YOU PROBABLY HAVE MULTI-LEVEL FIREWALLS IN PLACE. And, you've invested in state-of-the-art monitored intrusion prevention systems. You are even enforcing strong passwords for all the staff in your company. Your privacy data, such as credit card numbers, is only in encrypted databases, too. You are following industry best practices and wish good luck to any hacker trying to penetrate your defences to steal data. Why wouldn't you feel confident you're as well protected as possible? Unfortunately, that confidence is misguided. If you're involved in any kind of electronic commerce, you may soon be facing a new challenge. And this time, it won't just hit the big companies. To make matters worse, all the above countermeasures will effectively be useless. Following is the anatomy of a "denial-of-business attack" on a typical e-commerce Web site:

When it begins, it will start slowly. At first, it will actually look like your site is picking up business. Order numbers will be up significantly  and your manager will smile, already planning to spend his bonus on a holiday in the tropics. However, on day two of the attack you will start getting the odd complaint from your call centre that customers are receiving goods they didn't order. The warehouse manager may also complain about several items being returned to sender with an incorrect address. You‘re likely to suspect data corruption or maybe operator errors, so an investigation will be your next logical step.

At this stage, it is mostly a nuisance causing a few people to stay late to sort things out. You don't know what you're facing, so you're still confident you can fix the problems. Internal staff and your software supplier will frantically try to figure out what is going wrong.  Unfortunately, all tests will show the systems working flawlessly. Day three is progressively worse. In the morning the call centre will be flooded with irate callers. You also start getting complaints that  people who are not even customers have had their credit card charged for items that were never ordered from your company. You may also get a call from your credit card processor alerting you to an unusual number of failed card authorisations. Full-scale emergency You will now know that you have a full-scale emergency. If you don't, the view of the CFO and most of the operations staff standing with lit torches and raised pitchforks in the middle of the ICT department will probably give it away.

It is highly likely that you will push for the only sensible choice: shutting down the site until you can figure out what is going on. Your company has now suffered a full-scale and successful denial-of- business attack.

The best strategic approach is to separate business functionality from security aspects. Do not expect the application itself to deal with new threats. Instead, wrap it in a security layer that can address emerging risks. This is similar to existing solution architectural patterns, where presentation is separated from business logic.

For example, a single specialised security layer (e.g. in the form of an inline filter) can handle the problem. This way, newly identified threats can be quickly eliminated and an applicationwide response implemented - without touching a large number of code points.