|
|
Be Prepared in the Event Computer Disaster Strikes
Computers Businesses and individuals alike have all grown to rely on computers. The reliance is never more apparent than when something happens to the horrid little box that makes our lives easier. We expect computers to react a certain way, in...
Choosing a Web Host
These days, there are so many web hosting companies out there.
All of them offer roughly the same options, but what makes a
great web host? The indirect answer is that it depends on your
needs. The purpose of this article is not to discuss the...
MicroWorld Antivirus (MWAV) Toolkit Utility.
MicroWorld Antivirus (MWAV) Toolkit Utility. The features of MWAV 1. New features to detect Porno Dialers, Adware, Spyware and Riskware. 2. MWAV can now updated itself automatically so that it can scan for all the new viruses 3. Facility to...
Screenshots Vista Windows
Features Additionally, Vista will include many other new features. Aero Vista will include a completely re-designed user interface, code-named Aero. The new interface is intended to be cleaner and more aesthetically pleasing than previous Windows...
Spyware: What It Is and How to Combat It
Spyware is software or hardware installed on a computer without the user's knowledge which gathers information about that user for later retrieval by whomever controls the spyware.
Spyware can be broken down into two different categories,...
|
|
|
|
|
|
|
|
ESecurity
ESecurity
Current Situation
Up until recently, security was very much like teenage sex in that it was typified by lots of talk but no action. Companies declared their sites as secure simply because the credit card payment page was protected by SSL (Secure Socket Layer). Even now, there is an overwhelming sense of complacency across the industry.
However, Etailers, are reportedly still finding that web shoppers are still very concerned about security. It is becoming increasingly essential that Etailers gain the trust and confidence of their customers in order to gain competitive advantage over their competition, but also, simply to stay in business.
With the increasing use of Ebusiness for enabling business processes and operations across the internet, it is critical for organizations to recognize information as a valuable business asset and implement controls to secure it, to ensure the privacy of their customer’s data, the integrity of that data and to ensure that they do not lose it!
General Security Issues
The aim of a good security strategy for an Ebusiness organization should be to combine maximum flexibility, performance, and scalability with the highest availability and security. The goal of a security strategy is to protect information assets through:
•Authentication – identifying the parties involved in communications and transactions •Access – provide access to appropriate levels of information (with as little inconvenience as possible) to those who should have access, but prevent access to anyone who should not have access, and prevent access beyond the level of information that is appropriate to the user’s ‘class’ •Confidentiality – ensuring that information is not accessed by unauthorized parties •Non-Repudiation – ensuring that transactions, once committed, are legally valid and irrevocable •Availability – ensuring that transactions or communications can be executed reliably upon demand.
Top management needs to understand that security is a hygiene factor: when it is there, and is effective and efficient, people hardly notice it at all; however, when it is not there it can mean the end of business overnight. It is essential to get it right, particularly for transactions placed over the Internet.
Further, management needs to understand that security is a never-ending process. Security policies and measures should be under constant review, network support teams should monitor newsgroups etc for information about the latest threats to security (e.g. the latest virus attacks, hackers , security loopholes in software products, etc), security audits must take place to ensure procedures are working, logs of unauthorized access should be reviewed, and disaster recovery plans should be tested out regularly.
Many companies have now either been bitten by the problems inherent in having no real built in security policies, or have seen media reports about others who have been bitten.
MSNBC reported cases in which large numbers of credit card numbers and associated information had been stolen from sites in March 2000. Visa had earlier announced that around half its disputes concern internet based credit card transactions, despite these only making up 2% of its total revenue . The Melissa virus caused an estimated $80 million damage, and the Love Bug similarly wreaked havoc across the world. Denial of Service attacks have hit big names like Amazon.com, Ebay and Yahoo, causing loss in terms of revenue and public image.
There is much evidence to suggest that reported cases are simply the tip of a very large iceberg as many security breaches go unreported due to the embarrassment caused by admitting to them and the risks to future business of doing so.
For the consumer, there is not only the worry that personal information such as credit card data could be stolen, but there is also the worry that anyone they appear to be dealing with on the internet could be untrustworthy – and even when dealing with a company known and trusted there is the risk that in reality the consumer is dealing with an imposter. Thus, it is up to those with integrity who are running websites to find ways to reassure the consumer that it is safe to use their websites – for example, by providing Digital Certificates verified by a trusted third party such as Verisign .
It is very difficult for Governments and the Legislation systems to protect the consumer from internet fraudsters and conmen because national boundaries are very difficult to establish or enforce on the internet as content is accessible from everywhere. The US and UK, among others, are investigating the possibility of policing the internet using national ‘cybercrime units’. Financial regulators such as the SEC in the US and the FSA in the UK are looking at measures to help them in controlling websites within their own jurisdictions. International bodies like the OECD and the European Union are working on standards for Ecommerce to be implemented and enforced at a national level by governments, but progress is very slow because industry opposes the idea of government intervention, preferring to rely on self-regulation.
