Dress Your E-Security in Layers

All the internal and external threats pounding at the walls of your company's security system are enough to make you long for a simpler time, no? Well, your system can benefit a lot by returning to security principles from the Middle Ages. We'll take you back and show you how.
Posted June 25, 2001
By

Beth Cox


Eastern European hackers steal more than a million credit card numbers by exploiting Windows NT vulnerabilities.

A well-known online computer products retailer is forced to issue an embarrassing press release saying that no, not all of our 3.7 million credit card accounts were hacked.

Even the FBI has seen its site knocked off the Web, by hackers irritated about -- what else? -- a crackdown on hackers.

Doing e-business in the Dot-Com Age is enough to make you long for a simpler time, no?

Today the threats to e-business systems come from hackers exploiting weaknesses in defenses, your own employees exploiting their trusted status, and brute-force attacks on passwords.

So it's ironic that one of the strategies for protecting your customers' credit card accounts online takes its impetus from a time, the Age of Citadels, when massively redundant forts were sometimes constructed to keep out the bad guys.

What to do? Well, you could try an old-fashioned layering approach that was used by fortress builders.

According to a new white paper on e-commerce security entitled "An Electronic Citadel -- A Method for Securing Credit Card and Private Consumer Data in E-Business Sites," military fortification designers in the early 1800s used layers of barriers to weaken and stop attackers, while creating an impenetrable stone fortress at the heart of the citadel.

The white paper was written by Tom Arnold, chief technical officer at online security firm CyberSource Corp., for the technology working group of the e-business division of the Software and Information Industry Association, which is the principal trade association of the software code and information content industry.

"Unfortunately, many of today's e-businesses implement the direct opposite of a citadel," Arnold writes. "This can be viewed as an 'eggshell' security model: hard outer shell, soft in the center."

Businesses following the eggshell model fortify the outer shell using filtering routers and firewalls. Defense against internal attack is defended by simple user name and password logins. Some companies implement more secure password protection mechanisms and compartmentalize sensitive data. These are all good, but once someone penetrates the outer shell, they are functioning at the soft center of the organization and may only have to guess at a directory name to gain access to the most sensitive data.

Arnold says that the Electronic Citadel approach is a method and system for managing encryption keys to allow secure storage of sensitive data that can always be validated (necessary for e-commerce transactions) "but limits retrieval of the original data to a specified lifetime."

"The Electronic Citadel security model is the result of assembling a set of standard cryptographic methods coupled with a new approach for creating and destroying keys according to a recovery period schedule," he writes. In essence, the encryption keys change over time -- one of the unique, distinguishing features of the Electronic Citadel.

There's a lot more of a technical nature, and if you're up for it the complete white paper is available here.

CyberSource, meanwhile, has put out a list of 10 tips for e-businesses that wish to secure consumer information and credit card data:

1. Approach security as a system. Security is more than just a firewall or a user-name and password login. There are numerous interacting systems involved including access control through encryption of sensitive data.

2. Establish policy. Have a clear policy related to security and the handling of sensitive data. Communicate internally. Make everyone aware of their responsibility for security. This includes conducting policy education for all facets of security from facility instructions to reporting breeches.

3. Implement a "layered" security model. Most organizational security models can be described as an eggshell; hard on the outside, soft in the center. According to a 2000 FBI and Computer Security Institute survey report, over 70 percent of the loss of confidential information comes from within. The security model must be layered, where internal assets are secured, partitioned, and monitored.

4. Use secure message digest. For security of credit card numbers, use the secure hashing algorithm (known as SHA-1) in order to make a unique surrogate value that can be referenced, but not used to charge against the account.

5. Use advanced encryption. When encrypting sensitive data like credit card numbers, use at least the Triple-DES algorithm with a 168-bit key.

6. Manage encryption keys. Use either a hardware device or secure key storage system to store encryption keys. Rotate the keys frequently and provide the physical control over who can access these keys.

7. Destroy data when no longer needed. Physically destroy disks or use a wipe algorithm to completely destroy sensitive data that is no longer needed. Where encrypted data no longer needs to be recovered, completely destroy the key.

8. Look for new developments. Criminal behavior and attacks on company data have become increasingly complex and deceptive because of new tools readily available to cybercriminals.

9. Subscribe to information services and react to new developments as they are reported.

10. Monitor compliance. Track compliance against security policy and report exceptions to senior executives of the company.

Beth Cox writes for ECommerce-Guide.com, an internet.com site.






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.