November / December 2003 Feature Article

The Art of Trusted E-Commerce

The problem is not inside - it's on top!

"He whose generals are able and not interfered with by the ruler will win.
Hence it is said that enlightened rulers deliberate plans while capable generals execute them."
Sun Tzu - The Art of War

How badly do your users want security?

The most troubling problem encountered while performing a network security audit is the lack of commitment on the part of many users.

The single most important aspect of security in an enterprise is the security framework upon which everything else is built.
Users need to understand the meaning and intent of disclaimers and warnings on their desktops before just clicking on the OK button.

Administrators need to have detailed guidelines explaining the procedures that need to be followed during a system installation, as well as the implications to security if proper procedures are not followed.

Unfortunately, when enterprise security is compromised at a policy level, the first people to look at are management.

Walk quietly, and carry a big stick

The problem is that, while policies and procedures may be ever so carefully designed, the implementation is constrained by the limits of the power granted to the individual(s) in charge of security.

It is very rare for the chief executive of a company to be a security expert; there is therefore a need, especially in larger enterprises, for a Chief Security Officer.
The CEO and the CSO of a company must decide upon the policies and procedures that are to be implemented in a corporation.

The CSO of a company must be granted the power to formulate and, more importantly, to enforce security policy.

It is only by getting a mandate, and the power to ensure that the mandate is executed, that the CSO's responsibilities, and therefore ultimately the company's security policy, can be enforced.

Let slip the dogs of war, but get out of their way.

A wise senior manager would do well to help determine the initial corporate security policy, specifically with input from business needs, and to then leave the responsibility with the security management staff to ensure that procedures are put in place. Once these procedures are in place, leading by example would also be expected from senior management, in security as with any other policy.

Turn the tables

"The highest form of generalship is to attack the enemy's strategy.
 The next highest policy is to disrupt his alliances.
 The next best is to attack his army.
 The worst policy of all is to besiege walled cities.
 Besiege cities only when there is no alternative."
Sun Tzu - The Art of War

While not all hackers follow the tenets of The Art of War, virtually all of the more successful ones would agree with its applicability to any attempt to compromise a system.

Translating the above quote into a stratagem for compromising a company's site, we see that professional hackers would:

Attack our strategy

Remember the dot com boom, and remember those annoying sharks that registered domains without publishing sites, because they knew those domains would become sought after? Cybersquatting is a prime example of attacking strategy. This attack requires some amount of business savvy, and is very rarely fundamentally technical in nature.

Disrupt our alliances

Try to attack the communication structures external to the company; this would include the Internet, as well as trying to compromise a system outside of the company that is trusted by the target (suppliers etc.). This also includes compromising clients' computers (e.g. the recent keystroke logging incident that suddenly made banks aware that their security needs reach far beyond that of their own systems).

Attack our army

This is one of the most commonly encountered security compromises. One's own workforce may be compromised, whether through blackmail or bribery, a disgruntled employee, careless handling of sensitive information, or even lax physical security policies. The prevalence of e-mail based attacks that rely on user ignorance or incompetence is also an indication of the effectiveness of this style of attack.

Lay siege to our walls

Try to penetrate a company's (presumably) secured network from the outside. It was the least effective strategy two and a half thousand years ago, and is no better today. The only people who attempt it are generally script kiddies (Trusted e-Commerce, Test Focus Magazine, May/June 2003), because they have too much time on their hands. The only people who fall prey to these attacks are those who have not bothered with the absolute basics of securing their IT investment.

Well, Joe Bloggs of XYP (Ltd) has formulated a strict and comprehensive set of security policies and procedures.

These policies are well known and published throughout the organisation. Along with the standard login and e-mail disclaimers and notices, every member of the personnel (especially and including senior management) has been asked to sign a policy document describing the security code of conduct.

These policies and procedures not only outline each and every user's expected conduct as far as security is concerned, but also indicate to system administrators the security levels expected of new system installations, and set out for system architects the expected system and hardware requirements.

In short, everyone knows what to do as far as securing their environment is concerned, and everyone knows what will happen to them if they don't.

The company's actions on an internal breach of security range from a disciplinary hearing in most cases, to summary dismissal, with criminal and civil charges in the case of more serious computer fraud.

Next issue we will put this all together and take a look at the future of securing your e-commerce venture.


Jan Holtzhausen