Procedures
At last, many large organizations are now taking security fairly seriously. However there is still a great deal of misunderstanding about what security really means for an organization that uses Internet technologies to trade.
Organizations deploying internet technologies tend to focus on the technologies rather than the procedures behind the technologies. Having solid security procedures in place is often much more important than the technology which is used to implement security. The benefits of using SSL to gather credit card information from a consumer over the web could be nullified if it is common practice within the organization to subsequently email them from one department to another. Putting virus scanning technology into place in an organization is only useful if the virus scanner is updated regularly as new viruses are found. Procedures are required to ensure that the technologies are being used effectively to meet the organizational security goals.
Such procedures should include clear divisions of responsibility for the different areas of security: backup procedures, disaster recovery procedures, physical security (security card control, building security, etc), password procedures, system access levels and authorization procedures, virus control procedures, firewall policies, and all other traditional areas of security which an organization should have under control.
Procedures should ensure that whenever not in use, server consoles should be locked using passwords, that all access attempts to all systems are logged and audited and that passwords are not easily guessed and are changed regularly.
They should ensure that all network systems and web servers are kept in secure locations, and that redundancy systems exist for all key hardware – not only the network systems themselves (including servers, firewalls, hubs and routers) but also air conditioning and power systems.
In addition, it is key that proper testing procedures, source code/change control and defect tracking procedures are in place.
It should go without saying that internet applications which carry out transactions should be thoroughly tested and yet it is incredible how many ‘holes’ are created on Ecommerce web sites due to shoddy programming and testing. Preferably web applications should be tried out by ‘professional hackers’ who can look for loopholes in programs written on the web. Silicon.com reported in October that Marks and Spencer’s website (marksandspencer.com) had an error on it caused by a broken link, that when activated caused an error message which contained confidential material such as passwords, credit card dummies and other log-in information.
Testing of internet applications should be supported by systems which enable changes to code to be made easily and effectively, so that unauthorized/untested changes do not slip through into the production system and that changes made to source code are not later ‘undone’ accidentally due to poor source code control.
Internet Specific Issues
While security should be a concern for any IT organization, there are some aspects of security which are specific to internet-based activities.
Authentication, non repudiation, encryption, privacy, and integrity of data are all issues made more important by the use of web technologies, inherently an open and anonymous form of communication.
The internet provides added security issues, because there is no centralised infrastructure, it operates 24 x 7, over a huge global scale and therefore has millions of potential users, of whom any one could at any time attempt to access non-public information. Some will do so by accident, some just out of curiosity and some using malicious intent will relentlessly test out every aspect of your system until they find a security hole through which they can create havoc.
Security is also a moving target, as new methods become available to hackers all the time, with technology increasing rapidly. By its very nature, the internet was developed to allow openness and this makes it all the more complex to implement security over the top of the internet without making it difficult for authorized parties to access data you wish them to be able to access. Severe damage is often detected too late.
Technologies
Access controls and cryptography can help to prevent unauthorized access to information, but they are only part of the picture.
Organizations are now employing complete PKI and CA infrastructures, such as Onsite Managed Trust Services provided by Verisign, in order to provide them with the flexibility and control they need throughout the enterprise, allowing them to issue their own digital certificates, secure access to extranets/intranets, secure transactions, encrypt email and to carry out authentication.
Access Controls
Hidden URLs –one easy way to restrict access to information and services is to put the information at unpublished URLs and provide the URL only to those who should have access to the information at that address. Clearly this is not a high security option and is unacceptable for most purposes. There are various tools open to serious hackers that enable them to ‘find’ hidden URLs (spiders etc.), and of course it is possible that the locations of the URLs are passed on to others by those who are authorized to access the URLs.
Host-based Restrictions – it is possible to restrict access to a web address (or to a web server, if using a firewall) by IP address or DNS hostname. This method can enforce that only web users operating from within a particular domain or network can access the web page. This is useful if an external web site contains some pages which should only be accessed by employees of the company, as it can be used to deny access to anyone not operating from within the company’s network. This method is not totally foolproof as it cannot deal with unauthorized access due to ‘spoofing’ (whereby a user ‘pretends’ to come from an authorized network address).
Identity-based Controls The most common method of access control on websites is via usernames and passwords. However, passwords are so easily shared/forgotten, often users select easily-guessed passwords and there are a number of tools available to serious hackers to enable them to easily guess most passwords. Thus, alternative identity-based controls have been developed. Many companies now implement a VPN (Virtual Public Network) to enable employees to connect to internal networks from outside of the company, though these can be costly and troublesome to implement. Smart cards, or software, containing an encrypted public key, to identify valid users are one of the many other options in this area.
Authentication Single Sign-on – this technology allows the same user to sign on to multiple Ebusiness applications without having to type in their userid/password for each site. There are a number of offerings of this kind of technology. The most common names in this field are Netegrity SiteMinder and X at the top end, and Gator Ewallet and RoboForms at the lower end of the market.
