Security & eCommerce in 2003

Many businesses were given a sharp wake-up call in January with the arrival of the most devastating computer ‘worm’ attack for eighteen months, in the shape of ‘SQL-Slammer’, which in the space of twenty-four hours made international news and forced the shutdown of over 200,000 Windows servers. Included among its many high-profile victims was the Bank of America, which had 13,000 of its ATM machines temporarily put out of action.

Regular attacks such as this illustrate only too clearly that the requirement for reliable security architecture in the virtual world of the Internet is as real as that demanded in the physical world. If there is a fundamental difference between them, it is that the latter works well and is built on a solid foundation of steel, concrete and paper, while the former relies on compromise: a clumsy mix of standards and interoperable software which offers security much of the time but not all of the time.

In November of last year, I made a speech at an event inside Westminster which marked the launch of the Quizid card, a two-factor authentication device promoted as a possible solution to the government’s digital identity challenge. At the time, I remarked that the continued absence of a universally recognized and accepted ‘architecture of trust’ threatens the credibility of the eGovernment agenda and, with it, any hope of building the knowledge economy that the Prime Minister has mandated. To quote Richard Barrington from the Office of the e-Envoy, “The digital certificates market has so far failed to deliver robust certification that meets government needs”. This issue of a missing, universal digital identity mechanism, and with it the much broader and more complex problem of information security, applies equally to the private sector, where the present information infrastructure very much represents “The soft underbelly of the developed world”.

Today, the institutions that govern society stand behind documents that remain authenticated on paper. This well-established, paper-based trust system that supports our lives took generations to develop to the point of relative transparency that we now take for granted. But if the grand plan that lies behind the future of eCommerce and eGovernment is to succeed and become equally ‘transformative’, then we must be able to deliver the equivalent ‘trust’ architectures in cyberspace, developing solutions that offer organizations and individuals the confidence required to conduct on-line transactions with Barclays Bank, Amazon.com or even local and central government, while simultaneously minimizing the expense or performance burden which security demands.

The OGC’s ambition of receiving 100% of tenders electronically by December of last year was never remotely achievable without a consistent authentication mechanism on which to build the service. Earlier in 2002, the Chief Secretary to the Treasury, Andrew Smith, admitted that the OGC’s pilot project TenderTrust demanded revision and “shows that further work is needed to maintain the right level of security and to increase take-up of the service across government”.

Any organization, private or public sector, attempting to deliver a transactional or eCommerce-based solution over the Internet faces two clear problems in 2003, the first of which is a sizeable reality gap between what technology promises and what technology can deliver in terms of information assurance. The second is represented by consistently poor security policy in the presence of a dramatic increase in the number of Internet-based attacks against business networks and websites.

The evidence of the last twelve months clearly shows that attacks on both public and private sector on-line operations are steadily growing, month on month. Symantec’s most recent ‘Internet Security Threat Report’ (Feb 2003) gives the total number of new, documented vulnerabilities in 2002 as 81.5% higher than in 2001. This rise was driven almost exclusively by vulnerabilities rated as ‘severe’.

This catalogue of misery continued, with the National High Tech Crime Unit (NHTCU) suggesting that as many as 97% of UK companies have been attacked or ‘threatened’ in some way, and eGov monitor reporting that government departments experienced more than 9,000 digital attacks on their IT systems in 2002. Over half of the attacks on UK government systems were directed towards the Cabinet Office and its agencies, which last year reported some 5,857 attacks, with 1,167 of these occurring in October alone. This security threat to government was revealed through responses by Ministers to a series of parliamentary questions.

While most people would look to Microsoft as the most prominent influence behind the evolution of eCommerce, the same group, thinking of January’s SQL-Slammer attack, would probably identify the company as the one selling the most vulnerable platform and products on the market. However, the Aberdeen Group, in a recent report, suggests that this is untrue.

“Contrary to popular misperception”, the report says, “Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to popular wisdom, UNIX and Linux-based systems are just as vulnerable to viruses, Trojans and worms. Furthermore, Apple's products are now just as vulnerable, now that it is fielding an operating system with embedded Internet protocols and UNIX utilities. Lastly, the incorporation of Open Source (Linux) software in routers, Web server software, firewalls, databases, Internet chat software, and security software is turning most Internet-aware computing devices and applications into possible infectious carriers.”

What the Aberdeen report suggests is that reported vulnerabilities on different systems can vary from year to year; the Symantec figures, meanwhile, clearly demonstrate that the overall vulnerability and incident trend continues to increase, with eCommerce activity representing 19.4% of the target activity for hackers between July and December of 2002. However, while Microsoft claims to be doing everything in the company’s power to strengthen the security of all its current and future products, and has recently been awarded ‘Common Criteria’ security certification for Windows 2000, the company carries a legacy of millions of Windows 95 and Windows NT customers whose businesses are connected to the Internet with inadequately configured firewalls or weak or non-existent passwords.

According to Microsoft’s Chief Security Strategist, Scott Charney, speaking at the eCrime Congress in London in December, “More than half of all computers operate in an unmanaged environment”. While it’s hard to arrive at accurate figures, a significant percentage of systems are either protected by only limited security or are accessible through default passwords, such as “Administrator”. The British hacker Gary McKinnon caused at least $1.3 million worth of damage among United States government systems through the relatively simple exercise of installing a remote access ‘PC Anywhere-type’ program on inadequately protected servers.
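The default-password problem described above is one that a defender can measure rather than guess at. The following is an added example, not code from the original article: a small offline credential audit that takes a store of salted password hashes and flags any account whose password is a well-known default, is blank, or simply equals the account name. The account store, the salts and the list of weak passwords are all constructed for the example; the PBKDF2 parameters and function names are assumptions, not a description of any particular product.

```python
import hashlib
import hmac
import os

# Constructed list of vendor-default and trivially weak passwords.
# An assumption for the example; a real audit would use the organisation's own
# banned-password list.
KNOWN_WEAK_PASSWORDS = [
    "Administrator", "administrator", "admin", "password", "Password1",
    "123456", "changeme", "welcome", "",
]

# Iteration count kept low so the example runs quickly; production stores use far more.
PBKDF2_ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, returned as a hex string (assumed store format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS).hex()


def make_account(username: str, password: str) -> dict:
    """Build one constructed account record with a fresh random salt."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def audit_accounts(accounts, weak_list=KNOWN_WEAK_PASSWORDS):
    """Return (username, reason) for every account using a default or weak password.

    The store holds only salted hashes, so each candidate is re-hashed with the
    account's salt and compared in constant time. Checks, in order:
      1. password equals the username (case-insensitive)
      2. password is in the known-weak list (which includes the empty string)
    """
    findings = []
    for acct in accounts:
        salt, stored = acct["salt"], acct["hash"]

        def matches(candidate: str) -> bool:
            return hmac.compare_digest(hash_password(candidate, salt), stored)

        name = acct["username"]
        if any(matches(c) for c in {name, name.lower(), name.upper()}):
            findings.append((name, "password equals account name"))
            continue
        for cand in weak_list:
            if matches(cand):
                reason = "blank password" if cand == "" else f"known default/weak password {cand!r}"
                findings.append((name, reason))
                break
    return findings


# Constructed sample store: two weak accounts and one acceptable one.
SAMPLE_ACCOUNTS = [
    make_account("Administrator", "administrator"),   # equals its own name
    make_account("svc_backup", "changeme"),            # vendor default
    make_account("guest", ""),                         # blank password
    make_account("alice", "c0rrect-h0rse-battery-staple!"),
]


def flagged_usernames(accounts=SAMPLE_ACCOUNTS):
    """Convenience wrapper: the set of account names the audit flags."""
    return {name for name, _ in audit_accounts(accounts)}


if __name__ == "__main__":
    for name, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {reason}")
```

Because the audit works from the hashes an organisation already stores, it can be run on a schedule without ever holding plaintext passwords, and the same loop extends naturally to a longer banned-password list or to a check that the password has not been reused from a previous credential.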

The argument in favour of eCommerce and eGovernment cannot be sustained without the foundation architecture of trust, on which they have to be built, being available and deployed. Even Microsoft’s new vision of trustworthy computing means very little without serious and often expensive attention to people, policies and procedures. The outline of this architecture isn’t a mystery; it is already built into the BS7799 standard that many companies now follow in an attempt to better secure their online presence.

From a transactional perspective, Government has quite correctly encouraged industry to develop the initiatives that will allow us to conduct tomorrow’s eCommerce with something more secure than a PIN number or a password, but industry, as Richard Barrington suggests, has failed to live up to Government’s expectations and, instead of a single solution, has created a number of small islands which have brought us no closer to achieving consistent information or transactional security. This failure rather begs the question of whether, as a nation with ambitions of being a world leader in both eCommerce and eGovernment, we should be looking for a single and absolute end-to-end security solution from the beginning, or whether we should lower our sights and deal with the fundamental challenge of authentication as a first priority.
