
Secure Your E-Business From E-Holes

DQC Bureau

With the Internet enabling everything from B2C to B2B transactions, a genuine concern for e-security has become necessary, if only because of the enormous amount of money involved. Even as developments in the world of information technology continue at breakneck speed, threats from electronic loopholes or ‘e-holes’ are already making their presence felt.



E-holes? Oh no!



Oh yes! E-holes are here to stay and they can be ignored only by the suicidal. That’s where e-security comes in. By definition, e-security means protecting online or offline information. It deals with the prevention and detection of unauthorized actions by computer users. Lately, it has been extended to include privacy, confidentiality and integrity.



Talking about e-security, the first thing that comes to mind is the login name and password. Most companies adopt the ‘user-name-and-password’ method to prevent an initial breach of security. However, very few are actually serious about security beyond this point. The percentage of security breaches is very high worldwide, while the number of breaches that get reported is very low, simply due to the fear of losing customer goodwill. A lot of them are blissfully ignorant about ways to prevent attacks.



Wherever critical information is stored, or large money transactions or confidential exchanges of information are involved, rogues tend to be attracted. For example, breaking into a multinational bank while it conducts online transactions would be every cracker’s dream mission. Similarly, B2C or B2B sites with credit card transactions are also at risk. A link on a corporate website where press releases are posted is at risk of getting attacked. The attacker can actually alter information on the link meant for press releases.



Such an attack will hit the company’s stock badly if it is listed on the exchange. Far from finding any sympathy, investors and shareholders may actually take the company to court for furnishing false information. One only has to imagine the outcome if stock quotes on online exchanges were to be altered by hackers hired by rival companies.



As Brian Bigley, Sr VP of Computer Associates, puts it, "Companies that launch e-business initiatives without appropriate security strategies can suffer from loss of sensitive corporate or customer information, cyber vandalism, theft, industrial espionage and sabotage from internal and external sources."































Critical elements in e-security

Threats

- Employees
- Malicious
- Ignorant
- Non-employees
- Outside attackers
- Natural disasters
- Floods
- Earthquakes
- Hurricanes
- Riots and wars

Motives/Goals

- Deny services
- Steal information
- Alter information
- Damage information
- Delete information
- Make a joke
- Show off

Methods

- Social engineering
- Viruses, Trojan horses, worms
- Packet replay
- Packet modification
- IP spoofing
- Mail bombing
- Various hacking tools
- Password cracking

Security Policies

- Vulnerabilities
- Assets
- Information and data
- Productivity
- Hardware
- Personnel

Source: Microsoft



Hackers and Crackers Inc.

For emerging Charles Sobhrajs of the digital economy, e-business initiatives would be easy meat. Even youngsters with unhealthy curiosity and access to the right skills can wreak havoc on e-businesses. One does not have to be a visionary to foresee a situation where large hacker communities, who commune daily in chat rooms exchanging passwords and tricks, decide to target a particular bank’s site.



A common attitude among CIOs is "If no secret work is being done, why bother to implement any security?" They would change their minds if only they did some casual surfing and came across any number of sites where hacking is taught. There are also sites from where hacking tools can be freely downloaded.



A password policy that allows users to use blank or weak passwords is a hacker's paradise. Lack of firewalls or proxy protection between an organization's private local area network (LAN) and the Internet makes it a sitting duck for cyber criminals. Besides, when a half-hearted security plan is put into action, it can result in unexpected disaster. Often half secure can be more dangerous than not being secure at all.





Types of threats



Threats can be broadly classified into human threats and natural disasters. Natural disasters caused by flood, fire, earthquake, etc. cannot be stopped. However, human threats, malicious or non-malicious, can be prevented as well as stopped. ‘Non-malicious threats’ are threats all the same, though the term itself may sound self-contradictory. Such threats tend to be caused by ignorant employees who are not aware of the consequences of their actions.



Though serious security threats can come either from malicious hackers or crackers, the biggest threat comes from disgruntled employees or former insiders, because they usually know codes and security measures which are already in place. Insiders are likely to have specific goals and know how to gain legitimate access to the system.



Employees are the people most familiar with an organization's computers and applications, and they are most likely to know what actions might cause the most damage. Insiders can plant viruses, Trojan horses or worms, and can browse through the file system.



"If prison sentences are short, hackers might feel relatively safe to commit cyber crimes. To electronically steal, all you need is your brains and a solid IT execution plan and methodology. A small team with no physical weapons is enough, and of course, the Internet," says Brian.





Online credit-card



Such heists happen when a hacker breaks into a system and steals the file storing credit-card numbers and passwords. The hacker plants software tools either on the server or on the user’s system, thereby giving control to hackers. ‘Social engineering’ is a technique used by crackers or people within an organization to trick people into revealing their passwords or some other form of security-related information.





Denial-of-service attacks



This is a kind of attack that many e-mail service providers’ web sites have been facing lately. Such attacks stop e-mail users from accessing their accounts. They can also prevent users from accessing any web site. It is a growing trend on the Internet. Web servers can be flooded with junk communication in order to keep them busy. In this type of attack, it is difficult to trace the culprits.





Defacing web sites



Here, hackers control or deface websites. They may simply replace them with links to their own site, or substitute them with either disinformation or controversial propaganda. This happened with the VSNL site on Independence Day, where hackers put up messages saying "Wish you a very bad Independence Day". Similarly, even the Indian Defence Ministry site was altered with pro-Pakistani slogans.





Viruses and data thefts



By attaching viruses, worms or other malicious code to e-mails or their attachments, hackers target users’ PCs. Some code is even capable of executing on its own merely when an e-mail or its attachment is viewed.

Nelson Johny



In Mumbai
