
The other way that security can be seen as an enabler is by building awareness of how a secure environment can assist your employees with performing their jobs. Explain how tools such as Secure Shell and virtual private networks (VPNs) can allow them to perform their job duties remotely. Demonstrate and explain technical solutions that enable a greater range of services to be performed by your development groups by including secure tunneling and strong authentication. When other teams begin to see security as a flexible tool that creates options for their projects instead of a tight set of rules that they have to follow, you will have created a partnering image for your team.

Portraying your team as being enablers makes it much easier for your team members to perform. Organizations in which these types of partnerships exist between the security team and the other groups often have a much lower rate of incidents and a much higher rate of job satisfaction. Be seen as enablers instead of “Net cops” and you will find much more success in the e-commerce world.

Tools & Traps…

In order to help a group of users understand the ideals of choosing strong passwords, create this contest for them to take part in:

Set up a Windows NT Workstation and allow the users to create accounts for themselves and pick their ideas of strong passwords. Once your group has chosen their passwords, dump the passwords using L0pht Crack and begin to crack them. L0phtcrack is available from www.securitysoftwaretech.com.

Award a prize to the last password cracked by the tool during a short seminar about choosing strong passwords. Several companies have used this approach to create awareness of one of the most basic security problems. The majority of the companies using this approach saw a large improvement in the quality of the passwords being used by their employees. In fact, in one case where the same contest was tried again a year later, they found that the average time to crack the users’ passwords had increased to more than double!
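The contest works because Windows NT stores an LM hash that upper-cases the password and splits it into two 7-character halves that are attacked independently, so a long mixed-case password is often no stronger than a short upper-case one. The following added example (not code from the book or from L0phtCrack) estimates that effective strength for a list of constructed contest entries and ranks them weakest first; the guess rate is an assumed figure, and the character-class keyspace model is a simplification for seminar use.

```python
import math
import string

# Character classes and the number of symbols each adds to the search space.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),
}

def keyspace_bits(text, case_sensitive=True):
    """log2 of the brute-force search space implied by the classes in text."""
    if not text:
        return 0.0
    probe = text if case_sensitive else text.upper()
    size = sum(n for chars, n in CLASSES.values() if any(c in chars for c in probe))
    return len(probe) * math.log2(size)

def lm_bits(password):
    """Effective strength of the LM hash: case-folded, truncated to 14 chars,
    split into two 7-char halves that are cracked separately, so the cost is
    dominated by the stronger half rather than the whole password."""
    folded = password.upper()[:14]
    return max(keyspace_bits(folded[:7], False), keyspace_bits(folded[7:], False))

def nt_bits(password):
    """Strength of the NT hash, which keeps case and full length."""
    return keyspace_bits(password, True)

def rank_entries(entries, guesses_per_second=1_000_000):
    """Rows of (password, lm_bits, nt_bits, seconds_to_exhaust_lm), weakest first.
    guesses_per_second is an assumed figure, not a measured L0phtCrack rate."""
    rows = []
    for pw in entries:
        lm = lm_bits(pw)
        rows.append((pw, round(lm, 1), round(nt_bits(pw), 1), 2 ** lm / guesses_per_second))
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    # Constructed sample entries of the kind users submit to the contest.
    for pw, lm, nt, secs in rank_entries(["Password1", "fluffy", "Tr0ub4dor&3xtra"]):
        print(f"{pw:16} LM {lm:5.1f} bits  NT {nt:5.1f} bits  ~{secs/3600:.1f} h to exhaust LM")
```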

Summary

Understanding the basic principles of e-commerce security is the first step on your journey toward a sustainable protection of your business. By applying the three principles of security (confidentiality, integrity, and availability) to your e-commerce model, you can begin to understand the impact of different scenarios on your site. Additionally, by adding a system of continual assessment and revisions to your site, you can keep up with the ever-changing conditions of the online world, and even extend the principles to your daily business processes. Finally, by setting clear goals for security and integrating them into the planning, development, and implementation stages of your projects, you can ensure a sustainable security posture. Maintaining that posture over time requires a process for the managing and monitoring of your systems.

The methodology for adding security principles to an existing e-commerce site is very similar to the process of starting from the ground up. It begins with risk assessment, and then the setting of priorities for repairing the most critical vulnerabilities and weaknesses in your site, allowing you to bring your security posture to a higher level without impacting the day-to-day operation. Migration policy is used to manage the change process in our production networks and ensure that by adding these risk mitigation and vulnerability repairs, we do not prevent our site from doing business.

One of the most common problems for security teams and their managers is the justification of a budget for security operations. Two often-used strategies for doing this are taking the yardstick approach and using a fear tactic approach to the justification. In the yardstick approach, information is gathered and presented that defines the costs of vulnerabilities and risks experienced by the organization and how the work done by the security team has saved the company substantial losses and expenditures. The fear tactic approach uses tools such as penetration testing to prove that the organization has vulnerabilities and exposures in the hope that by realizing the risks they face, the company will release budgeted resources to mitigate the risks. Each of these strategies has its positive effects and its drawbacks.

Security can be seen in two primary types of roles in an organization: the role of enabler, or the role of restrictor. In the role of enabler, the security team acts as consultants and works with the entire organization to raise security awareness and to improve the security posture over time. In the role of restrictor, the security team is often seen as a hindrance to the business process. The restrictor role often makes it very difficult to perform security tasks that require working with other teams from your organization. Take steps to always present your team as the security enabler. Build awareness and a sense of trust with your fellow employees.

Solutions Fast Track
