
e-Security Philosophy - Applying the Concept from The Art of War

By: Szu Chang, eSecurity Columnist/Editor, Internet Journal

12/11/06

e-Security attackers are coming from all directions. Are we ready to defend? How can we win the cyber battle? 

"Rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." (Sun Tze)

Cyber attackers have evolved from amateur hackers to professional criminals. They are now more sophisticated, better organized, and better funded. They go where the money is, which means they are not just trying to create havoc but to steal valuable corporate or consumer information for financial gain. This is why there has not been a major virus or worm outbreak in the last 18 months, while the theft of consumer identity information is on the rise.

Attacks have evolved as well. They have increased in scale and sophistication and now use a blended approach: in addition to viruses, worms, and spyware, phishing attacks, denial of service, and botnets are also in the mix.

Cyber defenses have also evolved, from perimeter defenses such as the gateway firewall and host defenses such as antivirus and antispyware to layered defense, or defense in depth.

eSecurity can no longer be a set of haphazard security tactics or a narrowly focused security strategy; it must start with a security philosophy.

Since cyber attackers are now more interested in financial gain, there is a new threat on the horizon that is not yet well known: security in the e-Commerce environment.

e-Security Requirements for the e-Commerce Environment

e-Commerce on the Web has evolved from HTML/CGI-based technology to the XML/Web Service-based approach and now to the Web 2.0 technologies of AJAX, REST, and RSS. B-B e-Commerce involves machine-to-machine or program-to-program interactions between the servers of enterprises using message-passing protocols. Since very large sums of money can be involved, the consequences of a security breach could be very severe. We discuss the e-Security issues surrounding the e-Commerce environment next.

Since B-B e-Commerce involves business transactions between business entities, the messages passed between the endpoints must meet four criteria:

  • Authentication 
  • Confidentiality 
  • Integrity
  • Non-repudiation

Authentication

Authentication ensures that messages are what they purport to be, that the message originators are who they purport to be, and that the intended recipients receive the messages. Authentication is the mechanism that establishes the identity of an endpoint, whether it is a user or a program, so that rogue or malicious entities cannot gain access to sensitive or proprietary information and resources.

Confidentiality

Confidentiality ensures that only authorized people can read messages transmitted between endpoints. It also ensures that the contents of a message are not readable by outsiders and cannot be manipulated during the transaction.

Message Integrity

Message integrity ensures that the message has not been tampered with since the originator created it. In the e-Commerce context, message integrity ensures that the contents of a message have not been tampered with in transit, and also ensures that data is unchanged from its source and has not been accidentally or maliciously altered.

Non-repudiation

Non-repudiation retains proof that a business transaction did take place, preventing a party from denying its participation in an e-Commerce transaction. It ensures that strong and substantial evidence is available to the sender of a message that the message has been delivered, and to the recipient of the sender's identity. This evidence must be sufficient to prevent either party from successfully denying having sent or received the message.
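The four criteria above map onto two cryptographic operations on each message. The following Go program is an added illustration written for this page, not code from the article or from Internet Journal: the sender signs the purchase order with an Ed25519 key (origin authentication, integrity, non-repudiation of origin) and encrypts it under a shared AES-256-GCM key (confidentiality, with a second integrity check from the GCM tag); the recipient decrypts, verifies, and returns a signed receipt that gives the sender evidence of delivery. The order fields, party names, and the assumption that the shared key was already agreed out of band are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is a constructed B-B message: a purchase order passed between the
// buyer's server and the seller's server.
type Order struct {
	OrderID string `json:"order_id"`
	Buyer   string `json:"buyer"`
	Seller  string `json:"seller"`
	Amount  int    `json:"amount_cents"`
}

// Envelope is what crosses the wire. An outsider without the shared key sees
// only a nonce, ciphertext and a signature, and cannot read the order.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte // Ed25519 signature over the plaintext order
}

// NewParty generates an Ed25519 key pair for one endpoint (demo keys only).
func NewParty() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewSharedKey returns a random AES-256 key. In a real deployment it is
// established by key agreement or delivered out of band (assumed here).
func NewSharedKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(sharedKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs the order with the sender's private key, then encrypts the
// plaintext under the shared key with a fresh random nonce.
func Seal(msg Order, senderKey ed25519.PrivateKey, sharedKey []byte) (Envelope, error) {
	plain, err := json.Marshal(msg)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil),
		Signature: ed25519.Sign(senderKey, plain)}, nil
}

// Open decrypts, then verifies. A modified ciphertext fails the GCM tag
// check; a forged origin or a substituted plaintext fails the signature check.
func Open(env Envelope, senderPub ed25519.PublicKey, sharedKey []byte) (Order, error) {
	gcm, err := newGCM(sharedKey)
	if err != nil {
		return Order{}, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return Order{}, errors.New("integrity check failed: ciphertext altered or wrong key")
	}
	if !ed25519.Verify(senderPub, plain, env.Signature) {
		return Order{}, errors.New("authentication failed: signature does not match the claimed sender")
	}
	var msg Order
	if err := json.Unmarshal(plain, &msg); err != nil {
		return Order{}, err
	}
	return msg, nil
}

// Acknowledge is the recipient's signed receipt over the sender's signature
// bytes, which identify exactly one message. Kept by the sender, it is
// evidence of delivery the recipient cannot later deny.
func Acknowledge(env Envelope, recipientKey ed25519.PrivateKey) []byte {
	return ed25519.Sign(recipientKey, env.Signature)
}

// VerifyReceipt lets the sender check a receipt against the recipient's public key.
func VerifyReceipt(env Envelope, receipt []byte, recipientPub ed25519.PublicKey) bool {
	return ed25519.Verify(recipientPub, env.Signature, receipt)
}

func main() {
	buyerPub, buyerPriv := NewParty()
	sellerPub, sellerPriv := NewParty()
	key := NewSharedKey()
	env, err := Seal(Order{OrderID: "PO-1001", Buyer: "Acme", Seller: "Globex", Amount: 250000}, buyerPriv, key)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, buyerPub, key)
	fmt.Println("seller received:", got, "err:", err)
	fmt.Println("receipt verifies:", VerifyReceipt(env, Acknowledge(env, sellerPriv), sellerPub))
	env.Ciphertext[0] ^= 1 // one bit flipped in transit
	_, err = Open(env, buyerPub, key)
	fmt.Println("after tampering:", err)
}
```

The signature is computed over the plaintext and verified only after decryption, so the recipient learns both that the message is intact and that it came from the key holder; the receipt closes the loop in the other direction. Because signatures are verifiable by anyone holding the public key, they provide the third-party-checkable evidence that a shared-secret MAC cannot.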

eSecurity Philosophy

With the increasing sophistication of the cyber attacks and the potential of ever-larger damages that can be caused by these attacks, we need to look not just at the eSecurity technologies and point solutions but also the overall eSecurity philosophy.

We can borrow a page from The Art of War, a book written more than 2,000 years ago by the Chinese military strategist Sun Tze, which laid out a winning strategy that can be applied to today's cyber battle against the cyber attackers.

Sun Tze said: "Rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."  

To make our position unassailable, we must first have a clear picture of the territory we are defending and where the potential vulnerabilities are, be that the perimeter, the front gateway, or hidden backdoors. We also need to know where potential attackers can originate their attacks, whether from inside the corporate LAN, the wireless LAN, the VPN, remote dial-up, or through Web Services messages.

The layered defense or the defense-in-depth approach is a step in this direction. This includes perimeter defense, network security, host security, and network access control.

But all these defenses must be governed by a higher-level unified security policy that addresses user authentication, machine compliance, and access privileges, and by an enforcement mechanism that applies that policy before unauthorized users or non-compliant machines can get on the corporate network. A flawed policy will result in a flawed defense. A scattered, non-unified security policy will also certainly create security holes and result in security breaches.
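To show why the policy must be unified across every entry path, here is an added Go sketch, not code from the article, of a network access control decision. The unified policy asks the same three questions the paragraph lists (user authentication, machine compliance, access privilege) in that order, regardless of whether the endpoint arrives over the LAN, wireless, VPN or dial-up. The scattered policy models the hole described above: the VPN rules were written separately and only check credentials. The request fields, role table and resource names are constructed for the demo.

```go
package main

import "fmt"

// AccessRequest is a constructed view of an endpoint asking to join the
// corporate network: who the user is, which path they arrive by, and the
// machine's posture.
type AccessRequest struct {
	User          string
	Path          string // "lan", "wlan", "vpn", "dialup"
	Authenticated bool   // identity proven, e.g. by 802.1X or VPN login
	PatchedOS     bool   // machine compliance checks
	AVCurrent     bool
	Role          string // "employee", "contractor", "guest"
	Resource      string // what the user is asking to reach
}

// Decision carries the verdict and the rule that produced it, so the
// enforcement point can log why an endpoint was admitted or held.
type Decision struct {
	Allow  bool
	Reason string
}

// privileges is a constructed role-to-resource table (assumed, not from the article).
var privileges = map[string]map[string]bool{
	"employee":   {"intranet": true, "finance-db": true},
	"contractor": {"intranet": true},
	"guest":      {},
}

// UnifiedPolicy applies the same checks on every path, in the order the
// article lists them. Nothing is granted until all three pass.
func UnifiedPolicy(r AccessRequest) Decision {
	if !r.Authenticated {
		return Decision{false, "user not authenticated"}
	}
	if !r.PatchedOS || !r.AVCurrent {
		return Decision{false, "machine not compliant: hold in quarantine for remediation"}
	}
	if !privileges[r.Role][r.Resource] { // unknown role yields a nil map, so this is false
		return Decision{false, "role " + r.Role + " has no privilege for " + r.Resource}
	}
	return Decision{true, "authenticated, compliant and authorized"}
}

// ScatteredPolicy models a non-unified policy: LAN, wireless and dial-up
// share the full check, but the VPN rules only look at credentials, so the
// same non-compliant laptop that is quarantined on the LAN walks in over VPN.
func ScatteredPolicy(r AccessRequest) Decision {
	if r.Path == "vpn" {
		if r.Authenticated {
			return Decision{true, "vpn: credentials accepted (compliance and privilege never checked)"}
		}
		return Decision{false, "vpn: bad credentials"}
	}
	return UnifiedPolicy(r)
}

func main() {
	laptop := AccessRequest{User: "alice", Authenticated: true, PatchedOS: false, AVCurrent: true,
		Role: "employee", Resource: "finance-db"}
	for _, path := range []string{"lan", "vpn"} {
		laptop.Path = path
		u, s := UnifiedPolicy(laptop), ScatteredPolicy(laptop)
		fmt.Printf("%-4s unified=%v (%s) | scattered=%v (%s)\n", path, u.Allow, u.Reason, s.Allow, s.Reason)
	}
}
```

Running it prints the same unpatched laptop denied on both paths under the unified policy and admitted over VPN under the scattered one, which is exactly the kind of hole the paragraph warns about.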

The Winning Strategy

We need an eSecurity framework and a security hierarchy. A comprehensive assessment of the security environment, a unified security policy, a sound policy enforcement methodology, and layered defense together give a much better defense against the ever-increasing security threats.

So, always be on guard, be aware of the change in your security environment, and take the proper actions.

About The Author
Szu Chang, CISSP, is the e-Security Columnist/Editor of the Internet Journal. http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to editor@intnetjournal.com.