Securing your e-business
by Tony Spinelli
This tip is excerpted from an online event that took place on Feb. 16. Tony Spinelli is Vice President of Online Services for eSecurityOnline.com.
Q: From your point of view, what is the number one barrier to enabling secure e-business?
A: A lack of security knowledge is the number one barrier to enabling secure e-businesss. New security threats pop up daily and budgets are limited. So you need to have a knowledge-based solution for the threats that are most important and need to be fixed first and those that aren't as critical. You need to subscribe to a knowledge-based authority of security information.
Q: What are the challenges facing e-commerce today, and what can a company do to protect its brand and secure its revenue stream?
A: The key challenges to secure e-commerce are keeping your systems free from vulnerabilities, taking a best practices approach to securely configuring your systems, and keeping your systems free from viruses.
Q: We currently have an Intranet that allows our corporate employees to enter a restricted area of our Web site for employee-only information. We want to make this data available to our other divisions. What security risks should we keep in mind when deploying this?
A: The best tenet to keep in mind when securing your Intranet solution for other divisions is how should I protect the data and what are the risks to this particular data. The data should always determine the security solution to be put in place not the solution itself (i.e. the Intranet). I would first determine the type of data to be displayed and classify it. Is the data public, business information, business confidential, or trade secrets? Once the data has been classified select security solutions on your Intranet that are appropriate to the classification. For example, multilayer firewall, multifactor authentication, ACL's, and encryption techniques should be used for information classified as trade secrets, but for information that is public you should use minimal security controls to be cost-effective.
Q: What are the major vulnerabilities that we should be most concerned about?
A: The vulnerabilities to be most concerned about are those that can compromise your systems and enable them to be used for malicious activities. To classify a vulnerability as Critical, High, Medium, or Low is how we at eSecurityOnline determine the seriousness of the threat. For example, we have over 3000 vulnerability fixes in our Online Vulnerability Service, but if we did not risk rank the vulnerabilities or tell you what vulnerabilities affected which systems the data would be of no use. We use a formula to determine which vulnerabilities are major. Our formula consists of three factors ranked 1 to 10. Those are Impact (40 percent of the score), Popularity (30 percent), Simplicity (30 percent). Impact deals with whether the vulnerability simply pings an IP (1) or can go directly to root and take over the system (10); Popularity means whether this a vulnerability that was discovered in our lab and is not in the wild, and therefore contained (1) or is one that everyone on the Internet knows (10); and Simplicity is the measure of whether the vulnerability is easy to exploit in a script (10) or whether it requires extensive programming (1). So to answer your question we make if very simple for you and your teams to boil the worst vulnerabilities to the top and remove the worst threats first. That's one of the key values of our vulnerability service.
Read the entire chat transcript.
Delivering Security and Privacy for E-Business
Author : Anup Ghosh
Publisher : John Wiley & Sons
ISBN/CODE : 0471384216
Cover Type : Soft Cover
Pages : 256
Published : Feb. 2001
This book examines the external threats to a company's system and explains how to react if your system and business goals diverge. It also presents a nuts-and-bolts guide to enhancing security and safeguarding gateways. Readers will find an extensive reference section for the many tools, standards, and watchdog agencies that aid in the security/privacy effort.