Security Survival Guide
The Love Bug virus did more than cause billions of pounds worth of damage and cripple countless company systems worldwide. It also put hacking, cybercrime, and network security back at the top of every IT manager's priority list.
The ecommerce boom has prompted companies to rely on technology for mission-critical processes, which means it is not just email viruses that threaten a company's systems and data.
'By its very nature, ecommerce forces companies to externalise their operations, so security has to become much more of an infrastructure issue,' says Jeffrey Mann, vice president of analyst Meta Group.
'Before, a company could look at its individual applications and decide what it needed to do to secure each one. That isn't practical these days.'
So, just what is practical? Computing magazine has put together a quick security survival guide to remind you of the basics, so that when the board asks whether the company's ecommerce operation is as secure as possible, you know you haven't missed anything.
Ensure you have a solid security plan in place before opening your systems to a world of users and hackers. 'The first stage should be a vulnerability assessment. Where are you most accessible and where can people do the most damage?' says Yag Kumani, partner in secure ebusiness at Deloitte and Touche.
Remember, it's not just the public-facing systems that you need to think about: you should also assess the back-end systems they can reach. 'For instance, if a hacker gained access to your mail server, he may be able to set up an account on it, which could be used to access other internal systems,' warns Kumani.
Set the level of risk you are willing to take. Security systems take time and money to implement, and can make an ecommerce site harder to navigate. For instance, you may want a simple password system just to allow subscribers to access an information service, but more complex clearance procedures to allow purchases to be made.
Firewalls - you know you need them, but there's more to it than just popping the odd one here and there on the external connections to your local area network.
Too much control and you defeat the purpose of the connection; too little and you remain vulnerable. A badly-configured firewall could be more dangerous to your organisation than no firewall at all, because it gives you the confidence of protection without the substance. Make sure you check the configuration properly with a stringent testing procedure; this should reveal any loopholes, which you can then close.
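The kind of loophole a configuration test should catch can be illustrated with a small static rule audit. The following is an added example written for this page, not a tool from the article or from Cipher-IT: it models a first-match packet filter with a constructed list of rules and reports the classic mistakes (a rule that allows everything, a rule shadowed by an earlier one so it never fires, an administrative port reachable from the whole internet, and no closing default deny). The rule format, the sample addresses and the list of "management" ports are all assumptions made for the example.

```python
"""Static audit of a simple first-match firewall rule list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "any"
# Assumed list of administrative services that should never face the internet.
MANAGEMENT_PORTS = {22, 23, 3389, 5900}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port number or "any"


def _net(cidr: str):
    """Map the wildcard to the whole IPv4 space so subnet checks work uniformly."""
    return ip_network("0.0.0.0/0") if cidr == ANY else ip_network(cidr)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != ANY and outer.proto != inner.proto:
        return False
    if outer.port != ANY and outer.port != inner.port:
        return False
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst)))


def audit(rules: list) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for i, r in enumerate(rules):
        if r == Rule("allow", ANY, ANY, ANY, ANY):
            findings.append(f"rule {i}: allows all traffic from anywhere to anywhere")
        if (r.action == "allow" and r.port != ANY and int(r.port) in MANAGEMENT_PORTS
                and _net(r.src) == ip_network("0.0.0.0/0")):
            findings.append(f"rule {i}: management port {r.port} reachable from the internet")
        # First-match evaluation: an earlier rule that covers this one makes it dead.
        for j in range(i):
            if covers(rules[j], r):
                findings.append(f"rule {i}: shadowed by rule {j} and will never match")
                break
    if not rules or rules[-1] != Rule("deny", ANY, ANY, ANY, ANY):
        findings.append("no final default-deny rule")
    return findings


# Constructed ruleset with the mistakes the audit is meant to find.
SAMPLE_RULES = [
    Rule("allow", ANY, "203.0.113.10/32", "tcp", "443"),           # public web server
    Rule("allow", ANY, "203.0.113.10/32", "tcp", "22"),            # SSH open to the world
    Rule("deny", "10.0.0.0/8", "203.0.113.0/24", ANY, ANY),        # internal net blocked
    Rule("allow", "10.0.1.0/24", "203.0.113.20/32", "tcp", "25"),  # dead: covered by rule 2
    Rule("allow", ANY, ANY, ANY, ANY),                             # the "just make it work" rule
]

# Constructed hardened version: SSH only from an assumed admin network, closing deny.
HARDENED_RULES = [
    Rule("allow", ANY, "203.0.113.10/32", "tcp", "443"),
    Rule("allow", "192.0.2.0/24", "203.0.113.10/32", "tcp", "22"),
    Rule("deny", ANY, ANY, ANY, ANY),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
    print("hardened ruleset findings:", audit(HARDENED_RULES))
```

Running the audit against the sample list produces four findings, and none against the hardened list. A real test procedure would also send probe traffic through the device, but a rule-level review like this is cheap to run every time the configuration changes.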
Have an access policy and keep to it. In an ecommerce environment you will want different levels of access - you want customers to buy goods online, but not provide hackers with an open door to your system and data.
When Hansard Financial Trust set up an extranet for its broker clients, access control was very important. 'We were opening up core applications to our customers, so it was very important that only they had access, and then only to the data relevant to that customer,' says Mark Syme, IT project manager for Hansard. 'We looked at passwords, but they weren't secure enough, people have a tendency just to write them down on post-it notes and leave them lying around.' Hansard opted for a system based on a unique user name, a password and a keyfob supplied by RSA Security, which displays a number that changes every 60 seconds and is kept in step with a central server.
Keep monitoring security - and actually look at the results. This may sound obvious, but companies often don't check security procedures once they're in place. Regular monitoring should also help identify any changes that need to be made as your web site functions and capabilities evolve.
'Plan it carefully, have it properly tested and make sure it isn't forgotten about after day one, and that way you can make sure you never get in a position where somebody spots a problem before you do,' said Acklam.
Have plans in place for when it all goes wrong. This should be a natural progression from the vulnerability assessment, but is often forgotten about.
All organisations should have contingency plans, covering areas such as who should be contacted in the event of a breach, backup system requirements or disaster recovery provisions.
Images and content are copyright to Cipher-IT Ltd