Common Business Applications
Securing Common Business Applications
Losing millions of dollars because Bank of America's credit card database was vulnerable to a default login and password should be nothing more than a bad dream for the lone security administrator, and never the excuse given to the boss after finding out that millions of dollars have been falsely charged to customers' credit cards.
Securing common business applications is one of the most important decisions a company of any size will have to make in the 21st century. To fully understand what securing common business applications involves, we will first discuss the different types of businesses and their common business applications. Next we will answer the question of why we need to secure common business applications and describe the common methods used to secure them in each type of business.
The concepts behind securing business applications, including web, database, email, and de-militarized zone (DMZ) services, will also be presented. Following the current concepts of securing business applications will be today's trends in the security industry as they relate to business applications.
By examining the Security Software Development Life Cycle (SecSDLC) we can understand the process and procedures used to secure common business applications, along with the Enterprise Information Security Policy (EISP). Finally we will explore the role of security in the future and predict how it will relate to business applications.
- What types of businesses are out there?
- What are common business applications?
- Why do we need to secure common business applications?
- What are the common methods to secure common business applications in each type of business?
- What are the concepts of securing business applications for web, database, email, and DMZ server services?
- What are the current trends in securing business applications?
- What are SecSDLC and EISP?
- What is the role of security in the future?
- What predictions can be made of the role of security related to business applications for the future?
Any legally recognized organizational entity that provides goods and services to consumers or to a corporate group, such as a government or a non-profit charity, is a business. The pursuit of business is to earn a profit, and most businesses are privately owned in order to increase the earnings of their owners. The owners and operators of a business must generate a financial return in exchange for their work and the risk they accept. Because a business needs to accept some risk, security is enacted to ensure the business survives.
The types of businesses are classified in many ways. A common method of classification is by primary profit-generating activity. For instance, manufacturers produce products from raw materials, which are then sold for a profit. Companies that make physical goods, such as cars or pipes, are considered manufacturers. Service businesses offer intangible goods or services and typically generate a profit by charging for labor or other services provided to government, other businesses or consumers.
Organizations ranging from house decorators to consulting firms to restaurants and even to entertainers are types of service businesses. Retailers and distributors act as middle-men in getting goods produced by manufacturers to the intended consumer, generating a profit as a result of providing sales or distribution services. Most consumer-oriented stores and catalogue companies are distributors or retailers. Agriculture and mining businesses are concerned with the production of raw material, such as plants or minerals.
Financial businesses include banks and other companies that generate profit through investment and management of capital. Information businesses generate profits primarily from the resale of intellectual property and include movie studios, publishers and packaged software companies. Utilities produce public services, such as heat, electricity, or sewage treatment, and are usually government chartered. Real estate businesses generate profit from the selling, renting, and development of properties, homes, and buildings.
Transportation businesses deliver goods and individuals from location to location, generating a profit on the transportation costs. What ties these kinds of business together? As the next paragraph shows, it is the departments the business uses to meet its needs.
What do all of these different types of business have in common? The departments that maintain and operate the overall business units on a continuous basis. For example, accounting is typically responsible for financial reporting, financial controls and the raising of the capital necessary to run the business. The human resources department is typically responsible for hiring, firing, payroll, benefits, etc. The following are more examples of what all businesses usually have in common:
- Marketing and sales - responsible for selling the business' goods or services to the customer and for managing the relationships with the customer.
- Marketing - typically responsible for promoting interest in, and generating demand for, the business' products or services, and positioning them within the market.
- Sales - finding likely purchasers and obtaining their agreement (known as a contract) to buy the business' products or services.
- Operations - makes the product or delivers the service.
- Production - processes the raw materials into the delivered goods, if they require processing.
- Customer service - supports customers who need help with the goods or services.
- Procurement - responsible for acquiring the goods and services necessary for the business.
- Purchasing - processes the purchase orders and related transactions.
- Research and Development - tests to create new products and to determine their viability (e.g. pilot plants).
- Information Technology - manages the business' computer and data assets.
- Communications/Public Relations - responsible for communicating to the outside world.
- Administration - provides administrative support to the other departments (such as typing and filing).
As you can see, there are many specific functions businesses need in order to operate. Each function needs some kind of computer application resource. Without securing those applications the business jeopardizes its profits. In the next section we will discuss the types of business applications that each department might use or encounter as part of the daily work cycle.
The common business applications discussed in the sections above can be categorized by business functionality from an enterprise perspective, and they can also be categorized by how and where they run.
Application categorization based on the business functionality
Business to Customer (B2C) Applications. These are in general customer-facing applications. Most are web/browser-based applications, including dynamic-content web sites. Some can be client-based applications that need to be installed on the customer's computing device (laptop/desktop).
Examples include ordering systems, customer support systems, web sites providing product information, applets/Active-X lightweight clients, and clients that are installed on customer devices.
Business to Business (B2B) Applications. These applications are used between business partners such as suppliers, resellers, etc. Traditionally these applications were accessed over dedicated lines between business partners.
Lately many of these applications use the Internet directly with security features such as VPNs. Many are based on SOA (service-oriented architecture) and leverage web services. Examples include parts ordering and status systems, and bulk order submission web services.
Internal Applications. These applications are used within the organization (Intranet) and are not exposed or available outside the enterprise. They include web-based applications as well as desktop applications such as email and instant messaging. Examples include HR systems, internal financial systems, IT desktop support systems, and email clients.
Application categorization based on how and where they run
Front-End Applications. These are the applications that interact with users through a GUI such as a browser or desktop client. Examples include order status checking systems and email clients.
Background Applications. These applications do not directly interact with the user; they are typically background processes and jobs. Examples include background order validation and nightly data synchronization jobs and scripts. Source: http://www.owasp.org/index.php/Definition_for_common_business_applications
As these types of common business applications become more standardized across industry and more widely used, the stronger our security implementation will have to be. So why do we need so much security in our common business applications if they are only going to be used for good? As the next section will show, common business applications are not always used for good; in fact, more often than not they are used for bad.
External hackers, malicious employees (the internal threat), organized crime, and business competitors, along with stolen data, identity theft, data breaches, and hijacked personal information, are just some of the reasons why we should secure common business applications.
In an article by Ray Martin called "Preventing Identity Theft", he explains how consumer fraud is the most common complaint in the United States. "Last year, more than 750,000 Americans had their identities hijacked -- including high-profile victims like Oprah Winfrey and Tiger Woods." It costs the average victim more than $1,000 to clean up the mess left by identity thieves, according to the Federal Trade Commission.
Martin details that hijacking of personal information for fraud or theft made up 42 percent of the 204,000 fraud complaints filed with the Federal Trade Commission (FTC) last year. Complaints of identity theft increased 23 percent in the FTC's Consumer Sentinel database in 2000, which also made identity theft the top consumer fraud headache (no surprise). Equipped with social security numbers, bank account numbers and other confidential personal information, criminals can then apply for credit cards or bank loans, set up cell phone service or pass bad checks under the victim's name and credit history.
Why do we need to secure common business applications? To answer this question we look to one of the most respected reports on the information technology highway, “The 2008 Data Breach Investigations Report”. This report spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported.
Not only did this report cover the right areas of business, but it is one of the first of its kind, conducted by Verizon Business Security Solutions investigative experts. The study found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats. Insider threats nevertheless remain very relevant to risk assessment for common business applications.
Most breaches resulted from a combination of events rather than a single hack or intrusion. Securing common business applications is a very important job and as we find out more on why we need to secure these technologies we will also set the tone for common methods used to secure business applications.
The key findings examine basic security tenets that will also be discussed in the next section on the common methods used to secure common business applications. Exploring this world of threats, many people will say that the insider is responsible for most security breaches. The 2008 Data Breach Investigations Report proves otherwise.
The first key finding is that most data breaches investigated were caused by external sources. 39 percent of breaches were attributed to business partners, a number that increased five-fold over the period studied. More breaches resulted from a combination of events than from a single action of the intruder. 62 percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to the breach. These internal errors point to the development life cycle, which will be discussed in a later section.
For breaches that were deliberate, 59 percent were the result of hacking and intrusions. Of the breaches originating from hacking, 39 percent were aimed at the application or software layer. This is a direct reason why data owners need to secure common business applications. Attacks on the application, software and services layer were also far more common than operating system platform exploits, which totaled 23 percent.
Less than 25 percent of attacks took advantage of a known or unknown vulnerability. Notably, 90 percent of the known vulnerabilities exploited had patches available for at least six months prior to the breach. Nine of 10 breaches involved some type of unidentified systems, data, network connections and/or account user privileges. Lastly, 75 percent of breaches are discovered by a third party rather than the victimized organization, and go undetected for a lengthy period.
The breaches investigated in this report span a broad range of industries. The retail, food and beverage industries account for more than half of all cases investigated by Verizon Business Security Solutions investigative experts. By comparison, financial business services, which deal with great monetary assets that have to be protected more so than in other sectors, accounted for 14 percent of the breaches studied. To defeat criminal conglomerates that maintain access to hackers, fraudsters and other organized crime groups, we must first agree upon why we must secure common business applications!
Now that we understand why we must secure common business applications, we will discuss the common methods used to do so. Many organizations face the critical issue of developing secure business applications. The high-level solution might include one if not all of the following common ways to secure business applications:
First, secure infrastructure such as routers, firewalls, and operating systems, and secure applications, including secure programming practices for languages like Java and Perl and specific application-level security controls such as application firewalls. Second, security policies and processes, including information technology policy and processes such as secure system design and development practices, sound configuration and change management, vulnerability testing, threat assessments, and ongoing vulnerability and incident monitoring and response. Lastly, business-level policy and processes, such as secure methods for bringing new customers on board and mitigating the security issues that result from insecure customer service and help desk activities.
The common theme throughout the security industry is that most security activity has emphasized securing the information technology infrastructure. Without doubt, securing the network and systems infrastructure is critical to the release of a secure business application. This includes properly and securely configuring the base infrastructure elements such as servers, routers, switches, etc., and applying changes and patches over time to remove new vulnerabilities.
It also might require putting in place protective measures such as fixed firewalls, ensuring network-, system-, and local-level access controls, and correctly protecting data and communications through virtual private networks (VPNs) or other cryptographic protocols. This bird's-eye view of infrastructure security also involves measures such as monitoring for potentially malicious activity or for denial of service conditions, as appropriate.
Organizations need to put as much effort into securing the whole system as into the base infrastructure components like servers, routers, and switches, and must incorporate application-level mechanisms as well: programs, databases, middleware elements, and the core business applications themselves.
Making certain the application itself is protected is as important as protecting the base infrastructure. Primarily, application-level security is achieved by using secure coding practices to create appropriately hardened applications. Nevertheless, even in smaller businesses it is difficult to ensure that all application developers are sufficiently trained in secure coding practices, procedures, and techniques, and kept current on new vulnerabilities. In larger businesses it is a real challenge.
It is vitally important to put non-technical security controls on an equal footing with technical controls. Non-technical security controls, like security policy, training and education, and processes and procedures, are as important as technical controls such as strong passwords and firewalls. The non-technical controls pertain to such items as implementing a secure systems development life cycle and deciding to build security into systems from the start rather than after development.
Included in the common methods of securing business applications are concepts of securing web, database, email, and demilitarized zone (DMZ) server services. The concepts to network security can be found in understanding the choices and strategies available as building blocks of network security. These include implementing user authentication, using proxy servers and firewalls, setting up DMZs, and taking advantage of port and packet filtering technologies.
Securing web-based services starts with vetting the web content and code. Users should be able to interact with the web interface without exposure to cross-site scripting or code-based attacks. Vulnerability analysis of web content and web engines goes a long way toward securing your web services. For email services, the concept is allowing and disallowing users the right to send and receive email.
The concept of securing your email services lies in patching vulnerabilities and in monitoring and controlling usage. DMZ server services include web and email but also the file transfer protocol (FTP). Any DMZ service should follow the concept of a bastion host: closing all ports and protocols on the host except those needed for its intended function. These concepts of securing business applications go a long way, as many threats target mis-patched or unpatched servers and services.
Net-Security.org gives a very good idea of how to apply the concepts of securing web, database, email, and DMZ services:
- Align process with policy. In 59 percent of data breaches, the organization had security policies and procedures established for the system, but these measures were never implemented. Implement, implement, implement.
- Create a data retention plan. With 66 percent of all breaches involving data that a company did not even know was on its systems, it is critical that an organization knows where data flows and where it resides. Identify data and prioritize its risk to the organization.
- Control data with transaction zones. Investigators concluded that network segmentation can help prevent, or at least partially mitigate, an attack. In other words, wall off data when and where appropriate.
- Monitor event logs. Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Data logs should be continually and systematically monitored and responded to when events are discovered.
- Create an incident response plan. If and when a breach is suspected, the organization must be ready to respond, not only to stop the data compromise but to collect evidence that enables the business to pursue prosecution when necessary.
- Increase awareness. Only 14 percent of data breaches were discovered by employees of the victimized organization, even though employees are the first line of defense in safeguarding data. Educate them to be aware.
- Engage in mock-incident testing. Make sure employees are well trained to respond to a breach. Run drills and test people's abilities, judgments and actions during a mock crisis.
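The "monitor event logs" advice above in working code, as an added example that is not from the Net-Security.org article or the Verizon report: a Go detector that parses constructed authentication log lines in an assumed key=value format and flags a successful login to a default account (the scenario in the opening paragraph) and a run of failures followed by a success from one source. The log format, the default-account list and the sample lines are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one parsed authentication record.
type AuthEvent struct {
	When   time.Time
	Host   string
	User   string
	Source string
	OK     bool
}

// sampleLog holds constructed log lines (not from a real system) in a simple
// key=value format assumed for this example; lines are in time order.
var sampleLog = []string{
	"ts=2008-06-01T02:15:10Z host=db01 user=sa src=198.51.100.9 result=FAIL",
	"ts=2008-06-01T02:15:12Z host=db01 user=sa src=198.51.100.9 result=FAIL",
	"ts=2008-06-01T02:15:14Z host=db01 user=sa src=198.51.100.9 result=FAIL",
	"ts=2008-06-01T02:15:21Z host=db01 user=sa src=198.51.100.9 result=OK",
	"ts=2008-06-01T09:30:00Z host=web01 user=mlee src=10.0.0.12 result=FAIL",
	"ts=2008-06-01T09:30:40Z host=web01 user=mlee src=10.0.0.12 result=OK",
	"this line is not in the expected format",
}

// defaultAccounts: built-in or vendor accounts that policy says must be
// disabled or renamed (an assumed list for this example).
var defaultAccounts = map[string]bool{"admin": true, "sa": true, "guest": true, "root": true}

// ParseAuthLine turns one key=value line into an AuthEvent. Malformed
// lines return false so the caller can count them instead of aborting.
func ParseAuthLine(line string) (AuthEvent, bool) {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		kv := strings.SplitN(tok, "=", 2)
		if len(kv) != 2 {
			return AuthEvent{}, false
		}
		fields[kv[0]] = kv[1]
	}
	ts, err := time.Parse(time.RFC3339, fields["ts"])
	if err != nil || fields["user"] == "" || fields["src"] == "" {
		return AuthEvent{}, false
	}
	return AuthEvent{When: ts, Host: fields["host"], User: fields["user"], Source: fields["src"], OK: fields["result"] == "OK"}, true
}

// Detect applies two rules to time-ordered lines and returns the alerts:
// (1) a successful login to a default account; (2) at least threshold
// failures from one source within window followed by a success from it.
// The number of malformed lines is reported last so gaps are visible.
func Detect(lines []string, threshold int, window time.Duration) []string {
	alerts := []string{}
	fails := map[string][]time.Time{} // source -> timestamps of failures
	malformed := 0
	for _, l := range lines {
		ev, ok := ParseAuthLine(l)
		if !ok {
			malformed++
			continue
		}
		if !ev.OK {
			fails[ev.Source] = append(fails[ev.Source], ev.When)
			continue
		}
		if defaultAccounts[ev.User] {
			alerts = append(alerts, fmt.Sprintf("default account %q logged in on %s from %s", ev.User, ev.Host, ev.Source))
		}
		n := 0
		for _, t := range fails[ev.Source] {
			if ev.When.Sub(t) <= window {
				n++
			}
		}
		if n >= threshold {
			alerts = append(alerts, fmt.Sprintf("%d failures then success from %s on %s (user %s)", n, ev.Source, ev.Host, ev.User))
		}
		delete(fails, ev.Source) // a success resets the counter for that source
	}
	if malformed > 0 {
		alerts = append(alerts, fmt.Sprintf("%d malformed log line(s) skipped", malformed))
	}
	return alerts
}

func main() {
	for _, a := range Detect(sampleLog, 3, 5*time.Minute) {
		fmt.Println("ALERT:", a)
	}
}
```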
What are the current trends in securing business applications?
Parag Shiralkar and Bindiganavale S. Vijayaraman have discussed many trends in business, none as important as digital signatures. Shiralkar and Vijayaraman are from the University of Akron, working in the management department, which uses digital signatures every day for business functions.
In their report, "Digital Signature: Application Development Trends In E-Business", they discuss applications of digital signature technology and their rise as a result of legal and technological developments, along with strong market demand for secured transactions on the Internet.
Their study of current trends in digital signatures, based on various business indicators, finds that the majority of digital signature applications have been developed for the Business-to-Business (B2B) mode of e-business. Adoption by governments, and the potential for rapid growth in the Business-to-Consumer (B2C) mode of e-business, are also very strong trends today.
Digital signature technology involves encrypting messages so only genuine parties are able to read the message. Two separate but interrelated keys carry out this process of encryption and decryption. One party in the communication holds the secret key, or private key, and the other party holds the public key.
Shiralkar and Vijayaraman explain that digital signatures satisfy all the functions of a hand-written signature, such as authenticity, non-repudiation, and security. A signature can be viewed as a means of authentication that an individual can own electronically. The technology must be verified or approved by a third party in order to handle the liability issues that may be raised by bilateral transactions.
The trend began with the Utah Digital Signature Act, which introduced the concept of a Certifying Authority (CA). A CA is an organization that acts as a trusted third party. Many other states implemented very similar digital signature acts and/or added provisions on security and online authentication to their state laws. These technologically neutral acts promoted business applications in all modes, such as business-to-business (B2B), business-to-consumer (B2C), and business-to-government (B2G).
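The signing and verification that gives a digital signature its authenticity and non-repudiation properties, as an added example using Go's standard-library Ed25519 (not code from Shiralkar and Vijayaraman or the acts cited above): the business partner holding the private key signs a purchase order, and the receiving business verifies it with the partner's public key; an altered quantity or a different party's key fails verification. The purchase-order text and the two parties are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one party's key pair. Only the signer ever holds the
// private key; the public key is what a relying party (or a CA) distributes.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Public returns the verification key, which may be shared freely.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a detached signature over the message bytes.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Verify checks a signature against a message with a public key. A tampered
// message, a different signer's key, or a truncated signature all fail.
// The length checks keep ed25519.Verify from panicking on bad input.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo runs the exchange the text describes: a business partner signs a
// purchase order and the receiving business verifies it. It returns three
// outcomes so callers can see which checks hold: the genuine order verifies,
// an altered quantity does not, and an imposter's key does not.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	partner, err := NewSigner()
	if err != nil {
		return
	}
	imposter, err := NewSigner()
	if err != nil {
		return
	}
	order := []byte("PO-1001: 500 units widget-A, ship by 2008-07-01") // constructed sample
	sig := partner.Sign(order)

	genuine = Verify(partner.Public(), order, sig)
	altered := []byte("PO-1001: 5000 units widget-A, ship by 2008-07-01")
	tampered = Verify(partner.Public(), altered, sig)
	wrongKey = Verify(imposter.Public(), order, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine order verifies: %v\n", g)
	fmt.Printf("altered order verifies:  %v\n", t)
	fmt.Printf("imposter key verifies:   %v\n", w)
}
```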
Our discussions of the different types of businesses and their common business applications, of why we need to secure common business applications, of the common methods used to secure them in each type of business, and of the concepts behind securing web, database, email, and de-militarized zone (DMZ) services all lead to how it can be done in practice to produce a secure business application.
The Security Software Development Life Cycle (SecSDLC) is the methodology used to secure, implement, and maintain each business application. The process and procedures used to secure common business applications are the SecSDLC together with the Enterprise Information Security Policy (EISP).
Many information system security professionals believe the SecSDLC to be the best approach for implementing the information security system in business applications. The SecSDLC begins with the widely acknowledged Systems Development Life Cycle (SDLC), a theoretical model for general information systems projects. Like the SDLC, the SecSDLC is normally composed of six phases: investigation, analysis, logical design, physical design, implementation, and maintenance and change.
The stages form a progressive model in which each phase begins with the results and information gained from the last phase. The investigation phase inspects the current status of your business's information security. The analysis phase consists of documenting your business's information assets and associated threats, as well as the legal requirements involving information security.
The logical design phase creates and/or develops your information security plans, while the physical design phase selects the particular technologies needed to apply the logical design. Implementation puts into practice what is determined in the physical design phase, and the maintenance and change phase includes lifetime testing and modification of the security system.
The investigation phase of the SecSDLC serves as a starting place for any new information security-driven project. The first step of the investigation phase should be to closely examine current information security practices. You should be able to answer the following questions: Do you have an information security policy, and if so, what does it include? What types of hardware and software do you use for security purposes? Do you have virus protection for all workstations? What types of firewalls are in place to protect your business's applications and networks from people with malicious intent? Are wireless networks used, and if so, are they encrypted? Are backups performed on all essential systems? Can employees easily install software onto computers? What kind of physical security is in place? What monies, if any, are set aside solely for information security purposes? The answers to these and related questions should be documented for comparison purposes later in the SecSDLC.
Another key element of the investigation phase is to define management roles within the information security realm. Someone must be responsible for making information security decisions, and that person should have the backing of senior management such as the Chief Executive Officer (CEO). Some companies have a dedicated Chief Information Security Officer (CISO) to head information security.
Funding is yet another key element of the investigation phase. While Open Source alternatives can help lower software costs, hardware costs and manpower costs cannot be ignored. The implementation phase will help the business's information security professionals estimate costs, but budgetary matters should be planned ahead of time. Perhaps the project should start near the beginning of the fiscal year so more monies could be spent. These kinds of decisions should be considered in the investigation phase.
The analysis phase of the SecSDLC studies your information assets and the likely threats to them. An asset is an "organizational resource" that has value, while a threat is an object, person, or other entity that represents a constant danger to an asset.
Companies should also investigate threats that plague all industries. If you concluded in the investigation phase that your company does not have adequate virus protection, then viruses are definitely a threat to your company's network, as they can cause harm to computer systems and take effort to remove.
Worms are another threat that plagues all industries. Worms differ from viruses in that they are self-replicating and often spread by means other than executable files. As assets and their associated threats change, security practices and policies must be revised accordingly.
The primary goal of the logical design phase of the SecSDLC is "to design an information security program. The creation of an information security program begins with an information security blueprint". An information security blueprint must include an information security policy. An information security policy is defined as the written rules that users of technology must observe; it provides the rules for the protection of the information assets of the organization.
The person in charge of information security should develop a thorough information security policy that defines what network behavior is and is not allowed. With direction from upper management, the policy should also define what consequences will be enforced if the policy is broken.
Finally, the policy must be seen by all users of computer network technology, including employees, contractors, interns, and customers. All users should be required to sign an acknowledgement of, and agreement to follow, the information security policy, also known as an acceptable use policy.
From the information gathered in the first two phases, you should have an idea of which security needs should be addressed. The logical design phase sets out in writing what should be done to address those needs. For example, if viruses pose a problem to machines on your company's network, then virus protection should be specified as the solution: install anti-virus software on all workstations and probably on the email gateway as well.
The email gateway should probably disallow the types of attachments that traditionally carry viruses. If hackers are a concern, then you must specify a firewall and/or network intrusion detection system. Address the problem of worms by requiring workstations to install operating system patches.
Address physical security for company computer systems as well. What kinds of door locks need to be installed on the computer room, and who needs keys? If backups are inadequate, specify a backup system. Take measures to make sure employees cannot bypass security controls. There should be an authentication scheme in place so that employees must have a login and password to access any company computer system, and users should be prevented from having administrator authority over any computer system.
The physical design phase of the SecSDLC develops the generic ideas from the logical design phase into a concrete plan of action. It specifies which particular technologies to use to address information security concerns.
The implementation phase of the SecSDLC carries out the plans designed in earlier phases. This happens through a project plan, a written plan that delivers instructions to the individuals who are executing the implementation phase. These instructions focus on the security control changes needed in the hardware, software, procedures, data, and people that make up the organization's information systems. It is also important to create milestones, specific points in the project plan at which a task and its action steps are complete. Costs are determined in the investigation phase, followed by implementing the tasks recommended in the physical design phase.
Maintenance and Change
The maintenance and change phase of the SecSDLC is the last phase and will continue throughout the security project’s lifetime. Penetration and vulnerability testing should be an ongoing project to test for new vulnerabilities. Nmap and Nessus are free Open Source utilities useful in this stage.
Nmap is a port scanner that detects open TCP and UDP ports, while Nessus reports vulnerabilities for any network services running on your computers. Your company will undoubtedly install new technologies, and those technologies will bring more risks. Flaws will be found in existing technologies as well, causing more vulnerability in the information systems. By keeping a close eye on security, hopefully your information security program will stand for several years.
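As an added example for the maintenance and change phase (not code from the page's sources or from the Nmap project), a Go check that parses scan output in the shape of Nmap's grepable (-oG) format and compares the open ports per host against the baseline approved by change management, reporting unapproved ports, approved ports that are no longer listening, and hosts missing from the baseline. The baseline, the hosts and the scan lines are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// baseline maps host -> approved "port/proto" entries recorded by change
// management (assumed values, constructed for this example).
var baseline = map[string]map[string]bool{
	"10.0.0.5":  {"22/tcp": true, "443/tcp": true},
	"10.0.0.9":  {"25/tcp": true, "587/tcp": true},
	"10.0.0.20": {"1433/tcp": true},
}

// scanLines is constructed output in the shape of Nmap's grepable (-oG)
// format; it was written for this example, not captured from a real scan.
var scanLines = []string{
	"# Nmap scan initiated (constructed sample)",
	"Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///",
	"Host: 10.0.0.9 ()\tPorts: 25/open/tcp//smtp///, 587/filtered/tcp//submission///",
	"Host: 10.0.0.20 ()\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///",
	"Host: 10.0.0.31 ()\tPorts: 21/open/tcp//ftp///",
}

// ParseGrepable extracts the open "port/proto" entries per host. Comment
// lines, hosts without a Ports field, and non-open states are skipped.
func ParseGrepable(lines []string) map[string]map[string]bool {
	open := map[string]map[string]bool{}
	for _, line := range lines {
		if !strings.HasPrefix(line, "Host: ") {
			continue
		}
		fields := strings.Split(line, "\t")
		host := strings.SplitN(strings.TrimPrefix(fields[0], "Host: "), " ", 2)[0]
		for _, f := range fields[1:] {
			if !strings.HasPrefix(f, "Ports: ") {
				continue
			}
			for _, entry := range strings.Split(strings.TrimPrefix(f, "Ports: "), ",") {
				parts := strings.Split(strings.TrimSpace(entry), "/")
				if len(parts) < 3 || parts[1] != "open" {
					continue
				}
				if open[host] == nil {
					open[host] = map[string]bool{}
				}
				open[host][parts[0]+"/"+parts[2]] = true
			}
		}
	}
	return open
}

// Drift compares observed open ports with the baseline and returns sorted
// findings: unapproved open ports, approved ports that are no longer open,
// and hosts that do not appear in the baseline at all.
func Drift(observed, approved map[string]map[string]bool) []string {
	var out []string
	for host, ports := range observed {
		ok, known := approved[host]
		if !known {
			out = append(out, fmt.Sprintf("%s: host not in baseline (%s open)", host, sortedKeys(ports)))
			continue
		}
		for p := range ports {
			if !ok[p] {
				out = append(out, fmt.Sprintf("%s: unapproved open port %s", host, p))
			}
		}
	}
	for host, ports := range approved {
		for p := range ports {
			if !observed[host][p] { // reading a nil inner map is safe in Go
				out = append(out, fmt.Sprintf("%s: approved port %s not open", host, p))
			}
		}
	}
	sort.Strings(out)
	return out
}

func sortedKeys(set map[string]bool) string {
	keys := make([]string, 0, len(set))
	for k := range set {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, " ")
}

func main() {
	for _, f := range Drift(ParseGrepable(scanLines), baseline) {
		fmt.Println(f)
	}
}
```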
As an example of an EISP, the State of Iowa's policy states its purpose as follows. The purpose of this Enterprise Information Security Policy is to create an environment within State of Iowa agencies that maintains system security and availability, data integrity and individual privacy by preventing unauthorized access to information and information systems and by preventing misuse of, damage to or loss of data. If there is a difference between this policy and other required policies, those with the more stringent control take precedence.
This document describes an enterprise-level policy. Enterprise standards, processes and procedures will be developed to assist in the implementation. Each agency is responsible for developing policies, standards, processes and procedures to meet this policy. If it is determined that more stringent measures are needed, the agency is responsible for developing the policies, standards, processes and procedures to meet that higher level of security.
What is the role of security in the future?
Predict the role of security related to business applications in the future.