For retailers, the Internet represents a good news/bad news scenario.
The good news: The Internet comprises a global network of millions of PCs that allows retailers to offer services and products to customers, business partners and employees. The bad news: The Internet is not secure. "All data you send out on the Internet is in the clear," said Tom Thibault, manager, information security, Wegmans Food Markets, Rochester, N.Y. "This means it can be easily modified, as well as viewed. Once data leaves your network, you have no control of where it's going, unless you deploy security controls."
Thibault made these comments at the Food Marketing Institute's Marketechnics show, held at the Dallas Convention Center Feb. 23-25, in a session on Internet security. He shared the session with Randy Breault, team leader, information security, Hannaford Bros., Scarborough, Maine. Both executives explained how their companies go about securing their internal networks to allow Web-based communication with trading partners, customers and employees.
Thibault described the various kinds of hackers retailers need to be concerned about. One group is simply in it for the "challenge" and doesn't intend to gain financially, though it can cause much public embarrassment. Another kind is motivated by financial gain, intending to steal credit-card information, even if it means "taking your business down," he said. "Both types are serious threats to your organization." And they have grown in number and sophistication, noted Breault.
Hackers may also include foreign governments and corporations, competitors, and, most significantly, current and former disgruntled employees who are familiar with a company's network. "The No. 1 risk is a disgruntled employee who remains on the inside," Thibault said.
Breault cited a 2001 study conducted by the FBI and the Computer Security Institute finding that 85% of companies reported a computer security breach in the past year and 64% acknowledged financial losses as a result of these breaches, with an average loss of $2 million.
The most basic tool used in securing internal networks from outside threats remains the firewall, which acts as a security gateway between the Internet and a private network.
A firewall can take the form of third-party software installed on corporate servers. It can also be a hardware device with a proprietary operating system inserted strategically in a company's network, protecting such things as a database, application servers, PCs, printers and store connections. Often two firewalls are used, one connected to the internal network and one connected to the Internet.
But firewalls alone are not enough, said Thibault. "You need a strong network security policy that clearly defines what actions you want to occur both in and out of the company," he said.
Breault believes that firewalls should only be viewed as the last line of defense. "Organizations should still make the security of their internal systems a top priority," he said. "Internal servers, PCs and other systems should be kept up-to-date with security patches and anti-virus software." Outside parties should be granted access to systems on a "need to know" basis.
Still, Thibault contended that by securing the integrity of data received from, and sent out to, the Internet, firewalls preserve customer, business partner and employee confidence.
The firewall also serves as an "audit trail" enabling retailers to capture information coming into and out of their business. "You can look at the type of attacks being made against your firewall," said Thibault. "I can guarantee that [even] if you have a firewall, you are being attacked on a daily basis."
One of the major security strategies employed by Wegmans and recommended by Thibault is the creation of a "DMZ" (demilitarized zone, a term used during the Vietnam War), the space between the internal firewall connected to the company's private network and the external firewall connected to the Internet.
In the DMZ reside the company's Web servers for such applications as e-mail, human resources, business-to-business, business-to-consumer (Web site), FTP (file transfer protocol) and the VPN (virtual private network). The DMZ can serve as a buffer between the "untrusted world of the Internet and the private network," Thibault said.
At Wegmans, employees can tap into the HR self-service Web server to obtain personal payroll data -- and Thibault said this will eventually eliminate the need for pay stubs. Employees can also access their work schedule, and at Hannaford Bros. they can enroll for benefits.
The VPN server, which creates an unbreakable "tunnel" into the company network, gives employees working away from the office, such as IT support personnel, a secure connection to the network. The VPN at Wegmans replaced an old dial-up system that provided "a very poor connection with a lot of hassle and maintenance," Thibault said.
On the B2B side, Wegmans uses a supply chain server for bids and other distribution purposes. It also uses the FTP server to exchange large EDI files such as purchase orders with vendors and even to send out 401(k) files.
For B2C communications from consumers to Wegmans' Web site, the chain's external firewall only permits HTTP transmissions into the Web server in the DMZ, blocking other types of information such as e-mail.
At servers in the DMZ, information originating inside the company network is encrypted as an extra measure of protection before it's sent out to the Internet. "The DMZ is just meant for transaction processing," said Thibault. "At no time does the data sit in the DMZ."
The DMZ is set up to receive all outside communications to Wegmans except e-mail, which is the only function allowed to go through the external firewall into the private network.
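As an added illustration, not code from the article or from either retailer, here is a small Python model of the two-firewall DMZ policy just described: HTTP only from the Internet into the DMZ Web server, e-mail the one service passed through to the private network, the DMZ limited to transaction processing, and everything else denied and recorded as the audit trail Thibault mentions. The port numbers for FTP, the VPN and a back-end database are assumed, as is the outbound Web-browsing rule.

```python
from dataclasses import dataclass

# Zones in the layout described above: Internet | external firewall | DMZ | internal firewall | private network
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
ZONE_ORDER = {INTERNET: 0, DMZ: 1, INTERNAL: 2}

@dataclass(frozen=True)
class Allow:
    src: str    # source zone
    dst: str    # destination zone
    port: int   # TCP destination port

# External firewall: HTTP only into the DMZ Web server; e-mail (SMTP) is the one
# service passed through toward the private network. FTP/VPN ports are assumed.
EXTERNAL_FW = [
    Allow(INTERNET, DMZ, 80),        # B2C Web site
    Allow(INTERNET, DMZ, 21),        # FTP server for EDI files (assumed port)
    Allow(INTERNET, DMZ, 1723),      # VPN server (assumed port)
    Allow(INTERNET, INTERNAL, 25),   # e-mail: the only function allowed through
    Allow(INTERNAL, INTERNET, 80),   # employee Web browsing (assumed; site filtering not modelled)
]
# Internal firewall: the DMZ only processes transactions, so it gets one assumed
# back-end database port; the pass-through e-mail flow is checked again here.
INTERNAL_FW = [
    Allow(DMZ, INTERNAL, 1433),      # assumed database port used by DMZ apps
    Allow(INTERNET, INTERNAL, 25),
    Allow(INTERNAL, INTERNET, 80),
]
AUDIT = []   # the firewall's "audit trail": every blocked flow is recorded here

def firewalls_crossed(src, dst):
    """External firewall sits between zones 0 and 1, internal one between 1 and 2."""
    lo, hi = sorted((ZONE_ORDER[src], ZONE_ORDER[dst]))
    crossed = []
    if lo <= 0 < hi:
        crossed.append(("external", EXTERNAL_FW))
    if lo <= 1 < hi:
        crossed.append(("internal", INTERNAL_FW))
    return crossed

def route(src, dst, port):
    """Default deny: a flow passes only if every firewall on its path has an Allow for it."""
    for name, rules in firewalls_crossed(src, dst):
        if Allow(src, dst, port) not in rules:
            AUDIT.append(f"{name} DENY {src}->{dst}:{port}")
            return "deny"
    return "allow"
```

Because each firewall defaults to deny, a new DMZ application needs an explicit rule on both firewalls before it can reach an internal system, which is the "need to know" posture Breault describes.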
All outside users of servers in Wegmans' system need IDs and passwords for authentication.
Wegmans' firewalls also control what its employees can access from the Web. "We take Internet access very seriously," said Thibault. But the company's policy allows employees personal use of the Internet before and after working hours and during lunch. Unlike some companies, Wegmans allows employees to access sports sites, but blocks others, such as pornographic sites, and prohibits downloading of files.
Wegmans stores Web activity for each employee; employees are tracked by site, day and hour, and time spent. They are also monitored to see if they are checking home e-mail.
Breault stressed the need for internal networks to be equipped with anti-virus protections. He noted that gateway appliances sitting outside the firewall can be used to inspect all data coming into a network so that viruses can be eliminated.
Servers, especially e-mail servers -- "the path of least resistance," Breault said -- should be kept up-to-date with the latest virus protections. "Anti-virus definitions should be pushed to workstations on a daily basis," he said.
Thibault and Breault stressed the need for the latest security patches. "If you're not patching your servers, there's a good chance they're being hacked," said Thibault.
For Breault, there is a never-ending need to be vigilant. "New system vulnerabilities need to be evaluated daily for all applicable operating systems, databases and applications," he said.