Online Security: What’s your approach?

In the rush to get online, many companies consider security as an afterthought. The hurry to develop an online presence causes them to overlook the obvious… they could be compromised. Many companies are willing to accept this. They consider themselves too “low profile” to be at risk. The reality is, you don’t have to be an e-Bay, Yahoo, or e-Trade to get attacked. Systems are compromised for several reasons. First, intruders need multiple points of access across the Internet that cannot be tracked. These systems are used as hops. An intruder will generally hop through many compromised systems before attacking their primary target. Another thing intruders want is bandwidth. Any system sitting on a high-bandwidth connection can be targeted to get access to their services. The conclusion here is that anyone can become a target. You simply don’t know how high your risk really is. Many homeowners have experienced this with the proliferation of high bandwidth connections to the home, in the form of cable or DSL access. So, how important is your security?

I consider myself very blessed. I have a beautiful home, my second actually. For both of these homes I was actively involved in the building process. I stopped by almost daily to check on progress and chat with the guys who were pounding all the nails. It’s amazing watching a home be built, and you quickly understand the priority of the men doing the construction-¦ Get it done quickly! One crew comes in to pour the foundation, then the floor joists get laid in, quickly followed by walls, ceiling, roof. You get the idea. The last thing they did was put locks on the doors. I guess since there was nothing inside yet, they weren’t concerned about security. Unfortunately, many companies take this approach to developing their online solution. Build it first, get it done quickly, and worry about the security later.

I had the opportunity recently to see a small bank being built near my home and I noticed something very interesting. Immediately after pouring the foundation they built the vault. In retrospect this makes perfect sense. The core of a banks business is money, so they built the bank with the security of their most critical asset in mind. This model should be applied to developing an e-commerce solution as well. First, build a solid foundation. In the world of InfoSec, this means you first develop your policies. After all, policies are the foundation of good security. The next step is to build the vault. In this case, that would translate to your data store. This is a bit more complex. You will probably have some form of database as the vault itself. The vault needs a door with a complex locking system to provide a secure method of access control. Most safes or vaults have ratings that indicate how difficult it will be to breach. This is usually measured in terms of time and methodology used to break in. How will is secure your vault? Do you have any idea how long it will take the average script-kiddy to penetrate your defenses? How long will it take a dedicated intruder? Do you actually have any defenses?

Now, like a bank, you need some way to monitor the security of this vault. You need some way to control and log access, and you need to know if any of these measures have been compromised. You need firewalls that are properly positioned and configured for the environment. You also need proper authentication and access controls to properly manage who gets access, and log all activities that take place. Finally you need some form of Intrusion Detection System (IDS) to monitor activities and generate alerts if your system has been compromised. Getting the idea?

This covers the security from a defensive point of view. In order to be properly prepared, you need to have procedures in place to outline the steps taken in case of a compromise, attack, or system failure. Simply put, you need Incident Response procedures, and a Business Continuity Plan to help insure your ability to continue functioning after some form of incident. Security by itself is weak if you don’t have a plan to react or recover.

Once all these security measures are in place, there is one more thing to consider. These measures are all fine, but they need to be revisited on a regular basis as part of a good Security Life Cycle. The basic Security Life Cycle is well defined by the British Standard BS7799 (I believe this has also been released as an ISO standard 17799, but haven’t been able to confirm this yet). This is a standards-based methodology called ADDME, which defines an ongoing cycle of continuous assessment and review. ADDME consists of five discrete steps:

Your security cannot remain static. New exploits and vulnerabilities are discovered, and new exploits are developed on a daily basis. What is secure today is vulnerable tomorrow, so design today, but plan for tomorrow.