Security of computer facilities, stored data, and the information generated is part of a successful conversion. Recognition of the need for security is a natural outgrowth of the belief that information is a key organizational resource, as discussed in Chapter “Systems, Roles and Development Methodologies”. With increasingly complex transactions and many innovative exchanges, the Web has brought heightened security concerns to the IS professional’s world.
It is useful to think of security of systems, data, and information on an imaginary continuum from totally secure to totally open. Although there is no such thing as a totally secure system, the actions analysts and users take are meant to move systems toward the secure end of the continuum by lessening the system’s vulnerability. It should be noted that as more people in the organization gain greater computer power, gain access to the Web, or connect to intranets and extranets, security becomes increasingly difficult and complex. Sometimes, organizations will hire a security consultant to work with the systems analyst when security is crucial to successful operations.
Security is the responsibility of all those who come into contact with the system and is only as good as the most lax behavior or policy in the organization. Security has three interrelated aspects: physical, logical, and behavioral. All three must work together if the quality of security is to remain high.
Physical Security
Physical security refers to securing the computer facility, its equipment, and software through physical means. It can include controlling access to the computer room by means of machine-readable badges, biometric systems, or a human sign-in/sign-out system, as well as using closed-circuit television cameras to monitor computer areas, backing up data frequently, and storing backups in a fireproof, waterproof area, often at a secure off-site location.
In addition, small computer equipment should be secured so that a typical user cannot move it, and it should be guaranteed uninterrupted power. Alarms that notify appropriate people of fire, flood, or unauthorized human intrusion must be in working order at all times.
Decisions about physical security should be made along with users when the analyst is planning for computer facilities and equipment purchases. Obviously, physical security can be much tighter if anticipated in advance of actual installation and if computer rooms are specially equipped for security when they are constructed rather than outfitted as an afterthought.
Logical Security
Logical security refers to logical controls in the software itself. The logical controls familiar to most users are passwords or authorization codes of some sort. When used, they permit the user with the correct password to enter the system or a particular part of a database.
Passwords, however, are treated cavalierly in many organizations. Employees have been overheard yelling a password across crowded offices, taping passwords to their display screens, and sharing personal passwords with authorized employees who have forgotten their own.
Special encryption software has been developed to protect commercial transactions on the Web, and business transactions are proliferating. Internet fraud is also up sharply, however, with few authorities trained in catching Internet criminals and a “wild west,” or “last frontier,” mentality clearly evidenced in those instances when authorities have been able to apprehend Web criminals.
One way for networks to cut down on the risk of exposure to security challenges from the outside world is to build a firewall or firewall system. A firewall constructs a barricade between an internal organization’s network and an external (inter)network, such as the Internet. The internal network is assumed to be trustworthy and secure, whereas the Internet is not. Firewalls are intended to prevent communication into or out of the network that has not been authorized and that is not wanted. A firewall system is not a perfect remedy for organizational and Internet security; it is, however, an additional layer of security that is now widely endorsed. There is still no fully integrated way to address security problems with internal and external networks, but they do deserve analysts’ attention when planning any new or improved systems.
Logical and physical controls are important but clearly not enough to provide adequate security. Behavioral changes are also necessary.
Behavioral Security
The behavioral expectations of an organization are implicit in its policy manuals and even on signs posted in work rooms and lunch rooms, as we saw in Chapter “Information Gathering: Unobtrusive Methods”. The behavior that organization members internalize, however, is also critical to the success of security efforts. (One reason firewalls are not attack-proof is that many attacks on information systems come from within the organization.)
Security can begin with the screening of employees who will eventually have access to computers, data, and information, to ensure that their interests are consistent with the organization’s interests and that they fully understand the importance of carrying through on security procedures. Policies regarding security must be written, distributed, and updated so that employees are fully aware of expectations and responsibilities. It is typical that the systems analyst will first have contact with the behavioral aspects of security. Some organizations have written rules or policies prohibiting employees from surfing the Web during work hours, or even prohibiting Web surfing altogether, if company equipment is involved. Other corporations use software locks to limit access to Web sites that are judged to be objectionable in the workplace, such as game, gambling, or pornographic sites.
Part of the behavioral facet of security is monitoring behavior at irregular intervals to ascertain that proper procedures are being followed and to correct any behaviors that may have eroded with time. Having the system log the number of unsuccessful sign-on attempts of users is one way to monitor whether unauthorized users are attempting to sign on to the system. Periodic and frequent inventorying of equipment and software is desirable. In addition, unusually long sessions or atypical after-hours access to the system should be examined.
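As an added example of the monitoring this paragraph describes (not code from the textbook), the following Python reviews constructed sign-on log lines for the three signals named above: repeated unsuccessful sign-ons, unusually long sessions, and after-hours access. The log format, the thresholds, and the business-hours window are assumptions.

```python
"""Added example: review sign-on logs for the behavioral-security signals the
text names. Assumed log format: ISO timestamp, user, LOGIN_OK/LOGIN_FAIL/LOGOUT."""
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not output from any real system).
SAMPLE_LOG = """\
2024-03-04T08:55:10 alice LOGIN_OK
2024-03-04T09:10:03 bob LOGIN_FAIL
2024-03-04T09:10:20 bob LOGIN_FAIL
2024-03-04T09:10:41 bob LOGIN_FAIL
2024-03-04T09:11:02 bob LOGIN_FAIL
2024-03-04T09:11:30 bob LOGIN_OK
2024-03-04T17:02:41 alice LOGOUT
2024-03-04T23:40:00 carol LOGIN_OK
2024-03-05T11:15:00 carol LOGOUT
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 is treated as normal (assumed)
FAIL_THRESHOLD = 3              # failed sign-ons per user before flagging
MAX_SESSION_HOURS = 10.0        # sessions longer than this are reported

def parse(log_text):
    """Yield (timestamp, user, event) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event = line.split()
            yield datetime.fromisoformat(ts), user, event

def review_signons(log_text):
    """Return findings for review: excessive failures, long sessions, after-hours logins."""
    failures = Counter()
    open_sessions = {}          # user -> login time of the current session
    long_sessions, after_hours = [], []
    for ts, user, event in parse(log_text):
        if event == "LOGIN_FAIL":
            failures[user] += 1
        elif event == "LOGIN_OK":
            open_sessions[user] = ts
            if ts.hour not in BUSINESS_HOURS:
                after_hours.append((user, ts.isoformat()))
        elif event == "LOGOUT" and user in open_sessions:
            hours = (ts - open_sessions.pop(user)).total_seconds() / 3600
            if hours > MAX_SESSION_HOURS:
                long_sessions.append((user, round(hours, 2)))
    return {
        "excessive_failures": {u: n for u, n in failures.items() if n >= FAIL_THRESHOLD},
        "long_sessions": long_sessions,
        "after_hours_logins": after_hours,
    }
```

Each finding is a prompt for a human follow-up, as the text recommends, not an automatic verdict; a legitimate shift worker will appear under after-hours access just as an intruder would.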
Employees should clearly understand what is expected of them, what is prohibited, and the extent of their rights and responsibilities. In the United States and European Union, employers are legally obligated to disclose all monitoring that is being done or that is being contemplated, and they must supply the rationale behind it. Such disclosure should include the use of video cameras, software, and phone monitoring.
Output generated by the system must be recognized for its potential to put the organization at risk in some circumstances. Controls for output include displays that can only be accessed via password, the classification of information (that is, to whom it can be distributed and when), and secure storage of printed and stored documents, no matter what their format.
In some cases, provision for shredding documents that are classified or proprietary must be made. Shredding or pulverization services can be contracted from an outside firm that, for a fee, will shred magnetic media, printer cartridges, and paper. A large corporation may shred upward of 76,000 pounds of output in a variety of media annually.
Special Security Considerations for Ecommerce
It is well known that intruders can violate the integrity of any computer system. As an analyst, you need to take a series of precautions to protect the computer network from both internal and external Web security threats. A number of actions and products can help you:
- Virus protection software.
- Email filtering products that provide policy-based email and email attachment scanning and filtering to protect companies against both incoming and outgoing email. Incoming scanning protects against spam (unsolicited email such as advertising) attacks, and outgoing scanning protects against the loss of proprietary information.
- URL filtering products that provide employees with access to the Web by user, by groups of users, by computers, by the time, or by the day of the week.
- Firewalls, gateways, and virtual private networks that prevent hackers from gaining backdoor access to a corporate network.
- Intrusion detection and antiphishing products that continually monitor usage, provide messages and reports, and suggest actions to take.
- Vulnerability management products that assess the potential risks in a system and discover and report vulnerabilities. Some products correlate the vulnerabilities to make it easier to find the root cause of the security breach. Risk cannot be eliminated, but this software can help manage the risk by balancing security risk to the financial bottom line.
- Security technologies such as Secure Sockets Layer (SSL) for authentication.
- Encryption technologies such as Secure Electronic Transaction (SET).
- Public key infrastructure (PKI) and digital certificates (obtained from a company such as VeriSign). Use of digital certificates ensures that the reported sender of the message is really the company that sent the message.
Privacy Considerations for Ecommerce
The other side of security is privacy. To make your Web site more secure, you must ask the user or customer to give up some privacy.
As a Web site designer, you will recognize that the company for which you design exercises a great deal of power over the data its customers are providing. The same tenets of ethical and legal behavior apply to Web site design as to the design of any traditional application that accepts personal data from customers. The Web, however, allows the data to be collected faster and allows different data to be collected (such as the browsing habits of the customer). In general, information technology makes it possible to store more data in data warehouses, process that data, and distribute the data more widely.
Every company for which you design an ecommerce application should adopt a privacy policy. Here are some guidelines:
- Start with a corporate policy on privacy. Make sure it is prominently displayed on the Web site so that all customers can access the policy whenever they complete a transaction.
- Only ask for information the application requires to complete the transaction at hand. For example, is it necessary to the transaction to ask a person’s age or gender?
- Make it optional for customers to fill out personal information on the Web site. Some customers do not mind receiving targeted messages, but you should always give customers an opportunity to maintain the confidentiality of their personal data by not responding.
- Use sources that allow you to obtain anonymous information about classes of customers. There are companies that offer audience profiling technology and technology solutions for management of advertisements, their targeting, and their delivery. They do so by maintaining a dynamic database of consumer profiles without linking them to individuals, thereby respecting customers’ rights to privacy.
- Be ethical. Avoid the latest cheap trick that permits your client to gather information about the customer in highly suspect ways. Tricks such as screen scraping (capturing remotely what is on a customer’s screen) and email cookie grabbing are clear violations of privacy, and may prove to be illegal as well.
A coordinated policy of security and privacy is essential; establish these policies and adhere to them when implementing an ecommerce application.