You’re astounded by
the convenience, speed and sleek modernity of the Internet and the World
Wide Web. Suddenly you can connect to customers and suppliers all over the
world. No more heavy expenses manning call centers. No more spending a
fortune on postage and shipping costs for brochures or marketing materials.
Why wait for a check to clear when you can take somebody’s credit-card
information through your Web server? As wonderful as all the bright promise
of the Internet might be, there’s an equally troubling dark side: diminished
security.
Security for the Web Server
One of the best ways to keep external hackers out of your internal network is firewall technology. Firewall solutions exist in a number of different forms, including packet filters, which look at each “packet” of data entering or leaving a network and allow it to pass only if it meets certain specified rules, and gateways, which limit who gets to specific parts of your internal network depending on their identity.
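The packet-filter idea described above, as an added illustration that is not code from any vendor mentioned in the article: an ordered rule list is checked against each packet, the first match decides, and anything matching no rule is dropped. The addresses, the internal prefix 10.0.0.0/8 and the web server at 10.0.0.80 are constructed placeholders.

```python
"""Toy stateless packet filter (added example; not from any product named in the article).

Each rule matches on direction, protocol, source/destination address prefixes and
destination port. Rules are checked in order and the first match decides. Traffic
that matches no rule is dropped (default deny), the conservative setting.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (entering the network) or "out" (leaving it)
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str
    proto: Optional[str] = None  # None matches any protocol
    src: str = "0.0.0.0/0"       # CIDR prefix; /0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy for an organisation whose internal network is 10.0.0.0/8
# and whose public web server is 10.0.0.80 (placeholder addresses).
RULES = [
    # Inbound traffic claiming an internal source address is spoofed: drop it first.
    Rule("deny", "in", src="10.0.0.0/8"),
    # The outside world may reach the web server on HTTP and HTTPS only.
    Rule("allow", "in", proto="tcp", dst="10.0.0.80/32", dport=80),
    Rule("allow", "in", proto="tcp", dst="10.0.0.80/32", dport=443),
    # Internal hosts may initiate connections outward.
    Rule("allow", "out", src="10.0.0.0/8"),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet: first matching rule wins, else deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.5", "10.0.0.80", 443),    # customer browsing the site
        Packet("in", "tcp", "203.0.113.5", "10.0.0.80", 23),     # telnet to the web server
        Packet("in", "tcp", "10.0.0.7", "10.0.0.80", 80),        # spoofed internal source
        Packet("in", "tcp", "203.0.113.5", "10.0.0.15", 80),     # internal host never published
        Packet("out", "tcp", "10.0.0.15", "198.51.100.9", 443),  # staff browsing outward
    ]
    for s in samples:
        print(f"{s.direction:>3} {s.proto} {s.src}->{s.dst}:{s.dport}  {filter_packet(s)}")
```

Rule order matters: the anti-spoofing deny sits first so that a forged internal source address can never satisfy the later allow rules, and the trailing default deny means a service that was never explicitly published (the host at 10.0.0.15 here) is unreachable from outside even though no rule names it.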
The greatest source
for security software updates and patches is probably the CERT Coordination Center.
Based at Carnegie Mellon University, CERT
developed out of the computer emergency-response team created by the U.S.
Department of Defense. CERT has made Internet security
its mission from
the time of its creation in 1988 — the dawn of time in Internet terms.
“Vendors have become much more responsive about getting security patches out and making them available,” says CERT’s daily operations manager, Kathy Fithen. “They’re working harder at trying to meet the demands and the needs of the security issues for their customers.” If there’s a problem, CERT will likely be the first to identify it. If there’s a fix, CERT will tell you where and how to find it. Most recently, Fithen says, CGI (Common Gateway Interface) scripts have been a soft spot. CGI is an Internet standard that allows Web servers to run external applications such as search engines. Using “sniffer” software, hackers can distract a server, then monitor its traffic and automatically capture and store user-name and password pairs. Once they have that information, of course, nothing on your system is safe. The best means of protection is to set up the system right in the first place and keep on top of new problems by getting on an e-mail list to receive security bulletins. Also, hiring a security consultant to put a system through its paces before it’s unveiled to the public will help you find leaks before hackers do.
Protecting Information in Transit
Protecting information in transit is
perhaps more crucial than protecting it when it’s residing on a server. The
same sniffer software that snags user names and passwords can be programmed
to log and store credit-card numbers. The answer to such invasions is
encryption technology — scrambling data into code that both the sender and
the receiver need a key to access.
Secure Electronic
Transaction (SET) protocol, for example, is one of the most important
developments in cyber payment schemes. SET is the mechanism by which
credit-card information may be securely transferred over the Internet.
Developed by a consortium of IT companies and financial institutions, SET
technology uses digital signatures and encryption technology to transmit
credit-card information in a tamper-proof package.
U.S. law currently forbids the export of so-called strong encryption — codes larger than 40 bits. European software developers such as Ireland’s Baltimore Technologies and Germany’s Siemens Nixdorf Information Systems (SNI) are racing to make a profit on this technology vacuum.
SNI’s TrustedWeb, for example, is designed to protect information shuttled around an organization’s internal network. “Now that companies can keep hackers out by firewalls, what happens if the thief is inside?” queries Robert Gogel, executive vice president at Siemens. TrustedWeb, incorporating 128-bit encryption technology, uses a “role-based” filtering mechanism. What this means is that once you sign on to the network, TrustedWeb allows you access only to the documents or sites that your assigned role has been set up to reach. Further, adds Gogel, TrustedWeb can be used for extranet systems — that is, Internet connections among the intranets of trading partners. Once you allow a trading partner to cross your firewall, TrustedWeb can give it access only to particular databases, depending on its identity.
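The role-based filtering just described, as an added example in Python that is not TrustedWeb’s code and makes no claim about how that product is implemented: each signed-on identity carries a set of roles, each role is granted specific resources, and every request is answered by that mapping alone. The principals (alice, bob, the trading partner acme-corp), roles and resource names are constructed for the demonstration, and authentication at sign-on is assumed to have already happened.

```python
"""Toy role-based access filter (added example; not TrustedWeb's code).

A principal is identified at sign-on; the filter then answers every request for a
document, site or database by checking the roles held by that principal. Anything
not explicitly granted is refused, including for a trading partner that has been let
through the firewall as an extranet connection.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Policy:
    # role -> set of (resource, operation) pairs granted to that role
    grants: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    # principal -> roles held after sign-on
    roles: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, resource: str, op: str) -> None:
        self.grants.setdefault(role, set()).add((resource, op))

    def assign(self, principal: str, role: str) -> None:
        self.roles.setdefault(principal, set()).add(role)

    def allowed(self, principal: str, resource: str, op: str) -> bool:
        """True only if some role held by the principal was granted (resource, op)."""
        for role in self.roles.get(principal, ()):
            if (resource, op) in self.grants.get(role, ()):
                return True
        return False  # unknown principal, unknown role or ungranted resource: refuse


class Session:
    """A signed-on principal. Authentication is assumed to have happened already."""

    def __init__(self, policy: Policy, principal: str):
        self.policy = policy
        self.principal = principal

    def request(self, resource: str, op: str) -> str:
        return "granted" if self.policy.allowed(self.principal, resource, op) else "refused"


def build_demo_policy() -> Policy:
    """Constructed policy: internal staff, a finance role, and one extranet partner."""
    p = Policy()
    p.grant("staff", "intranet:phonebook", "read")
    p.grant("staff", "intranet:news", "read")
    p.grant("finance", "db:ledger", "read")
    p.grant("finance", "db:ledger", "write")
    # Extranet trading partner: may query the order database and nothing else.
    p.grant("partner-orders", "db:orders", "read")
    p.assign("alice", "staff")
    p.assign("alice", "finance")
    p.assign("bob", "staff")
    p.assign("acme-corp", "partner-orders")
    return p


def demo() -> Dict[Tuple[str, str, str], str]:
    """Run a set of constructed requests through the filter and return the decisions."""
    policy = build_demo_policy()
    requests = [
        ("alice", "db:ledger", "write"),          # finance role holder updating the ledger
        ("bob", "db:ledger", "read"),             # staff without the finance role
        ("bob", "intranet:news", "read"),         # ordinary intranet document
        ("acme-corp", "db:orders", "read"),       # partner querying the one database it was given
        ("acme-corp", "db:ledger", "read"),       # partner reaching for something else
        ("acme-corp", "intranet:phonebook", "read"),
        ("mallory", "intranet:news", "read"),     # identity never assigned any role
    ]
    return {r: Session(policy, r[0]).request(r[1], r[2]) for r in requests}


if __name__ == "__main__":
    for (who, resource, op), decision in demo().items():
        print(f"{who:10} {op:5} {resource:20} -> {decision}")
```

The point of the extranet case is visible in the last rows: letting acme-corp through the firewall does not by itself expose anything, because the filter only ever grants what the partner’s role lists, and an identity with no role at all (mallory) gets the same refusal as an internal user asking for a database outside their role.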
“Ultimately,” says cryptographer Kevin McCurley, “criminals have found uses for every other technological advance — the car and the telephone, for example. They’re finding a use for the Internet too.” The increasing number of Internet commercial transactions is at stake. Fortunately, the solutions to such digital shenanigans are multiplying and increasing in sophistication.