e-Security Philosophy - Applying the Concept from The Art of War
By: Szu Chang, eSecurity Columnist/Editor, Internet Journal
e-Security attackers are coming from all directions. Are we ready to defend? How can we win the cyber battle?
"Rely not on the likelihood of the enemy's not coming, but on our own
readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." – Sun-Tze
Cyber attackers have evolved from amateur hackers into professional criminals. They are more sophisticated, better organized, and better funded, and they go where the money is: rather than simply creating havoc, they steal valuable corporate information or consumer data for financial gain. This is why there has not been a major virus or worm outbreak in the last 18 months while the theft of consumer identity information is on the rise.
Attacks have evolved as well, growing in scale and sophistication and using a blended approach: in addition to viruses, worms, and spyware, phishing, denial of service, and botnets are now part of the mix.
Cyber defenses have evolved too, from perimeter defenses such as the gateway firewall and host defenses such as antivirus and antispyware to layered defense, or defense in depth.
eSecurity can no longer be a set of haphazard security tactics or a narrowly focused security strategy; it must start with a security philosophy.
Since cyber attackers are now more interested in financial gain, there is a threat on the horizon that is not yet widely recognized: the security of the e-Commerce environment.
e-Security Requirements for the e-Commerce Environment
e-Commerce on the Web has evolved from HTML/CGI technology to an XML/Web Services approach, and now to the Web 2.0 technologies of AJAX, REST, and RSS. Business-to-business (B2B) e-Commerce involves machine-to-machine, or program-to-program, interaction between the servers of different enterprises using message-passing protocols. Since very large sums of money can be involved, the consequences of a security breach can be very severe. We discuss the e-Security issues surrounding the e-Commerce environment next.
Since B2B e-Commerce involves business transactions between business entities, the messages passed between the endpoints must meet four criteria:
Authentication ensures that messages are what they purport to be, that the message originators are who they purport to be, and that the intended recipients receive the messages. Authentication is the mechanism that establishes the identity of an endpoint, whether a user or a program, so that rogue or malicious entities cannot gain access to sensitive or proprietary information and resources.
Confidentiality ensures that only authorized people can read messages transmitted between endpoints and that the contents of a message are not readable by outsiders. Note that encryption by itself keeps a message secret but does not stop it from being manipulated in transit; that protection comes from message integrity, below.
Message integrity ensures that a message has not been tampered with since the originator created it. In the e-Commerce context, it ensures that the contents of a message are unchanged from their source and have not been accidentally or maliciously altered in transit.
Non-repudiation retains proof that a business transaction did take place, preventing a party from denying its participation in an e-Commerce transaction. It ensures that strong and substantial evidence is available to the sender that the message was delivered, and to the recipient of the sender's identity. This evidence must be sufficient to prevent either party from successfully denying having sent or received the message.
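The four criteria above, as an added example that is not part of the original column: a Go program written for this edit (not the author's code) in which one trading partner seals a purchase order for another. The sender signs the plaintext with its own ECDSA key and encrypts it with AES-GCM under a key both partners share; the recipient decrypts, verifies the signature, and returns a signed receipt. The shared 32-byte key, the key pairs, the sample order, and every function and field name are this example's own assumptions; in a real deployment the shared key would come from TLS or a key agreement. Demo also exercises two failures the text warns about: a message altered in transit, and a forged message from a party that knows the shared key but not the sender's signing key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels between the two partners' servers (field names are this example's own).
type Envelope struct {
	Nonce      []byte // fresh AES-GCM nonce, one per message
	Ciphertext []byte // AES-GCM output: encrypted message plus its 16-byte tag
	Signature  []byte // sender's ECDSA signature (ASN.1 DER) over SHA-256 of the plaintext
}

// NewSharedCipher wraps the secret both partners hold (confidentiality); in practice it comes
// from TLS or an ECDH key agreement, and Demo below substitutes a constructed 32-byte key.
func NewSharedCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewSigningKey generates a P-256 key pair; each endpoint keeps its private key to itself.
func NewSigningKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only on a broken system RNG
	return k
}

// Seal signs the plaintext with the sender's private key (origin authentication, integrity,
// non-repudiation of origin), then encrypts it with the shared cipher. The signature rides as
// GCM additional authenticated data, so it is bound to this ciphertext and cannot be swapped.
func Seal(msg []byte, senderKey *ecdsa.PrivateKey, shared cipher.AEAD) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, senderKey, digest[:])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, shared.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: shared.Seal(nil, nonce, msg, sig), Signature: sig}, nil
}

// Open decrypts (GCM rejects any byte changed in transit), then checks the signature against
// senderPub. A party that knows only the shared key cannot pass the second check.
func Open(env *Envelope, senderPub *ecdsa.PublicKey, shared cipher.AEAD) ([]byte, error) {
	pt, err := shared.Open(nil, env.Nonce, env.Ciphertext, env.Signature)
	if err != nil {
		return nil, errors.New("integrity: ciphertext or signature altered in transit")
	}
	digest := sha256.Sum256(pt)
	if !ecdsa.VerifyASN1(senderPub, digest[:], env.Signature) {
		return nil, errors.New("authentication: signature does not match the claimed sender")
	}
	return pt, nil
}

// Receipt is the recipient's signature over the envelope it accepted: the sender's evidence of
// delivery (non-repudiation of receipt). VerifyReceipt checks it with the recipient's public key.
func Receipt(env *Envelope, recipientKey *ecdsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(env.Ciphertext)
	return ecdsa.SignASN1(rand.Reader, recipientKey, d[:])
}
func VerifyReceipt(env *Envelope, receipt []byte, recipientPub *ecdsa.PublicKey) bool {
	d := sha256.Sum256(env.Ciphertext)
	return ecdsa.VerifyASN1(recipientPub, d[:], receipt)
}

// Result records whether each property held in Demo, which runs one constructed purchase-order
// exchange plus two attacks against it. Errors are ignored only where they cannot occur here.
type Result struct{ RoundTrip, ReceiptValid, TamperDetected, ForgeryDetected bool }

func Demo() Result {
	buyer, seller, attacker := NewSigningKey(), NewSigningKey(), NewSigningKey()
	shared, _ := NewSharedCipher([]byte("constructed-32-byte-demo-key!!!!")) // stand-in secret
	order := []byte(`{"po":"PO-0042","amount":125000.00,"currency":"USD"}`)
	env, _ := Seal(order, buyer, shared)
	pt, err := Open(env, &buyer.PublicKey, shared)
	r := Result{RoundTrip: err == nil && string(pt) == string(order)}
	rcpt, _ := Receipt(env, seller)
	r.ReceiptValid = VerifyReceipt(env, rcpt, &seller.PublicKey)
	// In-transit tampering: flip one bit of the ciphertext; the GCM tag no longer verifies.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(env, &buyer.PublicKey, shared)
	r.TamperDetected = err != nil
	// Forgery: the attacker knows the shared key (say, via a compromised gateway) but not the
	// buyer's signing key, so the envelope decrypts cleanly yet fails signature verification.
	forged, _ := Seal(order, attacker, shared)
	_, err = Open(forged, &buyer.PublicKey, shared)
	r.ForgeryDetected = err != nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Run it with `go run` and all four fields print true. The forgery case is the practitioner's caveat on the definitions above: a shared secret gives confidentiality and detects tampering, but anyone who holds it can produce a valid ciphertext, so authentication and non-repudiation require the sender's own private key, and non-repudiation of receipt requires the recipient's signature in return. An HMAC under the shared key would likewise give integrity but not non-repudiation, since either party could have produced it.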
With the increasing sophistication of cyber attacks and the ever-larger damage they can cause, we need to look not just at eSecurity technologies and point solutions but at the overall eSecurity philosophy.
We can borrow a page from The Art of War, written more than 2,000 years ago by the Chinese military strategist Sun Tze, which lays out a winning strategy that applies to today's cyber battle against the cyber attackers.
Sun Tze said: "Rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not
on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
To make our position unassailable, we must first have a clear picture of the territory we are defending and where the potential vulnerabilities are, be they at the perimeter, the front gateway, or hidden backdoors. We also need to know where attackers can originate their attacks, whether from inside the corporate LAN, the wireless LAN, a VPN, remote dial-up, or through Web Services messages.
Layered defense, or defense in depth, is a step in this direction. It includes perimeter defense, network security, host security, and network access control.
But all these defenses must be governed by a higher-level, unified security policy that addresses user authentication, machine compliance, and access privileges, and by an enforcement mechanism that checks them before unauthorized users or non-compliant machines can get onto the corporate network. A flawed policy results in a flawed defense. A scattered, non-unified security policy will just as surely create security holes and lead to breaches.
The Winning Strategy
We need an eSecurity framework and a security hierarchy. A comprehensive assessment of the security environment, a unified security policy, a sound policy-enforcement methodology, and layered defense together give a much better defense against the ever-increasing security threats.
So, always be on guard, be aware of the change in your security environment, and take the proper actions.
About The Author
Szu Chang, CISSP, is the e-Security Columnist/Editor of Internet Journal, http://www.intnetjournal.com. Internet Journal provides insight and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to firstname.lastname@example.org.