Security on the Internet
Contents:
Introduction
E-Commerce Security
Security Policy
Software configuration
Hardware configuration
Secured Online Technologies
Resources
Security on the Internet, or even on internal company networks in general, is one of those IT components that everyone would love to ignore but must not. If you don't address it, you may be compromising your entire company; and if you do address it, there is still no guarantee that nothing will happen to your site or your internal networks. It is a continuous battle that should never be overlooked.
This module introduces the student to the various issues and questions that should be understood, and it equips the individual to ask the right questions when setting up an e-commerce site, whether by themselves, with the help of a consultant, or by outsourcing it completely.
You will find that on-line security is not just a matter of installing a product and then keeping it up to date with fixes. It also depends on a company-wide security policy and well-informed users. For example, no mail filter or anti-virus product can guard against the newest virus (not until a fix is available, anyway); security-conscious users, however, may notice an e-mail or a string of e-mails with similar subject lines and refuse to open those messages until they have been investigated properly. Practice has also shown that vigilance and careful system auditing are critical components of any good security plan, as is speed of response.
The SANS Institute (System Administration, Networking and Security; www.sans.org) lists the top 10 IT security mistakes as:
1. Connecting systems to the Internet before hardening them.
2. Connecting test systems to the Internet with default accounts and passwords.
3. Failing to update systems when security holes are found.
4. Using Telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI.
5. Giving users passwords over the phone, or changing user passwords in response to telephone or personal requests, when the requester is not authenticated.
6. Failing to maintain and test backups.
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail and r-services.
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing.
9. Failing to implement or update anti-virus software.
10. Failing to educate users on what to look for and what to do when they detect a potential security problem.
Also, here are the 7 top management errors that lead to computer security vulnerabilities (again from the SANS Institute):
1. Pretend the problem will go away if they ignore it.
2. Authorize reactive, short-term fixes so problems re-emerge rapidly.
3. Fail to realize how much money their information and organizational reputations are worth.
4. Rely primarily on a firewall.
5. Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
6. Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
7. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
(As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore, May 7-14, 1999.)
Another organization is CERT (www.cert.org). CERT's mission is to study Internet security vulnerabilities, provide incident response services to sites that have been the victims of attack, publish a variety of security alerts, research security and survivability in wide-area-networked computing, and develop information to help an organization improve security at its site.
Here is a list of some more security-specific organizations:
www.first.org - Forum of Incident Response and Security Teams
www.hert.org - Hacker Emergency Response Team
www.icsa.net - ICSA.net, formerly the International Computer Security Association
Here is a recent announcement by Visa International Corp.:
AUGUST 09, 2000 14:49
Visa sets new rules for online purchases
By Jim Wolf
BETHESDA, Md., Aug 9 (Reuters) - Visa, the world's biggest payment card network, said on Wednesday it was setting 10 new security rules for transactions done over the Internet by its more than 21,000 member financial institutions and their merchant partners.
Visa tied the moves to combating online fraud -- running at more than three times the rate of card fraud overall -- as well as to boosting consumer confidence in electronic commerce. It said it was also eager to head off possible new government regulatory action by policing itself.
John Shaughnessy, senior vice president for risk management for VISA U.S.A., said the new requirements -- including a network "firewall" to protect data accessible from the Internet -- will be phased in worldwide over the next year after they are spelled out in detail in a "few weeks."
Visa will work with members to monitor compliance and use outside experts to test firewalls, starting at Internet service providers and similar "gateway" portals that provide card payment services for commercial Web pages they host, he told a Bethesda conference on business solutions to cybercrime.
The rules are meant to be respected ultimately by all merchants accepting VISA cards, the world's most widely accepted form of "plastic" payment, Shaughnessy said.
"If you're a merchant, this is stuff you want to do," he said. "It's just good business. It's as simple as that."
Enforcement could involve fines, restricting the dollar amount of sales that individual merchants could process through the network or terminating their VISA membership. The new requirements include keeping security systems up to date, encrypting stored data accessible from the Internet, encrypting data sent across networks, and using and regularly updating anti-virus software. Also, those accepting VISA payments must not use vendor-supplied defaults for system passwords and other security passwords. They must assign unique IDs to each person with computer access to data; track access to data, including "read only" material, by unique ID; regularly test security systems and processes; and immediately investigate and report to VISA any suspected loss of cardholder data.
VISA U.S.A. announced in February that its overall fraud loss had dropped to an all-time low of six cents per $100 in transactions, down from seven cents in 1998 and 18 cents in 1992. But fraud in "card-not-present" transactions -- such as telephone and mail-order sales -- totaled about 15 to 20 cents per $100 in 1999 and the Internet-related part of that is typically higher, Shaughnessy said. He said the biggest source of such fraud was stolen account numbers.
"We feel like we can take a leadership role" in managing such fraud, making it unnecessary for the government to get involved, he said. "We want to do it this way." In 1998 about $1.4 trillion in products and services were purchased using the 600 million VISA cards accepted at more than 17 million places worldwide, according to VISA.
Of the total VISA U.S.A. card volume of $724 billion in 1999, about 2 percent involved online purchases. VISA projects this will quintuple to 10 percent by 2003, according to Angela Grothoff, a spokeswoman in New York. With more merchants doing business online than any other card company, "Visa is in a position to really impact the security of online commerce" with its new rules, she said.
The Internet was not initially designed with security in mind; however, over the last number of years that has changed with the advent of many new security technologies and policies. It must be reiterated again and again that security is not just a piece of technology: it is also proper maintenance, policy, user education and due diligence on a continuous basis.
Security risks should be understood by all. Even if you never intend to set up your own internal website, you should still be able to articulate and ask the security questions of your hosting provider. You should also be in a position to assess the security needs of your business as well as what is offered and done by the hosting company. Also, if you do hire consultants to create your on-line store, you should be able to ask the proper questions as part of your review of their skills.
Once that is done, there is still the question of public perception: is your store safe and secure to deal with?
It is important to realize that a hosting company may not be totally responsible for security without your direct involvement. And if the online store is totally in-house, then all security falls onto your set of responsibilities. An example of this type of involvement in a different field is home renovations. A contractor can repair or change the way a house looks; however, if you are not involved, it may not be the way you want it, and ultimately, who pays the price?
Another way to think about security on the Internet is to compare it to security in the physical world. How much due diligence and money is spent on security for a physical store? Are the doors or cash registers left open as you leave for the night? Do retailers install security cameras, and for what purpose? Is inventory closely monitored and tagged with electronic devices? Basically, why should this change if you move your retail channel to an on-line store?
If you are using a service provider, be very cautious of the workmanship of the offerings: service providers work on razor-thin margins and are usually in such a hurry getting customers up and running that they sometimes forget to address security concerns properly. It is very important to check the reputation, press releases and consumer reports of the service provider you are dealing with, and security should probably be one of your main criteria for choosing one service provider over another. It's really up to you.
Security is a very complex piece of the IT puzzle. No matter what decision you make in creating an online store, in-house or outsourced, security questions should be asked. Also, for a service provider, never assume they pay proper attention to security. Ask the questions!
Next, here is a list of questions or points that could be addressed. It's not an exhaustive list, but it will get you started. Also, some questions are more relevant than others depending on how you are going to implement your e-commerce store. The questions have been broken down into three categories: security policy, software configuration and hardware configuration.
Security Policy:
1. Start with the most obvious question: do you or your company have a security policy in place currently?
2. Are people aware of the policy and its rules?
3. Do you or your service provider have a process for keeping up to date with security advances, both technology and process?
4. Organizations should run security scanners on their networks to determine if there are machines built and installed without others' knowledge which may provide an entrance point for a crafty hacker. There should be an internal policy that no machine is connected to the outside world without proper security precautions in place.
5. Who controls passwords and user authentication, as well as password resets? Are passwords changed on a frequent basis? How are passwords assigned?
6. Who actually has access to the data you store in your databases or flat files? Is this done by internal people or through a service provider or a contractor/consultant?
7. What happens if an employee leaves the company? Do you have a process to eliminate access for those employees?
8. What are the backup policies? Are backups done frequently? What is the service level in case a website does go down? Are the backups secure in themselves?
9. Is there a way for your store never to see the credit card numbers of customers? Most services hide those details, as really the bank is collecting the credit card funds and paying them into your business account. The only time you may be required to see the credit card number is if there is a purchase dispute resulting in a chargeback. Some customers like this option, especially if you tell them that you don't see their credit card numbers, as they are handled by a bank or a dedicated service.
Software configuration:
1. It's critical that IT people track versions of software packages being run on their machines, to know which ones may need a fix to plug a security hole. Most holes are created unintentionally by errors in code written by developers. Do you have a person or process in place to track software bugs and then apply updates?
2. Eliminate extraneous services: most operating systems and web server software come with features and services that are enabled by default. Turning off those services or functions not being used reduces the number of entry points hackers can get in through. Has this been done with the package that you are using?
3. Sniffer programs are used by hackers to look at information that is passed between a customer and a merchant. Do you have the proper security features enabled in the browser and on the destination on-line server? Are you using encryption as a standard for data transmission, either SSL (Secure Sockets Layer) or SET (Secure Electronic Transaction)? Both will be described shortly.
4. Consultants and product installers must be aware of the security features of products and how to configure them properly. Are the shopping cart software components installed properly?
5. Are the data repositories (flat files or databases) properly secured or hidden away from public view? Do they have a separate level of security around them?
6. Do you have a way to check for viruses coming in through e-mail or through people having access to write to your web server? Do you have a policy and/or an automatic way of updating the virus signature files on a continuous basis?
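Item 2 above (and item 7 of the SANS list earlier) asks whether unneeded network services have actually been turned off. As an added example, not code from the original module, here is a small audit that parses the listening sockets of a host and flags the legacy services the SANS list names, as well as anything exposed on all interfaces that is not on an allowlist. The input lines are constructed to follow the shape of `ss -tlnp` output, and the allowlist and the set of risky service names are assumptions for the demonstration; on a real host you would feed it the command's live output.

```python
"""Audit of listening network services against an allowlist.  Added example,
not code from the original module.  Works on lines shaped like `ss -tlnp`
output (state, queues, local address:port, peer, process); the sample lines
below are constructed, not captured from a real host."""
import re

# Services the SANS list names as rarely needed on an Internet-facing host (assumed names).
RISKY = {"ftpd", "telnetd", "in.telnetd", "in.fingerd", "fingerd", "rpcbind",
         "rpc.statd", "sendmail", "exim", "in.rlogind", "in.rshd", "in.rexecd"}
# Constructed policy: only these (port, process) pairs may listen on all interfaces.
ALLOWED = {(22, "sshd"), (443, "httpd")}

SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("httpd",pid=1044,fd=4))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=902,fd=5))
LISTEN 0      5      0.0.0.0:21          0.0.0.0:*         users:(("ftpd",pid=905,fd=6))
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=640,fd=8))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1200,fd=20))
LISTEN 0      128    [::]:8080           [::]:*            users:(("java",pid=1300,fd=9))
"""

# state, recv-q, send-q, local addr:port, peer, then the first process name in users:((...))
LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text):
    """Return (address, port, process) for each LISTEN line; the header is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def audit(listeners, allowed=ALLOWED, risky=RISKY):
    """Findings: legacy services wherever they listen, plus exposed ports not in the allowlist.
    Loopback-only listeners (e.g. a database bound to 127.0.0.1) are not reported."""
    findings = []
    for addr, port, proc in listeners:
        exposed = addr in ("0.0.0.0", "[::]", "*")
        if proc in risky:
            findings.append(f"disable: {proc} on port {port} is a legacy/unneeded service")
        elif exposed and (port, proc) not in allowed:
            findings.append(f"review: {proc} listens on {addr}:{port} but is not in the allowlist")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(finding)
```

On the constructed sample the audit reports the telnet, ftp and rpc listeners for removal and asks for a review of the unexpected port 8080 service, while the loopback-only database and the two allowlisted services produce nothing.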
Hardware configuration:
1. What hardware technologies are in place to guard against security breaches or denial of service attacks?
2. Are you using firewalls and proxy servers, and are they properly installed and configured? (A reference to a glossary is found at the end of this section.)
3. Firewalls should be configured to limit the ports through which servers can be accessed. Has this been done?
4. Strategically, intrusion detection systems (IDS) should be properly distributed within your network. IDS servers should be placed in areas vulnerable to attack. IDS servers need to have external network cards operating in promiscuous mode (they see all network packets, even those not sent to them) in order to operate properly.
5. Most breaches of security on the Internet occur not from the actual transmission of credit card data but as the result of exposed data at the receiving site. Do you have the proper configuration of firewalls, and have you secured your data repositories? Hackers tend to target breaking into a web site and looking for these repositories, which contain customer information including credit card information.
6. Have you considered using multiple configurations or other different hardware products to improve security?
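Items 2 and 3 above (and item 8 of the SANS list) come down to the same check: does the rule set actually limit which ports can be reached, in both directions, and does it end in a deny? The evaluator below is an added example, not the module's or any vendor's code; the rule format, the two policies and the sample traffic are all constructed. It shows first-match semantics with a default deny, and how a single trailing allow-any rule makes the earlier restrictions decorative.

```python
"""Minimal first-match firewall policy evaluator.  Added example, not code from
the original module or from any vendor's product; rule format and sample traffic
are constructed to show why a rule set needs an explicit deny in both directions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the server) or "out" (from the server)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


# A rule is (direction, proto, destination port, action); None matches anything.
# Constructed policy: public web and admin ssh in, DNS and HTTPS out, nothing else.
GOOD_RULES = [
    ("in",  "tcp", 443, "allow"),
    ("in",  "tcp", 22,  "allow"),
    ("out", "udp", 53,  "allow"),
    ("out", "tcp", 443, "allow"),
]

# The mistake in SANS item 8: a trailing allow-any means the rules above never deny anything.
BAD_RULES = GOOD_RULES + [(None, None, None, "allow")]


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; when nothing matches the default (deny) applies."""
    for direction, proto, dport, action in rules:
        if (direction in (None, pkt.direction) and proto in (None, pkt.proto)
                and dport in (None, pkt.dport)):
            return action
    return default


# Constructed traffic: a normal HTTPS request, a telnet connection attempt from outside,
# and an outbound connection from the server on a port the policy never approved.
SAMPLE = [
    Packet("in",  "tcp", "203.0.113.5",   "198.51.100.10", 443),
    Packet("in",  "tcp", "203.0.113.5",   "198.51.100.10", 23),
    Packet("out", "tcp", "198.51.100.10", "203.0.113.99",  6667),
]


def decisions(rules):
    """Decision for each sample packet under the given rule set."""
    return [evaluate(rules, p) for p in SAMPLE]


if __name__ == "__main__":
    print("default-deny policy:", decisions(GOOD_RULES))
    print("trailing allow-any: ", decisions(BAD_RULES))
```

Under the default-deny policy only the HTTPS request passes; the telnet attempt and the unexpected outbound connection are dropped. With the trailing allow-any rule all three pass, which is the configuration error the SANS list describes: the rule set exists, but it stops nothing.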
Make sure you get good answers back about security. If anyone dismisses it or doesn't give you good answers, they may not be security conscious, or it may not be a priority for them. Once again, this list is not intended to be the complete list. It is intended to raise the discussion within your company or with your vendors, either consultants or hosting companies.
When it comes to credit cards specifically, there are three things one has to deal with: encryption, authorization and authentication. Encryption deals with information travelling along the Internet. Authorization deals with stolen or overdrawn credit cards. Authentication deals with who the person using the credit card is.
For secure credit card transactions on the Internet, there are currently two technologies available: SSL (Secure Sockets Layer) and SET (Secure Electronic Transaction).
SSL (Secure Sockets Layer), developed by Netscape Communications Corporation, is the standard for web browser and server authentication and secure data exchange on the web. All the leading servers and browsers, including Netscape Communicator, are optimized to enable SSL encryption. SSL can deal with secure transmission of data across the Internet. Digital certificates encrypt data using Secure Sockets Layer (SSL) technology, the industry-standard method for protecting web communications developed by Netscape Communications Corporation.
The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities. For more information on SSL and how it works, please see http://home.netscape.com/security/techbriefs/index.html
Over 340,000 web sites worldwide use VeriSign's Secure Server IDs to authenticate their sites and enable SSL encryption technology. A free guide, "Securing Your Web Site for Business", will tell you everything you need to know about encrypting your server transactions for serious online security. Find solutions for:
Encrypting online transactions
Securing corporate intranets
Authenticating your Web site
For more information, please visit VeriSign at www.verisign.com
SET - Secure Electronic Transaction (from www.whatis.com)
SET (Secure Electronic Transaction) is a system for ensuring the security of financial transactions on the Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is given an electronic wallet (digital certificate) and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, a merchant, and the purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa System's Secure Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of a public key infrastructure (PKI). SET in its full implementation can tell if a person using a credit card is the owner of that card and thus can authenticate a purchase, whereas SSL cannot.
Here's how SET works:
Assume that a customer has a SET-enabled browser such as Netscape or Microsoft's Internet Explorer and that the transaction provider (bank, store, etc.) has a SET-enabled server.
1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
2. The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been digitally signed by the bank to ensure its validity.
3. Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.
4. The customer places an order over a Web page, by phone, or some other means.
5. The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.
6. The browser sends the order information. This message is encrypted with the merchant's public key, the payment information, which is encrypted with the bank's public key (which can't be read by the merchant), and information that ensures the payment can only be used with this particular order.
7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.
9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.
10. The bank digitally signs and sends authorization to the merchant, who can then fill the order.
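The ten steps above describe a three-party exchange in which the merchant can read the order but not the payment details, the bank can read the payment details but not the order, and both can check that the two halves belong together. The following is an added teaching model of that exchange, not code from the original module or from the SET specification. It assumes a textbook RSA on tiny hard-coded primes in place of real certificates and signatures (it offers no real security and treats each byte as its own block), simplified certificates carrying holder, public key and expiry, and a hash-of-hashes "dual signature" as the link between order and payment, which is the mechanism real SET used for step 6's "information that ensures the payment can only be used with this particular order".

```python
"""Toy model of the SET purchase flow (steps 1-10 above).  Added example, not code
from the original module or the SET specification.  Assumptions: textbook RSA on
tiny hard-coded primes stands in for real certificates and signatures (teaching
model only, no real security); each byte is its own RSA block; order and payment
are bound by a hash-of-hashes "dual signature", the linkage real SET used."""
import hashlib
import json

def sha256(data):
    return hashlib.sha256(data).digest()

def make_key(p, q, e=17):
    """Return ((n, e), (n, d)); p, q are primes with n > 255 so a byte fits a block."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def rsa(key, blocks):
    """Raise each block to the key's exponent: one primitive for all four operations."""
    n, x = key
    return [pow(b, x, n) for b in blocks]

def sign(priv, data):
    return rsa(priv, sha256(data))

def verify(pub, data, sig):
    return rsa(pub, sig) == list(sha256(data))

def issue_cert(bank_priv, holder, pub, expires):
    """Steps 2-3: the bank signs (holder, public key, expiry)."""
    body = json.dumps({"holder": holder, "pub": list(pub), "expires": expires}).encode()
    return {"body": body, "sig": sign(bank_priv, body)}

def check_cert(bank_pub, cert, now):
    """Steps 5, 7 and 9: accept only a bank-signed, unexpired certificate."""
    if not verify(bank_pub, cert["body"], cert["sig"]):
        return None
    info = json.loads(cert["body"])
    return tuple(info["pub"]) if info["expires"] >= now else None

def customer_purchase(cust_priv, cust_cert, merch_pub, bank_pub, order, payment):
    """Step 6: order readable only by the merchant, payment only by the bank."""
    oi, pi = json.dumps(order).encode(), json.dumps(payment).encode()
    return {
        "enc_oi": rsa(merch_pub, oi),
        "enc_pi": rsa(bank_pub, pi),
        "h_pi": sha256(pi),                                    # merchant checks the link
        "dual_sig": sign(cust_priv, sha256(oi) + sha256(pi)),  # payment bound to order
        "cust_cert": cust_cert,
    }

def merchant_process(merch_priv, merch_cert, bank_pub, msg, now):
    """Steps 7-8: verify the customer, read the order, forward the sealed payment."""
    cust_pub = check_cert(bank_pub, msg["cust_cert"], now)
    if cust_pub is None:
        return None
    oi = bytes(rsa(merch_priv, msg["enc_oi"]))
    if not verify(cust_pub, sha256(oi) + msg["h_pi"], msg["dual_sig"]):
        return None
    fwd = {"enc_pi": msg["enc_pi"], "h_oi": sha256(oi), "dual_sig": msg["dual_sig"],
           "cust_cert": msg["cust_cert"], "merch_cert": merch_cert}
    return json.loads(oi), fwd

def bank_authorize(bank_priv, bank_pub, fwd, now):
    """Steps 9-10: verify merchant and message, then return a signed authorization."""
    cust_pub = check_cert(bank_pub, fwd["cust_cert"], now)
    if check_cert(bank_pub, fwd["merch_cert"], now) is None or cust_pub is None:
        return None
    pi = bytes(rsa(bank_priv, fwd["enc_pi"]))
    if not verify(cust_pub, fwd["h_oi"] + sha256(pi), fwd["dual_sig"]):
        return None
    payment = json.loads(pi)
    auth = json.dumps({"last4": payment["card"][-4:], "amount": payment["amount"]}).encode()
    return {"auth": auth, "sig": sign(bank_priv, auth)}

def run_purchase(now=100):
    """Whole exchange on constructed data; reports what each party could conclude."""
    bank_pub, bank_priv = make_key(67, 71)
    merch_pub, merch_priv = make_key(47, 59)
    cust_pub, cust_priv = make_key(61, 53)
    merch_cert = issue_cert(bank_priv, "shop.example", merch_pub, expires=200)
    cust_cert = issue_cert(bank_priv, "alice", cust_pub, expires=200)
    order = {"item": "widget", "qty": 2}                       # constructed
    payment = {"card": "4111111111111111", "amount": "19.98"}  # constructed test number
    msg = customer_purchase(cust_priv, cust_cert, merch_pub, bank_pub, order, payment)
    seen_order, fwd = merchant_process(merch_priv, merch_cert, bank_pub, msg, now)
    auth = bank_authorize(bank_priv, bank_pub, fwd, now)
    forged = dict(fwd, h_oi=sha256(b'{"item": "widget", "qty": 200}'))  # order swapped in transit
    return {
        "merchant_order": seen_order,
        "merchant_has_card": "card" in seen_order,
        "authorized": auth is not None and verify(bank_pub, auth["auth"], auth["sig"]),
        "expired_cert_rejected": merchant_process(merch_priv, merch_cert, bank_pub, msg, 300) is None,
        "forged_order_rejected": bank_authorize(bank_priv, bank_pub, forged, now) is None,
    }
```

run_purchase() walks the whole flow on constructed data and also exercises two of the failure modes the steps imply: an expired customer certificate is refused at step 7, and a forwarded message whose order hash does not match the customer's dual signature is refused at step 9, which is what prevents the customer's payment from being attached to a different order than the one they signed for.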
It should be understood that SET is still under debate as a solution for the industry; it has not yet taken hold universally. SET working with SSL seems to be a better solution; however, as an alternative, combining SSL with a transaction processing company can also do the job securely. These are both options that one should be aware of.
And finally, even after you have installed an e-commerce store, you should be very wary of the warning signs of credit card abuse. Please check with your financial institution or the credit card companies directly for a list of warning signs.
Model Security Policies:
Compiled by Michele Crabb-Guel as part of her classic SANS course on "Building An Effective Security Infrastructure."
http://www.sans.org/newlook/resources/policies/policies.htm
Firewall vendors:
http://www.checkpoint.com/products/firewall-1/index.html
http://www-4.ibm.com/software/security/firewall/
http://www.cisco.com
Anti-Virus Software Vendors:
http://www.norton.com
http://www.drsolomon.com
http://www.mcafee.com
Security Glossary:
http://www.sans.org/newlook/resources/glossary.htm