Security: protecting customer information

By Judith Lamont

When a corporate or government Web site is defaced or experiences a denial of service, it’s embarrassing, but when customer data is stolen, it’s a disaster. In March, the FBI reported that organized hacker groups based in Eastern Europe were targetting U.S. e-commerce activities and had stolen a million credit card numbers.

Although such incidents have not prevented the growth of e-business, they discourage many potential users. In the past, security has often taken a back seat as companies rush to launch e-business applications. Now, a combination of public awareness, legislation and new product capabilities has moved security into the spotlight.

Historically, the primary goal of security was to build a high wall that kept the bad guys out. With today’s complex network of customers and supply chain partners, that goal has changed. A wide variety of users need access, but not necessarily the same level of access. Therefore, application security is receiving new attention. Network security is still a critical part of the picture, but it cannot achieve the granularity needed to discriminate between different types of users.

Also, while various security techniques protect data in transit, customer information is often “data at rest” in back-end databases that are vulnerable to attack. Ironically, conscientious practice of security presents its own set of problems. Security systems that monitor events, for example, produce an immense amount of data, which then has to be summarized and interpreted. Another challenge is to keep up with patches that repair vulnerabilities; some of the new security products help compensate for lapses in making such updates.

Know your customer

A first step in protection is to identify the user through an authentication method such as a password, digital certificate, token or biometrics. The identity is then verified, a process referred to as validation. ValiCert provides security for corporate transactions; its products are typically used in situations where dollar values are large or data is highly confidential. ValiCert Validation Authority validates digital certificates, protecting against “rogue certificates” or improper usage of online credentials.

Many of ValiCert’s customers are in the banking, finance and healthcare industries. In each case, the concern is similar: Can the company identify the person with whom it is dealing? Dion Lisle, director of industry marketing at ValiCert, points out, “Customers, trading partners and others need information, but the enterprise also must meet the U.S. regulatory requirement of ‘know your customer.’ ”

Once an individual’s identity is validated, the next step is to determine what access can be authorized. AssureAccess, a software product from Entegrity Solutions, offers a policy-based access management solution that enables an organization to control access by partners, customers, employees and others involved in the company.

“All companies have policies, whether they are written down or not,” says Justin Potts, director of product marketing at Entegrity. “What’s been missing is a way to apply that policy to e-business initiatives.” AssureAccess can modify the level of access within an application even by the same individual, depending on attributes such as the time of day and the individual’s location. It can use dynamic attributes such as the volume of a partner’s sales to affect access. AssureAccess also offers authentication and single sign-on, which provides access to multiple applications without requiring separate passwords for each one.

“Protecting customer data is a very hot topic among developers,” says Kim Getgen, product marketing manager for RSA Security . “They want to be able to hide certain information such as Social Security or credit card numbers--information that needs to be in the database but should not be readily accessible.” The company’s BSAFE allows developers to incorporate encryption into their applications. RSA also licenses a series of patented encryption algorithms. RSA’s SecurID authentication tool and RSA Keon, a public key infrastructure (PKI) product, give the company a full range of security tools.

Getgen observes that encryption has not been part of companies’ typical thinking about security. She advises companies that are using encyption to take a close look to ensure that it is being implemented correctly, particularly with respect to stored information. Properly employed, encryption can be used for data in storage without causing a degradation in performance. Each layer--the operating system, network and application--should have security built in so they work together to cover different vulnerabilities. Protection can be built into the network layer, for example, that cannot be in the application layer.

Instead of protecting against specific attacks, products are being developed that act against classes of attacks. “Over 50% of computer emergency response team (CERT) advisories deal with buffer overflow,” says Chad Harrington, a security expert at Entercept Security Technologies (entercept.com). Buffers are intended to store data when an application is being run, but if too much data is put in, it can end up in a part of memory that should contain programs. If it does, a malicious program is then in a location that causes the processor to execute the code.

Entercept recently obtained a patent for its technique for preventing buffer overflow exploits. By blocking the execution of any code that has come from an overflowed buffer, Entercept prevents any compromise of the computer and its data. Entercept can also prevent other types of attacks, both known and unknown, that are launched against the operating system, servers or applications. It protects applications by limiting their behavior to authorized activities, so that a hacker could not retrieve credit card data, for example.

Ubizen’s MultiSecure family of products includes DMZ/Shield, which is designed to protect Web servers at the application level. It sits between the Web server and browser, and checks requests from the browser to make sure there are not anomalies that would result in buffer overflow or inappropriate access to files.

“People used to see security as a way of preventing access,” says Doug Graham, director of partners and presales with Ubizen, “but now security is viewed as an enabler that lets companies do things they couldn’t do before.”

One of Ubizen’s customers is in the pharmaceutical supply chain infrastructure business. An important goal was to have a system that could accommodate a variety of customers ranging from large firms having a PKI to small firms with only basic Internet access. Requiring customers to purchase hardware devices was not a realistic option, so the company was seeking a software solution.

