Information Security News mailing list archives

How Companies Can Enhance Web Security


From: William Knowles <wk () C4I ORG>
Date: Tue, 14 Nov 2000 02:26:54 -0600

http://www.computerworld.com/cwi/story/0,1199,NAV47-68_STO53952,00.html

By DAN VERTON
November 13, 2000

With the peak online holiday buying season just around the corner,
Internet security experts are urging U.S. companies to enhance their
security posture in light of recent threats made by hacker groups in
the Middle East to launch an electronic holy war against companies
with ties to Israel.

"Most companies are spending less than 3% of their budgets on
security," said Richard Hunter, managing vice president for e-metrics
consulting at Stamford, Conn.-based Gartner Group Inc. "They are
getting lucky. Any hacker with a screwdriver can knock them over. The
lessons that have been learned so far have not been learned by a
critical mass of the potential victims."

And those lessons, according to a recent Gartner study on the Middle
East hacker threat, are many. "When a potential threat has been
identified, standard enterprise security measures should be
complemented by increased firewall analysis, intrusion detection and
detailed inspection of site usage logs," said the study.
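The "detailed inspection of site usage logs" the study calls for is a concrete, scriptable task. The following is an added example, not code from the article or from Gartner: it parses Common Log Format lines from a web server and flags clients that either hit well-known probe paths (directory traversal, overlong-UTF-8 traversal, commonly scanned CGIs) or generate an unusually high share of error responses. The sample log lines, the documentation-range IP addresses, the signature list, and the thresholds are all constructed for illustration.

```python
"""Flag suspicious clients in web server access logs (Common Log Format)."""
import re
from collections import defaultdict

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2000:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [13/Nov/2000:10:00:02 -0500] "GET /catalog/shoes HTTP/1.0" 200 5120
198.51.100.7 - - [13/Nov/2000:10:00:03 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312
198.51.100.7 - - [13/Nov/2000:10:00:03 -0500] "GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 404 312
198.51.100.7 - - [13/Nov/2000:10:00:04 -0500] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 312
198.51.100.7 - - [13/Nov/2000:10:00:04 -0500] "GET /msadc/msadcs.dll HTTP/1.0" 500 0
203.0.113.9 - - [13/Nov/2000:10:00:05 -0500] "POST /checkout HTTP/1.0" 200 812
"""

# One Common Log Format record: client, ident, user, [time] "request" status size.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request patterns that are almost never legitimate on a storefront
# (assumed signature list; extend it for your own platform).
PROBE_SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./",              # plain directory traversal
    r"%c0%af|%c1%1c",      # overlong UTF-8 encodings of "/" and "\"
    r"/etc/passwd",        # file-disclosure attempts
    r"cmd\.exe",           # command execution via the web server
    r"/cgi-bin/phf",       # historically abused CGI
    r"msadcs\.dll",        # historically abused data-access component
)]


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, min_requests=3, error_ratio=0.5):
    """Return {client: stats} for clients that probed known paths or
    produced mostly error responses over at least min_requests requests."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "probes": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or foreign line; skipped, not trusted
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        if any(sig.search(rec["path"]) for sig in PROBE_SIGNATURES):
            s["probes"].append(rec["path"])

    flagged = {}
    for client, s in stats.items():
        noisy = (s["requests"] >= min_requests
                 and s["errors"] / s["requests"] >= error_ratio)
        if s["probes"] or noisy:
            flagged[client] = dict(s)
    return flagged


if __name__ == "__main__":
    for client, s in analyze(SAMPLE_LOG).items():
        print(client, s["requests"], "requests,", s["errors"], "errors")
        for path in s["probes"]:
            print("   probe:", path)
```

Run against the sample, only 198.51.100.7 is reported: four requests, all errors, three of them matching a probe signature. The error-ratio rule catches scanners whose paths are not on the signature list (the `_vti_bin` request above contributes to the error count even though no signature matches it), which is why both checks are kept.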

Internet service providers and server hosting companies also must have
the processes in place to quickly detect and react to
denial-of-service attacks.

Commonsense steps that companies can take to enhance their security
include reviewing corporate relationships, such as banking
arrangements, to see if there are any links that might make them
potential targets, said John Pescatore, research director for Internet
security at Gartner.

In addition, although disconnecting entirely from the Internet isn't a
practical option, "you certainly need to be reviewing your intrusion
detection logs more frequently, conduct penetration testing against
yourself and check your Web servers more frequently to see if they
have been manipulated," said Pescatore.
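Checking "to see if they have been manipulated" is most reliable when a hash baseline of the document root is taken while the site is known-good and then compared against the live content on a schedule. The following is an added example, not code from the article or from Gartner: it builds a SHA-256 baseline of every file under a document root, compares a later walk against it, and reports modified, added and removed files. The `demo()` function stages a constructed three-page site in a temporary directory, simulates a defacement (home page overwritten, an unexpected script added, an image deleted) and returns the comparison; the file names and contents are illustrative only.

```python
"""Detect manipulated web content by comparing a document root
against a stored SHA-256 baseline."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a regular file; a symlink is hashed by its target name
    so that swapping a page for a symlink still shows up as a change."""
    if os.path.islink(path):
        return hashlib.sha256(("symlink:" + os.readlink(path)).encode()).hexdigest()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(docroot):
    """Map relative path (forward slashes) -> digest for every file under docroot."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Diff two baselines; empty lists everywhere means nothing changed."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small site, deface it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        pages = {
            "index.html": b"<h1>Welcome</h1>",
            "catalog/shoes.html": b"<p>Shoes</p>",
            "images/logo.gif": b"GIF89a...",
        }
        for rel, body in pages.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulated defacement (constructed): home page replaced, an unknown
        # script dropped into a new directory, an image removed.
        with open(os.path.join(root, "index.html"), "wb") as f:
            f.write(b"<h1>Hacked</h1>")
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "x.cgi"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "images", "logo.gif"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":", ", ".join(paths) or "(none)")
```

Two operational points follow from how the check works. The baseline must be stored and the comparison run from somewhere the web server cannot write, otherwise whoever can edit the pages can edit the baseline to match. And a legitimate content push changes hashes too, so the baseline is regenerated as the last step of each authorized deployment; any difference outside that window is the signal Pescatore is asking companies to look for.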

The design of a company's e-commerce network also plays a role in
creating an active defense against hackers, said Allan Paller,
director of research at the SANS Institute, a security research
organization in Bethesda, Md. "Once the attack has been identified,
effective network controls can sometimes allow some business to
continue instead of just falling over dead," said Paller.

In addition, Paller urges the use of strong encryption to protect
customer information. "Reputation destruction comes from loss of
important personal data belonging to clients," said Paller.
"Encryption of all such information is really important."

Steve Wilson, president of Wilson Group Communications Inc., a
Columbus, Ohio-based crisis-management firm, added that companies also
must think proactively about the hours and days after an attack has
occurred.

For example, when the Love Bug virus brought down several major
e-commerce sites earlier this year, "too many companies were not prepared
at all for anything like that, and as a result, they just didn't have
anything to tell their customers," said Wilson. "You need to tell
people something."

And, if necessary, companies need to be prepared to make concessions
to customers, such as extending special pricing to make up for people
not being able to use their site, Wilson said.

But being honest with your customers goes only so far. Companies must
also be willing to share information with the industry at large and
with federal law enforcement agencies, said Wilson. Unfortunately,
many companies are unwilling to do so because of the fear that the
news will put them out of business.

"Companies have an obligation within reason to share that information
with other companies so that they can avoid it," said Wilson. "There's
too much at risk to the economy for companies to hold this
information. If Microsoft can admit it, anybody can."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".