
A security document from the National
Institute of Standards and Technology (NIST) can help administrators work
through the often complex problem of designing and implementing secure
remote authentication for e-commerce and other Web operations. I’m going to
give you a breakdown of what this document has to offer.

The report

NIST (formerly the National Bureau of Standards) has published the final
version of Special Publication 800-63, “Electronic Authentication Guideline:
Recommendations of the National Institute of Standards and Technology.”

Federal agencies are required to follow some of the recommendations NIST
makes; commercial IT departments are not, but the recommendations still provide
a valuable guide, especially for administrators who want ready-made guidelines
for securing their own Web operations. Electronic authentication (verifying
the identity of a remote user before granting access) is one of the most
critical security concerns of many administrators, and this 63-page report
provides a lot of useful information, even though much of it is buried in the
many pages of “official” language.

The report divides the authentication problem into four assurance levels,
each corresponding to a different degree of confidence that the person
presenting a credential is who they claim to be. This is a good place to
start in designing your own security plan, especially if you want to make use
of the later parts of the guide, which tie specific protocols and threats to
each level.

Obviously, it is much more
important to be certain about whom you are authenticating if they are placing
orders or you are sending financial information to them, but even at the most
basic level, it is often critical that businesses be able to authenticate the
person at the other end of the data stream even before sending such basic
information as price quotes (especially if you quote different prices to
different customers for various marketing or credit-worthiness reasons).

The SP 800-63 report can help you
define the authentication level(s) most appropriate for your organization, as
well as which protocols you should use to reach each level. In addition, the
publication can save you a lot of time when it comes to preparing a
comprehensive list of the actual threats you may face. IT professionals know that
you can’t adequately protect against something you don’t know about, and we also
know just how easy it is to overlook one danger while you are trying to decide
on everything you must protect against.

While not everything in this document will apply directly to your IT
environment, you can copy and paste sections directly into your own plans
where they fit. It’s good form to credit NIST, but as a work of the U.S.
government the publication is not subject to copyright, so you don’t have to
spend hours rewriting sections before you can use the recommendations in your
own operations, and you don’t have to worry about how much text you can reuse
before incurring the ire of a vendor.

The tables in Section 9, Summary of
Technical Requirements by Level, are very useful. If you can match your needs
with one of the four predefined levels detailed in the first part of this
document, these tables will quickly show just what technical hurdles you may
face in implementing the guidelines, such as what token types are permitted at
a certain level and what attack vectors you may need to protect against to
achieve a certain degree of security.

The token types covered in SP
800-63 include (with the most secure at the top of the list):

  • Hard
    crypto tokens
  • One-time
    password devices
  • Soft
    crypto tokens
  • Passwords
  • PINs

The various attacks described
include:

  • Online
    guessing
  • Replay
  • Eavesdropping
  • Verifier
    impersonation
  • Man-in-the-middle
    attacks
  • Session
    hijacking

The highest level of security
requires protection against all six of these types of attacks, while the lowest
level only requires protection against replay and online guessing.

Appendix A is devoted to an information-theoretic analysis of passwords,
including a method for estimating the strength, or entropy, of a password.
Entropy, measured in bits, is the standard measure of how hard a particular
password (or a whole population of passwords chosen under a given policy) is
to guess: a password with n bits of entropy is about as hard to guess as a
uniformly random n-bit value, so each extra bit doubles an attacker’s work.
Although the mathematics may not interest you, there is an extensive general
discussion that should be helpful to anyone involved in security (other than
professional cryptographers, for whom none of it will be news).
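To make the appendix’s method concrete, here is an added example (mine, not code from NIST or from this column) that estimates the entropy of a user-chosen password with a length-based schedule in the style of Appendix A and then turns that figure into the one number an administrator actually has to configure: how many failed login attempts can be tolerated over the password’s lifetime before an online guessing attack becomes too likely. The per-character schedule is what I recall of the appendix (4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for 9 through 20, 1 bit each beyond that) with the appendix’s dictionary and composition bonuses left out, and the 1-in-1024 success ceiling is my recollection of the Level 1 figure; check both against the publication before relying on them. The sample passwords are constructed.

```python
import math

# Added example: length-based entropy estimate in the style of SP 800-63
# Appendix A plus the online-guessing budget it implies. The schedule below
# is my recollection of the appendix (no dictionary/composition bonuses) and
# the Level 1 ceiling is assumed; verify both against the publication.

FIRST_CHAR_BITS = 4.0      # assumed: entropy credited to character 1
CHARS_2_TO_8_BITS = 2.0    # assumed: characters 2..8
CHARS_9_TO_20_BITS = 1.5   # assumed: characters 9..20
CHARS_21_PLUS_BITS = 1.0   # assumed: characters 21 and beyond

LEVEL1_MAX_GUESS_PROBABILITY = 2.0 ** -10  # assumed Level 1 ceiling: 1 in 1024


def user_chosen_entropy(password: str) -> float:
    """Estimate entropy (bits) of a user-chosen password by position.

    Later characters get less credit because users choose them less
    randomly than the first few; this is the shape of the Appendix A
    heuristic, not a transcription of its table.
    """
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += FIRST_CHAR_BITS
        elif position <= 8:
            bits += CHARS_2_TO_8_BITS
        elif position <= 20:
            bits += CHARS_9_TO_20_BITS
        else:
            bits += CHARS_21_PLUS_BITS
    return bits


def random_secret_entropy(alphabet_size: int, length: int) -> float:
    """Exact entropy of a secret drawn uniformly: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def guess_success_probability(entropy_bits: float, guesses: int) -> float:
    """Upper bound on an online guesser's success after `guesses` attempts.

    With 2**H equally likely candidates and no repeated guesses, each guess
    succeeds with probability 1/2**H, so P(success) <= guesses / 2**H,
    capped at 1.
    """
    return min(1.0, guesses / 2.0 ** entropy_bits)


def max_failed_attempts(entropy_bits: float, max_probability: float) -> int:
    """Largest lifetime failed-attempt budget that keeps P(success) <= max_probability.

    Rearranging guesses / 2**H <= p gives guesses <= p * 2**H. This is the
    number a lockout or throttling policy has to enforce.
    """
    return math.floor(max_probability * 2.0 ** entropy_bits)


def meets_guessing_limit(entropy_bits: float, allowed_failures: int,
                         max_probability: float = LEVEL1_MAX_GUESS_PROBABILITY) -> bool:
    """True if a password of this strength, under a policy that permits
    allowed_failures bad attempts over its lifetime, stays under the ceiling."""
    return guess_success_probability(entropy_bits, allowed_failures) <= max_probability


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Tr0ub4dor", "correct horse battery staple", "abcdefgh"]:
        h = user_chosen_entropy(pw)
        print(f"{pw!r}: ~{h:.1f} bits, Level 1 lockout budget "
              f"{max_failed_attempts(h, LEVEL1_MAX_GUESS_PROBABILITY)} failures")
    h = random_secret_entropy(64, 6)
    print(f"6 chars from a 64-symbol alphabet: {h:.1f} bits, budget "
          f"{max_failed_attempts(h, LEVEL1_MAX_GUESS_PROBABILITY)} failures")
    print("8-char user password with a 1000-failure lockout meets Level 1?",
          meets_guessing_limit(user_chosen_entropy("abcdefgh"), 1000))
```

The relation that matters is in the last two functions: if an attacker gets g guesses at a password with H bits of entropy, the success probability is at most g / 2^H, so the lockout or throttling policy, not the password rules alone, decides whether a level is met. An 8-character user-chosen password comes out at 18 bits under the schedule above, which allows at most 256 failed attempts over its lifetime at a 1-in-1024 ceiling; the same ceiling against a 6-character secret generated uniformly from a 64-symbol alphabet (36 bits) permits over 67 million attempts, which is why the report treats machine-generated secrets so differently from user-chosen ones.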

Final word

Many times we are too quick to
dismiss any government work in our field. Many of us have come face-to-face
with the limitations of government agencies and sometimes forget that there is also
some very helpful work being done by these agencies that we can take advantage
of in our everyday work. Those of us in the U.S. are paying for this one way or
another, so why not take advantage of the few pearls we can take from publications
such as the ones from NIST? If nothing else, this document can serve as a great
training resource to get new IT staff members up to speed on various security
issues.


Also watch for . . .

  • Wired News has reported a significant federal court ruling in a
    Massachusetts case in which a bookseller copied and read all the e-mails
    his customers were sending through his e-mail service. His snooping was
    for commercial purposes: he targeted customers with book offers based on
    the e-mails they sent to Amazon (a practice similar to the ad targeting
    planned for Google’s free gigabyte e-mail service, which is about to
    debut). He was charged under the Wiretap Act, but the court ruled that
    his conduct did not violate it. The privacy implications for companies
    are obvious: don’t use public mail systems to conduct business, and
    don’t send business e-mail over untrusted wireless connections such as
    those found at coffee shops. On the other hand, if you set up a free
    e-mail service for your customers, you are apparently free to snoop on
    what they are saying, at least for the time being. I expect this one to
    go all the way to the Supreme Court in Washington.
  • A News.com report on the new California privacy law includes a link to
    comments by a legal firm about the effects the California Online Privacy
    Protection Act of 2003 will have on all companies doing any business in
    California. The law spells out privacy-statement requirements and other
    privacy-related rules regarding the sharing of customer data.
  • On the “we can all relax now” front, the UN has come out against spam
    and, according to the CMP story, says it will eliminate spam within two
    years, leading to “the preservation of the Internet.” Whew! That’s a
    great weight off my mind.
  • Lotus Domino Web Access (iNotes) has a DoS issue triggered by large JPG
    images. See the Secunia note for the few available details on this
    unspecified problem.
  • IBM’s SecureWay Firewall can suffer a DoS event from invalid packets.
    There is a report on the Open Source Vulnerability Database.
  • Mozilla and Firefox have a newly discovered problem that is covered in a
    Secunia report.