Are You Adequately Protecting Yourself?

Predators may be lurking in your site, sifting through customers' accounts and stealing vital information. If you don't believe you're at risk, a recent study about information security in the U.K., might have you thinking twice.

The Information Security Breaches Survey 2000 found during the last two years that as many as three in five British businesses have suffered from some computer-related security damage Plus, 43 percent of the companies surveyed who have "highly sensitive information," admitted to experiencing some kind of "extremely serious" security breach in that time.

Survey cosponsor Axent Technologies is critical of British companies' security efforts. "This report shows that to date, British companies have let security escape them," the group explains. "We have a long way to go before we can truly provide a secure Internet environment."

Of the companies surveyed, only one in seven had even developed any formal information security measures. The problems aren't limited to the U.K either, as a look through recent news stories shows.

For example, CIHost, a Web hosting company, was left red-faced when customers were easily able access numerous credit card accounts on the site. It turns out the snafu was caused when a database was moved to an outside server for access by an outside developer. Unfortunately for CIHost, someone forgot to install password protections, which left nearly 1,500 names and credit card numbers vulnerable.

Outpost.com made a different, yet equally critical error: A customer, James Wynne, noticed that the Web address for his transaction included his order number. He found that by changing a number in the URL, he could access countless other customers' records. "You can see someone's email address, their billing address, their shipping address, type of credit card they used, their order history--everything they bought, everything they received, everything they're currently waiting for," Wynne told Wired News.

In January, disgruntled former employees from Global Health Trax left unsecured information on the company's old website. (The old site was still running even though the company had abandoned it in favor of a new URL.) Visitors could access information about hundreds of the company's distributors, including home phone numbers, bank account and credit card numbers, MSNBC reported.

Incidents like these aren't isolated. The examples above or only a small sample of recent occurrences.

How can these problems occur so easily? After all, most online businesses employ specially trained computer experts and install the most up-to-date computer software and security tools, right? Oops, maybe not.

IGN sought the perspectives of several computer security specialists, and what they had to say might surprise you. Most security breaches, they agreed, are due to lack of attention and even a lack of actual security tools and measures.

One of the worst security problems facing businesses, a SANS (System Administration, Networking and Security) Institute representative recently told ZDNet, is the use of unqualified employees to handle security. SANS operates one of many websites that offer computer security training classes. (You can find a complete listing of security training and certification programs on their site, www.sans.org.)

Where many businesses go wrong, said Walter Kopf with J.S. Wurzler Underwriting Managers, is by leaving a port open or adding a new workstation without installing the proper firewalls.

Donald Evans, CISSP, FLMI is a security specialist for United Space Alliance. He suggested that most security problems begin before the site ever goes live. The Internet works fine for what it was designed to do, he said, only it wasn't intended for e-commerce.

Additionally, Web designers don't plan ahead for security and compound the problem by adding more controls after the fact. "Lots of website design tools aren't fully tested," Evans said, which increases potential security problems for sites that add yet more features to their design.

Another expert, Chris Anderson, practice leader, eSecurity Solutions for Ernst & Young Canada, outlined what he considers the most common security mistakes:

The use of weak or poor passwords, and not changing them frequently;
Weak or poor implementation of systems and programs;
Poor design of sites, with architecture that leaves the site vulnerable to be compromised;
Not using an intrusion detection system;
Even with the best technology in the world; lack of care and attention or poor implementation of security leaves the system vulnerable to breaches.

Often, Anderson said, company personnel don't read the manuals for the various software programs and system. Failure to do so results in your system being set up inappropriately for your business purposes.

Anderson also recommends having a plan in place should a security breach occur. For example, he suggests keeping a copy of the software, databases, etc. on CD or on a separate server. Such information should be regularly updated, at least once a month. Also, someone should be designated to handle all outside inquiries (good public relations!), which will allow the IT experts to do their job. Planning ahead, he said, will help your site to get back up and running quickly.

Operators need to determine whether a duplicate environment is the wiser route than just making a copy of software and databases. Obviously, an extra server isn't a cheap choice, but it might be the wiser choice. In some cases, Anderson explained, a duplicate environment is cost effective when compared to what it would cost should your site fail and need to be completely reinstalled.

Another excellent resource for IT professionals is www.securityfocus.com, which offers security news and information, training, and updates. Security Focus' MIS manager Ryan Russell lists several security issues for operators to consider:

It's important to patch known security problems. If you don't, it's easy pickings for hackers who watch for security hole announcements. They use the information to hack into the many sites that don't patch their holes.
You should also remove extraneous functions from your system. Many systems, such as Windows, come with a number of functions already switched on. Many of them are unnecessary for your business or are duplicated somewhere else. It's important to turn them off so they can't be turned against you, Russell said. (Also, it protects you against any security holes that you may be unaware of.)
Remove extraneous CGI programs. Again, this is something that is frequently duplicated on your system by various software programs. Get rid of them before they, too, can be turned against you.
Apply a firewall in front of your servers, it helps give your site "security in depth," he explained.

There are other issues to consider. "It's fairly easy to install a shopping cart and make it function," Russell said. Unfortunately, computer professionals forget to check for vulnerabilities, or even to look at the manuals for known conflicts or vulnerabilities. This can lead to inadequate protection of customer data.

Russell concurs with SANS Institute experts regarding a lack of skills among some IT professionals. He feels that even worse, however, is the lack of support from company managers for their security personnel.

Ideally, the webmaster and security professional work together while developing a site, thereby preventing the slipping in of security weaknesses. Too often, however, security professionals are brought in after the site is finished, which makes it much more difficult to correct any holes.

Security is "80 percent management and 30 percent technical," explained another computer expert, Alex Woda of Woda & Associates (www.awa.ca). Woda emphasized that security isn't a one shot deal. Rather, it's an ongoing process that requires someone who is knowledgeable and who's also paying attention.

Finally, you might want to insure your site against damages and losses caused from hackers, crackers, and other problems interrupting the site's business. According to the Insurance Information Institute (www.iii.org), companies with revenues of $1 billion or less can expect premiums to range between $25,000 to $125,000 for $25 million in coverage. The maximum amount of coverage is $200 million. One insurance company gaming site operators can contact directly is J.S. Wurzler Underwriting Managers, which indicated it would probably work with online gaming sites. Their site is www.jswum.com.

In the end, your best protection against security problems is knowledge. You might want to check out the following resources:

Anderson's site, www.esecurityonline.com, lists several classes that IT experts would find helpful, including "Extreme Hacking 101."
www.mycio.com/zombie/default.asp
"Internet attackers are hijacking Internet resources to launch massive attacks against major Internet web sites," according to MyCIO.com, which offers a free scanning service to ensure your machines aren't running Zombie agents, and aren't vulnerable to having these agents deployed on your site.
CMISS
The Carnegie Mellon Institute for Survivable Systems is a research group concentrating on prevention of security problems, rather than response.
Bug-hacking group Philtered.Net has recently warned Internet service providers about a Perl script that hackers can use to extract subscribers' information right off the terminal by using Simple Network Management Protocol (SNMP). With this information, Internet users' real locations can be determined.
www.cert.org
Additionally, check out the CERT site, which earlier this year publicized another security problem. CSS or cross-site scripting permits malicious script commands or executable code to be inserted by one user into another user's session. Even worse, if incorporated into a cookie, the malicious code could follow a user throughout the Web and possibly access cached pages on computers protected behind firewalls (see related story, "Dealing with Insecurity").