Yahoo Stores features ‘automatic’ PCI compliance for secure payments, among other options.
E-commerce relies on the Internet for its very being, yet few people realize how incompatible the Internet and e-commerce really are. The Internet, which was built for the exchange of information, is designed to allow people to easily find and retrieve information from computers around the world. E-commerce, on the other hand, requires a high level of security. Bank account information, credit card numbers, business relationships, purchase order information, and quite a bit of other proprietary information integral to e-commerce must be kept secure from unauthorized access. The stringent security required in e-commerce cannot be satisfied by the openness of the Internet. In fact, the Internet is actually the antithesis of what an e-commerce platform ought to be. But since the Internet is all that we have, we must learn to live with it, and within its obvious security limitations.
Organizations that seek to protect their proprietary information from the prying eyes of intruders have to take steps to protect themselves from hackers and other Internet-based security threats. Anyone who wants to stay in business is very concerned about protecting their customer and prospect lists, trade secrets, sales figures, credit card information, and new product strategies. Their desire to secure their proprietary systems prompts them to install a firewall. Yet most experts in the security industry know how easy it is to breach a firewall.
Certainly a firewall is a good starting point for protecting valuable and confidential information, and in fact, a firewall is the fundamental building block of an Internet or network security program. It is typically the first line of defense in monitoring and disallowing suspicious network traffic.
The problem is that we begin to believe that our systems are safe from hackers and other intruders simply because we have a firewall in place. I’ve lost count of how many times I have been told by systems administrators that their computers are safe because they “have a firewall.” What they fail to understand is that most firewalls can be easily breached by hackers. In fact, recent surveys show that more than 90% of organizations that experienced an unauthorized intrusion had a firewall in place. Obviously, something is wrong.
Firewalls can do more harm than good when they create a false sense of security. We install them and then carry on as if our systems are safe, when in reality we may have security holes big enough to drive a truck through. We believe we have taken adequate steps to protect ourselves, only to find later, perhaps at great financial loss, just how wrong we really were. Here is why most firewalls fail:
- Many firewalls have known vulnerabilities that hackers exploit: Hackers do their nefarious work by relying on these obvious system vulnerabilities. The tools hackers use are built upon the capability to identify these vulnerabilities quickly and to launch an attack geared at exploiting these weaknesses.
- Firewalls are only as good as their implementation: “Out-of-the-box” firewalls are often installed by staff that is either untrained on the particular firewall, or unfamiliar with the configuration process. When this occurs, a firewall is likely to be installed with numerous security holes that hackers can easily exploit.
- Firewall maintenance is often neglected: Generally, as business needs change, no one person is responsible for updating the configuration, installing upgrades or fixes that will plug holes, or overall clean-up.
- Conflicting decisions are a part of configuring a firewall: Access to systems and information can run from very open to highly restrictive. Depending on the business and security objectives of the organization, the firewall can be configured to make it extremely difficult for anyone to gain access to proprietary systems, but this can also make it difficult for customers or trusted sources to gain access as well. Conversely, opening the system to allow for easier customer access might create numerous openings that hackers can exploit. The configuration process becomes a balancing act as the organization tries to adjust its security parameters between easy customer access and restricted security. Everyone wants a fast site, but they also want a secure one.
- Few organizations ever test their firewalls: The first time a firewall is usually tested is when an unwanted intrusion actually occurs. Installing and maintaining a firewall without having it tested is a huge mistake. If you installed a burglar alarm in your home, you would certainly test it to make sure it works before you rely on it. Yet we often install firewalls, and assume that they will do their job on faith alone. Then, when a breach of security occurs, we scratch our heads and wonder how it happened. After all, we “have a firewall.”
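Two of the failure modes above, careless implementation and a ruleset that is never tested, can be caught before an intruder finds them by auditing the rules on paper. The following script is an added example, not code from the original article or from any firewall vendor: it parses a constructed, simplified subset of iptables-save syntax (only `-A`, `-s`, `-i`, `-p`, `--dport`, `--state` and `-j` are recognized, which is an assumption of this example) and reports the classic mistakes: a default ACCEPT policy on INPUT or FORWARD, a catch-all ACCEPT rule, and management or database ports open to the whole Internet. The list of "sensitive" ports is likewise an assumption chosen to match a typical e-commerce host.

```python
"""Audit a simplified firewall ruleset for common misconfigurations.

Added example; the rule syntax handled here is a constructed subset of
iptables-save output, not a complete parser.
"""
import ipaddress
import re
import shlex

# Assumption: services that should never be reachable from 0.0.0.0/0 on a
# public e-commerce host.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 1433: "mssql", 3306: "mysql",
                   3389: "rdp", 5432: "postgres"}

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)")


def parse_ruleset(text):
    """Return (chain default policies, list of rule dicts)."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        tokens = shlex.split(line)
        rule = {"chain": None, "src": "0.0.0.0/0", "iface": None,
                "proto": None, "dport": None, "state": None, "target": None}
        flags = {"-A": "chain", "-s": "src", "-i": "iface", "-p": "proto",
                 "--dport": "dport", "--state": "state", "-j": "target"}
        i = 0
        while i < len(tokens):
            key = flags.get(tokens[i])
            if key and i + 1 < len(tokens):
                rule[key] = int(tokens[i + 1]) if key == "dport" else tokens[i + 1]
                i += 2
            else:
                i += 1  # ignore options this simplified parser does not model
        if rule["chain"]:
            rules.append(rule)
    return policies, rules


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: default policy is ACCEPT, should be DROP")
    for n, r in enumerate(rules, 1):
        if r["target"] != "ACCEPT":
            continue
        world = ipaddress.ip_network(r["src"], strict=False).prefixlen == 0
        # Loopback and stateful-return rules legitimately match "everything".
        unrestricted = r["dport"] is None and r["proto"] is None \
            and r["iface"] != "lo" and r["state"] is None
        if world and unrestricted:
            findings.append(f"rule {n}: accepts all traffic from anywhere")
        elif world and r["dport"] in SENSITIVE_PORTS:
            name = SENSITIVE_PORTS[r["dport"]]
            findings.append(f"rule {n}: {name} (port {r['dport']}) open to the Internet")
    return findings


# Constructed sample: an "out-of-the-box" ruleset as described in the text.
WEAK_RULESET = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 3306 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# The same host after a deliberate configuration pass (203.0.113.0/24 is a
# documentation range standing in for the admin network).
HARDENED_RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 3306 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for label, rs in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, audit(rs) or ["no findings"])
```

Running the audit over the weak ruleset reports three findings (the ACCEPT policy, SSH open to the world, and the trailing catch-all); the hardened ruleset reports none. A check like this belongs in the change process for the firewall, so the "balancing act" between customer access and restriction is made as an explicit, reviewable decision rather than discovered after an intrusion.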
Foolproof your firewalls
If firewalls aren’t that effective, what can we do to ensure that our systems are protected from hackers? Fortifying a firewall is actually easier than one might think. Here are six steps an organization can take with its existing firewalls to make its e-commerce applications safe from malicious hackers and other cybercriminals.
1. Firewalls should never be the single source of protection against unauthorized intrusions. A complete Internet/network security plan should be developed that takes into account various aspects of security. They include internal security, password guidelines, encryption, trade secret protection, and firewall configuration. A good security plan, coupled with a good firewall, is an effective deterrent to hacking.
2. Firewalls should always be backed-up with other means of protection. Intrusion detection systems that can shut down or lock out an unidentified intruder are good supplemental tools for protection. The combination of a firewall and an intrusion detection system is a highly effective means of security.
3. Configuring the firewall should be a careful and deliberate process. The process should take into account the business objectives of the organization, particularly on balancing security needs against customer access. The organization must decide what level of risk it is willing to assume in order to provide adequate levels of customer service.