Confident your firewall is guarding your site? What you don't know may burn you.
By Michael P. Harden
E-commerce relies on the Internet for its very existence, yet few people realize how poorly matched the Internet and e-commerce really are. The Internet, built for the exchange of information, is designed to let people easily find and retrieve data from computers around the world. E-commerce, on the other hand, requires a high level of security. Bank account information, credit card numbers, business relationships, purchase orders, and a great deal of other proprietary information integral to e-commerce must be kept from unauthorized access. The openness of the Internet cannot satisfy the stringent security that e-commerce requires; in fact, the Internet is close to the antithesis of what an e-commerce platform ought to be. But since the Internet is what we have, we must learn to live with it, and within its obvious security limitations.
Organizations that want to keep their proprietary information from the prying eyes of intruders have to take steps to protect themselves from hackers and other Internet-based threats. Anyone who wants to stay in business cares about protecting customer and prospect lists, trade secrets, sales figures, credit card information, and new product strategies, and that concern leads them to install a firewall. Yet most people in the security industry know how easy it is to get past a firewall that was never configured, maintained, or tested properly.
Certainly a firewall is a good starting point for protecting valuable and confidential information, and in fact, a firewall is the fundamental building block of an Internet or network security program. It is typically the first line of defense in monitoring and disallowing suspicious network traffic.
False security
The problem is that we begin to believe our systems are safe from hackers and other intruders simply because a firewall is in place. I've lost count of how many times systems administrators have told me their computers are safe because they "have a firewall." What they fail to understand is that most firewalls can be breached with little effort. In fact, recent surveys show that more than 90% of organizations that experienced an unauthorized intrusion had a firewall in place. Obviously, something is wrong. Part of the explanation is simple: a firewall filters only the traffic it is told to filter, and an attack that arrives on a port the business must keep open, such as the web server's, passes through it by design.
Firewalls can do more harm than good when they create a false sense of security. We install them and then carry on as if our systems are safe, when in reality we may have security holes big enough to drive a truck through. We believe we have taken adequate steps to protect ourselves, only to find later, perhaps at great financial loss, just how wrong we were. Here is why most firewalls fail:
— Many firewalls have known vulnerabilities that hackers exploit: Hackers do their work by relying on these well-known weaknesses. The tools they use are built to identify such vulnerabilities quickly and to launch an attack geared at exploiting them.
— Firewalls are only as good as their implementation: "Out-of-the-box" firewalls are often installed by staff who are either untrained on the particular firewall or unfamiliar with its configuration process. When this occurs, the firewall is likely to be installed with numerous security holes that hackers can easily exploit.
— Firewall maintenance is often neglected: As business needs change, usually no one person is responsible for updating the configuration, installing the upgrades or fixes that plug holes, or cleaning out rules that are no longer needed.
— Configuring a firewall means making trade-offs: Access to systems and information can run from very open to highly restrictive. Depending on the business and security objectives of the organization, the firewall can be configured to make it extremely difficult for anyone to reach proprietary systems, but that also makes it difficult for customers and trusted partners. Conversely, opening the system for easier customer access can create numerous openings that hackers can exploit. Configuration becomes a balancing act as the organization adjusts its rules between easy customer access and tight restriction. Everyone wants a site that is easy to reach, but they also want a secure one.
— Few organizations ever test their firewalls: The first time a firewall is tested is usually when an unwanted intrusion actually occurs. Installing and maintaining a firewall without testing it is a huge mistake. If you installed a burglar alarm in your home, you would certainly test it before relying on it. Yet we often install firewalls and assume on faith alone that they will do their job. Then, when a breach occurs, we scratch our heads and wonder how it happened. After all, we "have a firewall."
Foolproof your firewalls
If firewalls aren't that effective on their own, what can we do to ensure that our systems are protected from hackers? Fortifying a firewall is easier than one might think. Here are six steps an organization can take with its existing firewalls to make its e-commerce applications safer from malicious hackers and other cybercriminals.
1. Firewalls should never be the single source of protection against unauthorized intrusions. A complete Internet/network security plan should be developed that takes into account various aspects of security. They include internal security, password guidelines, encryption, trade secret protection, and firewall configuration. A good security plan, coupled with a good firewall, is an effective deterrent to hacking.
2. Firewalls should always be backed up with other means of protection. Intrusion detection systems that can shut down or lock out an unidentified intruder are good supplemental tools, though any automatic blocking should be tuned so that it does not also lock out legitimate customers. The combination of a firewall and an intrusion detection system is a highly effective means of security.
3. Configuring the firewall should be a careful and deliberate process. The process should take into account the business objectives of the organization, particularly on balancing security needs against customer access. The organization must decide what level of risk it is willing to assume in order to provide adequate levels of customer service.
4. A firewall should never be installed “out-of-the-box” with its defaults in place. Hackers count on this to be successful, and it is the first weakness they look to exploit. Someone experienced with the specific firewall, or at least trained on it, should be responsible for installing, configuring, and implementing it.
5. A trusted employee should be designated to maintain the firewall. Vendors regularly issue upgrades or patches to plug security vulnerabilities. Many organizations fail to apply these fixes, and hackers know it. Install upgrades and fixes as soon as they are available, and always keep the firewall current.
6. Have your firewall tested! There is no other way to determine if your firewall will do its job. You do not want to find out that your firewall has holes in it after some hacker got into your proprietary systems and stole or destroyed your data. Test the system first so you know where the weaknesses are before the hackers do. Then plug the holes.
Hire an independent third-party to perform penetration testing or a vulnerability audit of your system. Don’t try to do this yourself. A third-party that specializes in penetration testing will be able to probe your firewalls for weaknesses that hackers could exploit. Professional security testers will do a much better job of identifying these weaknesses than you could on your own. Just as you would use an independent accountant to audit your financial statements, use an outside professional to audit your security.
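A first-pass review of the ruleset itself can be done before the independent test, not instead of it. The following is an added example, not code from the article or from CyberGuardian: it parses a Linux iptables-save ruleset and flags the two mistakes steps 3 and 4 warn about, a default-allow policy on the inbound chains and services accepted from any source. The iptables syntax is real; the list of management ports, the 192.0.2.0/24 admin network, and both sample rulesets are constructed for illustration.

```python
# Added example: audit an iptables-save ruleset for "installed with its
# defaults in place" mistakes. Assumes Linux iptables syntax; MGMT_PORTS
# and the sample rulesets below are constructed for illustration.
from dataclasses import dataclass

# Services that should never be reachable from an arbitrary Internet source
# on an e-commerce edge host. The choice of ports is an assumption.
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 445: "smb", 3306: "mysql"}

# iptables options that take a single value we care about
_SINGLE = {"-A": "chain", "-s": "src", "-i": "iface", "-j": "target"}


@dataclass(frozen=True)
class Finding:
    rule: str      # offending rule or policy line
    message: str


def _parse_rule(line):
    """Extract the options this audit cares about from an '-A CHAIN ...' line."""
    rule = {"text": line, "chain": None, "src": None, "iface": None,
            "target": None, "dport": None, "states": set()}
    tokens = line.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        if tok in _SINGLE:
            rule[_SINGLE[tok]] = nxt
        elif tok == "--dport":
            rule["dport"] = int(nxt) if nxt.isdigit() else nxt  # "80:90" stays a string
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(nxt.split(","))
    return rule


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save output."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue                      # comments, "*filter", COMMIT
        if line.startswith(":"):          # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(_parse_rule(line))
    return policies, rules


def _any_source(rule):
    return rule["src"] in (None, "0.0.0.0/0", "0/0")


def audit(text):
    """Flag default-allow inbound policies and ACCEPT rules open to the whole Internet."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain)
        if policy != "DROP":
            findings.append(Finding(f":{chain} {policy or '(missing)'}",
                f"{chain} default policy is not DROP: anything no rule mentions gets through"))
    for r in rules:
        if r["chain"] not in ("INPUT", "FORWARD") or r["target"] != "ACCEPT":
            continue
        if r["iface"] == "lo" or (r["states"] and r["states"] <= {"ESTABLISHED", "RELATED"}):
            continue  # loopback, and reply traffic for connections already permitted
        if r["dport"] is None and _any_source(r):
            findings.append(Finding(r["text"], "accepts every port from every source"))
        elif r["dport"] in MGMT_PORTS and _any_source(r):
            findings.append(Finding(r["text"],
                f"{MGMT_PORTS[r['dport']]}/{r['dport']} reachable from any source; add -s <admin network>"))
    return findings


# Constructed sample: the shape of a host set up in a hurry.
DEFAULT_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# Constructed sample: the same host after deliberate configuration.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULESET), ("hardened", HARDENED_RULESET)):
        found = audit(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.rule}\n    -> {f.message}")
```

Run against a live host with `iptables-save | python3 audit.py` after replacing the sample text with stdin. The default ruleset produces four findings (two permissive policies, SSH and MySQL open to the world); the hardened one produces none. A clean report here means only that the obvious holes are gone; it says nothing about vendor vulnerabilities or the services you deliberately exposed, which is what the outside tester is for.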
Contrary to popular myth, most hackers are not computer geniuses who can crack any system on earth. They are more typically opportunists with too much time on their hands. They tend to exploit known weaknesses in systems and look for obvious vulnerabilities. If they cannot breach a system after a number of tries, they will move on to easier prey.
So the more difficult you make it to penetrate your firewall, the better the odds that hackers will seek an opportunity elsewhere. And the best way to dissuade them is a properly configured, well-maintained, up-to-date firewall that has been tested and adjusted to eliminate the vulnerabilities the tests turned up.
Michael Harden is president of CyberGuardian Inc., Fairfax, Va.