TO SERVE AND PROTECT.

Author: Bort, Julie

VENTURING ONTO THE WEB IS A BUSINESS MUST, WHICH MAKES SECURITY KNOW-HOW A BUSINESS IMPERATIVE.

In the online world, there's no such thing as complete safety; only degrees of security. For each degree of security you obtain, you sacrifice an equal amount of freedom. This is the truism that makes computer security experts frown. Information can be easy to obtain, or it can be secure, but one side always steals from the other.

It used to be security meant keeping your employees away from resources they shouldn't see. E-business has changed the rules entirely.

"An e-commerce site wants to let anyone in, but only let them do a limited number of items," said Ed Bassett, vice president of technology for computer security consultant firm Denver Tech Labs of Englewood. "It's not so much a new area of security as a new way of doing business."

E-business forces a company to trust the ultimate, unsafe, interconnected public Internet. As you tap into the Web's interconnected potential, you are also tapping into its risks: hackers, fraud and maliciousness.

Recent widely publicized denial of service attacks suffered by eBay, Yahoo! and other well-protected sites are a case in point. Despite these sites' state-of-the-art defenses, they fell prey to an attack of horrifying scope, albeit one that was more an annoyance than a real security threat; the hackers shut down the sites for a while but didn't try to steal anything.

The reasons hackers attack are so varied that any site is vulnerable. Certainly, if financial transactions are involved, consider yourself a target. But misguided youth -- so-called crackers (see glossary) -- might attack just because they can. And then there are hired guns conducting corporate espionage, which is a concern when the stakes are particularly high.

The lesson here is that there is no such thing as a hacker-proof network. But, neither does that mean you must voluntarily place your neck on the blade. With education and the right technology you can create a "safe-enough" environment to conduct e-business.

A 10-step program

Before you look at a single piece of technology to protect your website from attack, you must decide what "safe enough" means to you. The way to do that is to develop a comprehensive security plan. Such a plan should include five steps:

* Perform a risk assessment to identify the value of your information and systems. Conduct a separate assessment for each type of data that may cross the Internet.

* Establish policies or guidelines that describe your security goals and procedures. Policies will differ depending on the level of assessed risk for each type of data.

* Enforce the policies using technologies such as firewalls, passwords, intrusion detection software and anti-virus software.

* Audit your site to verify policies are strong, enforcement is effective and all components are implemented properly. This should be done by someone other than the person who designed the security system.

* Monitor your systems for attacks. A number of firms offer this as a service, from monthly data collection to 24/7 babysitting.

You also must learn each of the ways to secure a system. These ways are best understood via the CIA model, said Mark Willoughby, vice president of sales for security...
