Security News > 2000 > November > How Companies Can Enhance Web Security
http://www.computerworld.com/cwi/story/0,1199,NAV47-68_STO53952,00.html By DAN VERTON November 13, 2000 With the peak online holiday buying season just around the corner, Internet security experts are urging U.S. companies to enhance their security posture in light of recent threats made by hacker groups in the Middle East to launch an electronic holy war against companies with ties to Israel. "Most companies are spending less than 3% of their budgets on security," said Richard Hunter, managing vice president for e-metrics consulting at Stamford, Conn.-based Gartner Group Inc. "They are getting lucky. Any hacker with a screwdriver can knock them over. The lessons that have been learned so far have not been learned by a critical mass of the potential victims." And those lessons, according to a recent Gartner study on the Middle East hacker threat, are many. "When a potential threat has been identified, standard enterprise security measures should be complemented by increased firewall analysis, intrusion detection and detailed inspection of site usage logs," said the study. Internet service providers and server hosting companies also must have the processes in place to quickly detect and react to denial-of-service attacks. Commonsense steps that companies can take to enhance their security include reviewing corporate relationships, such as banking arrangements, to see if there are any links that might make them potential targets, said John Pescatore, research director for Internet security at Gartner. In addition, although disconnecting entirely from the Internet isn't a practical option, "you certainly need to be reviewing your intrusion detection logs more frequently, conduct penetration testing against yourself and check your Web servers more frequently to see if they have been manipulated," said Pescatore. The design of a company's e-commerce network also plays a role in creating an active defense against hackers, said Allan Paller, director of research at the SANS Institute, a security research organization in Bethesda, Md. "Once the attack has been identified, effective network controls can sometimes allow some business to continue instead of just falling over dead," said Paller. In additon, Paller urges the use of strong encryption to protect customer information. "Reputation destruction comes from loss of important personal data belonging to clients," said Paller. "Encryption of all such information is really important." Steve Wilson, president of Wilson Group Communications Inc., a Columbus, Ohio-based crisis-management firm, added that companies also must think proactively about the hours and days after an attack has occurred. For example, when the Love Bug virus brought down several major e-commerce sites last year, "too many companies were not prepared at all for anything like that, and as a result, they just didn't have anything to tell their customers," said Wilson. "You need to tell people something." And, if necessary, companies need to be prepared to make concessions to customers, such as extending special pricing to make up for people not being able to use their site, Wilson said. But being honest with your customers goes only so far. Companies must also be willing to share information with the industry at large and with federal law enforcement agencies, said Wilson. Unfortunately, many companies are unwilling to do so because of the fear that the news will put them out of business. "Companies have an obligation within reason to share that information with other companies so that they can avoid it," said Wilson. "There's too much at risk to the economy for companies to hold this information. If Microsoft can admit it, anybody can." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
News URL
http://www.computerworld.com/cwi/story/0,1199,NAV47-68_STO53952,00.html