A complicating factor was that the negotiation process supported by that infrastructure requires digital signatures on contracts, but the database containing the contracts is located remotely from users. Most of the security firms contacted did not even understand the challenges posed by that issue, according to the company’s CTO. Ubizen did, and helped the company develop a solution that has been effective against typical Internet attacks such as the Code Red worm.

Still another approach to security is provided by Whale Communications. Its e-Gap product creates a physical disconnection between the front end and the server on the back end.

“Transactions are broken down when they come in so that the header information is stripped off and the data separated from it,” says Uri Lichtenfeld, senior engineering manager at Whale. Users remain on the outside and transactions are inspected on the inside. In that way a hacker does not have the ability to tamper with the filtering process. Because no intelligence is built into the transfer mechanism, it cannot be programmed by an intruder.

The system uses proactive logic, meaning that only legal URLs are being allowed, rather than filtering out only the known hazards. Code Red and many similar attacks are stopped by e-Gap right out of the box, according to the company. e-Gap provides a single location for authentication, authorization, encryption and application level monitoring. It also allows for the creation of a rule base that determines the portion of the data that any given user can see.

No software product can substitute for vigilance, however, particularly when such a large volume of data is flowing in. “You have to watch network events and take action,” asserts Maria Di Marco of netForensics. The company’s ActiveEnvoy technology powers a security information management (SIM) system that brings together security information from disparate point sources. The result is an integrated view of security from elements such as firewalls, VPNs and application level security.

Today’s security market has some parallels to network monitoring 10 years ago, Di Marco believes. At that point, tools were available to manage various aspects of the network, such as whether routers were functional, but none of them provided a way to see the network holistically until HP OpenView came along.

“In security, you are monitoring an enormous amount of data,” says Di Marco. “A typical busy firewall can generate a million records in a day. If a company has 10 to 20 firewalls and an intrusion detection system (IDS), it can be impossible to monitor and interpret all the data.”

Recently, netForensics received calls from happy customers who had used the product to catch two viruses before they spread—Code Red, a worm that attacks unpatched Microsoft IIS Web servers, causing denial of service, and SirCam, a virus that searches for files in the “My Documents” folder and attempts to send the files to address book recipients. The customers were alerted to abnormal activity through the netForensics console. That activity was spread across unrelated servers and security devices. Using netForensics’ correlation and scoring capability, rapid assessment and response was completed by in-house CERT teams, averting what could have been a very costly and embarassing cleanup. In addition, netForensics’ software is helping the companies to comply with new privacy regulations.

It’s important for enterprises to be realistic in their approach to security. “Most organizations want the advantages of wide open connectivity, but not the down side,” says Marcus Ranum, founder and CTO of NFR Security. NFR’s intrusion detection system monitors networks in real time for attacks, abnormal behavior, unauthorized access attempts and policy infringements. The system also aggregates information for analysis and reporting.

Ranum cautions against overloading critical Web servers. “If running some new whiz-bang application means punching a new hole in the firewall or making your Web server a target, rethink the plan. A lot of security problems result from bugs in Web servers,.” he says, reiterating the importance of downloading patches. Ranum is optimistic about the potential for success, maintainng that good security put into practice really does work.

Application Security is betting heavily on the application security market with its family of products to be released shortly. DbEncrypt, available now for evaluation, encrypts data at the row and column level; DbDetective assesses vulnerability, and DbRadar detects attacks on databases.

“Application Security is the only vendor with an IDS dedicated to discovering database attacks,” says Stephen Grey, manager of product marketing. “Others are working at network level and do not look at application-specific attacks.”

Grey notes that although traffic (data in transit) is encrypted, data residing in databases can usually be accessed through the network. “Disgruntled employees can walk away with confidential information and make it public,” says Grey, “much to the detriment of their employer.”

Even such basic information as how many databases a company has may not be known. By running DbDetective, a telco found that it had 1,600 databases, not just the 900 they were aware of. Each database is a potential point of vulnerability that could provide back doors into the operating system, network and other trusted systems.

Fortunately, recent developments in security technology now provide many new ways of protecting customer information. Although experts agree that a silver bullet has not materialized, the right combination of techniques can achieve a reliable level of protection. Government regulation aims at ensuring privacy

Government regulation is beginning to kick in with respect to online security. The Graham-Leach-Bliley Act (GLBA), passed in 1999, provided new flexibility for the financial services industry but also imposed requirements related to privacy and security. The new rules require companies to identify risks, develop a security plan and implement and test the plan. Because banks and other institutions must monitor the security of customer information both in transit and in storage, software tools that assist in those activities are receiving considerable attention.

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996 to facilitate the transfer and use of healthcare benefits, also has security implications. Processes must be developed for the secure electronic storage and transmission of patient information. As with GLBA, companies must have a means of monitoring the systems to detect any security breaches.

“The regulations are not very specific at this point,” says Chad Herrington of Entercept Security Technologies, “but over time they should evolve to a checklist much like EPA regulations that apply to factories.” The regulations are being phased in over several years, so it’s also important to be aware of the time frame within which each requirement needs to be applied.

Judith Lamont is a research analyst with Zentek Corp., e-mail jlamont@sprintmail.com.