
WEBSITE SECURITY

 

E-commerce organizations adopt one of two strategies for their e-commerce site functionality: they either own (and are responsible for) their server platform, or they contract with an organization that supplies that service and that usually also provides some form of web retailer package which can be integrated with their website and with an Online Payment Service. The security issues differ in each case: if the servers are owned in-house, security has to be tackled in-house; if the website is outsourced, then the quality of the provider's security is the issue.
Essentials for e-commerce 113
Organizations need to take specific steps to protect ('harden') their web servers from attack. There are a number of baseline security measures that should be documented. The starting point, if the organization is running its web servers in-house, is to apply the CIS benchmarks to their configuration. These can be downloaded from www.cisecurity.org; they come with a downloadable Security Scoring Tool that checks a system against the benchmark, and they can be managed by the system administrator. Ensuring that servers are configured and patched to at least these standards should be a minimum requirement. You can also purchase step-by-step guides from SANS for a number of systems. It is possible that, following a risk assessment, you might decide that the site needs further security upgrading, but that requires input from a professional information security adviser and is beyond the scope of this book.
Web servers should be set up in a DMZ (demilitarized zone), themselves protected by appropriate firewalls and routers. Backup and business continuity issues will need proper consideration.
Web applications must validate user-supplied data. Raw user input could contain all sorts of things that the organization does not want on its system, and attackers can reach corporate networks through websites. The application must therefore enforce the content type of each input so that, for instance, a numerical field accepts only digits: string and query terminators, wildcard selectors and other unexpected characters are rejected rather than passed on to the database or the operating system. Filtering out known bad characters is fragile; the stronger control is to validate each field against an allow-list of what it may contain and to hand values to the database through parameterised queries rather than by building query text from the input. Specialist advice should be sought to ensure that the most current technological defences have been incorporated into the application.
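The following is an added example, not code from the book, showing the point above in working form: a vulnerable order lookup that splices raw input into SQL, beside a hardened version that enforces the content type (digits only) and uses a parameterised query. The orders table, the column names and the `lookup_order_*` function names are assumptions made for the illustration; the database is an in-memory SQLite instance so it runs offline.

```python
import re
import sqlite3

# Constructed sample data standing in for the retailer's order table.
SAMPLE_ORDERS = [
    (41, "alice@example.com", "shipped"),
    (42, "bob@example.com", "pending"),
    (43, "carol@example.com", "cancelled"),
]

# Allow-list for an order number: digits only, bounded length.
# Anything else (quotes, semicolons, '%', spaces, letters) is rejected.
ORDER_ID_RE = re.compile(r"[0-9]{1,10}")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def lookup_order_unsafe(conn: sqlite3.Connection, raw_order_id: str) -> list:
    """Deliberately vulnerable: the user's text becomes part of the SQL.
    Input such as '42 OR 1=1' turns a single-order lookup into a dump
    of every row. Shown only to illustrate the failure mode."""
    sql = "SELECT id, email, status FROM orders WHERE id = " + raw_order_id
    return conn.execute(sql).fetchall()


def validate_order_id(raw_order_id: str) -> int:
    """Enforce the content type: an order number must be 1-10 digits.
    Returns the value as an int so nothing downstream sees raw text."""
    if not ORDER_ID_RE.fullmatch(raw_order_id):
        raise ValueError("order id must be 1-10 digits")
    return int(raw_order_id)


def lookup_order_safe(conn: sqlite3.Connection, raw_order_id: str) -> list:
    """Hardened lookup: allow-list validation, then a parameterised query.
    The '?' placeholder means the value is bound as data, never parsed
    as SQL, so even a value that slipped past validation could not
    change the query's structure."""
    order_id = validate_order_id(raw_order_id)
    return conn.execute(
        "SELECT id, email, status FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "42 OR 1=1"
    print("unsafe, hostile input ->", lookup_order_unsafe(db, hostile))
    print("safe, normal input    ->", lookup_order_safe(db, "42"))
    try:
        lookup_order_safe(db, hostile)
    except ValueError as err:
        print("safe, hostile input   -> rejected:", err)
```

Running the block prints three rows for the unsafe lookup with the hostile value, one row for the safe lookup with `42`, and a rejection for the safe lookup with the hostile value. The same two-layer pattern (allow-list validation of type and length, then parameter binding) applies to any field, not only numbers; for free-text fields the allow-list is wider but the query is still never built from the text.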
If the website is outsourced, you should find out from your provider what their approach to securing their web servers is. You should ask about the server environment (the servers should be in a properly managed server farm), the standards to which the servers are configured, and check whether or not the organization is certificated to BS 7799/ISO 17799 (the scheme has since been renumbered: certification is now against ISO/IEC 27001, with ISO/IEC 27002 as the code of practice). You should also ask for evidence of what security incidents they have handled in the last nine months, and how much downtime their clients suffered. You should ask for references (preferably substantial organizations that have been clients for at least a year), and you should check with them as to the provider's security record.
You will want to be sure that the way personal data is collected, and where it is held, will enable you to comply with the Data Protection Act and privacy rules - see www.itgovernance.co.uk for current information on these issues. You will also want to ensure that integration with your Online Payment Provider is effective, and that payment details are properly protected.
