The Nuts and Bolts of Information Security, Part 1: Risk Management

    February 10, 2004

Are you at risk? If your vital information is, then so are you. While you're struggling to make sales or generate Web site traffic, managing the risks to that vital information is probably the furthest thing from your mind. Nonetheless, as times become more perilous, risk management is an essential part of any on-line presence.

Myths, hysteria, hyperbole, and misunderstandings abound about information security on the Internet. Anyone with a Web presence is bombarded almost daily with news of network security problems and viruses. Acquiring networks are on merchants' backs about the new CISP security requirements. And everyone is wondering whether the next intrusion will bring down the entire Internet.

This is the first of a four-part article that will define some of the issues of information security, provide perspective, and offer practical insights about what can be done. It is directed especially to the small-to-medium-sized merchant and the risks of conducting credit card transactions through an on-line store. However, merely publishing a privacy policy implies that you store vital information and therefore need to manage the risks to it. Parts 2 and 3 will get into the details of protecting information, including design considerations; Part 4 will summarize the series and expose a few of the myths.

According to the Gartner Group, 50 percent of small and mid-sized organizations that manage their own network security and use the Internet for more than e-mail will be attacked via the Internet by 2003. By 2004, the other 50 percent will have spent more than 20 billion dollars to keep their systems from being attacked.

Put your 20 billion away. This article will not address in any depth the issues of network security: routers, firewalls, and intrusion detection systems. It is assumed here that your Web site is hosted by a service provider, or that you have your own IT network staff, and that they are looking out for you in this regard.

For anyone storing vital information, some of the risks are unauthorized copying or downloading of data, unauthorized disclosure, unauthorized transactions, data destruction, and data alteration.

The objective of risk management is to preserve the confidentiality and integrity of information while maintaining its availability. Confidentiality means that data is disclosed only to those with a "need to know". Integrity means protecting the data from intentional or accidental changes. Availability means making the data accessible to authorized users when, where, and as needed, and to no one else.

No system is 100% secure, and the cost of providing security rises steeply as the residual risk approaches zero. Hence risk management is required: to determine your vulnerabilities and to provide a plan that starts by fixing the areas of greatest exposure.

Security breaches originate either inside or outside an organization, and can be accidental or deliberately initiated by an attacker. This sounds trivial, but consider that an inside breach can be brought about through social engineering by an outside attacker. Social engineering is the process whereby an outsider persuades an insider to take an action, or to disclose information, that the outsider is not authorized to have.

Consider this: You have a call center that responds to on-line store enquiries. You get a call from a customer who says, “This is Jake Gonnagetcha. The last time I ordered from you I used my Visa card #4111111111111111. I never know if the card uses my shipping location or mailing address, but whichever it was, it worked last time. I want to order again. Can you please tell me which address I used before?”

This disclosure seems innocent enough, and often it will be, but this time a stolen card number is being used by a thief who needs the cardholder's billing address to get past Address Verification (AVS) at another site. The safe response is to verify rather than disclose: ask the caller which address they believe is on file and answer yes or no, never read the stored address back.

Closer to home are examples of "take action" social engineering: the myriad e-mail viruses floating around. If you haven't been bitten already, you probably will be. The intruder gets you to open an e-mail attachment by using an intriguing message or by disguising the attachment's true file extension. Once opened, your machine is infected, possibly with a back door that gives the intruder full access to all of the information on it.


Potentially even more threatening attacks are socially engineered onto your machines by getting you to install freeware that bundles an executable spyware program. This technique is used by certain advertising companies to gather personal data, but be aware that such spyware could just as easily read and manipulate any other file on the machine.

You may be feeding the intruder by bringing home information to work on, sometimes entire databases. All of the effort by your hosting company or IT staff to block hackers can be laid to waste by this simple, well-intentioned act.

While such executable software won't generally be socially engineered onto your Web host machines, it may well get onto a home computer. Depending on how you manage your connections to the host, this software could easily use the home computer as a conduit to the host. At the very least, require that anyone taking work home runs a software firewall on their personal machine that blocks all unsolicited inbound connections, so that the computer cannot be made to act as a server.


Your first line of defense in risk management is to have a plan for protecting information.

1) Identify the information that is vital and create a hierarchy of personnel who have access to that information.

2) At a minimum, password protect vital information and keep a record of every employee access to it.

3) Make sure employees understand the possibilities inherent in social engineering and are aware of the various scams being run at the time.

4) Set up alert triggers that require employees to notify supervisors when a suspicious activity occurs.

5) Watch that vital information isn’t being innocently moved to non-secure locations by yourself or well intentioned employees.

6) Back up data periodically to a secure location. The frequency should depend on the level of activity you experience. If you are using a remote service provider, ask them what their backup policy is, but don't rely on it: make your own backups. If you're running your own servers, be sure to move the backup tapes or disks to an alternate location. Backup media that is destroyed by fire or some other calamity along with the original data isn't going to do you any good.

7) Designate someone within your organization to be responsible for information security. Make them accountable and give them the authority to implement procedures.
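The call-centre scenario above and plan items 1, 2 and 4 can be turned into a small piece of working code. What follows is an added example written for this article, not code from the author or from ImagineNation: a lookup desk that answers address questions with yes or no instead of reading the stored address back, restricts disclosure to a supervisor role (the access hierarchy), records every access in a log, and raises an alert for a supervisor when one employee accumulates too many failed verifications or denied operations in a short window. The class name, the customer and employee records, the role table, and the threshold and window values are all assumptions made for the example.

```python
"""Call-centre lookup desk: verify, never disclose, log everything, alert on probing.

Added example for this article (not the author's code). Customer records,
employees, roles, and the alert threshold below are constructed sample data.
"""
import hmac
import time
from collections import deque


def _normalize(address: str) -> str:
    """Collapse case and whitespace so '12 Elm St' and '12  elm st' compare equal."""
    return " ".join(address.lower().split())


# Constructed sample data (assumption). Only the last four card digits are kept,
# so a number read out by a caller can be matched without the full PAN being stored.
CUSTOMERS = {
    "cust-001": {"card_last4": "1111", "billing_address": "12 Elm St, Springfield"},
    "cust-002": {"card_last4": "4242", "billing_address": "9 Oak Ave, Shelbyville"},
}

# Need-to-know hierarchy (plan item 1): the operations each role may perform.
PERMISSIONS = {
    "agent": {"verify_address"},
    "supervisor": {"verify_address", "view_address"},
}

# Alert trigger (plan item 4): this many failed verifications or denied operations
# by one employee inside the window is treated as probing. Assumed values.
ALERT_THRESHOLD = 3
WINDOW_SECONDS = 600


class CallCentreDesk:
    def __init__(self, customers=CUSTOMERS, permissions=PERMISSIONS):
        self.customers = customers
        self.permissions = permissions
        self.access_log = []      # plan item 2: every access is recorded here
        self.alerts = []          # plan item 4: notifications for a supervisor
        self._suspicious = {}     # employee -> deque of recent bad-event timestamps

    def _log(self, employee, role, op, customer_id, outcome, now):
        self.access_log.append({"time": now, "employee": employee, "role": role,
                                "op": op, "customer": customer_id, "outcome": outcome})

    def _note_suspicious(self, employee, now):
        recent = self._suspicious.setdefault(employee, deque())
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:   # drop events outside window
            recent.popleft()
        if len(recent) >= ALERT_THRESHOLD:
            self.alerts.append({"time": now, "employee": employee,
                                "events_in_window": len(recent)})
            recent.clear()

    def _authorized(self, employee, role, op, customer_id, now):
        if op in self.permissions.get(role, set()):
            return True
        self._log(employee, role, op, customer_id, "denied", now)
        self._note_suspicious(employee, now)
        return False

    def verify_address(self, employee, role, customer_id, card_last4, claimed_address, now=None):
        """Answer only yes/no to 'is this the address on file?'; never return the address."""
        now = time.time() if now is None else now
        if not self._authorized(employee, role, "verify_address", customer_id, now):
            return False
        record = self.customers.get(customer_id)
        # compare_digest keeps comparison time independent of where a mismatch occurs
        ok = (record is not None
              and hmac.compare_digest(record["card_last4"].encode(), card_last4.encode())
              and hmac.compare_digest(_normalize(record["billing_address"]).encode(),
                                      _normalize(claimed_address).encode()))
        self._log(employee, role, "verify_address", customer_id,
                  "match" if ok else "mismatch", now)
        if not ok:
            self._note_suspicious(employee, now)
        return ok

    def view_address(self, employee, role, customer_id, now=None):
        """The only disclosure path, restricted to supervisors, and still logged."""
        now = time.time() if now is None else now
        if not self._authorized(employee, role, "view_address", customer_id, now):
            return None
        self._log(employee, role, "view_address", customer_id, "disclosed", now)
        return self.customers.get(customer_id, {}).get("billing_address")


if __name__ == "__main__":
    desk = CallCentreDesk()
    # A genuine customer confirms the address on file; the agent only hears "yes".
    print(desk.verify_address("alice", "agent", "cust-001", "1111", "12 elm st, springfield", now=1000))
    # A caller guesses addresses; the third miss inside ten minutes raises an alert.
    for i, guess in enumerate(["1 Main St", "2 Main St", "3 Main St"]):
        desk.verify_address("alice", "agent", "cust-001", "1111", guess, now=1010 + i)
    print(desk.alerts)
```

The design choice worth noting is that the agent role has no operation that returns the address at all, so an agent cannot be talked into disclosing it no matter how convincing the caller is; only the verification outcome is visible. The log and the alert counter treat a denied operation the same as a failed verification, since an agent repeatedly trying a supervisor-only lookup is as much a warning sign as a caller repeatedly guessing addresses.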

This is by no means an exhaustive list of items for a risk management plan. The idea is to start you thinking about protecting vital information. Remember: a privacy policy without risk management behind it is no policy at all.

Part 2 of this article will review the CISP (Cardholder Information Security Program) being mandated by the acquiring financial networks and suggest tools that will make implementation easier. While the article is directed to the on-line merchant processing credit cards, it contains a wealth of information that is useful for any Web presence.

Mel Davey is the creator of ImagineNation, a full-service E-Commerce Application Service Provider offering storefronts, order management utilities, and third-party credit card processing.