Web Exclusive: Loose Talk about Tight Cyber Security
By Jim Robinson, RHU, CLU ChFC, CFP, MSFS
An advisor's guide to firewalls, encryption and Secure Sockets Layer.
As in any other aspect of life, feeling safe in cyberspace is preferable to feeling as if a mugging--virtual or otherwise--is lurking just around the corner. All of us want that archetypal "clean and well-lit place," even on the Internet.
And for advisors, their very livelihood depends on safety in cyberspace. While it can be said that they sell peace of mind, the truth is that this peace comes at a price. Clients essentially swap intimate, private details about themselves for the ability to sleep soundly at night. Thus, advisors need to be doubly certain that their piece of the Internet is secure.
Which brings us to a contemplation of the various security measures that can be brought to bear in cyberspace. While advisors don't need to have a deep understanding of what can be done to keep their online client records private, an overview is advisable. After all, there was a bestseller just a few seasons ago devoted to cultural literacy--the minimal amount of cultural knowledge every citizen should have. So you must view the following as an exercise in cyber-cultural literacy. Ultimately, it's useful stuff to know--and who knows? It may help you win on The Weakest Link.
Financial advisors would willingly use the Web to expand and manage their practices if they could be assured that authentication, confidentiality, data integrity and nonrepudiation will hinder or prevent breaches in client trust that lead to lawsuits.
Here's a brief explanation of these components:
- Authentication: Customers must be able to assure themselves that they are, in fact, doing business with, and sending private information to, a real entity, not a "spoof" site or a person masquerading as a financial services practitioner.
- Confidentiality: Sensitive Internet communications and transactions, such as the transmission of client data, financial and business information, must be kept private.
- Data Integrity: During transmission on the Internet, communication must be protected from undetectable alteration by third parties.
- Nonrepudiation: It should not be possible for a financial services practitioner, client, prospect or peer to claim afterward that he or she did not send, or did not receive, a secured communication.
These four qualities can be attained through the knowledgeable use of a variety of Internet security measures:
- Dedicated servers are the first line of defense: kept apart from the public Web, they host insular intranets and extranets. An intranet is basically an internal or private Internet used strictly within the confines of a company, university, organization or association. RealGlobal.com (see main article) would deploy a global intranet with an extranet component to reach clients and other professionals. The difference between an intranet and an extranet can be somewhat blurry, but generally an extranet extends the intranet to selected outsiders, such as clients, through controlled access at a firewall.
- Firewalls provide added security by controlling which traffic may pass between the private network and the Internet. A firewall may be a dedicated machine placed between the two, or software running on a server; either way it allows or blocks connections according to rules based on source and destination address, port and protocol, so that unauthorized users cannot reach internal systems at all.
- Encryption is a way of scrambling information so that if it is intercepted as it travels over a network, it cannot be read. Only a party holding the right key can unscramble the message. The two most common types of cryptography are "same key" (also called symmetric) and "public key." In same-key cryptography, a message is encrypted and decrypted using the same mathematical key, which means that key must first be delivered to the other party over a channel an eavesdropper cannot read; that delivery is the weak spot. Public-key cryptography removes it by giving each party a pair of mathematically related keys, one published to the world and one kept secret. A message encrypted with someone's public key can be decrypted only with the matching private key, so anyone can send that person a confidential message without first exchanging a secret; and a value produced with the private key can be checked by anyone holding the public key, which is the basis of digital signatures. Because public-key operations are slow, the two are combined in practice: public-key cryptography delivers a fresh same-key session key, and that session key encrypts the bulk of the traffic.
- Secure Sockets Layer (SSL) is a protocol that enables encrypted, authenticated communications across the Internet. SSL is mostly, but not exclusively, used in communications between Web browsers and Web servers. SSL provides three important functions: privacy, authentication and message integrity. When an SSL connection is set up, the server sends the browser its digital certificate, which carries the server's public key and is signed by a certificate authority the browser already trusts; the browser checks that signature and checks that the name in the certificate matches the site it asked for. (A server can also demand a certificate from the client, but for ordinary Web sites only the server is certified.) The two sides then use public-key cryptography to agree on a session key that only they know; that key encrypts everything that follows and protects it with an integrity check, so an eavesdropper cannot read the traffic and any alteration in transit is detected. SSL comes in different "strengths," set by the length of the session key: 40-bit and 128-bit. A 128-bit key has 2^88, roughly 3 X 10^26, times as many possible values as a 40-bit key; 40-bit keys can be recovered by exhaustive search on ordinary hardware, so 128-bit is the one to insist on.
A Digital Certificate is a specially prepared data file that functions as an electronic credential in cyberspace. Think of it as a business license, an employee ID badge or a customer membership card. It binds the certificate owner's name to the owner's public key, is signed by a certificate authority that vouches for that binding, and can establish the owner's membership in a given organization or community and the owner's authority to engage in a transaction. The certificate itself is public and can be freely copied; what a hacker cannot do without the owner's private key is prove ownership of it, so that private key must be guarded as carefully as the paper credentials it replaces. Other security tools include firewalls and intrusion-detection software.
A Digital Signature is produced with the signer's private key over the document being signed and can be verified by anyone holding the signer's certificate; because only the holder of the private key could have produced it, it supports the nonrepudiation described above and enables contracts like life insurance policies and mortgages to be legally entered into via the Internet. The Electronic Signatures in Global and National Commerce Act (E-SIGN) was signed into law in June 2000. This law states that the traditional law of signatures applies to e-commerce, just as it does to conventional, paper-based commerce.
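As an added example, not code from the article or from NAIFA, the following Python script (3.8 or later) builds each mechanism described in the encryption, SSL and digital-signature passages above in miniature: a same-key stream cipher, a public-key cipher, the hybrid seal that SSL constructs from the two, and a signature that is produced with the private key and verified with the public one. Textbook RSA over freshly generated probable primes and an HMAC-derived keystream stand in for the real algorithms; the key sizes, the sample message and every function name are assumptions made for illustration, and nothing here is production-grade cryptography.

```python
# Added example (not the article's code): miniature same-key cipher, public-key cipher,
# SSL-style hybrid seal and digital signature. Textbook RSA without padding and an HMAC
# keystream stand in for real algorithms; key sizes and sample text are assumptions.
import hashlib
import hmac
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin test
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if is_probable_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 512, e: int = 65537):
    """Return (public, private); each key is an (exponent, modulus) pair."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_apply(key, m: int) -> int:
    # raw RSA, m**k mod n: whatever one key of a pair does, only the other undoes
    return pow(m, *key)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0  # HMAC-SHA256 in counter mode as a toy stream cipher
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # same-key cipher: XOR with the keystream, so one call both encrypts and decrypts
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(recipient_public, plaintext: bytes):
    """SSL-style hybrid: a fresh session key, wrapped with the recipient's public key,
    encrypts the data and keys an HMAC tag so that tampering is detected."""
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(key, "big"))
    ciphertext = sym_crypt(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return wrapped_key, nonce, ciphertext, tag

def unseal(recipient_private, wrapped_key: int, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Unwrap the session key with the private key, check integrity, then decrypt."""
    key_int = rsa_apply(recipient_private, wrapped_key)
    if key_int >= 1 << 128:  # wrong private key: the unwrapped value is garbage
        raise ValueError("session key unwrap failed")
    key = key_int.to_bytes(16, "big")
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered or wrong key")
    return sym_crypt(key, nonce, ciphertext)

def tampering_detected(recipient_private, wrapped_key, nonce, ciphertext, tag) -> bool:
    try:  # True when unseal refuses the message, which is what integrity protection buys
        unseal(recipient_private, wrapped_key, nonce, ciphertext, tag)
    except ValueError:
        return True
    return False

def sign(signer_private, message: bytes) -> int:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(signer_private, digest)  # private key applied to the hash = signature

def verify(signer_public, message: bytes, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(signer_public, signature) == digest  # anyone with the public key can check

if __name__ == "__main__":  # usage: the advisor signs a note and seals it for the client
    advisor_public, advisor_private = rsa_keypair()
    client_public, client_private = rsa_keypair()
    note = b"Beneficiary change on policy 1001 approved."  # constructed sample text
    signature = sign(advisor_private, note)
    wrapped, nonce, ciphertext, tag = seal(client_public, note)
    print("client reads:", unseal(client_private, wrapped, nonce, ciphertext, tag))
    print("advisor's signature verifies:", verify(advisor_public, note, signature))
```

Run as a script, the client recovers the note only with the matching private key; flip one byte of the ciphertext and `unseal` refuses it, which is the data-integrity property; change one character of the signed note and `verify` returns False, which is what makes nonrepudiation possible. A real deployment uses a vetted cryptographic library and a certificate chain rather than this toy.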
Copyright © 2001 National Association of Insurance and Financial Advisors. All Rights Reserved.