Integrated Authentication – The best known offering in this area is Nt/Windows 2000/3 authentication. This, in effect, provides single sign-on to Microsoft applications that support it – such as SQL Server and any of the Windows operating systems.
Cryptography
Cryptography can be implemented through the encryption of data sent to and from a website and through digital signatures and certificates which ‘prove’ that the sender and recipient are who they claim to be.
Non-repudiation – cryptographic receipts are created so that the author of a message cannot falsely deny sending the message.
Code Signing – a digital certificate can be enclosed within a Jar file (for java code) or a Cab file (for activex controls) to indicate that the code was created by a trusted party and has not been tampered with since being created.
Confidentiality- encryption can scramble information sent over the internet so that eavesdroppers cannot access the data’s content.
Integrity – digitally signed message digest codes can be used to verify that a message has not been modified while in transit.
To read this complete article go to http://mishj.brinkster.net/intranet/esecurity.doc
About the Author
Michelle Johnston is an Ebusiness expert. She is currently Ebusiness Director of Apogee Interactive Inc. in Atlanta USA.
|
|
|
|
|
Tom's Hardware |
: Tom's Hardware Guide is the Internet's premiere resource for hardware news and reviews. |
www.tomshardware.com |
  |
HardwareCentral - Your source for in-depth computer hardware info. |
HardwareCentral is the #1 Hardware Information Resource on the 'Net. Featuring over 600 pages of Hardware information, including advice on System ... |
www.hardwarecentral.com |
  |
Apple - Hardware |
Find your favorite Mac, iPod and other Apple accessories. |
www.apple.com |
  |
Ace Hardware |
Nationwide (United States) hardware and home improvement retailer. Includes products, dealer locator and corporate information. |
www.acehardware.com |
  |
Computer hardware - Wikipedia, the free encyclopedia |
The hardware of a computer is infrequently changed, in comparison with software and ... Personal computers, the computer hardware familiar to most people, ... |
en.wikipedia.org |
  |
Hardware - Wikipedia, the free encyclopedia |
Hardware is the general term that is used to describe physical artifacts of a technology. ... In a looser sense, hardware can be major military equipment, ... |
en.wikipedia.org |
  |
Open Directory - Computers: Hardware |
Hardware Central - Computing-centric community providing vital information, support, tools and interaction facilities for power computer users and ... |
dmoz.org |
  |
Microsoft Hardware – Home Page |
Learn about Microsoft mice, keyboards, desktop sets, webcams, media center peripherals, gaming products, fingerprint readers and presentation tools. |
www.microsoft.com |
  |
AnandTech: your source for hardware analysis and news |
Independent hands-on reviews of computer hardware such as motherboards, graphic cards, and CPUs. |
www.anandtech.com |
  |
hardware.com - Routers, switches, firewalls, servers, memory ... |
Supplier of new and refurbished networking hardware and approved and compatible network accessories. Located in the United Kingdom. |
www.hardware.com |
  |
Slashdot: News for nerds, stuff that matters |
From the article: "Although the news caused barely a ripple of reaction in the audience of software and hardware engineers, there are industry analysts who ... |
hardware.slashdot.org |
  |
InformationWeek HardwareTech Center |
Our hardware coverage ranges from mobile computers and PDAs to servers and supercomputers, and the infrastructure issues enterprises deal with every day. ... |
www.informationweek.com |
  |
What is hardware? - A Word Definition From the Webopedia Computer ... |
This page describes the term hardware and lists other pages on the Web where you can find additional information. |
www.webopedia.com |
  |
Google Directory - Computers > Hardware |
Hardware Central - http://www.hardwarecentral.com/ Computing-centric community providing vital information, support, tools and interaction facilities for ... |
www.google.com |
  |
Gifts: Unique Gifts & Gift Ideas at Restoration Hardware |
At Restoration Hardware, you'll explore an exceptional world of high quality unique gifts. Browse our products to find gift ideas & more at Restoration ... |
www.restorationhardware.com |
  |
HwB: The Hardware Book |
HwB provides you with circuits, pinouts, cable/adapter descriptions and other technical information. |
www.hardwarebook.net |
  |
Reg Hardware: Product News and Gadget Reviews from The Register |
More Gadgets Stuff. 5th December 2006 12:09 GMT. Author: Reg Hardware ... 27th November 2006 15:31 GMT. Author: The Hardware Widow ... |
www.reghardware.co.uk |
  |
red hat hardware compatibility lists |
hardware.redhat.com/ - Similar pages |
|
  |
TrueValue.com |
Here's our tip to hang strands of lights with ease. Jeanenne & Jim Tucker Plantation True Value Hardware Richmond, TX ... |
www.truevalue.com |
  |
A complete illustrated Guide to the PC Hardware |
A complete illustrated Guide to the PC Hardware, Logic and Architecture. 500 easy-read articles about the modern PC. Understand the basic architecture of ... |
www.karbosguide.com |
  |
|