The following article was written by Karyn Murphy.
E-commerce threats abound, but you can apply these practical security tactics and solutions to ward off the Internet goblins.
Rarely a month goes by without some form of e-commerce breach making the news:
A hack at CardSystems, a credit card processor, exposes 40 million credit card numbers.
A Fidelity Investments laptop—containing information about 196,000 Hewlett-Packard employees—is stolen from a rental car.
Counterfeit "phishing" messages purporting to be from PayPal and other financial institutions try to trick recipients into divulging sensitive information.
The databases behind your business are virtual goldmines that need to be protected.
Often it's the large businesses with innumerable spoils that draw the most attention, but midsize companies have to assume that they, too, are at risk. CardSystems, a 100-person credit card processing company, learned that the hard way, after it was pushed to the brink of bankruptcy and ultimately was bought out by another company.
Which security threats should you be most concerned about? The 2005 CSI/FBI Computer Crime and Security Survey, which polled 700 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, reports that viruses continue to be the source of greatest total loss, with unauthorized access and the theft of proprietary information coming close behind. Not surprisingly, Web site incidents, such as Web site defacement, have increased dramatically, and the volume of unwanted e-mail suggests that spam and phishing are on the rise. Laptop theft, while down compared to previous years, was reported by about half of all respondents.
As scary as those threats are, it's the after-effects that should strike fear in every midsize company. "The true threat to e-commerce is collapse of consumer confidence," says Bill Ashley, CEO of Allied National Inc., a 100-employee insurance administrator that uses an online storefront for sales and plan enrollment. "If the consumer believes that e-commerce transactions are not secure—even if this is from a false impression—business will be significantly impacted."
Bob Hayes, executive director for the CSO Executive Council, an organization of security executives dedicated to furthering strategic security solutions, observes that midsize companies have the same security issues as large companies, "but they don't have the same resources." He advises developing security standards, identifying metrics and implementing tactics to mitigate risks, focusing on the most vulnerable, costly areas.
You also need to look at what data is being collected, used, transmitted and stored, asserts Johannes Ullrich, chief research officer at The SANS Institute, the largest source for information security training and certification in the world. "Data is a liability," he says. "If you don't need it, don't keep it." Does your sales rep really need the entire customer database on his laptop, or can he get his job done with just one file?
Of course, your Web site is a point of vulnerability, and every feature you offer is a potential hole, so keep it simple. You need to assume that every application in your infrastructure—from enterprise resource planning (ERP) to customer relationship management (CRM)—will be exposed to the Internet, warns Bob LaGarde, founder and CEO of LaGarde–StoreFront. Those systems were likely developed without the Internet in mind and are thus less secure than you might expect, he says.
Strategy aside, you still need to protect your company against specific attacks, and there is a wide variety of tools to choose from.
Viruses, Spam and Phishing
It's no wonder that e-mail has become a prime target of misuse. Fortunately, the CSI/FBI study shows that 96 percent of the respondents use antivirus software. Iperia, a midsize provider of Internet Protocol-based messaging technology, has installed antivirus and antispam products configured to automatically update software, taking the onus off users, says Art Leondires, COO and executive vice president. You can also use Intel Corp.'s Execute Disable Bit to prevent malicious worms from inserting code in the buffer. And to protect against corporate phishing, MessageGate Inc.'s Email Filtering provides content analysis to weed out attacks. As for services, Microsoft® Exchange Hosted Services provide hosted e-mail security, compliance and availability, while Verisign offers anti-phishing services.
Network Defense
The databases behind your business are virtual goldmines. Direct access to databases where millions of records can be stolen is a much bigger concern than phishing, which only captures one ID at a time, says Allied National's Ashley. With this in mind, the Payment Card Industry (PCI) Data Security Standard requires merchant members to use firewalls, data encryption and access control, among other things, to help prevent the theft of credit card information.
According to the CSI/FBI survey, 97 percent of respondents use firewalls. But don't stop with the corporate network. You can get personal firewalls from the likes of Symantec and McAfee, among others, for telecommuters and small remote offices. You might also consider Microsoft's security gateway, ISA (Internet Security and Acceleration) Server, which provides a unified firewall and virtual private network (VPN).
Many companies use some form of access control. Server-based access control restricts which users get access to what data. Identity management takes it to a higher level, controlling the access privileges for all your users, from employees and partners to customers.
Authentication is another ballgame. Observers recommend that companies look to strengthen password requirements. Iperia, for example, mandates eight-character passwords that change every 120 days, combined with complexity requirements (a mixture of uppercase, lowercase and alphanumeric characters). For secure remote access, Iperia uses secure HTTPS via the Web (limiting access to only certain IP addresses) and a password-protected VPN. For stronger authentication, companies like RSA Security offer one-time-use passwords generated by handheld security devices.
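The password rules attributed to Iperia above (eight characters, rotation every 120 days, a mix of uppercase, lowercase and digits) can be enforced in code at the point where a user sets or uses a password. The following is an added example in Go, not code from the article or from Iperia; the Policy type, its method names and the sample passwords are constructed for illustration, and the thresholds are the ones stated in the text.

```go
package main

import (
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Policy holds the two numeric rules the article attributes to Iperia: a
// minimum length and a maximum password age. The character-mix rule is
// fixed in CheckComplexity.
type Policy struct {
	MinLength int
	MaxAge    time.Duration
}

// IperiaPolicy: eight characters, rotated every 120 days (values from the article).
var IperiaPolicy = Policy{MinLength: 8, MaxAge: 120 * 24 * time.Hour}

// CheckComplexity returns one error per rule the candidate password violates,
// so the user sees every problem at once rather than one per attempt.
func (p Policy) CheckComplexity(pw string) []error {
	var problems []error
	if len([]rune(pw)) < p.MinLength {
		problems = append(problems, fmt.Errorf("shorter than %d characters", p.MinLength))
	}
	var hasUpper, hasLower, hasDigit bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasUpper {
		problems = append(problems, errors.New("no uppercase letter"))
	}
	if !hasLower {
		problems = append(problems, errors.New("no lowercase letter"))
	}
	if !hasDigit {
		problems = append(problems, errors.New("no digit"))
	}
	return problems
}

// Expired reports whether a password set at setAt has exceeded MaxAge as of now;
// the caller would force a change at the next login when this returns true.
func (p Policy) Expired(setAt, now time.Time) bool {
	return now.Sub(setAt) > p.MaxAge
}

func main() {
	// Constructed sample inputs: "Summer2006" passes, "password" fails two rules,
	// "Ab1" fails only on length.
	for _, pw := range []string{"Summer2006", "password", "Ab1"} {
		fmt.Printf("%-12s -> %v\n", pw, IperiaPolicy.CheckComplexity(pw))
	}
	set := time.Date(2006, time.January, 1, 0, 0, 0, 0, time.UTC)
	now := time.Date(2006, time.June, 15, 0, 0, 0, 0, time.UTC)
	fmt.Println("expired after 165 days:", IperiaPolicy.Expired(set, now))
}
```

Returning a slice of violations rather than a single boolean is deliberate: a help-desk or self-service page can show all failed rules together, which cuts the number of retries and the temptation to pick something trivially different.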
Laptop Protection
The theft of the Fidelity Investments laptop caused a new ripple of concern over the security of data stored on mobile devices—laptops, PDAs, Blackberries, phones, etc. File encryption—used by 46 percent of CSI/FBI respondents—is particularly important, and easier to do than one might think. IBM has unveiled chip-based encryption technology to lock PCs and mobile devices. Other defenses include Absolute Software's Computrace and CyberAngel Security Solutions Inc.'s CyberAngel Security Software, programs that track stolen laptops, and Everdream Corp.'s services that delete or encrypt files on stolen laptops.
Wireless Threats
Wireless LANs represent another access point for the mal-intentioned. You should develop strict policies around their use, prohibiting employees from installing their own equipment. To enforce these policies, Microsoft provides software asset management solutions to detect rogue appliances. For authorized equipment, be sure to enable WPA (Wi-Fi protected access) encryption to scramble network traffic. You can also control access, as Iperia does, with domain passwords and MAC addresses (unique identifiers), denying requests from unwanted clients. Senforce Technologies Inc. offers a suite of wireless security solutions, ranging from Wi-Fi connectivity control to endpoint integrity.
For any such security need, you can get as sophisticated as you like. But remember, the newest "killer app" isn't always the right answer. The CSO Executive Council's Hayes recalls a company that was eager to implement biometrics technology to secure facilities, only to find that employees had not bought into the concept and bypassed the system. "I'd take a diligent employee or lesser technology that is utilized 100 percent over that anytime," he says.
Thursday, June 15, 2006