
MSNBC reported cases in which large numbers of credit card numbers and associated information had been stolen from sites in March 2000. Visa had earlier announced that around half its disputes concern internet based credit card transactions, despite these only making up 2% of its total revenue . The Melissa virus caused an estimated $80 million damage, and Love Bug similarly wreaked havoc across world. Denial of Service attacks have hit big names like Amazon.com, Ebay and Yahoo, causing loss in terms of revenue and public image.
There is much evidence to suggest that reported cases are simply tip of a very large iceberg as many security breaches go unreported due to embarrassment caused by admitting to them and risks to future business of doing so.
For consumer, there is not only worry that personal information such as credit card data could be stolen, but there is also worry that anyone they appear to be dealing with on internet could be untrustworthy – and even when dealing with a company known and trusted there is risk that in reality consumer is dealing with an imposter. Thus, it is up to those with integrity who are running websites to find ways to reassure consumer that it is safe to use their websites – for example, by providing Digital Certificates verified by a trusted third party such as Verisign .
It is very difficult for Governments and Legislation systems to protect consumer from internet fraudsters and conmen because national boundaries are very difficult to establish or enforce on internet as content is accessible from everywhere. The US and UK, among others, are investigating possibility of policing internet using national ‘cybercrime units’. Financial regulators such as SEC in US and FSA in UK are looking at measures to help them in controlling websites within their own jurisdictions. International bodies like OECD and European Union are working on standards for Ecommerce to be implemented and enforced at a national level by governments, but progress is very slow because industry opposes idea of government intervention, preferring to rely on self-regulation.
Procedures
At last, many large organizations are now taking security fairly seriously. However there is still a great deal of misunderstanding about what security really means for an organization that uses Internet technologies to trade.
Organizations deploying internet technologies tend to focus on technologies rather than procedures behind technologies. Having solid security procedures in place is often much more important than technology which is used to implement security. The benefits of using SSL to gather credit card information from a consumer over web could be nullified if it is common practice within organization to subsequently email them from one department to another. Putting virus scanning technology into place in an organization is only useful if virus scanner is updated regularly as new viruses are found. Procedures are required to ensure that technologies are being used effectively to meet organizational security goals.
Such procedures should include clear divisions of responsibility for different areas of security: backup procedures, disaster recovery procedures, physical security (security card control, building security, etc), password procedures, system access levels and authorization procedures, virus control procedures, firewall policies, and all other traditional areas of security which an organization should have under control.
Procedures should ensure that whenever not in use, server consoles should be locked using passwords, that all access attempts to all systems are logged and audited and that passwords are not easily guessed and are changed regularly. They should ensure that all network systems and web servers are kept in secure locations, and that redundancy systems exist for all key hardware – not only network systems themselves (including servers, firewalls, hubs and routers) but also air conditioning and power systems.