Information Security News mailing list archives

Hackers' invitation to hit system links


From: InfoSec News <isn () C4I ORG>
Date: Mon, 11 Sep 2000 01:30:30 -0500

http://www.afr.com.au/information/20000911/A57799-2000Sep10.html

Monday, September 11, 2000

By Helene Zampetakis

Australia's top companies are inviting hardened technophiles to attack
their inner sanctum in a bid to appraise their weak links in what is
emerging as the hard-nosed new approach to risk management.

Far from being an expression of masochism, the strategy aims to test
on the ground the stability and robustness of the corporate
information system.

Over the past year, companies such as Computer Associates, Ernst &
Young and Compuware have begun setting up dedicated teams that focus
on bringing down the system to assess how to secure it.

Computer Associates has a unit that it estimates can hack into a
corporate system within an hour.

Ernst & Young has established an attack and penetration team
comprising 115 people with hacker skills across Australia that goes
all out to break into clients' security systems, while Compuware has
an internet testing centre that can bombard a website with hits to
assess its breaking point.

The growth of these services comes at a time when the failure of the
corporate extranet can cause far-reaching financial damage and cost
organisations heavily in terms of lost business opportunities.

Last month Impulse's website crashed when it was bombarded with an
unexpected number of hits from prospective passengers on the day of
its launch.

At that time, Ansett Airlines experienced a rush in visits to its own
internet site, but was unaware of why hits had peaked then.

An Ansett insider last week said that Ansett was now planning to
measure the peaks in its website activity to track and exploit
patterns.

According to the vice-president for Compuware Asia/Pacific, Mr John
Debrincat, an enormous opportunity exists for companies to capture
market share as a result of their competitors' failure.

Compuware runs a testing centre that measures load capacity and has
undertaken jobs for companies such as AMP, Coles Myer and Westpac.

Mr Debrincat said that nine out of 10 of Australia's top 20 companies
that had run a web checking tool against their site had discovered
gaping holes in their capacity.

Compuware's international product line sales manager, Mr Dan
Martinson, noted that more than 50 per cent of sites tested globally
had significant room for improvement.

The No1 exposure is that they haven't considered peak bandwidth and
the impact on available response time.

Mr Debrincat said: "The internet testing application is one of our
most rapidly growing parts of the business because there are not
enough resources focusing on the testing of internet applications
globally. It's such a huge area that I don't even know where it will
end up."

At Ernst & Young, demand for security testing services has surged over
the past two years to a point that the company now has 115 employees
with hacking competencies serving this market where there were none
two years ago.

The unit mimics the actions of a hacker to break into a system using
techniques such as social engineering (posing as a bona fide employee
or help desk caller) and gathering information on the corporation.

Ernst & Young's national director for e-security solutions, Mr Bruce
Young, said one of his main concerns was that known vulnerabilities
undermined systems in more than 80 per cent of attack and penetration
assignments.

However, short of unplugging the computer from the internet, no
organisation could feel completely safe.

It was a matter of risk mitigation, Mr Young said.

ISN is hosted by SecurityFocus.com