Safety - the state of protection against possible damage, the ability to contain or parry dangerous influences, as well as to quickly compensate for the damage caused. Security means that the system maintains stability, stability and the possibility of self-development. One of the most popular topics for discussion is e-commerce security.
But until now, despite all the valuable opinions and statements, there is no practical, "earthly" guide to what is still the subject of e-commerce security. This article provides some points of view on this issue, and attempts to separate myths from reality. Let's try to answer some basic questions that are obvious to experts.
Systems can be made secure. Systems can only be protected from known threats, with the number of associated risks reduced to an acceptable level. Only you yourself can find the right balance between the desired level of risk reduction and the cost of the solution. Security in general is one of the aspects of risk management. And information security is a combination of common sense, business risk management and basic technical skills under the control of decent management, wise use of specialized products, capabilities and expertise, and the right development technologies. At the same time, a website is just a means of delivering information to a consumer.
Website security is a purely technical issue. Too often, security is more of a control over the development process, proper operating system configuration management, and generally consistent site management. The real security is under your direct control - what is acceptable in the development of internal systems may not be suitable for services that are fully shared. System problems affecting only a few trusted employees within an enterprise become apparent when moving to shared environments.
The media regularly report on all security weaknesses and risks. Often, the media only report on those problems that can attract everyone's attention and do not require special skills to understand the underlying problem. Such messages rarely reflect real threats to the business from a security point of view and often have nothing to do with security at all.
Credit card information on the Internet is not secure. In fact, credit card information is much less susceptible to theft when transmitted over the Internet than from a nearby store or restaurant. An unscrupulous business may be interested in the unauthorized use of such information, and how you work with it - via the Internet or not - is no longer so important. It is possible to increase the security of the actual transmitted information by using secure transmission channels and reliable sites. An essential ingredient in many e-commerce systems is the need for reliable consumer identification. The method of identification directly affects not only the degree of risk, but even the type of criminal prosecution.
Passwords identify people. Passwords provide only basic verification - that someone authorized to use a particular system is connecting. People tend not to hide their passwords too much from others - especially from close relatives and colleagues. More sophisticated authentication technology can be much more cost effective. The level of authentication used should reflect the risk of access to information by random persons, regardless of the consent of its actual owner.
Once configured and installed, a security solution remains reliable over time. Enterprises don't always install systems as expected, business changes, and so do threats. You need to make sure that the systems maintain security profiles and that your profile is continually reassessed for business and environmental development. Technology is equally important, but it should be seen as part of a broader spectrum of security controls. Firewalls are commonly referred to as the solution for protecting the content of e-commerce sites, but even these have their weak points.
Firewalls are impenetrable. By implementing a firewall, you can rest on your laurels in the assurance that attackers will never penetrate it. The problem is that they need to be configured so that some traffic still flows through them, and in both directions. You need to carefully consider what you are trying to protect. Preventing an attack on your site's home page is significantly different from preventing your web server from being used as a path to your server systems, and the firewall requirements are very different in both cases. Many systems require sophisticated multi-layered security to ensure that more sensitive data is only accessible to authorized users. E-mail is usually the key to any e-commerce site. However, it brings with it a number of security challenges that cannot be ignored, which fall into two main categories:
Protecting email content - it can be garbled or read.
Protecting your system from incoming email attacks.
If you intend to work with confidential or sensitive to the integrity of mail information, there are many products to protect it.
Viruses are no longer a problem. Viruses still pose a serious threat. The latest hobby of virus creators is the files attached to letters, which, when opened, execute a macro that performs actions unauthorized by the recipient. But other means of spreading viruses are also being developed - for example, through HTML web pages. Make sure your antivirus products are up to date. If they were designed to scan for viruses, they may be able to only detect viruses, not eliminate them.
A company that has a public key certificate from a respected Certification Authority (CA) is already trustworthy in its own right. The certificate simply implies something like: "At the time of the certificate request, I, the CA, have performed known actions to verify the identity of this company. You may or may not be satisfied. I am not familiar with this company and do not know if you can trust it, and even - what exactly is her business.Until I am informed that the public key has been discredited, I don’t even know that it, for example, is stolen or transferred to someone else, and it’s up to you to check, not is canceled. My liability is limited to the provisions of the Policy Statement, which you should read before using the keys associated with this company. "
Digital signatures are the electronic equivalent of handwritten signatures. There are some similarities, but there are many very significant differences, so it is unreasonable to consider these two types of signatures equal. Their reliability also depends on how strictly it is established that the private key is actually in individual use. The key differences are also that:
- Handwritten signatures are entirely under the control of the signer, while digital signatures are created using a computer and software that may or may not work in a way that can be trusted to perform.
- Handwritten signatures, unlike digital ones, have an original that can be copied.
- Handwritten signatures are not too closely related to what is signed with them, the content of signed papers can be changed after signing. Digital signatures are intricately linked to the specific content of the data they signed.
- The ability to perform a handwritten signature cannot be the subject of theft, unlike a private key.
- Handwritten signatures can be copied with varying degrees of similarity, while copies of digital signatures can be created only by using stolen keys and have 100% identity of the signature of the real owner of the key.
- Some authentication protocols require you to digitally sign data on your behalf, and you never know what was signed. You can be forced to digitally sign just about anything.
Security products can be rated according to their functionality, just like business suites. They also require an assessment of the security of their implementation and those threats from which they cannot protect (which may not be documented). In general, business applications are selected based on their functionality and ease of use. It is often taken for granted that the functions are performed as expected (for example, the tax computation package calculates taxes correctly). But this is not fair for security products. The biggest question here is how the protection functions are implemented. For example, a package might offer powerful password authentication for users, but still store passwords in a plain text file that almost anyone can read. And that would be far from obvious and could create a false sense of security.
Security products are easy to install. Most products are shipped with default settings. However, organizations have different security policies and configurations of all systems and workstations rarely match. In practice, the installation should be tailored to the organization's security policy and each of the specific platform configurations. Validating maintenance mechanisms for rapidly growing numbers of users and other attributes of creating a secure environment for hundreds of existing users can be a complex and time-consuming process.
PKI products protect e-commerce out of the box. PKI products provide a basic toolkit to help implement security solutions, but only as part of the entire package, which also includes legal, procedural, and other technical elements. In practice, this is often much more difficult and expensive than installing a basic PKI.
Security consultants deserve absolute trust. Remember that security consultants will have access to all of your most sensitive processes and data. If the consultants hired do not work for a reputable firm, it is necessary to obtain information from a disinterested source about their competence and experience - for example, talk to their previous customers. There are many consultants who claim to be information security professionals, but in fact have little or no idea what it is. They can even create a false sense of security by convincing you that your systems are more secure than they really are.
So before flipping through the most up-to-date safety brochures, sort out the essentials:
- Carefully calculate the types of risks that threaten your ecommerce business and how much they would cost you, and do not spend more on protection than this estimated cost of risk.
- Strike a balance between procedural and technical security controls.
- Develop a complete project in which security would be one of the fundamental components, and would not be introduced post facto, after some thought.
- Select security products appropriate for this project.