[ formatted version ] [ home ] [ about ] [ forum ] [ RSS ] [ help ] [ search ]




[ Hear the podcast: Audio | Transcript ]

Everyone has a stake in the security of transactions on the web. Customers must have confidence in the transmission of sensitive financial and personal information to web merchants. Businesses must be certain in the knowledge that payment information collected over web storefronts is indeed valid. Furthermore, merchants must undertake additional precautions to ensure that databases with confidential information from their customers are not compromised by hackers or malicious employees.

The challenge of operating a secure web site is very real. The number of companies that have been attacked by hackers has grown dramatically the past few years. The losses from security breaches, in terms of the time and effort expended and lost productivity, are mounting. CERT, which monitors reports of computer network security breaches from around the world has registered a steep rise in the number of reported incidents in the past few years.

Authentication Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts.
Configuration management Plan enterprise architecture and deployment with security in mind. Manage configurations to know exactly what hardware, operating systems and software are in use, including specific versions and patches applied; create robust access and software change controls, segregate responsibilities; implement best practices; and, do not use default security settings.
Training Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security.
Incident response Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement.
Organization network

Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge.

Network management

Create a regular process to assess, remediate, and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts.

Smart procurement

Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than “bolting it on” after the fact.

Source: President's Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace


Learning objectives:

Things to read:

Insider Threat Research
CERT | 06.01.2009

Governing for Enterprise Security
CERT | 03.28.2008

Security Guidelines 2.0
TRUSTe | 10.31.2005

The Challenges of Security Management
Richard A. Caralli and William R. Wilson | 08.02.2004

Cybersecurity Today and Tomorrow
National Research Council | 01.17.2002 (read chapter 1)

Secrets to the best passwords
Peter H. Gregory | 07.09.2003

Security of the Internet
Thomas Longstaff, et al. | 02.00.1998

Case study:


Hungry minds:

Defending Against an Internet-based Attack on the Physical World
Simon Byers, Aviel D. Rubin and David Kormann

The Spread of the Sapphire/Slammer Worm
David Moore, et al.

Twenty Most Critical Internet Security Vulnerabilities
SANS Institute

Computer System Intrusion Detection: A Survey
Anita K. Jones and Robert S. Sielken

Why Cryptography Is Harder Than It Looks
Bruce Schneier

Liability for Computer Glitches and Online Security Lapses
Alan Charles Raul, Frank R. Volpe and Gabriel S. Meyer

Security in the Real World: How to Evaluate Security
Bruce Schneier

How to Eliminate the Ten Most Critical Internet Security Threats
SANS Institute

Trust in Cyberspace
National Research Council

Security Basics
Pricewaterhouse Coopers

Network Security Roadmap
SANS Institute

Model Security Policies
Michele Crabb-Guel

Glossary of Terms Used in Security and Intrusion Detection

World Wide Web Security FAQ
Lincoln D. Stein

Evaluating and Selecting Digital Payment Mechanisms
Jeffrey MacKie-Mason and Kimberly White

Guide for Developing Security Plans for IT Systems

Handbook for Computer Security Incident Response
Moira West-Brown. et al.

Places to visit:




SANS Institute


Look it up:



Buffer overflow

Dictionary attack

Keystroke logging

Logic bomb


Script kiddie

Social engineering




Previous topic:


Next topic:


Course information:

© 2010 Michael Rappa
Page last updated: