Recent hacker attacks
have plunged computer security into darkness, and some analysts don't yet see the light at
the end of the tunnel. Chris Davis, a security expert with TygerTeam, said, "It will get worse before it
gets better." No one seems to be
immune from hack attacks. In February, eBay, Yahoo, Buy.com, and other high-profile sites
were shut down for hours after hackers launched a denial of service attack. Smaller sites
can also find themselves the target of cybercriminals. Two teenagers from Wales were
recently arrested and accused of hacking into 11 small sites and stealing information for
over 26,000 credit cards. Worse yet, they posted at least 1,000 of the numbers online. In
fact, in a recent survey 90 percent of the 643 computer security practitioners queried
said they had suffered some kind of security breach in the past year.
The federal government is taking action to cut
down on cybercrime but too often that's a matter of too little too late. So it's important
that you take the initiative and take action to secure your site.
Security Threats
Before you can protect yourself, you need to know what you're up against. Threats to your
system's security can come from both inside and outside your organization, although recent
research shows that most security breaches come from inside. The variations are almost
countless, but here are the basic types of security breaches that you might encounter:
- Misuse of Resources. Unlimited
computer time and Internet access can tempt some employees to misuse resources. Misuse of
resources ranges from downloading pornography to employees using company assets to operate
side businesses.
- Theft of Assets. Unfortunately
not all employees are honest, and some have been known to let greed get the better of
them. Theft of assets includes theft of computers, especially laptops, as well as
proprietary information stored on computers.
- Unauthorized Access. Any time an
outsider breaks into your computer system or an insider accesses an area without
appropriate clearance, you have unauthorized access. Although hackers sometimes break into
systems only to peruse information, unauthorized access can lead to theft or alteration of
sensitive data.
- Data Alteration. Sometimes
hackers break into systems and alter information as it travels along the information
superhighway. Often it's the contents of an e-commerce transaction -- user name,
credit-card numbers, and/or dollar amounts -- that are altered.
- Vandalism. Sometimes hackers
break into your site and alter it to make a statement. Even the FBI has been the victim of
Web-site vandalism.
- Monitoring. Monitoring is the
high-tech version of eavesdropping, and it occurs when hackers intercept and monitor your
transmissions in search of confidential information.
- Spoofing or Hijacking. Spoofing
or hijacking occurs when a cybercriminal registers a domain name that is very similar to
yours and hijacks your customers. Often cybercriminals will set up the site to look very
similar so that customers are misled. Online vandals do this to steal data from your
customers or to disrupt your business and ruin your good name.
- Denial of Service (DoS) Attack.
This is what brought eBay, Amazon, Yahoo!, and Buy.com to their knees. A DoS occurs when
hackers overwhelm your site with access requests. When your system becomes overwhelmed
with phony access requests, it shuts down and visitors get the high-tech equivalent of a
busy signal.
- Viruses. A virus is a
destructive program that can wreak havoc on your system, destroying data and even
hardware. Viruses are commonly spread through email attachments.
- Credit-Card Fraud and Identity Fraud.
Both credit-card fraud and identity fraud occur when a criminal uses a credit card in
another person's name to make a purchase. The difference is that credit-card fraud occurs
when a virtual vandal steals an existing credit card, or credit-card number, and uses it
to make a purchase. Identity fraud occurs when a criminal steals identifying information
-- name, social security number, and birth date -- and uses that information to obtain a
new credit card in another person's name. Although consumers suffer from both types of
fraud, online merchants suffer the most because credit-card issuers only hold cardholders
responsible for the first $50 of unauthorized charges -- and most will waive the $50.
Meanwhile, merchants have to pay back the rest.
- Repudiation. Thieves aren't the
only ones taking advantage of the fact that credit-card companies don't hold cardholders
responsible for unauthorized charges. Sometimes card users make a charge and then deny
making it. When that happens, credit-card issuers usually take the side of the cardholder
and charge the merchant.
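The spoofing item above turns on a domain name "very similar to yours", which a site owner can watch for. The following is an added example, not part of the original article: it flags look-alike registrations in a feed of domain names, and the domain names, function names and distance threshold are all assumptions made for illustration.

```python
from typing import Optional

# Fold characters commonly swapped in look-alike names onto one canonical form.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})


def normalize(name: str) -> str:
    """Lower-case, fold look-alike characters, treat 'rn' as 'm', drop hyphens."""
    return name.lower().translate(FOLD).replace("rn", "m").replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'shop.example' into ('shop', 'example'); assumes a one-label TLD."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld


def classify(candidate: str, own: str, max_distance: int = 2) -> Optional[str]:
    """Return the reason `candidate` resembles `own`, or None if it does not."""
    own_name, own_tld = split_domain(own)
    cand_name, cand_tld = split_domain(candidate)
    if (cand_name, cand_tld) == (own_name, own_tld):
        return None  # this is our own domain
    if cand_name == own_name:
        return "same name, different TLD"
    if normalize(cand_name) == normalize(own_name):
        return "look-alike spelling"
    distance = edit_distance(normalize(cand_name), normalize(own_name))
    return f"edit distance {distance}" if distance <= max_distance else None


def find_lookalikes(candidates, own):
    """Return (domain, reason) pairs for candidates that resemble `own`."""
    return [(c, r) for c in candidates if (r := classify(c, own))]


# Constructed sample: a feed of newly registered domains (none are real).
SAMPLE = ["acme-widgets.example", "acmewidgets.test", "acmew1dgets.example",
          "acmewidgest.example", "gardenhose.example"]
```

Calling find_lookalikes(SAMPLE, "acmewidgets.example") reports the first four names and ignores the unrelated one.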
Protecting Yourself
The best way companies can protect themselves,
according to Davis, is to hire a full-time security expert or to contract security out to
a consulting firm. Davis says it's hard for companies to stay current on security issues
because the field changes from week to week.
Although experts may know best, there are some
basic steps you can take to protect yourself from cybercrime.
- Assess Your System. If you've
got a system in place, take some time to thoroughly analyze it and determine its weak
points. Knowing your system's weak points will help you develop a security system to plug
up those holes. Businesses using canned e-commerce software should contact the vendor and
other users to determine what bugs have been found and, more importantly, what patches
are available to fix identified problems. The hackers in Wales apparently exploited
weaknesses in Microsoft's e-commerce software to steal credit-card numbers in January
2000. However, Microsoft had identified the problem and issued a patch in 1998. The
problem was that users weren't downloading and installing the patch.
- Establish Security Procedures.
Once you've analyzed your system, develop security procedures to protect your assets. Your
security procedure should detail who has access to what and what methods you're taking to
secure confidential information.
- Keep Your Security Procedures Updated.
All too often companies take the time to develop security procedures but don't update them
as systems evolve or are replaced. Review your security procedures regularly and update
them as necessary.
- Limit Access. Not every employee
needs access to every aspect of your system. Employees should have access to the
information they'll need to do their job but no more.
- Establish a secure infrastructure.
The first step in protecting your data has to be establishing a secure environment by
putting your sensitive information behind a firewall. Routers and a firewall will prevent
unauthorized intrusions into your system by monitoring the flow of information between
your Web server and the Internet.
- Monitor Your System. Routers and
firewalls are not foolproof, so it's a good idea to invest in intruder-monitoring software
that will let you know if there's been a breach, so you can take immediate action to
protect confidential information.
- Verify Credit-Card Purchases.
Credit-card verifications can be as simple as checking to make sure the name, credit-card
number, and expiration date match up, or they can include address verification. Including
address verification is a good idea because some cyberthieves get the card number but not
the address.
- Encrypt Your Data. Encrypting or
encoding data as it's being transmitted over the Internet makes it tougher for crooks to
steal credit-card numbers. Most sites use SSL (Secure Sockets Layer) encryption to protect
data.
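The purchase checks described under "Verify Credit-Card Purchases" can be sketched as follows. This is an added example, not part of the original article. It assumes a Luhn checksum on the card number (which the article does not mention), an address check that compares only the house number and postal code, and a constructed `ISSUER_RECORD` standing in for the card issuer's answer. The card number is a widely used test number and every name and address is made up.

```python
import re
from datetime import date


def luhn_ok(number: str) -> bool:
    """Checksum test that catches mistyped or made-up card numbers."""
    digits = re.sub(r"[\s-]", "", number)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def squash(text: str) -> str:
    """Upper-case and collapse whitespace so 'pat  example' == 'Pat Example'."""
    return " ".join(text.upper().split())


def avs_key(street: str, postal: str):
    """Address verification here compares digits only: house number, postal code."""
    house = re.match(r"\s*(\d+)", street)
    return (house.group(1) if house else "", re.sub(r"\D", "", postal)[:5])


def verify_order(order: dict, issuer: dict, today: date) -> list:
    """Return the failed checks; an empty list means the order passes."""
    failures = []
    expiry = (order["exp_year"], order["exp_month"])
    if not luhn_ok(order["number"]):
        failures.append("card number fails checksum")
    if expiry < (today.year, today.month):
        failures.append("card expired")
    if expiry != (issuer["exp_year"], issuer["exp_month"]):
        failures.append("expiration date mismatch")
    if squash(order["name"]) != squash(issuer["name"]):
        failures.append("name mismatch")
    if avs_key(order["street"], order["postal"]) != avs_key(issuer["street"], issuer["postal"]):
        failures.append("address mismatch")
    return failures


# Constructed data: the issuer's record, a genuine order, and an order placed
# by someone who has the card number but not the billing address.
ISSUER_RECORD = {"name": "Pat Example", "exp_month": 9, "exp_year": 2031,
                 "street": "42 Orchard Lane", "postal": "12345"}
GOOD_ORDER = dict(ISSUER_RECORD, number="4111 1111 1111 1111",
                  name="pat  example", street="42 Orchard Ln.")
STOLEN_NUMBER_ORDER = dict(GOOD_ORDER, street="7 Harbour Road", postal="54321")
```

The genuine order passes even though the street is abbreviated differently, while the order with the wrong billing address is rejected on the address check alone.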
What to Do If You've Been Hacked
As recent hack attacks have shown us, even the
biggest sites are vulnerable to hack attacks; that's why it's crucial to have monitoring
software to detect attacks on your system. While some attacks like vandalism and DoS
attacks are obvious, other attacks can go undetected for months if the system isn't being
properly monitored.
The first thing to do if you find you've been
hacked is to take steps to find out the extent of the problem. It is especially crucial to
determine if confidential information has been compromised. This may be easier said than
done and you might need to bring in an expert to assess the situation.
Once you've determined the extent of the attack, notify the authorities. The federal government
has set up a website, Cybercrime, that spells out
how to report hack attacks. Some attacks need to be reported to the FTC, while others are
to be reported to the FBI.
Next, plug the holes in your system. It's
important to do so as soon as possible so that hackers, or copycats, can't get back in.
Lastly, and most embarrassingly, if customer
information has been compromised, you'll have to notify your customers so they can contact
their credit-card companies and cancel their cards.
Plan Ahead
Good planning is the best way to protect your
computers and the data they hold. Take the time to plan how you're going to secure your
information and what you're going to do if you're the victim of a hack attack. Who knows,
your planning could deter a hack attack or, at the very least, let you recover quickly if
you are hacked.