E-commerce Security Best Practice Guidelines


These guidelines document a number of best practices related to E-commerce security. In each case,
the risk of not implementing the practice is identified.

While these practices should be regarded as prerequisites to ensuring the security of E-commerce
resources, they should not be regarded as sufficient. In other words, these practices can be considered
to represent a ‘baseline’ upon which a secure structure can be built.

Each practice below is given with its description and the risk of not implementing it.

Three-tier architecture
Description: The E-commerce architecture must be separated physically and logically into three components: the web server, the application server and the database server. Data should be stored behind a firewall and accessed only through an application proxy, so that the web tier never connects to the database directly.
Risk of not implementing: A single-tier architecture exposes the web server as a single point of attack; whoever compromises it also holds the data.

Web server placement
Description: The web server must be placed behind a firewall, and the firewall must allow connections to the web server only on the ports and services required for business reasons. The web server should reside on its own network segment, separate and distinct from other servers.
Risk of not implementing: A web site that is not behind a firewall is exposed to direct attack on every service it happens to be running.

Web server access
Description: Ensure that the web server has no update or write access to its own file system; content should reach it through a separate, controlled publishing path.
Risk of not implementing: Update or write access could be misused to alter or deface the web site, and the compromised web server could then be used as a foothold to attack the other E-commerce systems.

User authentication
Description: Customers must be identified with at least a user ID and password. Strong authentication mechanisms such as digital certificates and hardware tokens should be used for proprietary or highly restricted
Risk of not implementing: Insecure access to a customer account could result in misuse of customer-specific information.

Inter-process/inter-machine communication
Description: The E-commerce infrastructure must be built so that communication between processes and between machines is authenticated and protected.
Risk of not implementing: Unauthenticated or unprotected inter-process and inter-machine communication is a security threat and could be used to compromise the systems.

Page 1 of 4                                                            Source: www.knowledgeleader.com
Critical and confidential data encryption
Description: Proprietary data travelling between the web browser and the web server must be encrypted (in practice, TLS).
Risk of not implementing: Information could be compromised if it passes unencrypted over the Internet.

Stored transaction data encryption
Description: Ensure that transaction data is encrypted as it is stored.
Risk of not implementing: If transaction data, which comprises customer-specific confidential information, is not stored securely, an unauthorized user could access this information in a readable

Transaction processing
Description: Transactions must initiate and complete on the application server, not the web server.
Risk of not implementing: Transactions contain critical data and, if not secured, could result in unauthorized access to that data. Because the web server sits in the de-militarized zone (DMZ), it is considered to be in an insecure

Session security and timeouts
Description: Session identifiers must be unpredictable (generated from a cryptographically secure random source), unique for every session, and sessions must be terminable both by explicit user logout and by automatic timeout.
Risk of not implementing: If sessions are not terminated properly they may allow a user to reconnect to a session without authenticating again, which can be misused to gain access to a customer's account.
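The session rules above, as an added example that is not part of the Protiviti guideline: a small Python session store that issues identifiers from the operating system's CSPRNG, keeps them unique, enforces both an idle timeout and an absolute lifetime, and invalidates on logout. The timeout values and the rotate() step after login are assumptions of this example, not figures from the text.

```python
"""Session handling as the guideline describes it: unpredictable identifiers, one per
session, idle and absolute timeouts, and server-side logout. Added example; the timeout
values are assumed policy figures, not numbers from the guideline."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created: float      # when the session was issued
    last_seen: float    # last successfully validated request


class SessionStore:
    IDLE_TIMEOUT = 15 * 60           # assumed: seconds of inactivity before expiry
    ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumed: hard cap regardless of activity

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits) make the identifier infeasible to guess or
        # enumerate; the loop only exists to guarantee uniqueness against a collision.
        while True:
            sid = secrets.token_urlsafe(32)
            if sid not in self._sessions:
                break
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if the session is unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session.created > self.ABSOLUTE_LIFETIME
                or now - session.last_seen > self.IDLE_TIMEOUT):
            # Delete rather than merely refuse, so an expired session cannot be revived.
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session.user

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh identifier for an existing session (call after login so an
        identifier planted before authentication is worthless). The created time is kept,
        so the absolute lifetime still applies."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid

    def logout(self, sid: str) -> None:
        # Server-side invalidation; clearing the browser cookie alone leaves the session live.
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("customer42")
    print("issued", sid, "->", store.validate(sid))
    store.logout(sid)
    print("after logout ->", store.validate(sid))
```

The clock is injected so expiry can be exercised in a test without sleeping. Transporting the identifier (a cookie marked Secure and HttpOnly) is outside what this example shows.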
Content management
Description: The content management system must ensure that no erroneous information, such as incorrect product pricing, inaccurate customer data or proprietary product details, is published. Also ensure that content management access is configured
Risk of not implementing: The liabilities of erroneous content delivery could be enormous, and insecure content management access could result in compromise of the systems and their critical data.

Domain Name System (DNS) configuration
Description: The DNS must be configured so that it does not advertise internal hosts. The Internet-facing DNS should carry only the hosts to which access from the Internet is intended; no other hosts should appear in the externally visible zones. Do not allow zone transfers (AXFR) from the Internet to internal zones.
Risk of not implementing: Failure to configure the DNS properly often leaks information about the corporate network, and information gathering is typically the first step an attacker takes. DNS misconfiguration could also result in a denial of service.
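Two checks that operationalise the DNS practice above, as an added example (not from the guideline): a parse of the Internet-facing zone that flags records pointing at non-routable addresses or naming hosts outside an agreed allowlist, and a check of the BIND allow-transfer option. The zone file, the named.conf fragment, the shop.example names and the allowlist are constructed test data.

```python
"""Audit the Internet-facing DNS for the two problems the guideline names: internal hosts
advertised to the world, and unrestricted zone transfers. Added example; the zone file,
named.conf fragment and allowlist below are constructed test data for a hypothetical
shop.example, not from the guideline."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed external zone. Only the apex, www, mail and ns1 are meant to be reachable
# from the Internet; the remaining records are the kind of leak the guideline warns about.
EXTERNAL_ZONE = """\
$ORIGIN shop.example.
$TTL 3600
@        IN SOA   ns1.shop.example. hostmaster.shop.example. (2024010101 7200 3600 1209600 3600)
@        IN NS    ns1.shop.example.
@        IN MX    10 mail.shop.example.
www      IN A     203.0.113.10
mail     IN A     203.0.113.25
ns1      IN A     203.0.113.53
appsrv1  IN A     10.20.0.11      ; application tier: must never appear in the public zone
db-prod  IN A     10.20.1.5       ; database tier
mgmt     IN A     192.168.50.2    ; out-of-band management
intranet IN CNAME appsrv1.shop.example.
"""

# Constructed BIND options block carrying the weak setting.
NAMED_CONF_WEAK = """\
options {
    directory "/var/named";
    allow-transfer { any; };
};
"""

# Hosts the business has decided to expose (assumed allowlist).
PUBLIC_HOSTS: Set[str] = {"@", "www", "mail", "ns1"}

# Address space never reachable from the Internet; an A/AAAA record pointing here names an
# internal host. Listed explicitly rather than via ipaddress.is_private, which also covers
# the documentation prefixes used for the public hosts in the sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10")]                # IPv6 loopback, ULA, link-local

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+(?P<type>A|AAAA|CNAME|MX|NS|SOA)\s+"
    r"(?P<rdata>.+?)\s*(?:;.*)?$")


def parse_zone(text: str) -> List[Dict[str, str]]:
    """Minimal parser for one-record-per-line zone files; $-directives and comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("$", ";")):
            continue
        match = RECORD_RE.match(line)
        if match:
            records.append(match.groupdict())
    return records


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def audit_zone(text: str, public_hosts: Set[str] = PUBLIC_HOSTS) -> List[str]:
    findings = []
    for rec in parse_zone(text):
        name, rtype, rdata = rec["name"], rec["type"], rec["rdata"]
        if rtype in ("A", "AAAA") and is_internal(rdata.split()[0]):
            findings.append(f"{name}: {rtype} record points at non-routable address {rdata.split()[0]}")
        if rtype not in ("SOA", "NS") and name not in public_hosts:
            findings.append(f"{name}: advertised ({rtype}) but not on the public allowlist")
    return findings


def audit_transfer(named_conf: str) -> List[str]:
    """Zone transfers must be limited to the addresses of the secondary name servers."""
    match = re.search(r"allow-transfer\s*\{([^}]*)\}", named_conf)
    if match is None:
        return ["allow-transfer is not set: transfers fall back to the server default, restrict them explicitly"]
    acl = [t.strip() for t in match.group(1).split(";") if t.strip()]
    if "any" in acl:
        return ["allow-transfer { any; } lets anyone on the Internet pull the whole zone (AXFR)"]
    return []


if __name__ == "__main__":
    for finding in audit_zone(EXTERNAL_ZONE) + audit_transfer(NAMED_CONF_WEAK):
        print(finding)
```

The live counterpart of the transfer check is to request an AXFR from a host outside the network (`dig @ns1.shop.example shop.example axfr`); the expected result is a refusal, not the zone.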
Account management
Description: Minimize the number of administrator and system accounts on E-commerce systems.
Risk of not implementing: The more administrator accounts exist, the greater the chance that one of them is accessed without authorization; such an account gives access to all information in the system.
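An inventory of root-capable accounts, as an added example supporting the account management practice (not from the guideline): it parses /etc/passwd, /etc/group and a sudoers excerpt, flags a second UID 0 account, service accounts with an interactive shell and NOPASSWD rules, and compares the number of root-capable accounts against a policy ceiling. All three file excerpts and the UID_MIN_REGULAR and MAX_ADMINS values are constructed assumptions.

```python
"""Inventory of privileged accounts on a host, to support the guideline's 'minimize
administrator and system accounts'. Added example; the /etc/passwd, /etc/group and
sudoers excerpts below are constructed test data, and UID_MIN_REGULAR / MAX_ADMINS
are assumed policy values."""
from typing import Dict, List, Tuple

UID_MIN_REGULAR = 1000   # assumed: UIDs below this belong to system/service accounts
MAX_ADMINS = 2           # assumed: policy ceiling on root-capable accounts per host
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:115:120:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
contractor:x:1002:1002:Temporary contractor:/home/contractor:/bin/bash
deploy:x:1003:1003:CI deploy user:/home/deploy:/bin/bash
"""

GROUP = """\
root:x:0:
sudo:x:27:jsmith,contractor,deploy
www-data:x:33:
"""

SUDOERS = """\
# constructed excerpt
root       ALL=(ALL:ALL) ALL
%sudo      ALL=(ALL:ALL) ALL
deploy     ALL=(root) NOPASSWD: /usr/local/bin/deploy-release
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text: str) -> Dict[str, List[str]]:
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":")
            groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text: str, groups: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Map each user who can run something via sudo to their rules; %group entries are
    expanded through /etc/group. Only the common 'user HOST=(RUNAS) cmds' form is handled."""
    grantees: Dict[str, List[str]] = {}
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        principal, rule = line.split(None, 1)
        names = groups.get(principal[1:], []) if principal.startswith("%") else [principal]
        for name in names:
            grantees.setdefault(name, []).append(rule)
        if "NOPASSWD" in rule:
            findings.append(f"sudoers: {principal} has a NOPASSWD rule ({rule})")
    return grantees, findings


def audit_accounts(passwd_text: str, group_text: str, sudoers_text: str) -> Dict[str, list]:
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    grantees, findings = parse_sudoers(sudoers_text, groups)

    uid0 = [n for n, u in users.items() if u["uid"] == 0]
    for name in uid0:
        if name != "root":
            findings.append(f"{name}: second UID 0 account; indistinguishable from root in logs and ACLs")

    service_with_shell = [n for n, u in users.items()
                          if 0 < u["uid"] < UID_MIN_REGULAR and u["shell"] not in NOLOGIN_SHELLS]
    for name in service_with_shell:
        findings.append(f"{name}: service account with an interactive shell ({users[name]['shell']})")

    admins = sorted(set(uid0) | set(grantees))
    if len(admins) > MAX_ADMINS:
        findings.append(f"{len(admins)} root-capable accounts ({', '.join(admins)}) exceed the ceiling of {MAX_ADMINS}")

    return {"uid0": uid0, "sudo_users": sorted(grantees),
            "service_with_shell": service_with_shell, "findings": findings}


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, GROUP, SUDOERS)["findings"]:
        print(finding)
```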

Backup and restoration procedures
Description: E-commerce systems should be backed up regularly, and restoration procedures should be tested regularly to validate the integrity of the backups.
Risk of not implementing: Failure to back up the E-commerce systems properly could result in the loss of configuration information as well as system files, security log files and data.

Software and security patches
Description: All vendor-recommended software and security patches should be installed and properly configured on E-commerce systems.
Risk of not implementing: Failure to install the latest recommended security patches leaves the systems exposed to newly published attack methods.

System and configuration file security
Description: System and configuration files for all E-commerce systems should be viewable only by the administrator.
Risk of not implementing: Failure to secure system and configuration files properly could allow modifications by unauthorized personnel that could result in the addition of significant security
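A permission audit serving both the Web server access practice (page 1) and the System and configuration file security practice above, as an added example (not from the guideline): it walks a tree, decides whether the web server's uid/gid could write to anything under the document root, and flags configuration files that are group/other accessible or not owned by the administrator. demo() builds a constructed temporary tree so the checks run offline; the paths, modes and uid/gid values in it are assumptions.

```python
"""Permission audit for two of the practices above: the web server identity must not be
able to write to what it serves (Web server access), and system/configuration files must
be readable only by the administrator (System and configuration file security). Added
example; the demo() tree, uid/gid values and policy are constructed assumptions."""
import os
import stat
import tempfile
from typing import Iterable, List, NamedTuple, Set


class Entry(NamedTuple):
    path: str
    mode: int   # st_mode, including the file-type bits
    uid: int
    gid: int


def scan(root: str) -> List[Entry]:
    """Collect owner and mode for every directory and file under root (symlinks not followed)."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entries.append(Entry(path, st.st_mode, st.st_uid, st.st_gid))
    return entries


def writable_by(entry: Entry, uid: int, gids: Set[int]) -> bool:
    """Would an unprivileged process running as uid with groups gids have write permission?"""
    if entry.uid == uid and entry.mode & stat.S_IWUSR:
        return True
    if entry.gid in gids and entry.mode & stat.S_IWGRP:
        return True
    return bool(entry.mode & stat.S_IWOTH)


def audit_docroot(entries: Iterable[Entry], web_uid: int, web_gids: Set[int]) -> List[str]:
    """Anything under the document root the web server could modify is a finding: a writable
    directory lets the server create new files, a writable file lets it change content."""
    return [f"{e.path}: writable by the web server identity ({stat.filemode(e.mode)})"
            for e in entries if writable_by(e, web_uid, web_gids)]


def audit_config(entries: Iterable[Entry], admin_uid: int = 0) -> List[str]:
    """Configuration files should be owned by the administrator and carry no group/other bits."""
    findings = []
    for e in entries:
        if stat.S_ISDIR(e.mode):
            continue
        if e.mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{e.path}: accessible to group or others ({stat.filemode(e.mode)})")
        elif e.uid != admin_uid:
            findings.append(f"{e.path}: owned by uid {e.uid}, not the administrator")
    return findings


def demo() -> dict:
    """Build a small constructed tree in a temp dir and run both audits against it."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "html")
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(docroot, "uploads"))
        os.makedirs(etc)
        layout = {  # relative path -> mode (constructed)
            "html/index.html": 0o644,          # fine: nobody but the owner can write it
            "html/uploads/shell.php": 0o666,   # world-writable file inside the docroot
            "etc/db.conf": 0o600,              # fine
            "etc/app.conf": 0o644,             # world-readable configuration
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(docroot, "uploads"), 0o777)  # world-writable directory
        admin_uid = os.lstat(root).st_uid   # whoever owns the temp tree plays the administrator
        # The web server is modelled as a uid/gid that owns nothing here, so only o+w bits trip it.
        return {"docroot": audit_docroot(scan(docroot), web_uid=-1, web_gids=set()),
                "config": audit_config(scan(etc), admin_uid=admin_uid)}


if __name__ == "__main__":
    for section, findings in demo().items():
        print(section)
        for f in findings:
            print("  " + f)
```

On a real host the entries come from scan() over the document root and the configuration directories, with web_uid/web_gids set to the account the web server actually runs as.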
Conflicting software
Description: The web server should run only web server software. No other software packages should be installed unless a sufficient business need exists.
Risk of not implementing: Rogue processes could compromise the security not only of the web server but also of internal hosts, through the introduction of back doors. Unnecessary processes also consume operating system resources and degrade web server performance.

Physical security
Description: All E-commerce-related hardware components should be kept in a physically secure environment, such as a card-access data center.
Risk of not implementing: The lack of adequate physical security around the E-commerce components could result in unauthorized changes to the

Remote administration
Description: Remote administration should be performed through appropriate vendor software by a small number of administrators. The remote solution should support two-factor authentication, such as hardware tokens (e.g., SecurID) or digital certificates. Additionally, the entire session should be logged.
Risk of not implementing: The use of inappropriate software for remote administration could introduce programs that compromise the integrity of the commerce systems; it could also inadvertently turn on insecure services for remote administration.

Vulnerability scanning
Description: The E-commerce systems should be scanned periodically with vulnerability scanners to determine whether they are vulnerable to new exploits.
Risk of not implementing: Without periodic vulnerability scanning, a new vulnerability or exploit may be introduced into the system without the system administrator's knowledge.

Redundancy
Description: Where necessary, redundant fail-over systems and procedures should exist for all E-commerce-supporting systems.
Risk of not implementing: Redundant systems are necessary to improve the availability of the E-commerce-supporting systems and to reduce the time needed to recover from a system failure.

Operating system security
Description: E-commerce systems must be installed on a securely configured and maintained operating system.
Risk of not implementing: Weak operating-system-level controls could lead to compromise of the systems or to denial of service.

Intrusion detection and incident response procedures
Description: The E-commerce infrastructure must include a real-time intrusion detection system, supported by incident response procedures that ensure incidents are responded to and escalated appropriately and in a timely manner.
Risk of not implementing: Without an intrusion detection system and incident response procedures, unauthorized activity may go undetected, and undetected intrusions are likely to cause greater damage because the period of unauthorized access is longer.

Privacy policy
Description: If the web site collects personally identifiable information, its privacy policy should tell users what information the web site collects, with whom it may be shared, and what security procedures are in place to protect it.
Risk of not implementing: Consumer data privacy is an extremely sensitive issue in today's business world. Consumers are increasingly aware of their privacy rights and hence increasingly reluctant to give out personal details on the Internet. Lack of a privacy policy may result in litigation.

CyberProcess Certification
Description: An E-commerce web site must have a Seal of Trust or a CyberProcess Certification performed. This helps build web site credibility and customer trust, thus increasing the value of the site. The certification process is usually performed by a trusted third
Risk of not implementing: Without it, customers' fear of operating in an insecure environment is not mitigated.

Customer Service functions
Description: Customer service functions must be accessible only via the internal network, and that access should be secured. If a customer requests a password reset, confirmation of the new password should be sent only to the address of record, never to an address supplied with the request.
Risk of not implementing: If the customer service function is not secured it could be misused to gain unauthorized access to customer data.
Logging and monitoring
Description: Logging must be enabled on all E-commerce systems. In addition to meeting the regular logging requirements, all customer service activity should also be logged.
Risk of not implementing: Failure to log customer service activity could allow security breaches to go undetected.
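Detection logic for the Customer Service functions and Logging and monitoring practices above, as an added example (not from the guideline): it reads customer service activity logs and alerts on access from outside the internal network, on a reset confirmation sent to an address other than the address of record, and on an agent viewing an unusual number of distinct customer accounts in a short window. The log format, the sample lines, and the window and threshold values are constructed assumptions.

```python
"""Detection over customer service activity logs: access from outside the internal network,
reset confirmations not sent to the address of record, and bulk viewing of accounts.
Added example; the key=value log format, the sample lines, INTERNAL_NETS, WINDOW and
BULK_THRESHOLD are constructed assumptions, not part of the guideline."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=10)   # assumed sliding window for bulk-access detection
BULK_THRESHOLD = 5               # assumed: more distinct customers than this per window is suspicious

# Constructed sample: agent17 pages through six accounts in two minutes, agent22 routes a
# reset to an address that is not the address of record and later appears from outside.
LOG = """\
2024-03-04T10:15:02Z agent=agent17 action=view_account customer=C1001 src=10.5.1.22
2024-03-04T10:15:40Z agent=agent17 action=view_account customer=C1002 src=10.5.1.22
2024-03-04T10:16:05Z agent=agent17 action=view_account customer=C1003 src=10.5.1.22
2024-03-04T10:16:30Z agent=agent17 action=view_account customer=C1004 src=10.5.1.22
2024-03-04T10:17:01Z agent=agent17 action=view_account customer=C1005 src=10.5.1.22
2024-03-04T10:17:20Z agent=agent17 action=view_account customer=C1006 src=10.5.1.22
2024-03-04T10:30:11Z agent=agent03 action=view_account customer=C2001 src=10.5.1.40
2024-03-04T11:02:47Z agent=agent03 action=password_reset customer=C2001 sent_to=alice@example.com record=alice@example.com src=10.5.1.40
2024-03-04T11:05:09Z agent=agent22 action=password_reset customer=C3107 sent_to=recover@mail.example.net record=bob@example.com src=10.5.1.77
2024-03-04T23:41:58Z agent=agent22 action=view_account customer=C3107 src=198.51.100.23
"""


def parse(line: str) -> dict:
    """One log line -> dict of fields, with 'ts' parsed to a datetime."""
    ts, *pairs = line.split()
    record = dict(p.split("=", 1) for p in pairs)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def is_internal(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


def detect(log_text: str) -> List[str]:
    alerts = []
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        stamp = f"{r['ts']:%Y-%m-%d %H:%M:%S}"
        # 1. Customer service reached from outside the internal network.
        if not is_internal(r["src"]):
            alerts.append(f"{stamp} {r['agent']}: customer service access from external address {r['src']}")
        # 2. Reset confirmation routed somewhere other than the address of record.
        if r["action"] == "password_reset" and r["sent_to"].lower() != r["record"].lower():
            alerts.append(f"{stamp} {r['agent']}: reset for {r['customer']} sent to {r['sent_to']}, "
                          f"address of record is {r['record']}")
        # 3. Bulk viewing: distinct customers per agent inside a sliding window.
        if r["action"] == "view_account":
            window = recent[r["agent"]]
            window.append((r["ts"], r["customer"]))
            while r["ts"] - window[0][0] > WINDOW:
                window.popleft()
            distinct = {c for _, c in window}
            if len(distinct) == BULK_THRESHOLD + 1:   # alert once, when the threshold is first crossed
                alerts.append(f"{stamp} {r['agent']}: viewed {len(distinct)} distinct accounts within "
                              f"{int(WINDOW.total_seconds() // 60)} minutes")
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The third rule only works if every customer service action is logged with the agent and the customer it touched, which is the point of logging that activity separately from the regular system logs.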
Service Level Agreements
Description: E-commerce services managed by service providers should be covered by comprehensive service level agreements that address security.
Risk of not implementing: Service level agreements define the quality of service; if this is not specified clearly, poor service support can result.

This material was first published by Protiviti Inc. on www.knowledgeleader.com. The KnowledgeLeader Internal Audit and Risk Management Community is a resource for tools, best practices, white papers, risk models, and other materials that you can use on a daily basis to help you manage risk or improve your internal audit function. You are welcome to sign up online for a free 30-day trial. The purpose of the website is to help you save time and stay abreast of business and technology risks and other internal audit and IT audit issues.
