Security is the state of being protected against possible damage, the ability to contain or parry dangerous effects, and the ability to quickly compensate for damage done. Security means maintaining a system's stability, sustainability and self-development. One of the most popular topics for discussion is the security of e-commerce.
Yet so far, for all the valuable opinions and statements, little practical, down-to-earth guidance on e-commerce security has emerged. This article presents some points of view on the question and attempts to separate the myths from reality. Let us try to answer some basic questions whose answers are obvious to specialists.
Systems can be made secure.
Systems can only be protected against known threats, reducing the risks associated with them to an acceptable level. Only you can determine the right balance between the desired degree of risk reduction and the cost of the solution. Security in general is one aspect of risk management, and information security is a combination of common sense, business risk management and basic technical skills, guided by competent management, the wise use of specialised products, capabilities and expertise, and the right development technologies. A web site, after all, is just a means of delivering information to a consumer.
Site security is a purely technical issue.
More often than not, security depends on proper control of the development process, proper management of the operating system configuration and consistent overall management of the site. Real security is under your direct control: what is acceptable when developing internal systems may not be suitable for services that are fully shared. Problems in systems that affect only a few trusted employees inside the enterprise become apparent when moving to shared environments.
The media regularly report on all weaknesses and risks in the field of security.
The media usually report only problems that attract general attention and require no special skills to understand. Such reports rarely reflect the real security threats to a business and are often not related to security at all.
Credit card information on the Internet is not protected.
In fact, credit card information is much less likely to be stolen in transit over the Internet than at a nearby store or restaurant. Unauthorized use of such information is of interest to dishonest businesses, and whether you handle it over the Internet or not is of little importance. Increase the security of the information that is actually transmitted by using secure transmission channels and reliable sites. An essential component of many e-commerce systems is the reliable identification of consumers. The method of identification directly affects not only the degree of risk, but even the type of criminal prosecution available.
Passwords identify people.
Passwords provide only basic verification: that someone has logged in to use a particular system. People tend not to hide their passwords from others, especially from close relatives and colleagues. A more sophisticated authentication technology can be much more cost-effective. The level of authentication used must reflect the risk of access to the information by unintended persons, regardless of whether its actual owner consented.
Once configured and installed, a security solution remains reliable over time.
Enterprises do not always install systems as they should, and the business changes, as do the threats. You need to make sure that systems maintain their security profiles and that your profile is constantly re-evaluated in terms of the business and its environment. Technology is equally important, but it should be considered an integral part of a wider range of security controls. Firewalls are typically named as the solution for protecting the content of e-commerce sites, but even they have their weak spots.
Firewalls are impenetrable.
Having implemented a firewall, you may rest on your laurels in the belief that intruders will never get through it. The problem is that firewalls must be configured so that some traffic flows through them, in both directions. You need to think carefully about what you are trying to protect. Preventing an attack on the main page of your site differs significantly from preventing the use of your web server as a path into your back-end systems, and the firewall requirements in the two cases are very different. Many systems require complex multi-layered protection so that only authorized users can reach the more sensitive data. E-mail, as a rule, plays a key role in any e-commerce site. Nevertheless, it brings with it a number of security problems that cannot be ignored. These problems fall into two main categories:
– protecting e-mail content, which can be read or altered;
– protecting your system from attacks arriving via incoming e-mail.
If you intend to work with confidential or sensitive information, there are many products to protect it.
Viruses are no longer a problem.
Viruses are still a serious danger. The latest fashion among virus writers is files attached to e-mail messages which, when the macro they contain is executed, perform actions the recipient did not authorise. Other means of virus propagation are also being developed, for example through HTML web pages. You need to make sure that your antivirus products remain up to date. If they were designed only to search for viruses, it may turn out that they can detect viruses but not remove them.
A company that holds a public key certificate from a reputable Certification Authority (CA) is itself already trustworthy.
The certificate simply means something like: “At the time of the certificate request, I, the CA, took certain steps to verify the identity of this company. That may or may not satisfy you. I am not familiar with this company and do not know whether it can be trusted, or even what exactly its business is. Unless they tell me that the public key has been compromised, I will not even learn that it has, for example, been stolen or passed to someone else, so that check is up to you. I am bound only by the provisions of the document describing my policy (the Policy Statement), which you should read before using the keys associated with this company.”
Digital signatures are the electronic equivalent of handwritten ones.
There is some similarity, but there are a number of very significant differences, so it is unreasonable to consider the two types of signature equivalent. The reliability of digital signatures also depends on how strictly it is established that the private key is really in the sole use of its owner. The key differences are:
– Handwritten signatures are completely under the control of the signer, while digital ones are created by a computer and software that may or may not work in a way whose actions can be trusted.
– Handwritten signatures, unlike digital ones, have an original from which copies are made.
– Handwritten signatures are not closely tied to what they sign: the contents of signed papers can be changed after signing. Digital signatures are inseparably tied to the specific content of the data they sign.
– The ability to produce a handwritten signature cannot be stolen, unlike a private key.
– Handwritten signatures can be copied with varying degrees of similarity, whereas copies of digital signatures can be created only using stolen keys, and then they are 100% identical to the signature of the real key owner.
– Some authentication protocols require data to be signed with a digital signature on your behalf, and you will never know what was signed. You could be made to digitally sign almost anything.
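Two of the differences listed above (a digital signature is bound to the exact content it signs, and a copy of the private key yields signatures identical to the owner's) can be observed directly. The following Go program is an added example, not part of the original article; it uses the standard library's Ed25519 implementation and a constructed sample order.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DemoResults records the outcome of each property checked by RunDemo.
type DemoResults struct {
	Original        bool // unchanged content, owner's key: verifies
	OneByteChanged  bool // content altered after signing: fails
	SigMovedToOther bool // owner's signature attached to another document: fails
	CopiedKeySigns  bool // a copy of the private key signs acceptably: verifies
	CopyIdentical   bool // the copy's signature is byte-for-byte the owner's: true
}

// RunDemo signs a constructed sample order with Ed25519 and checks how the
// signature behaves when the content, the document or the key holder changes.
func RunDemo() (DemoResults, error) {
	var r DemoResults
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	order := []byte("Pay 100.00 EUR to account 42") // constructed sample document
	sig := ed25519.Sign(priv, order)
	r.Original = ed25519.Verify(pub, order, sig)
	// Change a single byte of the amount after signing.
	tampered := bytes.Replace(order, []byte("100"), []byte("900"), 1)
	r.OneByteChanged = ed25519.Verify(pub, tampered, sig)
	// Try to reuse the same signature on a different document.
	other := []byte("Pay 100.00 EUR to account 99")
	r.SigMovedToOther = ed25519.Verify(pub, other, sig)
	// A copied private key is indistinguishable from the original: its
	// signatures verify and, Ed25519 being deterministic, match exactly.
	copyPriv := ed25519.NewKeyFromSeed(priv.Seed())
	copySig := ed25519.Sign(copyPriv, order)
	r.CopiedKeySigns = ed25519.Verify(pub, order, copySig)
	r.CopyIdentical = bytes.Equal(copySig, sig)
	return r, nil
}

func main() {
	r, err := RunDemo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```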
Security products can be evaluated by their functionality, like business packages.
They also require an assessment of how securely they are implemented and of the threats they cannot protect against (which may or may not be documented). In general, business applications are selected on the basis of their functionality and ease of use. It is often taken for granted that functions are performed as intended (for example, that a tax calculation package calculates taxes correctly). But this does not hold for products that provide security. The biggest question here is how the protection functions are implemented. For example, a package can offer strong password authentication of users but at the same time store the passwords in a plain text file that almost anyone can read. That would not be obvious at all and could create a false sense of security.
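The plain-text password store described above can be put beside the form an evaluator should expect to find. The following Go code is an added illustration, not the article's own; the file contents are constructed samples and the SHA-256 stretching loop is an assumed stand-in for a proper password KDF.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// Weak design from the text: a readable file of user:password lines (constructed
// sample). Anyone who can read the file holds every password.
const plainStore = "alice:Winter2024!\nbob:hunter2\n"

// CheckPlain authenticates straight against the readable file.
func CheckPlain(user, password string) bool { return strings.Contains(plainStore, user+":"+password+"\n") }

// Hardened form: keep only a random per-user salt and a stretched hash. The SHA-256
// loop stands in for a real password KDF (argon2, scrypt, bcrypt) to stay stdlib-only.
const iterations = 100000
type Record struct{ Salt, Hash []byte }
func stretch(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// NewRecord derives the stored form of a password under a fresh 16-byte salt.
func NewRecord(password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Hash: stretch(salt, password)}, nil
}

// Check verifies a candidate password in constant time.
func (r Record) Check(password string) bool {
	return subtle.ConstantTimeCompare(r.Hash, stretch(r.Salt, password)) == 1
}

// String is what actually lands on disk: hex salt, '$', hex hash.
func (r Record) String() string {
	return hex.EncodeToString(r.Salt) + "$" + hex.EncodeToString(r.Hash)
}

// Reveals is the evaluator's test: does the stored form expose the password?
func Reveals(stored, password string) bool { return strings.Contains(stored, password) }
```

Running Reveals over each store shows the difference the text warns about: the plain file contains the password verbatim, the salted record does not.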
Security products are easy to install.
Most products come with default settings. However, organizations have different security policies, and the configurations of their systems and workstations rarely match one another. In practice, the installation must be tailored to the organization's security policy and to each specific platform configuration. Checking the mechanisms for maintaining a rapidly growing number of users, and the other elements of creating a secure environment for hundreds of existing users, can be a very complex and time-consuming process.
PKI products protect e-commerce without additional configuration.
PKI products are a basic tool that helps implement security solutions, but only as part of a whole package that also includes legal, procedural and other technical elements. In practice, this is often much more complicated and expensive than installing the basic PKI.
Security consultants are absolutely trustworthy.
Remember that security consultants will have access to all of your most sensitive processes and data. If the consultants you invite do not work for a reputable firm, you need to obtain information about their competence and experience from a disinterested source, for example by talking to their former customers. Many consultants claim to be professionals in information security but in fact have virtually no idea what it is. They can even create a false sense of security by convincing you that your systems are better protected than they really are.
So before you leaf through the latest security brochures, set out the main points:
– Carefully assess the types of risk that threaten your e-commerce business and what they would cost you, and do not spend more on protection than the expected cost of the risk.
– Keep a balance between procedural and technical security controls.
– Design the project as a whole, with security as one of its fundamental components rather than an afterthought.
– Select the security products that fit this design.