Living on borrowed time
Sooner or later, every business that participates in e-commerce will
have to deal with a hacker attack--or attempted attack--on its Web site.
By Patrick Courreges
Business Report staff
Companies expanding onto the Internet are potentially exposing
both their own and their customers' confidential information
to malicious forces out to exploit them for fun and profit.
However, a bit of prevention can be worth a megabyte of cure.
Effective security measures against hackers and "e-thieves"
are readily available, yet local Web consultants still wonder
why businesses often have better security for their office
supply lockers than for their Web servers.
Most businesses could benefit right now from a simple electronic
firewall product or by changing their administrative passwords
to something not easily guessed, said John Nastasi, director
of technical services for Redstick Internet Services.
Companies often overlook Internet security based on an "it
won't happen to me" philosophy until an actual hacker attack
or intrusion attempt, he said.
Though the danger is greater for larger companies with higher
public profiles and dependence on e-commerce, even the smallest
business with an Internet presence is at some risk, said Peter
Sygula, president of NetShapers Inc.
"If you're a businessman and you're doing business on the
Internet, you need security," he said. "People have a million
and one excuses for not doing it."
Web site security affects not only a company's own proprietary
information, but also customer data, such as credit card numbers,
said John Crawford, CEO of BizBayou. Crawford recommends that
companies doing e-commerce keep customer profile and credit
card information off the Web site database. "There's a completely
separate network for that and it should be segmented," he
said.
Any company running its business through a Web site should
get a digital certificate, an encryption system that works
as a sort of digital key to a company's database, Crawford
said. Digital certificates come in varying levels of encryption,
but give Web sites solid front-line security for transactions
and information transfers, he said. "You really need a digital
certificate or you're broadcasting that information to everyone."
Companies that hire Internet service providers to host their
sites need to investigate the ISP's server setup and make
sure they are not lumped in with too many other companies
on a single encryption certificate, he added.
Furthermore, businesses need to not only secure their own
and their customers' information, but also be able to demonstrate
and explain their security measures to customers, Crawford
said. That's because trust is paramount in a marketplace where
the jury is still out for customers and companies alike.
"If you can't establish trust, you can't make the sale," Crawford
emphasized. "You've got to trust who you're giving your credit
card to."
Nastasi said Web-based companies must also give thought to
how their information is communicated to and from their servers.
The best safeguards put in place to ensure that a malicious
user cannot gain access to or download a database can be circumvented
if credit card information is being transmitted to merchants
by unsecured e-mail, he said.
Not every knot-head with access to a mouse has the talent
or desire to find a way into unsecured systems, but enough
bright people with bad intentions prowl the electronic streets
to keep Web security designers constantly hopping. Some of
these marauders are simple joyriders with a mean streak who
intend more mischief than harm--often known as "script kiddies,"
Sygula said.
A favorite trick of both the serious hacker and the script
kiddie is a port scan, whereby the user cruises the Internet
randomly, looking for a site with its electronic door unlocked,
he said. "It's like driving through a neighborhood and seeing
who's home, who's not, who's got security, who doesn't," Sygula
said.
Web site attacks, apart from intrusions seeking data to lift,
take three basic forms: defacements, hijacking and denial
of service, he said.
Defacements are basically Internet graffiti and are rarely
seen except as pranks by disgruntled employees or script kiddies,
Sygula said. Defacements can do some public relations damage
to a company whose Web presence is in the public eye, but
are usually just nuisances.
"They'll do it more as a stunt, an underwear up the flagpole
kind of deal," Sygula said.
Hijacking is a more serious attack, in which a hacker redirects
all of a site's traffic, or just a selected amount, to a site
of the hacker's choosing.
"A network administrator will think everything's hunky-dory
while the site is being siphoned off," Sygula said. Hijacking
is not too difficult to track, but, if a hacker picks a site
carefully and does not redirect traffic too obviously, the
process can be a moneymaker, he said. "If you could get Excite
for 15 minutes, you could make $10,000, just on pass-through
advertising."
Denial-of-service attacks are the most difficult to defend
against, and they are as likely to hurt a small company as
a large one. "They're spreading like wildfire," Sygula noted.
"Denial-of-service attacks are almost the worst thing that
could happen. The way denial of service works is the Web server
is flooded with fake requests that it tries to answer."
A Web site's functions can slow to a crawl, or the site may
crash--a potential disaster for a market player advertising
24-7 service.
"Right now, they're called distributed denial-of-service attacks,"
Sygula said. "The attacks are not coming from the hacker himself;
they're coming from all these servers he's already compromised."
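The two behaviors Sygula describes above, a port scan (one host trying many doors in quick succession) and a denial-of-service flood (one source hammering the Web server with requests), leave a recognizable footprint in a server's connection log. As an added illustration, not code from the article or from any of the firms it quotes, the script below reads a constructed connection log and flags sources that fit either pattern. The log format (timestamp, source address, destination port), the sample addresses and the thresholds are all assumptions made for this example.

```python
"""Flag scan-like and flood-like sources in a simple connection log.

Constructed example: the log layout, the sample lines and the thresholds
below are assumptions for illustration, not any real server's format.
Each log line is: <unix_timestamp> <source_ip> <destination_port>
"""
from collections import defaultdict

# Constructed sample: 203.0.113.5 probes eight different ports in four
# seconds (scan-like), 198.51.100.9 sends twelve requests to port 80 in two
# seconds (flood-like), and 192.0.2.44 is ordinary traffic.
SAMPLE_LOG = """\
1000 203.0.113.5 21
1000 203.0.113.5 22
1001 203.0.113.5 23
1001 203.0.113.5 25
1002 203.0.113.5 80
1002 203.0.113.5 110
1003 203.0.113.5 143
1003 203.0.113.5 443
1000 198.51.100.9 80
1000 198.51.100.9 80
1000 198.51.100.9 80
1000 198.51.100.9 80
1000 198.51.100.9 80
1000 198.51.100.9 80
1001 198.51.100.9 80
1001 198.51.100.9 80
1001 198.51.100.9 80
1001 198.51.100.9 80
1001 198.51.100.9 80
1001 198.51.100.9 80
1000 192.0.2.44 80
1005 192.0.2.44 443
"""


def parse_log(text):
    """Parse log text into (timestamp, source, port) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return events


def find_suspects(events, window=5, scan_ports=6, flood_hits=10):
    """Return {source: set_of_labels} for sources that look like a scan or a flood.

    A source is labelled 'scan' if it touches at least `scan_ports` distinct
    ports within any `window`-second span, and 'flood' if it produces at least
    `flood_hits` connections within any such span. Thresholds are assumptions.
    """
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    suspects = {}
    for src, hits in by_src.items():
        hits.sort()  # sliding window needs time order
        labels = set()
        for i, (t0, _) in enumerate(hits):
            in_window = []
            for t, p in hits[i:]:
                if t - t0 >= window:
                    break
                in_window.append(p)
            if len(set(in_window)) >= scan_ports:
                labels.add("scan")
            if len(in_window) >= flood_hits:
                labels.add("flood")
        if labels:
            suspects[src] = labels
    return suspects


def report(text):
    """One human-readable line per flagged source."""
    suspects = find_suspects(parse_log(text))
    return [f"{src}: {', '.join(sorted(labels))}" for src, labels in sorted(suspects.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the constructed sample this flags 198.51.100.9 as a flood source and 203.0.113.5 as a scanner, and says nothing about 192.0.2.44. The thresholds are deliberately simple; on a real server they would be tuned to normal traffic, and a distributed attack of the kind Sygula goes on to describe would show up as many sources each staying under the per-source limit, which is why the aggregate request rate also needs watching.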
NetShapers recently fended off six denial-of-service attacks
on a Louisiana customer in the space of one week, with "hacked"
servers from California, New York, Virginia and Croatia attempting
to bog down the customer's site.
"It was one of the strongest attacks of my career," Sygula
said.
Nastasi said new ways of exploiting Web servers are cropping
up on a daily basis, from hacker attacks to viruses to intrusion,
and ignorance of the hazards is the greatest danger to would-be
e-businesses. Internet security should not be approached as
a one-time investment, but as an ongoing initiative, he said.
And every company on the Web, sooner or later, will at least
get a look, if not an attack, from some kind of e-thug, Sygula
said.
"The truth is hackers are out there, just like viruses," he
said.