This paper examines the true causes of systematic failures of real-world access control within the context of modern business transactions. Today’s business transactions depend heavily on systems that were developed and protected by off-the-shelf, checklist-mentality security technologies/products such as firewalls, intrusion detection systems and anti-virus software. This dependency, as well as the oversight of system level security requirements, frequently leads to incorrect and incomplete security implementation at the business process and transaction levels. To fully illustrate the critical issues faced by today’s system, this paper utilizes a real-life cyber crime case for analytical purposes. This case was successfully prosecuted by a jury trial at the US Federal Court in Seattle during the period of 1999-2000. It revealed many fatal system security failures and business process trust collapses in an environment involving multiple online web-based systems. The paper then shows how such failures are directly attributed from the inappropriate application of technologies/products based on false assumptions of trust, as well as the lack of appropriate security engineering process during the systems development phase. Observations and recommendations are also made regarding what can be done to enhance security and trust requirements at the levels of business transactions and processes.
Read full abstract