Integrated Media Marketing Sub topic Page 2  
  
Corporate Security Awareness Summary

Figure 4

Figure 5

Figure 6

Figure 7

(cont. from page 1)

There are many risks associated with electronic commerce, from hacking and viruses to fraud. In one case, Carlos Felipe Salgado Jr. was arrested at San Francisco Airport after he sold a diskette with personal data on more than 100,000 credit card accounts to undercover FBI agents. He used packet sniffers to intercept this information as it passed over the Internet.

Hacking is a serious threat to firms that connect to the Internet; however, the greatest threat to organizations is their own employees. 62% of companies that participated in the survey believed that malicious actions by employees were their major concern. Few companies were concerned about industrial espionage. However, with increasing dependence on computer systems, it is impossible for some companies to separate their technology from their business. An attack on a rival's network can prove very worthwhile to an industrial espionage hacker.

Most companies had implemented a wide range of hardware security measures to offer network protection and business continuity. However, few companies had implemented file encryption for stored information, public key cryptography, telecommunication encryption, and digital signatures/sender authentication. These technologies are essential for businesses that wish to conduct electronic commerce. Figure 4 shows the types of electronic applications implemented on the web by survey respondents. Figure 5 shows the security measures implemented in their corporate networks.

Only 55% of companies had a formal security policy, and nearly all of those policies were far from adequate. Very few companies educated all members of staff. It is essential that all members of staff are aware of company threats and company security policy. Employees are often the weakest link in companies because they inadvertently reveal or create company vulnerabilities. A simple, clear company security policy will make companies considerably more secure. No company should become complacent: your network will never be one hundred per cent secure, and continual risk assessment is required to stay one step ahead of would-be attackers.

Figure 6 shows that not enough firms conduct risk analysis on a regular basis. Only 12% regularly assess their software for security flaws. Security evaluation software should be used to find weaknesses in firewall configurations and networks. SATAN (Security Analysis Tool for Auditing Networks) is a good evaluation tool, and it can be found on the Internet as freeware. Automated risk analysis tools, which generate detailed questionnaires to survey users on security measures, can provide an efficient way of ascertaining more information regarding company threats and vulnerabilities.

Firewalls are an important network security tool; however, problems arise with configuration and IP address management. No matter what firewall you buy, a firewall is only as good as its configuration. To ensure effective firewall configuration, it is essential to carry out a risk assessment of company assets, threats, vulnerabilities, losses and safeguards. Firewalls will increasingly be bought for internal as well as external use, offering significant access control and monitoring services for corporate networks. Every medium to large sized organization should have a member of staff solely dedicated to information management and security (an IM manager). This manager will have to make decisions on what information should be freely shared and what should be protected. The majority of firms that took part in the survey had implemented intranets, which, if not properly designed and monitored, can create many problems regarding information integrity and confidentiality.

© 1998 Colin Germain, updated 2000 MediaGraphics