BLACKHAT Solutions is a leader in information security, website security, network security and application security, including penetration tests and internet security services.

Business internet security essential in vulnerable online environment

As business protection from data mining awaits government legislation, the best option for protecting network security is tailored penetration tests.

The internet is the global platform for prosperity and commercial innovation today and for the future, making internet security the number one priority for organisations of all sizes and for all levels of government. Businesses transact, use remote access, store data, back up and operate networks, all online. With these crucial operations outside the users' control, understanding the risks and liabilities for companies, and how to avoid them, is more important than ever.

Fears about internet security need to be understood in the context of a lack of regulation. Internet infrastructure is in private hands, yet there is unprecedented dependence on online transactions. Worldwide, governments are urgently investigating ways of containing the threat of cyber attacks as the expertise of hackers out-paces built-in system protection.

The law does not currently protect business owners from liability when company data is illegally infiltrated and data is stolen and misused. In the absence of legislative controls, business proprietors need to rank internet security as their highest priority. Privacy breaches, hacking and external fraud through exploiting weak protection systems in internet security are often personal risks for business owners, regardless of the level of in-house precautions undertaken.

Almost without exception, transactions and document exchange are carried out online today, compromising network security when users log in remotely and in many other daily business circumstances. Security lapses also occur during online data back-ups and when manual software upgrades are delayed. Manual administration of application security updates can expose a business to vulnerability through human error or delay.

Security risks are possible every time a website is accessed during daily operations because any website can be infected with automated viruses ready to enter host systems.

Until governments find a way to address the perpetrators of internet fraud, it's the responsibility of individual businesses to reduce their risk.

Application security is built into off-the-shelf business software. The minimum application security protection is encryption, but this basic level of protection requires regular maintenance: certificates expire after set periods, and the user must renew them.

Additional in-house application security measures are needed to enhance standard system protection. Problems arise from the manual administration this requires, and internet security lapses can occur during even brief time-lags between upgrades, of days or even hours.

High volumes of web transactions, particularly financial ones, mean that extra measures beyond application security are crucial for timely risk identification to avoid liability, loss or cost.

One of the options for business is expert penetration tests. These identify where risks have entered through 'gaps' in manual security and increase ongoing vigilance. Such tests are necessary because common problems in manual security administration leave companies vulnerable. Some of these problems include errors in the multiple stages required to renew certificates, purchase authority delays, company mergers and restructures, internal document control, staff turnover, absenteeism, budget cuts affecting upgrades and dealing with multiple vendors.

These security gaps create entry points for hackers to mine data. Hackers are dedicated to outsmarting encryption systems and seeking out security lapses. This is why frequent updates are recommended by software manufacturers.

A test tailored to an individual business locates common exposures that arise when different departments, individuals or branch offices separately maintain multiple software certificates, when there is a range of renewal timetables within a business, or when changing job functions or different IT management systems across the business affect attention to detail.

Hackers can use such opportunities to send in automated 'botnets' (robot networks) to compromise network security in a number of ways, such as intercepting secured data like passwords and usernames.

Botnets infect computer systems, passing through fragile information security barriers. Botnet 'armies' can be assembled using common social networks, such as Twitter. They can flood a system with search queries or harvest email addresses to use for spam in other attacks. Botnets cause disruptions to service by increasing bandwidth consumption, for example overloading a system to prevent a website from functioning, or by slowing or stopping data exchange.

Encryption software designed to protect network security deters such system infections. However, most hackers are able to adapt to new firewalls faster than programs can be updated. 'Key logger' programs are another way hackers keep ahead of firewall upgrades: they watch for certain keystroke sequences typically entered ahead of financial transactions or log-ons. Key logging has been used successfully in thefts from trusted financial systems such as PayPal.

Another threat to security is the use of remote access. The significant advantage of remote access is that it allows employees to have mobility and convenience at a low cost. But remote access poses one of the greatest risks to business data and information security.

With online transactions and access a way of life for consumers and business alike, inadequate website security that leads to exposure of private information or data can have disastrous consequences.

Liability remains with the website's owner, which means that regardless of the level of internet security, if a personal system is infected because of a company's vulnerability, the company or its owners are responsible for any loss, damage or exposure of that customer.

Internal or external testing enhances protection and can even guarantee it to a rate of 99 per cent.

Independent tests provide a high certainty of website security beyond pre-packaged software and even additional in-house administration systems. Results can reveal threats to wireless access, telephone communications, physical and network security between departments and in general daily activity, from sources such as IT devices and assets that might not otherwise be considered risks. They can also determine where network security is vulnerable to attacks through gaps in system architecture, auditing procedures or system implementation, discrepancies across departmental units and in operating systems.

Further threats can be assessed by testing 'social engineering', a term applied to the level of trust employees extend to outsiders seeking information to which they are not entitled. Social engineering tests show whether employees understand the importance of restricting company access and security details such as log-ins, entry codes to buildings and similar onsite information.

While conducting business online has enabled swift, instant and sophisticated business and creative innovation beyond imagination, the online economy also presents serious security concerns. As long as web regulation is flexible or non-existent, vulnerable transactions and data stored by private enterprise are open to liability. Digital infrastructure is not secure as long as it depends on the open internet for transactions between organisations and individuals. The proliferation of cyber attacks on corporations and governments is evidence that business vigilance on information technology is a priority that needs ongoing attention.

Featured Services
  • 99.9% hacker protection guarantee
  • Concise security assessment reports
  • System fault and stress testing
  • Back-end and Front-end testing
  • DDoS and penetration tests
  • Manual source code analysis
  • Counter threat toolset development
  • Data layer protocol analysis
  • Data & voice traffic encryption