Protecting your trading partners


July 1990

Computer Fraud & Security Bulletin

SECURITY IN EDI

Protecting Your Trading Partners

John Sherwood
Sherwood Associates Limited

©1990 Elsevier Science Publishers Ltd

Electronic Data Interchange (EDI) is a technique which enables computer-to-computer transfer of structured information, usually between companies who are ‘trading partners’. The technique is used to exchange documents of all types which are involved in the trading partner relationship. Orders, invoices, specifications, parts lists, catalogues, and many more documents are transferred between the computers of the trading partners to facilitate paperless trading. EDI often embraces the exchange of CAD/CAM product design data and also includes the use of Electronic Funds Transfer for settlement of invoices.

EDI will be a major feature of business in the 1990s. Already some of the largest operators such as Marks & Spencer are unwilling to trade with suppliers who do not use EDI. The benefits of EDI are the great reductions that it gives in lead times, thus speeding up the trading cycle; the great improvement that it gives in customer service; the great savings that it makes in the costs of printing and mailing documents; the great improvements that it makes in cash flow by releasing capital traditionally tied up in high stock levels; the improved trust that it enables in trading relationships which are based on ‘just-in-time’ manufacturing strategies.

The technical basis of EDI is the wide range of data communications technology now available and commonly in use. Networks of computers have been with us for some time, and in recent years we have heard much about ‘open systems interconnection’ (OSI). It is this range of technological solutions which have made EDI possible. However, the application of these techniques in EDI is an emergent field of technology which yet deserves a great deal of attention in its further development and refinement. In particular the security of EDI systems will become a more and more pressing issue as EDI matures and becomes totally integrated into almost all major trading relationships.

Why does EDI need security?

Security is all about providing an environment in which things happen in the way that we want them to happen and in the way that we expect them to happen. A security sub-system is therefore tasked with protecting against the unexpected and unwanted eventualities which are frequently referred to as ‘risks’.

What then are the risks which potentially threaten us if we use EDI? Will any of our trading partners attempt to defraud us to benefit their own business at the expense of ours? Will individuals who work for either our own company or for that of a trading partner attempt to defraud us for their personal benefit? Will third parties attempt to intercept our electronic trading to fraudulently divert goods or other valuables to themselves instead of to a genuine trading partner? Will they masquerade as a genuine partner to achieve this or will they simply change the details of instructions issued by a genuine partner? These are some of the possibilities that immediately spring to mind.

There is nothing particularly new in anything mentioned above. We have simply identified some of the ways that fraud has been committed for many centuries, and history tells us that wherever there are opportunities to commit fraud there is usually someone with criminal tendencies close at hand who will take advantage of the opportunity. What is different about EDI is that it is a completely new environment in which to conduct trade and we therefore have limited experience of how large or small the risks may be. It is also very easy to be seduced by the glamour of the new technology and forget about the dirty deeds that may be done by society’s criminals.

Every trading organization suffers a certain level of theft which it is prepared to tolerate because it would cost more to prevent the losses than to sustain them. Fraud has been defined as ‘theft by lying’, and so one can assume that all organizations also have a tolerance to a certain level of fraud. It seems unlikely, however, that organizations would be prepared to tolerate the levels of fraud that could be executed in an EDI environment. Computerized systems provide the potential both for very high-value fraud (the ‘big job’) and for systematic long-term milking of small amounts which in time add up to a very large sum of money (the ‘salami fraud’).

An additional factor which must be addressed in EDI environments is the processing by machines rather than by people. The opportunity is lost for a human operator to question the validity of what he or she recognizes as an unusual transaction. If we look to history it is this human curiosity which has often led to the foiling of frauds which would otherwise have been successful.

It seems then that EDI may provide a higher risk environment than the more traditional methods of trading. This should not discourage its use, but should prompt us to incorporate mechanisms to protect sufficiently against the potential frauds. It should be particularly recognized that EDI provides a tempting target for organized crime, which is only ever interested in large scale projects where there is sufficient opportunity. Our security arrangements for EDI must therefore make such organized fraud economically unattractive.

What are the security requirements for EDI?

EDI involves communications between trading partners. There is often a network service provider who links these partners together and who provides the technology and equipment by which the messages are transmitted and switched in the network. It is tempting to imagine that security should also be the responsibility of this service provider and many commentators on EDI have written along such lines. However, security is to be incorporated so as to protect the business activity of the trading partners. It must be selected for its appropriate reflection of the business relationship which exists between them and it must be under their operational control. For these reasons it is not the role of the network service provider to address EDI security, although one would expect such providers to build their networks so as to minimize the threats to their customers.

EDI security is an ‘end-to-end’ issue which must be the concern of the trading partners. Solutions must be sought which give the trading partners the same full control over their own security that they would expect in other areas of their business management. This means that the systems must not require complete trust in other parties, whether they be service providers or trading partners. It ought to be possible to do business with organizations whose integrity is not necessarily fully known or trusted, otherwise the opportunities for doing business will be restricted.

Clearly there is a need to protect the integrity of EDI messages to prevent them from being altered without such alteration being detected. Proving the origin of a message is also important and providing restricted delivery with authentic acknowledgement closes the loop and gives both parties security that they are genuinely doing business with one another and not with a fraudster. Furthermore, non-repudiation is needed to prevent either party from later claiming that they were not the originator of either the message or its acknowledgement.

Confidentiality is perhaps more debatable. Many people would argue that it is unimportant to prevent others from knowing how many widgets they are buying. However, it is very common for highly confidential proprietary information to be sent back and forth during the negotiation of trading terms. This would be particularly true of a manufacturer bringing a new product to market where sub-assemblies are to be purchased from other suppliers. Potential suppliers are given information ‘commercially in confidence’ to enable them to design and quote for the supply of components. Such information would probably be of the CAD/CAM variety in an EDI environment.

Another reason for not dismissing confidentiality is that its existence makes the job of the fraudster so much more difficult. The criminal who commits fraud takes time to research your business and to look for the opportunities. If you make everything easy for him to read you are helping him a great deal. If you encipher your EDI messages you will probably cause him to look elsewhere, because suddenly it's all too much hard work for him, and hard work rarely appeals to the serious criminal.

Other requirements are concerned with the manageability of the security sub-system. It must be possible to log selected message attributes for audit purposes, both on incoming and outgoing messages. It must also be possible to correlate the authentic acknowledgements with the appropriate outgoing messages. Since EDI is always performed in association with other parties, interoperability of security mechanisms is of the utmost importance, and since third parties will frequently be involved in providing network services, the routing and delivery of EDI messages must be completely independent of any message content which will be subject to security treatment.

What solutions are available?

The issue of inter-operability immediately suggests that whatever we adopt must be internationally standard. There is considerable work going on at present in the development of standards in all aspects of EDI, including security, but the most likely ones to be adopted will be those which follow existing international standards that have already been established. For this reason the X.400 and X.500 standards from CCITT are of particular interest, since they jointly contain much of what is required to solve the security problems of EDI.

X.400 is the series number of a group of CCITT standards relating to message handling and electronic mail. The standards define both the system architecture and the communication protocols that are required to implement two distinct types of system. These are called respectively the Message Handling Service (MHS) and the Interpersonal Messaging Service (IPMS). The architectural definitions contain elements such as the User Agent (UA) and Message Transfer Agent (MTA), and the protocol definitions cover layers four, five and seven of the OSI model.

X.400 was the first comprehensive set of standards which defined protocols at the ‘application layer’ of the OSI seven-layer model. What is most important about X.400 is that it provided the first real hope of vendor-independent system architectures, with the ability to implement systems in a multi-vendor environment. The 1988 release of X.400 also addressed many of the issues of secure system management (for those with a specific interest in the detail, refer to Section 10, ‘Security Model’, of X.402, 1988).

The MHS architecture of X.400 is seen by many as the solution to providing the basic service for EDI. On top of that can be implemented specific EDI application protocols such as the EDIFACT standard. X.400 provides the system management, including the security management.
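The requirements set out above (message integrity, proof of origin, authentic acknowledgement, and correlation of acknowledgements with logged outgoing messages) are shown working together in the following added example, which is not part of the original article. It assumes unpadded textbook RSA over constructed demo keys as a stand-in for a real signature scheme; the function names, message fields and status strings are hypothetical.

```python
import hashlib
import json

E = 65537  # public exponent shared by both constructed demo keys

def make_key(p, q):
    """Textbook RSA key pair from two primes (illustration only, no padding)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed keys from published Mersenne primes: insecure, for the demo only.
BUYER = make_key(2**521 - 1, 2**607 - 1)
SUPPLIER = make_key(2**1279 - 1, 2**2203 - 1)
# Constructed sample message with hypothetical field names.
ORDER = {"ref": "PO-0001", "from": "buyer", "to": "supplier", "body": "500 widgets"}

def digest(doc):
    """SHA-256 over canonical JSON so both partners hash identical bytes."""
    return hashlib.sha256(json.dumps(doc, sort_keys=True).encode()).hexdigest()

def sign(doc, key):
    return pow(int(digest(doc), 16), key["d"], key["n"])

def verify(doc, sig, n):
    return pow(sig, E, n) == int(digest(doc), 16)

def send(log, msg, key):
    """Sign an outgoing message and log selected attributes for audit."""
    log[digest(msg)] = {"ref": msg["ref"], "to": msg["to"], "acked": False}
    return sign(msg, key)

def receive(msg, sig, sender_n, own_key):
    """Check origin and integrity, then answer with a signed acknowledgement."""
    if not verify(msg, sig, sender_n):
        return None  # altered in transit, or not signed by the claimed partner
    ack = {"ack_of": digest(msg), "ref": msg["ref"], "by": msg["to"]}
    return ack, sign(ack, own_key)

def accept_ack(log, ack, ack_sig, partner_n):
    """Correlate an authentic acknowledgement with the outgoing message log."""
    if not verify(ack, ack_sig, partner_n):
        return "bad-signature"
    entry = log.get(ack["ack_of"])
    if entry is None:
        return "unknown-message"
    if entry["acked"]:
        return "duplicate"
    entry["acked"] = True
    return "correlated"
```

Because the acknowledgement signs the digest of the message it answers, it cannot be detached and replayed against a different order, and the log entry records which outgoing messages are still unacknowledged.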

X.500 is the series number of another set of standards from CCITT which are complementary to X.400, and which define the structure and management of an international directory. This directory holds information on users, such as their address and other routing information required to deliver electronic messages to them. It also stores security-related attributes such as the certified RSA public key of the user. The specific standard which deals with security matters is X.509, ‘The Authentication Framework’. Annex C of X.509 describes the RSA public key crypto-system in detail.

Traditional paper systems have relied heavily on personal signatures for providing proof of origin and non-repudiation. In the electronic environment, digital signatures can be implemented using the public key crypto techniques described in X.509. There are now available vendor solutions which provide these specific signature capabilities. These same public key techniques are used to manage the secret keys which are needed to apply other types of cryptography to protect message integrity and message confidentiality.

Hence we can see in the combination of X.402 and X.509, the building blocks from which a solution to the security requirements of EDI can be constructed. The marketplace is also beginning to contain suppliers who have these solutions in a packaged form ready to be integrated into EDI applications.

X.400 and X.500 are all about creating vendor independence and multi-vendor environments. Nevertheless, the systems integration capability is perhaps one of the most important factors which will distinguish those suppliers who are successful in this market, from those who are not.

SECURITY CHALLENGES OF LANs

The move to structured cabling

Chris Gahan
BICC Data Networks

Traditionally, companies such as IBM, Unisys and other mainframe vendors have connected terminals directly to their mainframes. However, over the last few years, Local Area Networks (LANs), such as Ethernet and Token Ring, have become their preferred way of delivering Information Technology (IT) services to users.

The fundamental purpose of a LAN is to make corporate information easily and readily accessible to an organization’s staff. The lack of proper access control can pose an unacceptable threat to one of the organization’s key assets, its information. While incidents involving hacking, over wide area networks, gain most of the headlines, the main threat comes from within. Some surveys estimate the internal threat at 80% of security incidents. LAN security is therefore very important.

The ability of management to implement adequate LAN security has failed to keep pace with the growth and importance of LANs. An IT manager, from a leading bank, said recently “LAN security is a major problem and we have no solution”. This article looks at the LAN security issues and at the new trends in networks to see if they can improve security in a cost effective way.

Security - a definition

Network Security is the protection of the confidentiality, integrity and availability of information provided through a network and of the network itself.