Information Security News mailing list archives

Hack alert: Where's the outrage?


From: InfoSec News <isn () C4I ORG>
Date: Sat, 16 Sep 2000 14:52:03 -0500

http://www.zdnet.com/eweek/stories/general/0,11011,2628705,00.html

By Scott Berinato and Renee Boucher Ferguson, eWEEK
September 15, 2000 3:28 PM ET

If you're keeping score, here's the tally from this week: three
international Web sites hacked; two damning reports regarding Internet
privacy standards released; and one shocking statistic published,
claiming that nearly one-third of e-businesses don't even use
firewalls.

Taken together, these events paint a bleak picture of the state of
Internet privacy and security. And this time, experts are telling IT
managers that they have only themselves to blame because the primary
culprits are lax security practices and an unwillingness to spend
extra time and money upfront to secure their companies' Web sites.

In short, the rush to e-everything is catching up with companies in
the form of a growing security crisis.

"It's well past time for IT to look in the mirror," said Jeff Vickler,
CIO of Chicago-based Equity Residential Properties Trust, which owns
thousands of rental properties across the country. "You have to believe
in your gut that you're naked out there, but right now, companies think
their public servers are no different from their internal servers.
That's a mistake."

The recent hacks were serious: Western Union Financial Services Inc.
had the credit and debit card information of nearly 16,000 customers
compromised; hackers took personal data, including customer addresses
and phone numbers, from a database belonging to Ikea International
A/S, an international furniture company; and OPEC, the Organization of
Petroleum Exporting Countries, had its Web site defaced by someone
protesting high oil prices.

No big mystery

Experts say it's easy to understand why hacking crimes are increasing.

"The only thing that has been missing until now is the incentive to
hack," said security expert Avi Rubin, of AT&T Labs, in Murray Hill,
N.J. "Now, there's plenty of incentive, it's easier than ever, there's not
enough talent out there to combat it, and companies are more
interested in being on the Internet than being secure on the Internet."

In every case, the victimized company would not comment beyond
prepared statements that downplayed the situation or passed the buck.
Western Union, of Englewood, Colo., claimed no credit fraud had
occurred. An Ikea spokeswoman in Plymouth Meeting, Pa., said the
company relies on a third party for its Web presence.

It took OPEC, based in Vienna, Austria, almost a day to remove the
message a hacker put on its site's introduction page. The organization
is trying to trace the attacker, but a spokesman said the hacker hid
his or her tracks well.

Experts point to the Western Union and Ikea hacks as proof that
companies simply aren't disciplined enough with security practices.
Western Union's system was left vulnerable during maintenance; Ikea's
site was pried open on a holiday weekend when no one was monitoring
the system.

"Technology is not the problem; the technology is there," said Dan
Turissini, vice president of operations at Operational Research
Consultants, an Alexandria, Va., company that's building security
systems for the Navy, the Air Force and the state of Pennsylvania.
"Companies are very reluctant to spend a little more, work a little
harder and take a couple of extra steps upfront to ensure security
later on. Making sure you're not vulnerable during system maintenance
-- that's basic stuff. An upfront security assessment could have easily
prevented that."

Frightening figures

A study by Cutter Consortium, of Arlington, Mass., indicates
frighteningly low levels of expertise and investment in security.
Cutter, a division of Cutter Information Corp., found that 31 percent
of 134 global companies it polled don't even use firewalls, and the
level of expertise in basic security technologies is low.

As bad as this week was, Cutter analyst Ken Orr said he expects
security breaches to increase, not decrease. "The companies keep trying
to minimize [negative] information, and analysts say it won't be that
bad," Orr said. "Of course, it's going to be that bad. It's going to be
worse. And the coverup never helps."

What's more, experts say, the response from some in the IT community --
a rigid focus on firewalls as the method to prevent hacking and a
propensity to downplay the issue rather than deal with it head-on --
is indicative of why there is a problem in the first place.

For example, Deborah Rossi, executive vice president of business
Internet services at San Francisco-based Wells Fargo & Co., used the
Western Union hack as an opportunity to talk up the fact that Wells
Fargo has not been breached.

"Customers look to us as a trusted entity," Rossi said. When asked why
an attack couldn't happen at Wells Fargo, Rossi said, "We have multiple
firewalls, so that when we are doing maintenance on our site, we have
multiple servers and firewalls, so hackers can't get in."

AT&T's Rubin scoffs at such responses. "All it takes is one
misconfigured firewall; people have to realize you can't just throw up
a firewall and think you're safe," he said. Rubin did concede that
hacking your own systems, as Rossi said Wells Fargo does, is a good
measure to take but said firms should shy away from claims of being
hack-proof.

Having private data stolen is bad enough, but unauthorized exposure to
third parties is another growing problem. This week, a General
Accounting Office report stated that only 3 percent of government
sites' privacy policies met all Federal Trade Commission criteria for
adequate online privacy, and 15 percent of government sites evaluated
did not yet post privacy policies.

In addition, the Cutter report found that 47 percent of companies
polled did not have an adequate privacy policy online. Respondents
ranked privacy sixth out of eight factors that are important to
e-business.

Radical steps needed

As long as companies prize an Internet presence more than security and
the privacy of customers, there will be more weeks like this one.
Unless IT is willing to take radical steps, the situation will get
worse.

How radical? Some experts suggest that firms shut down their sites
until they can fully assess security and privacy measures. For
competitive reasons, that's not likely to happen. Rubin, for his part,
would like security vendors to stop marketing off other companies'
security woes and stop pouring money into marketing security
altogether.

"You can't differentiate their products or services, just their
marketing," he said, adding that he sees a need for an underwriters'
organization, much like Underwriters Laboratories Inc.

"You can't expect security and privacy to maintain itself," Turissini
said. "It needs care and feeding. It needs updating and maintenance and
some kind of human intervention. It needs money. I don't think people
understand that. They don't want to hear it."
