Abstract

This paper examines the true causes of systematic failures of real-world access control within the context of modern business transactions. Today’s business transactions depend heavily on systems that were developed and protected by off-the-shelf, checklist-mentality security technologies/products such as firewalls, intrusion detection systems and anti-virus software. This dependency, as well as the oversight of system-level security requirements, frequently leads to incorrect and incomplete security implementation at the business process and transaction levels. To fully illustrate the critical issues faced by today’s systems, this paper utilizes a real-life cyber crime case for analytical purposes. This case was successfully prosecuted in a jury trial at the US Federal Court in Seattle during the period 1999-2000. It revealed many fatal system security failures and business process trust collapses in an environment involving multiple online web-based systems. The paper then shows how such failures are directly attributable to the inappropriate application of technologies/products based on false assumptions of trust, as well as the lack of an appropriate security engineering process during the systems development phase. Observations and recommendations are also made regarding what can be done to enhance security and trust requirements at the levels of business transactions and processes.

Highlights

  • Modern day system development has become increasingly complex and this has led to the common approach of relying heavily on the integration of “off-the-shelf” components. When systems are constructed in this manner, security functionalities, if addressed at all, frequently end up being “off-the-shelf” component-based solutions.

  • The paper will demonstrate that while security components such as firewalls and intrusion detection systems (IDS) may be effective in safeguarding building-block system components, they are grossly inadequate for safeguarding the business processes that these systems are intended to implement.

  • Beneath the reality of on-line business transactions, all tangible communication protocols, including HTTP and HTTPS, represent nothing more than a stream of bits formatted according to a specification.


Summary

INTRODUCTION

Modern day system development has become increasingly complex and this has led to the common approach of relying heavily on the integration of “off-the-shelf” components. When systems are constructed in this manner, security functionalities, if addressed at all, frequently end up being “off-the-shelf” component-based solutions. This “checklist mentality” treats security as a second-class citizen and defines it merely as the sum of the security functionalities of all products to be integrated into the system. Using a real-life case analysis, this paper demonstrates by example where significant business systems, built using a “box integration” methodology and “off-the-shelf” security applications, have failed and how the violations went undetected by the system operators. In this particular case, the system failures resulted in millions of dollars of damages and untold numbers of identity theft cases.

WEB BROWSER AND WEB SERVER PERSPECTIVES – OPEN SYSTEMS ASSUMPTIONS
STATE – WEB SESSIONS
HTTP AND HTTPS SECURITY
VIRTUAL WEB BROWSER
SYNTHETIC USERS
VIRTUAL MESSAGING
VIRTUAL PAYMENT TRANSACTIONS
10. VIRTUAL BUSINESS REALITY
VIRTUAL PAYMENT TRIGGER MECHANISM
11. CRIMINAL CASE AND ITS EVOLUTION
12. CASE DEVELOPMENT AND OBSERVATIONS
13. CONCLUSIONS
14. REFERENCES
