ANALYST REPORT: Good Security Puts Policy First

RFG believes e-commerce applications require special security considerations to protect them from attack or misuse. IT executives should evaluate the security requirements for their companies' e-commerce applications, and design security policies that take into account factors such as custom development, administrator access, and inter-application communication.

Business Imperatives:

E-Commerce security starts with policies, not technologies. IT executives should establish solid security practices that address proactive issues such as application and system design, security patch installation, and system documentation. IT executives should further establish procedures administrators will follow should a security breach occur to minimise the attack's effects.

When properly implemented, firewalls can provide one level of security protection for e-commerce applications, but they cannot block every possible intrusion point. IT executives should verify that firewall products are properly used and that development staff and administrators use security best practices for e-commerce applications.

There are many forms of intrusion detection systems (IDSs), and all have the potential to contribute to e-commerce application security. IT executives should use a mix of host-, network-, and file-based IDS implementations to protect e-commerce applications.

Over the past few years, corporate exposure to attacks from the Internet have increased at a faster rate than some might have expected given the pace of e-commerce application deployment. Part of this problem has to do with an increased desire on the part of hackers to compromise e-commerce sites, either for political reasons, vendettas, or simply personal fame. For example, Chinese and American hackers recently waged a battle over which side could deface more of the others' Web sites.

However, an equally important issue has been a noticeable lack of firm security policies and best practices in many business-critical environments. Systems operating without security patches, administrators using common or default names and passwords for accounts, and poor development practices have contributed to many of the high-profile hacks that have recently received a great deal of media attention. The table below lists several best practices IT executives should consider when protecting e-commerce applications.

E-Commerce Application Security Best Practices

—Install vendor-issued patches immediately upon release, regardless of employee resources required.

—Designate specific employees to monitor vendor notification sites as well as industry security portals.

—Avoid using administrator accounts for common tasks. Rename or disable common accounts where possible, and use remote access tools only when absolutely necessary.

—Use separate firewall layers to divide the Internet from specific applications, and applications from internal systems.

—Employ multiple IDS techniques, combining host-based, file-based, and network-based methods wherever possible.

—Create a document that details specific actions administrators should follow when responding to a successful attack. This document should be part of the system's disaster recovery documentation package.

—Balance security convenience against security risks when selecting platforms for new applications. Be prepared to devote additional dollars and employee resources where necessary to implement a secure platform.

—Always document and report attacks that lead to a serious compromise of data, loss of revenue, or other damages to local authorities as well as incident reporting centres.

—Developers should be given guidelines for developing secure code as well as tools to help them check e-commerce applications for possible problems.

One of the critical elements in any security policy is keeping current on vendor patches. This often requires significant enterprise resources, and is sometimes considered a task to be performed after other, "more important" work is completed, or on a weekly or monthly basis. However, many recent system compromises were the result of automated attacks scanning for systems behind on their security updates - not the result of determined hackers exploiting flaws only known to the underground community. To stay on top of security-related patches, IT executives should allocate employee resources to actively monitor software vendor security bulletins as well as other news sources.

Likewise, IT executives should realise that it is not sufficient to simply run automated update tools on an infrequent basis. For example, Microsoft recently announced that it would be adding product-specific security updates to its Windows Update site, startling administrators who had erroneously believed that the site already provided those patches. Administrators should also monitor other security portals, such as the Computer Emergency Response Team (CERT), PacketStorm, SecurityFocus.com, SecurityPortal.com, and the System Administration, Networking, and Security Institute (SANS Institute).

IT executives should understand that staying up to date on security patches is a critical system administration task. This is because automated tools to exploit these security flaws are now being released only hours or days after software vendors announce the availability of a patch. Therefore, rather than installing updates on a weekly or monthly basis, they should be installed as soon as they become available.

Moreover, security policies should also cover system usage, user accounts, and remote access. For instance, it is rarely necessary to login as a system administrator to update records in a database. Altering the username of the administrator and setting strict policies on password length and content will help reduce the system's exposure to brute-force password guessing attacks. Additionally, eliminating remote control tools such as Secure Shell (SSH) or PC Anywhere where they are a convenience, but not a necessity, can also reduce a system's exposure. Those tools often receive more attention by hackers because the compromise of such a tool can lead to intrusion possibilities for many systems, not just one. IT executives should eliminate any unnecessary paths into a system, regardless of how secure that path is considered to be.

