Do you leave the buying of gifts for special occasions until the last minute? I'm pretty bad at it. Christmas Eve every year used to be a mad dash around crowded shops looking for inspiration and the shortest checkout queue. Today, I still leave it late but generally I don't miss any gift giving occasions due to the multitude of vendors on the Internet.

Online Transactions

Online shopping has made the selection of gifts a breeze. I've yet to find a High Street store that does not have the majority of its products available online. I simply browse through the online catalogue, select the appropriate gift, type in my credit card details and within days a package arrives at the specified destination and gift-wrapped to boot!

So far, I've had a 100% success rate when transacting through online stores. Everything I've ordered has arrived safely and on time. Perhaps I've just been lucky? Many people are averse to supplying credit card information to online vendors through the Internet. I've read and continue to read reports of individual's allegedly falling foul of "poor Internet security". Only when their credit card statement arrives through the post do they discover they've been billed for goods and services they know nothing about. My Bank informs me most of the complaints they receive nowadays concerning credit card disputes arise from alleged Internet transactions.

Assessing the Risk

The reason I'm comfortable making purchases through the Internet is because I've assessed the risk and concluded it's safe to do so. Many of the vendors give additional confidence to the customer by providing secure Web pages for online transactions. The introduction and slow acceptance of Public Key Infrastructure (PKI), digital certificates and encryption are all enhancing today's e-commence environment by providing confidentiality, authentication and integrity for both the vendor and the customer.

From the home user through to large international organisations, computer security should generally begin with a risk assessment. This will enable assets to be identified and establish how the perceived threats to these assets may be mitigated. Commercial organisations should develop and implement controls based on recognised standards. Information security risk management guidelines, Standards Australia, AS/NZS4360 provides a framework and methodology for performing a formal risk assessment. AS/NZS4444 parts 1 and 2 provide guidelines for establishing and maintaining a code of practice for Information Security Management. The guideline states "It is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce and can therefore be applied by large, medium and small organizations."

While a home user may not consciously create a set of rules (or policy) by which members of the household can access the family's PC, access restrictions may be put in place to ensure certain members of the family have limited access. We are all aware of the dangers of the Internet to young children and by installing, configuring and maintaining a product such as Net Nanny; the home user is establishing a form of access control to computer systems in a similar way to many commercial organisations.

Education

It is imperative organisations promote and encourage good computer security practices as well as ensuring risks and responsibilities are communicated to and understood by everyone who has access to their computer systems. There should be a continual process of audit and evaluation to ensure the controls and practices in place are appropriate. Simply installing a firewall or router in order to protect your environment from the perceived threats from the Internet is not sufficient. Such devices need to be correctly configured, monitored and maintained to ensure they are giving the maximum possible protection from potential attacks.

Internet mailing lists frequently highlight bugs and potential security flaws in software. In many cases, a Web site will have been defaced because a hacker has identified a known vulnerability and exploited it. Most software vendors will quickly develop and release a fix for a vulnerability once it has been brought to their attention.
 
It is the responsibility of the individual system administrator to stay informed and implement all necessary software updates. If a system administrator has been lax by failing to implement recommended software patches, he or she may find out about the vulnerability only after, for example, a hacker has defaced the company's Web server. Not only will the system administrator be perceived as having been negligent in his/her duties, the company's reputation may have been severely tarnished by adverse publicity and dissuade potential customer from buying products through their Internet gateway.

I subscribe to several security-related mailing lists in order to keep abreast of the latest computer security news, software developments and potential exploits. I find the SANS (System Administration, Networking, and Security) Institute mailing list (available at http://www.sans.org) and "bugtraq" http://www.securityfocus.com to be invaluable resources when it comes to keeping up to date with the latest security exploits. I'd also recommend http://www.securityfocus.com as an excellent reference site for anything related to computer security. There are literally hundreds of links and resources available on this Web site.

Backup and Recovery

Your data is a valuable asset and should be treated as such. Large organisations will periodically test their backup and recovery procedures to ensure they are able to provide computer systems should disaster strike. Home users should also follow this example. There are many utilities available today that enable data to be easily backed-up and, if necessary, restored. How many of us are guilty of religiously backing-up important data to disk, tape or CD but never check to ensure recovery is possible? A few extra minutes work after a backup to ensure your files can be restored and accessed is time well spent.

Many commercial organisations have the luxury of switching to a disaster recovery site should their main data centre become unusable. Home users should perhaps look beyond simply backing up their data and leaving the backup media in the PC or on the desk beside it. If possible, store your irreplaceable data off site. After a fire, your insurance company may organise for your home to be rebuilt and replace the contents, including your PC, its operating system and software packages, but who is going to restore your personal data?

Back to Basics

When I first started working with computers many years ago, security was seen more as a hindrance than help. Incidents such as last year's "ILOVEYOU" Internet worm and the more recent "Anna Kournikova/OnTheFly" Internet worm have highlighted the need for appropriate training to be provided and controls implemented, followed and maintained before an individual is permitted access to a computer system. Organisations now realise it is far more cost effective to install and maintain virus protection software and provide education and training to their employees than to clean up retrospectively.

While I cannot claim that every software developer has security as their number one priority when it comes to design, it's good to know they now realise that security must be built into an application and not bolted on towards the end of the development lifecycle. This to me is a step in the right direction.
Computers are only as secure as the people who operate them. While it may never be possible to completely nullify all the threats, individuals and organisations should take time to research and assess the risks; a small investment today may save many hours or days of frustration in the future.

About the Author 
Ross Miller, tartan@goconnect.net, is an IT Security Consultant for an international organisation in Melbourne with over 12 years experience in IT Security and Risk Management. He started his career in Scotland before moving to and working in Europe and has been permanently based in Australia since 1998.

Reprinted from the April 2001 issue of PC Update, the magazine of Melbourne PC User Group, Australia

[About Melbourne PC User Group]