Everyone has a stake in the security of transactions on the web. Customers must have confidence in the transmission of sensitive financial and personal information to web merchants. Businesses must be certain in the knowledge that payment information collected over web storefronts is indeed valid. Furthermore, merchants must undertake additional precautions to ensure that databases with confidential information from their customers are not compromised by hackers or malicious employees.
The challenge of operating a secure web site is very real. The number of companies that have been attacked by hackers has grown dramatically the past few years. The losses from security breaches, in terms of the time and effort expended and lost productivity, are mounting. CERT, which monitors reports of computer network security breaches from around the world has registered a steep rise in the number of reported incidents in the past few years (see table below).
Netscape summarizes security threats as follows:
- Unauthorized access: accessing or misusing a computer system to intercept transmissions and steal sensitive information;
- Data alteration: altering the content of a transaction — user names, credit card numbers, and dollar amounts — during transmission;
- Monitoring: eavesdropping on confidential information;
- Spoofing: a fake site pretending to be yours to steal data from unsuspecting customers or just disrupt your business;
- Service denial: an attacker shuts down your site or denies access to visitors.
- Repudiation: a party to an online purchase denies that the transaction occurred or was authorized.
The current mainstay for securing web transactions is the Secure Socket Layer, or SSL, developed by Netscape and embedded in standard browsers. The SSL security protocol is used to create a secure session between a user and a web server using digital certificates. SSL provides for the encryption of data transmitted between client and server, allows for server authentication, ensures the integrity of messages, and can also provide for client authentication. It is very likely that the browser you are using provides SSL security when needed. The cryptographic strength (that is, how secure it is) depends on the length of the key used.
SSL uses public key cryptography to send data between client and web server during a secure session. Public key cryptography is based on a pair of asymmetric keys used for encryption and decryption. Each key pair has a public key and a private key. The public key is just that — made publicly available on a key server. The private key is kept secret by the owner. Data encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key.
The asymmetric nature of public key cryptography makes it a valuable encryption tool for messaging on the web because it means the two parties (sender and receiver) do not need to share a single key. When you encrypt a message with your private key, then a recipient using your public key to decrypt the message will know that it is in fact from you. When someone uses your public key to encrypt a message to you, they will know that only you (as the holder of the private key) will be able to decrypt and read it.
What can managers of digital enterprises do to secure their web operations? The former head of the FBI cybercrime unit, James Settle, offers the following advice, which he calls the “magnificient 10 steps to a secure network.”
Best Practices for Enterprise Network Security Management
(A.C.T.I.O.N.S)
Authentication | Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts. |
Configuration management | Plan enterprise architecture and deployment with security in mind. Manage configurations to know exactly what hardware, operating systems and software are in use, including specific versions and patches applied; create robust access and software change controls, segregate responsibilities; implement best practices; and, do not use default security settings. |
Training | Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security. |
Incident response | Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement. |
Organization network | Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge. |
Network management | Create a regular process to assess, remediate, and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts. |
Smart procurement | Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than “bolting it on” after the fact. |
President’s Critical Infrastructure Protection Board, National Strategy to Secure Cyberspace