Internet Security--A Plan of Attack

There has been a string of incidents in which computer hackers attacked prominent e-commerce sites. The experts hope the incidents serve as a wake-up call.

BY CHRISTOPHER CORNELL

Not many weeks ago, you could scarcely watch a TV newscast without hearing breathless reports of prominent e-commerce sites being attacked by mysterious, unidentifiable "computer hackers." The stories probably sent chills down the spine of many a CEO whose company has recently ventured out onto the World Wide Web. After all, many of them must have said to themselves, if Internet stalwarts like Yahoo! and eBay can be victims, how can I possibly be safe?

Still, many of the news reports were more sensational than they needed to be. The recent attacks, while frustrating for e-commerce customers, did not actually damage computers, destroy data or compromise confidential files.

In fact, in the recent "denial of service" (DOS) cases, the only computers actually broken into were obscure collegiate computers, which were then used to tie up the e-commerce sites by sending thousands upon thousands of messages to them. It's a bit like somebody using a stolen calling card to call your customer service department, only to hang up, over and over again. The distraction would prevent your staffers from attending to legitimate customers, but it would not injure your employees or damage your equipment.

"In many cases, the mechanisms of the attack are pretty simple," observes Jack Danahy, president of Waltham, MA-based Information Protection Technologies, which produces system security products (they are found on the Web at iprotechnologies.com). "The news reports don't represent accurately the fact that these attacks are not the work of geniuses, but rather the simple execution of some well-known tool by what is probably some disenfranchised adolescent."

Larry Slotnick, vice president of engineering at Palo Alto, CA-based Noosh Inc.—developer of the Internet-based print production solution found at Noosh.com—agrees that some of the news coverage has been "overly alarmist. Web software tools will evolve to monitor and avoid attacks of this sort in the future," Slotnick predicts.

But in the meantime, nobody is recommending complacency. Some recent studies have shown that many e-commerce customers will migrate quickly to a competitor if they cannot get the service they want, at the moment they want it. To compound this problem, the research also indicates that this momentary change of direction often results in continued patronage to the new site. But this is not the only kind of attack that's possible.

"Of course, many different hacks can occur," agrees Patrick White, CEO of Sprockets.com, a secure Web hosting service based in Boston. "The most common is where the hacker guesses the user name and password to get 'root'," or control of a company's system. White has encountered more than one computer system where this guessing game is all too easy.

"If your user name is 'user name' and your password is 'password,' that's pretty easy to guess," he laughs.

Compromising Positions
A different form of attack is called Web page modification. If a hacker can learn the passwords that are used to upload pages to a company's Website, he or she can upload their own Web page, displaying whatever message they choose, or rerouting the user to another site.

In one recent case, a major catalog Website of a huge, reputable brand had its home page diverted to a pornography site. In another, retailer Staples.com had a product catalog Web page hacked, and all the hyperlinks for individual products were changed to links that led users to competitor OfficeDepot.com. Several government Web pages have also been replaced with Web pages featuring manifesto-like pronouncements.

Worse, computer systems without proper security can be vulnerable to even more serious, and potentially devastating, attacks: attacks in which data are altered or corrupted; attacks in which customer files are damaged or compromised; attacks which can bring down an entire company's network.

"The worst type of attack is one that involves data compromise," Slotnick notes, adding that a hacker can gain 'read-only' access—meaning that he or she can read the information but cannot change it—or modification access.

"Either, potentially, is hugely destructive to a company, depending on the degree of sensitivity of the data. Critical information about a company's strategic plan can be extremely valuable to a competitor. Companies should think very carefully about how critical infor-mation is made available over the Web."

"The real threat for the future lies in less well-known attack types where actual content is altered or services are rendered inoperable through machine changes," agrees Danahy. "In these cases, simple network reconfiguration cannot solve the problem. Entire systems will need to be reloaded and corruption reversed."

Could this happen to you?
"The threat is very real," Danahy says, and he has a list of things a CEO should know—or find out—about his e-commerce system.

The first question, he says, is: "Where are we hosting? If it is internal, do we have a firewall? Even if the Website is hosted externally, what about internal servers? Are they protected by a firewall?

"Second, who knows the root passwords, and where are they stored? The most common security breach is internal!

"Third, what strategies are we using to compartmentalize and protect client files? Who internally has access to these servers? Could someone break in via our Internet connection?"

White recommends that CEOs ask the information technology (IT) professionals at their companies these and other questions about Internet security, and listen care-fully to the responses. He cautions that if the responses are any of the following, CEOs should be very concerned for their security:

I'm not worried because we're pretty small.
"Organizations are typically not attacked for their size, but rather because their address fell within a range of IP addresses being scanned by automated hacking utilities," White says.

All we really need is a firewall.
"A good firewall is only part of the solution, creating what we refer to as the hard-crunchy outside, soft chewy center problem," says White, referring to a situation where a firewall is a system's one and only line of defense, and, if breached, the system is defenseless.

I'll just set up the security, and we can review it every six months.
"Security requires daily interaction to ensure that new issues and vulnerabilities haven't compromised the systems," White explains.

Noosh's Slotnick has one more question to add to that list:

Have we ever been hacked?
"Listen for a thoughtful answer to this question," he suggests. "No one can be certain that they have not been attacked, so a firm, definite 'No' response would be highly suspect."

If the meeting with your IT manager has left you more worried than before, that shouldn't be a surprise, iprotechnology.com's Danahy notes.

"In general, IT managers lack the focus and experience to create and manage the type of security we are talking about." he says. "It isn't because they aren't smart and talented, rather because they have so many conflicting requirements for their time, and security is really a full-time job."

Counter Strike
There are immediate steps that a company worried about Internet security can take to guard against hackers and uninvited guests.

"Document the business flow," Danahy explains. "Figure out those things which need to be exposed to the Internet, and create two separate networks: one for the internal, one for the external. Then figure out the most restrictive way that the organization can connect the two networks, prohibiting every type of connection that is not directly related to the business model.

"In general, no technology should be purchased until the security plan has been developed. Each organization is different, and based on the business model, customer base and need for connectivity, different technologies will be important. A good general plan is to recruit two reputable security firms to generate a security proposal for the business, and balance one against the other. While it will also point up needs, there is a basic educating process that goes on that is invaluable for the organization."

In the worst case scenario, a company begins to address these issues only after an attack has occurred.

In that situation, Danahy says, CEOs need to run damage control by asking their IT managers even harder questions:

When did this happen? Exactly what happened?
"If the administrator cannot pinpoint exactly when and how the attack occurred, more monitoring and checking are necessary," Danahy asserts.

How quickly can you clean up?
"Good planning and replication should make cleanup a fairly speedy process," Danahy opines. "If the restoration takes days, then better release engineering, planning and backups are needed."

But everyone agrees that it is far better to prevent an attack in the first place.

"The biggest pitfall," Slotnick warns, "is to think of security as different from, and not tightly integrated with, the entire site. Security systems must be tied to the site at the most fundamental, elemental levels, usually beginning with the database schema design. Security cannot be thought of as separate from overall site reliability, performance and scalability. Security cannot be bolted on. Adding it later is almost guaranteed to require a site redesign."