Security on the web
May 1, 2001 12:00 PM, By Carey Adams
Attacks on company computers are becoming all too common. The vulnerability of e-commerce sites is in the news daily.
Cyber-attacks against retail sites can cost a company hundreds of thousands of dollars in lost revenue. Taking a proactive approach to protecting a web site against hackers is the best policy, but for many companies, taking the first step is difficult — where should they turn?
“You would be surprised at the number of companies that don't know how to protect their web sites or what to do if their site is penetrated,” says Scott Wright, director of information security services for The Netplex Group, an e-business solutions provider.
The Netplex Group, Reston, Va., specializes in creating solutions for information security. Its offerings include threat and vulnerability analysis, information security penetration testing, security architecture development, policy development and security awareness, security implementation, and IT security training.
Wright says companies shouldn't wait until their site is hacked before doing anything.
“A lot of retail companies end up losing millions of dollars every year because they chose not to protect their sites,” says Wright. “The costs to protect an information security site are minuscule compared to what might happen if it is left unprotected.”
Hacker attacks that force computer servers to shut down can cost a company $20,000 to $30,000 an hour.
Linda Fletcher, director of security for Alverno Health Systems, turned to The Netplex Group after realizing that Alverno's IT system carried too much vital client information that might be subject to attack.
“Our information travels on several servers and facilities daily. That is vital information that we cannot allow to be breached,” says Fletcher. “We wanted to reduce the risk of losing very confidential information. You can't put a price on patient confidentiality.”
Netplex performed a threat and vulnerability assessment on Alverno's IT infrastructure to discover weaknesses and exposures to both internal and external threats. Such an assessment is the first and one of the most vital steps a company should take to protect its information on the web.
A threat and vulnerability assessment can determine how well a firewall works, and whether a company needs an intrusion detection system and disaster recovery system. The assessment can also determine how well the physical and administrative procedures within the company will work in the case of an IT failure.
Wright says many retail web sites are not properly password-protected. “If a hacker gets in, they can put in a root hit which can open up a whole lot of back doors to a site. Once in the site, hackers can do a tremendous amount of damage,” says Wright.
Retail sites are especially at risk for financial failure without proper protection. Hackers have learned to place tools that work against the CGI scripts, which allow interaction on a web site. Such a tool can feed false information to the site, thus allowing a hacker to buy products for less than 90 percent of the listed price.
Hackers are also capable of causing buffer overflows that can flood the memory of the IT server. Flooding the server allows hackers to place executable code that can open a port or firewall into the web site. In this way hackers can change the content on the site.
“Hackers are sophisticated and can cause a lot of damage if they are allowed,” says Wright.
Fletcher says she knew Alverno didn't have a plan in place if something went wrong within its information security department. “With so much information moving between servers, we didn't know if we had holes in our system that we could plug if something went wrong,” says Fletcher. “We definitely didn't want a triggering event that would force us to do something. That would be after-the-fact.”
Fletcher said having the assessment done demonstrated to management that the system wasn't impenetrable.
“We wanted to present ideas to management to show what can happen to our system if it is breached, and the cost,” says Fletcher.
Alverno had Netplex perform port scans on its system, and Netplex consultants taught Alverno employees how to perform port scans themselves.
Operators of retail web sites and IT systems are also advised to have penetration testing performed, in which consultants attempt to penetrate the network perimeter and internal systems to assess vulnerability.
Businesses are also encouraged to have a policy development and security awareness check. The procedure can produce and document IT security policies and procedures that work best for each individual company.
Wright says many companies have backed away from having an IT assessment for fear that information will leak that an assessment was performed.
“A lot of people are very concerned about the reputation of their company. They would like you to think they have an unblemished record,” Wright says.
But he cautions anyone who thinks their company is above intrusion.
“It doesn't cost a lot to have an information security check performed to safeguard a system's integrity and maintain the security of critical data, but it will cost a lot if the system is penetrated and valuable information is stolen or lost,” says Wright.
For the record
About the author
Carey Adams is associate editor of Access Control & Security Systems Integration and iSecurity.
© 2008 Penton Media Inc.