Is it all the fault of hackers?

Global Sources, updated on 2023/12/01

Not long ago, about 1 million credit card numbers were stolen from more than 40 electronic banking and e-commerce sites. It has been called the largest organized Internet crime attack ever. Even though firewalls and other security infrastructure were deployed on all 40 sites, that did not help.

Similarly, there have been many recent cases of website defacement, denial of service, and Internet worms, and the attacked sites were also equipped with security technology.

Who is to blame for these attacks? "Server administrators and their managers should have the primary responsibility," said Stephen Northcutt, director of the Global Incident Analysis Center. "If they don't do the bare minimum to keep the system secure, it will make it easier for attackers to succeed, and things will get worse."

The security risk is from the inside

The myth of the hacker genius who devises an ingenious way to break into an Internet site is little more than a collection of sensational stories. Most of the high-profile breaches in recent years have been caused by system administrators lacking the skills or resources to close known security holes.

"Security and IT resource planning have not received the attention they deserve, which exposes businesses to internal and external risks," said Andy Evans, senior security engineer at Ecora, a maker of IT documentation tools.

Basic front-line business decisions, such as resource allocation and administrator training, have replaced purely technical decisions as the cure for security ills. It is not enough to deploy firewalls, intrusion detection systems and antivirus filters. Enterprises must make security policy and management part of their day-to-day routine, and that routine must involve users.

Too few companies are training their employees in secure everyday computer use, Northcutt said. A lack of vigilance by employees is often the reason new viruses and worms spread.

"Cybersecurity is a problem not because these things are too complicated, but because people think they are too complicated," said Mike Corby of Netigy, which provides network security and performance consulting services to multinational corporations. "As long as people apply awareness and people-centred skills as they do in other areas of business, security issues can be addressed. Security issues should be treated like other business drivers."

Security as a marketing opportunity

Over the past four years, Mike Bryant has seen a major shift in security policy. "In the past, security was a purely technical issue dismissed by top management; now, a good security record can be a powerful marketing opportunity," he said.

Recently, Visa has run advertisements guaranteeing that the confidentiality of customers' personal data will be maintained. This shows that marketing with security as a selling point has taken hold among consumers. Consumers care about corporate attitudes toward cybersecurity, and many companies are beginning to realize that security is a competitive marketing issue for both business partners and the public.

To demonstrate that security is at stake, Visa USA requires merchants to adhere to a comprehensive set of security regulations that form part of the "Visa Cardholder Information Security Program" (see sidebar: "Visa Cardholder Information Security Program" company information security regulations). These regulations include obvious security steps, such as implementing firewalls, as well as longer-term goals, such as encrypting stored credit card data and data sent over the network, and checking systems and processes on a daily basis. Unsurprisingly, the 12 guidelines give nearly equal consideration to technology and corporate security policy.

"These regulations are part of a process designed to improve compliance and safety," said Jean Bruesewitz, senior vice president, Advanced Risk Solutions, Visa, Inc.

Security requires ongoing maintenance

Security is not cheap, and the total cost of having security is not primarily infrastructure.

"The real expense is the ongoing maintenance and upgrades. Compared to the ongoing cost of the business, the cost of acquiring the technology is small," Mike Bryant said. Security consultant Jason Fossen agrees, advising security administrators to subscribe to mailing lists to stay informed of the latest security alerts and patches.

Weekly, sometimes daily, reports of denial-of-service attacks, server software vulnerabilities, and Internet service problems make it difficult for information security managers to determine how critical a given vulnerability is to a particular site. New cost considerations arise when security gaps and the problems that need to be addressed must be prioritized. According to Cisco Secure Consulting's annual "Security Vulnerability Report," assessing and mitigating risk based on cost is an information security manager's top priority. Mike Fuhrman, Cisco's manager of security consulting, said: "When we complete a technical vulnerability assessment of a corporate website and list more than 100 vulnerabilities, the first thing customers ask is, 'Can you help us understand which one to deal with first?'"

There are several Internet databases that document security vulnerabilities, but Cisco's "Security Encyclopedia" is one that actually helps security personnel prioritize potential problems. This free service is a database that helps consultants and security experts rank vulnerabilities by associating security concerns with specific industries.

Distinguish internal and external vulnerabilities

One of the top reasons hackers have successfully breached security systems in recent times is that companies do not have the time and resources to patch their security infrastructure. Tools can play an important role in helping businesses decide how best to allocate resources and which vulnerabilities to patch first.

To help decision-makers prioritize the vulnerabilities it catalogs, the encyclopedia draws on Cisco's own database, which contains data compiled over three years of vulnerability testing on client websites. To determine the severity of a vulnerability, the encyclopedia distinguishes between internal and external vulnerabilities.

Internal vulnerabilities cannot be attacked directly from the Internet, while external vulnerabilities can. For example, a network file system may be vulnerable when tested on an internal corporate network, but generally cannot be reached from outside the firewall. External vulnerabilities are exposed to direct attack from outside the enterprise; internal vulnerabilities can still be exploited by employees or by an external attacker who has already gained a foothold.
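The internal/external distinction above can be applied mechanically when triaging a scan report: decide for each finding whether the affected service is reachable from the Internet under the perimeter firewall policy, then rank equally severe findings by exposure. The following is an added example, not code from the article or from Cisco's Security Encyclopedia; the findings, the firewall policy and the scoring weights are all constructed for illustration.

```python
"""Exposure-aware vulnerability triage (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed perimeter policy: (destination network, TCP port) pairs that the
# firewall allows from the Internet. Everything else is internal-only.
INTERNET_ALLOW = [
    ("203.0.113.0/24", 443),  # public web servers
    ("203.0.113.0/24", 25),   # inbound mail relay
]


@dataclass
class Finding:
    host: str
    port: int
    title: str
    severity: int  # 1 (low) .. 5 (critical), as reported by the scanner


def externally_reachable(host, port, policy=INTERNET_ALLOW):
    """True if the firewall lets Internet traffic reach host:port."""
    ip = ip_address(host)
    return any(ip in ip_network(net) and port == p for net, p in policy)


def exposure(finding, policy=INTERNET_ALLOW):
    return "external" if externally_reachable(finding.host, finding.port, policy) else "internal"


def priority(finding, policy=INTERNET_ALLOW):
    # Illustrative weights: an externally reachable flaw is open to anyone on the
    # Internet, so it outranks an equally severe internal-only flaw, which still
    # matters for insiders or an attacker who already has a foothold.
    weight = 2.0 if exposure(finding, policy) == "external" else 1.0
    return finding.severity * weight


def triage(findings, policy=INTERNET_ALLOW):
    """Return findings ordered from most to least urgent (stable for ties)."""
    return sorted(findings, key=lambda f: priority(f, policy), reverse=True)


# Constructed scan results: an NFS export on the internal LAN, two services on
# a public host, and a database with default credentials on the internal LAN.
SAMPLE_FINDINGS = [
    Finding("10.0.5.20", 2049, "NFS export writable by any host", 5),
    Finding("203.0.113.10", 443, "Web server discloses stack traces", 3),
    Finding("203.0.113.10", 25, "Mail relay accepts unauthenticated relaying", 4),
    Finding("10.0.5.21", 1433, "Database uses default credentials", 5),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority(f):4.1f} {exposure(f):8} {f.host}:{f.port} {f.title}")
```

With these weights the Internet-facing mail relay ranks first even though the two internal findings carry the higher raw severity, which is exactly the reordering the article says consultants struggle to make without knowing the client's exposure.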

The Cisco Security Encyclopedia came about because Cisco consultants found that, while they could identify vulnerabilities on customers' websites, they were often unable to determine which vulnerabilities mattered most to those customers.

"Unless the consultant is with the client for a long time, it's impossible for an outside consultant to come in and understand the client's business process," said Fuhrman. "We bring up what we think is the most serious security breach, but these are not necessarily the same as what the client thinks. What matters most is consistency."

Which vulnerabilities to prioritize

There are many grounds for prioritization, but one that should not be overlooked is marketing. Security is playing an increasingly important role in both the business-to-business and consumer services markets.

When a business contracts a computer security expert to investigate vulnerabilities in its information systems, it opens all of its information resources to that expert. But how capable are these security experts?

Perhaps the most important consideration when companies engage security professionals is that they should have a bit of common sense: don't just follow the crowd. Just because someone says something can be done doesn't mean it can or can't be done. A true expert should be credible and able to back up conclusions in a written report.

But be aware that even the best computer security experts may be reluctant to tell you how their conclusions were corroborated -- security experts have their own secrets. Regardless, every system vulnerability discovered should be accompanied by a comprehensive assessment and a set of countermeasures. It is easier to break something than to fix it. Hackers may know how to break into a network, but they can do nothing to clean up the mess.

Businesses are finding that they need to keep pace with their competitors in order to inspire customer confidence. A business may therefore focus on fixing problems in a particular service or set of services used by customers, such as communication with its business partners, even though statistically other areas of the infrastructure have more serious problems. This awareness and continued commitment to security is exactly what businesses need, and what their customers demand.

Originally reprinted from the April 23, 2001 issue of Information Week magazine with permission. Its subsidiary company, CMP Media LLC, registers the copyright. Translated by Lian Qingsong.