E-commerce applications have different security requirements than internal systems, so security solutions for e-commerce applications should include multiple firewalls. At minimum, two firewall layers should protect each application - one between the company and the Internet, and a second with stricter settings placed in front of internal systems. While the compromise of an e-commerce application could result in a serious problem, the propagation of that compromise into internal systems is more threatening to business continuity and competitiveness, even though it generally involves less exposure to the outside world.

IT executives should keep in mind that firewalls are designed to help enforce existing security policies by controlling the flow of network traffic. Firewalls alone are not sufficient to protect an organisation, because there are many security threats firewalls cannot address. For example, in most cases a firewall cannot examine the contents of an encrypted session. Firewalls are also not particularly effective in blocking attacks that exploit bugs in software code. In addition, internal employees can penetrate firewall security by using back doors or stolen administration passwords.

IDS software, hardware, or both should be used to augment firewall protection. Network-based systems will monitor traffic and evaluate whether an attack may be under way. They can also monitor multiple servers, but, like firewalls, often cannot see the contents of an encrypted session, leaving hackers a method of avoiding detection. Host-based systems only protect the machines they are installed on, but can generally see the contents of an encrypted session. Finally, file-based methods make the best last line of defence, proving whether an attack has succeeded regardless of whether it was identified by host-based and network-based methods. Some file-based IDS packages can automatically replace defaced Web pages with original versions.

IT executives should also ensure that developers are properly trained and equipped to build and deliver secure e-commerce applications. It is true that hackers payless attention to specific applications, since more fame is to be found by exploiting flaws that affect a wide range of locations. However, many successful attacks, ranging from simple shopping cart abuses to retrieval of customer data due to unprotected database value storage, have occurred in the past year alone.

IT executives should address these problems by ensuring that developers are properly trained. Local and regional companies that provide IT education programs, as well as organisations such as SANS, all offer courses that teach developers how to avoid buffer overflow risks, escape characters, and so forth. Following this step up with the regular use of an automated checking tool such as one of the Lint variants will help minimise the risks that developers themselves introduce into e-commerce applications.

Platform selection is not a crucial element in e-commerce application security, but it is an important one. The debate continues to rage over just how secure Microsoft Windows is in relation to its competition, including Solaris, Linux, and other Unix platforms.

The fact is that all platforms have security flaws, and e-commerce applications must communicate with the Internet to do their work, increasing their exposure by default. However, it is also true that Microsoft is a highly political target with more than its fair share of enemies. Many hackers have focused on breaking into Windows-based systems simply because of this reason. Therefore, while platform selection must generally place greater weight on administrative costs, budgetary constraints, and application software utilised, it can also have an impact on e-commerce application security.

On the other hand, IT executives who oversee the management of Unix servers should not be lulled into a false sense of security. Security flaws in Unix platforms abound, and recent exploits of them have been as harsh as those against Windows platforms.

A focus on preventing attacks should never assume they cannot or will not happen, especially given the recent increase of automated vulnerability scanning. IT executives should ensure their companies are prepared for attacks by establishing procedures that administrators will follow should an attack be successful. The procedures should consider various eventualities, including Web site defacement, theft of data, and data tampering or site abuse.

Should an attack be successful, it should be reported to authorities where possible. Companies located in the United States can report to the National Infrastructure Protection Center (NIPC), as well as the Federal Bureau of Investigations (FBI). Attack information can also be shared with SANS through the Internet StormCenter portal. Sharing this information may not always be in the company's best interest due to publicity issues, but it can often be done in a confidential manner, and will help lead to more secure e-commerce application platforms.

RFG believes e-commerce applications require extensive security measures and resources to protect them, and should be a conspicuous line item in all IT budgets. Increased media attention on site attacks, as well as the potential for lost revenues, demand that companies pay careful attention to ensuring the security of e-commerce systems. IT executives should follow best practices for information security when implementing and managing e-commerce applications, allocate resources as required, and prepare responses that will be followed.

Chad Robinson is the Senior Research Analyst at the Robert Frances Group © 2001 Robert Frances Group. All rights reserved.

Join the newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Chad Robinson

Latest Videos

More videos

Blog Posts