By Natanya Wachtel
A little over a year ago, any retailer ignoring its network security sat up and took notice when 11 top-ranked Web sites, including Yahoo, Amazon and eBay, were paralyzed by hackers, making "denial of service" a household phrase.
Then came the infamous "I Love You" virus in May that wreaked digital havoc across the United States and spread throughout the world virtually overnight. In the scant few hours it took to develop a patch to defeat it, the amorous worm had copied and distributed itself to some 10 million computers. Experts disagree on the total damages, but estimates range from $700 million to $15 billion.
Last fall, Western Union shut down its Web site for five days after hackers slipped through a security hole opened when employees left a key file unprotected during routine site maintenance. The hackers stole 15,700 credit-card and debit-card numbers before the company could act.
And, of course, there were other hacking incidents last year, including well-publicized ones like Egghead's (see story, page 24) and CD Universe's. Overall, the Yankee Group estimates that hacker attacks will have an impact in excess of $1.2 billion this year. Do we have a problem here?
We do, yet many companies are still unaware of the dangers their systems face, not only from outside their company, but also from within. According to Forrester Research, North American companies with revenue greater than $100 million are spending just $213 of every $1 million of top-line revenue on security.
One click-and-mortar retailer, who asked to remain nameless, says that ignoring cybercrime is a big mistake—which his company learned the hard way. "We didn't realize how and why we needed to protect ourselves until it happened to us. It is still difficult to say how much revenue was lost, but we estimate it to be over 5% of the revenue for that quarter—a fourth quarter. I am glad we stayed out of the media spotlight, but we are not out of the woods. We lost many potential customers and spent more money trying to fix the problem than we would have spent if we used better security measures in the first place."
Fortunately, for many of the areas where retailers are vulnerable to online security breaches, there are solutions and/or industry initiatives. Take denial-of-service attacks, which can be quite pernicious. In one variety, hackers send packets of data with a fake return address; the Web server's replies go to that forged address and are never answered, so the server keeps retrying. The trick creates a bottleneck that eventually causes the server to crash and blocks legitimate traffic. In another variety, hackers send data packets out of their normal sequence, and the Web server devotes so many CPU resources to putting them back in order that it can't process legitimate traffic.
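The first variety described above leaves a tell-tale trace on the server itself: a large share of connections stuck half-open, spread across many source addresses that each hold just one. As an added example (not code from the article or from any company it mentions), the following Python script reads a constructed connection table in a netstat-like layout and flags a listening port whose half-open connections dominate. The sample rows, the thresholds (five half-open connections, half of the port's total) and the `SYN_RECV` state label are assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a Web server's TCP connection table, laid out like
# "netstat -tn" / "ss -tn" output (proto, local address, remote address, state).
# Addresses come from documentation ranges; the data is invented for this example.
SAMPLE_TABLE = """\
tcp 10.0.0.5:80 203.0.113.10:51234 ESTABLISHED
tcp 10.0.0.5:80 203.0.113.11:44321 ESTABLISHED
tcp 10.0.0.5:80 203.0.113.12:40001 ESTABLISHED
tcp 10.0.0.5:443 203.0.113.13:40002 SYN_RECV
tcp 10.0.0.5:80 198.51.100.1:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.2:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.3:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.4:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.5:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.6:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.7:1025 SYN_RECV
tcp 10.0.0.5:80 198.51.100.8:1025 SYN_RECV
"""


@dataclass
class Conn:
    local_port: int
    remote_ip: str
    state: str


def parse_table(text):
    """Parse 'proto local remote state' rows into Conn records, skipping anything else."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "tcp":
            continue  # headers, blank lines and non-TCP rows are ignored
        _, local, remote, state = parts
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        conns.append(Conn(local_port, remote_ip, state))
    return conns


def half_open_report(conns, port, min_half_open=5, min_ratio=0.5):
    """Summarise half-open (SYN_RECV) load on one listening port.

    The thresholds are illustrative defaults, not tuned values: a flood is
    suspected when at least min_half_open connections sit in SYN_RECV and they
    make up at least min_ratio of the port's half-open plus established total.
    """
    on_port = [c for c in conns if c.local_port == port]
    half_open = [c for c in on_port if c.state == "SYN_RECV"]
    established = [c for c in on_port if c.state == "ESTABLISHED"]
    total = len(half_open) + len(established)
    ratio = len(half_open) / total if total else 0.0
    per_source = Counter(c.remote_ip for c in half_open)
    suspected = len(half_open) >= min_half_open and ratio >= min_ratio
    # A flood with forged source addresses tends to show many sources each
    # holding a single half-open connection; one misbehaving client would
    # instead show a single source holding many.
    spread = (
        max(per_source.values(), default=0) <= 1
        and len(per_source) >= min_half_open
    )
    return {
        "port": port,
        "half_open": len(half_open),
        "established": len(established),
        "half_open_ratio": round(ratio, 3),
        "distinct_half_open_sources": len(per_source),
        "suspected_syn_flood": suspected,
        "looks_spoofed": suspected and spread,
    }


if __name__ == "__main__":
    conns = parse_table(SAMPLE_TABLE)
    for port in (80, 443):
        print(half_open_report(conns, port))
```

Run against the sample, port 80 is flagged (eight half-open connections from eight distinct sources against three established ones) while port 443, with a single half-open connection, is not. In practice the table would be read from the server's own connection tool, and a monitor would re-run the report on a short interval so that a sudden rise in the ratio, rather than a single snapshot, raises the alarm.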
But the companies that got burned last year by denial-of-service attacks are fighting back. Yahoo, Amazon, eBay, Buy.com, Schwab and many of the others have formed a consortium, The DDoS (Distributed Denial of Service) Working Group. "It's imperative that we in the industry take these attacks seriously," says Henry Teng of KPMG, who is the group chairman. The consortium aims to define what is needed to provide early-warning signs of security breaches and to promote industry-wide communication about denial-of-service attacks across the Web. Teng says that he urges retailers who wish to join the group to contact him at KPMG.
"This is an industry problem," says Allen Yousefi, who joined Information Security at eBay soon after the group's first meeting. "It's not just a problem for eBay or Yahoo! or Amazon. We're big names, so we get the attention. eBay has long recognized the best way to combat cybercrime, whether it's fraud or hacking, is by working cooperatively with law enforcement authorities, industry leaders and the multimillion member eBay community."
John Zent, manager of risk management at Yahoo, says, "Yahoo is very pleased to be a part of this working group. As an industry leader and as a company affected by last year's denial-of-service attack, we felt it was important for us to participate and share our key DDoS learning and insights with other Internet companies."
The DDoS Working Group has teamed up with security companies like New Jersey-based Niksun to develop network analysis test tools that spot trouble and alert administrators. Niksun has already designed several solutions currently used by companies in the financial and e-retailing industries. One tool, NetDetector, is used for security forensics to analyze recorded traffic data and issue an alarm about possible network hacking. Another tool, called NetVCR, can monitor quality of service in networks and Web servers.
The widely publicized distributed denial-of-service attack last year demonstrated how vulnerable a firewall can be. The culprits simply flooded Yahoo's network with so many requests that it effectively shut down the network, firewall intact.
Security experts say that it's not the firewall that fails, but rather the person who's watching it. The defense, they say, is to set up software "sentries" that detect and respond to threats and hacks on company networks that interact with the outside world, and to update firewall software when bug patches come out.
Experts also recommend hiring a third party to monitor firewalls, Web servers and company networks. Outsourcers can maintain security operations centers—such as Niksun for the DDoS consortium—that watch multiple points across customers' networks for possible breakdowns, break-ins and hacks. Another preventive measure, where the firewall must let outside visitors reach the company's Web site, is to configure it to admit only HTTP, or some other minimum set of traffic. And, of course, there's always firewall insurance.
Although some of the biggest security threats to your company can come from outside, internal threats can be just as dangerous. Ill-willed employees can corrupt or destroy computer systems by planting viruses in the network, exploiting bugs in software code or installing unapproved hardware or software with disastrous results.
Last October, mere hours after Spinrecords.com announced major layoffs, hackers suspected of being former or current employees broke into the San Diego online music seller's Web site. The intruders hung a "going-out-of-business sale" banner on the site and posted a warning urging customers not to buy CDs there.
Some companies have implemented policies to defend against these internal threats, including creating and publicizing company-wide security measures, limiting employee access to computer systems to the lowest level necessary, and requiring employees to use IDs. Additionally, experts recommend pre-configuring browsers to limit what employees can do, reminding employees to log off PCs when they leave their desks, and installing lockout screensavers so people can't access machines that are not theirs. Many also suggest spreading responsibility for networks and security protocols among multiple workers, so one person can't knowingly or accidentally do significant damage.
Hacking is no longer limited to the desktop Web, having infiltrated mobile commerce as well. Indeed, for m-commerce to reach $37 billion by 2004, as predicted, the industry must solve some basic security problems, assuaging fears about conducting business through the air. Over 70% of U.S. and Canadian wireless users say they are concerned about security when it comes to mobile devices, according to a recent study by Ipsos-Reid.
For example, if you use a mobile phone capable of receiving simple messaging, you need to look out for SMS messages hiding nefarious instructions. Japanese phone users got an SMS message that ordered phones to dial 911, potentially tying up emergency services.
Amid all the worry comes a host of new products aimed at plugging the leaks and bolstering the trust between wireless buyer and seller. For example, OpenWave Systems (a joint venture of Phone.com and Software.com) recently released its secure enterprise proxy server, which addresses data left unencrypted while passing through a WAP (wireless application protocol) gateway. Although the data is left in the clear for only 1/1000th of a second, that's enough time to give security-conscious banks pause.
Phones will also receive a security upgrade. The newest version (1.3) of the WAP microbrowser will include a wireless identity module that can store a digital signature. Additionally, OpenWave Systems will support highly secure smart cards in the next version of its WAP microbrowser, and phone makers Motorola, Nokia and Ericsson are set to produce smart card phones this year.