

Get a good grip on Web security

Origin: TechRepublic (http://www.techrepublic.com)
By: John McCormick
Date: 02/06/2003


You've gone along for years battling the same old security problems, and you've gotten pretty good at it. Every new employee is aware of the penalty for bringing a floppy disk into the company; the draconian rules are important to prevent the introduction of a virus from home. You also have secure e-mail and a strong firewall to keep people from sneaking in.

Then, just as you're getting really comfortable, management wakes up to the fact that if it doesn't move the business to the Internet, it'll soon be out of business. Now you're faced with an entirely new set of challenges: How do you protect a Web page? Even tougher, how do you protect a catalog Web page that takes orders?

Bulletproofing a company's Web-presence page isn't that difficult. It doesn't need updating too often and doesn't contain any sensitive data. After all, it's similar to a display window or a billboard, not a cash register on a store counter.

Of course, you don't want crackers to sneak offensive links onto your page or commit similar vandalism, but that's a relatively simple job. The real challenge comes when you start taking orders online, especially with credit card numbers.

When the executives decided that they wanted to become a B2B or B2C player, they figured they'd need new software, and they probably expected you'd have to buy some new hardware. Perhaps they also realized they'd either need to pay for a chunk of cyberspace on an ISP or for a new, probably wider, data pipe if they wanted an in-house server. So how do you tell management that you also need to double the size of your MIS staff?

Start by explaining that the support of additional systems requires additional resources. Document the hours each IT staff member devotes to tasks, and consider building a spreadsheet that breaks down IT staff members' workdays by function.

Armed with such quantifiable data, you're more likely to convince others that your resources are stressed. I don't need to tell you that upper management always loves to hear solutions, so be prepared to recommend another head to manage the Web security effort. You also might want to list all the tasks the individual would oversee and attach appropriate time estimates in man-hours to each.


Give credit where it's due

If you're in retail (B2C), you've got an additional security challenge. From a customer trust standpoint, the protection of credit card information is a monster issue. It doesn't matter that the credit card companies already protect the consumer.

The solution is simple. Get credit card numbers off Web servers and into a separate, secure system. Do it on a daily, or even hourly, basis. This is more than a question of embarrassment. It could eventually save you a ton of money.

Banks are changing credit card numbers when large blocks of them are hacked, and they're keeping relatively quiet about it. But does anyone think that banks, which have fees for everything else, will always be this accommodating? Even if no fraudulent charges are involved, merely changing 250,000 customer numbers costs money.

Copyright © 2002 EHTO. All rights reserved.