Retailers had barely regained their balance after a media blitz of negative publicity from several retail site break-ins that netted thieves more than 300,000 credit card numbers, when they were broadsided with a wave of denial of service attacks that toppled several major Web companies.
The incidents sent a booming wakeup call to e-retailers on just how vulnerable their sites are to intruders and called into question the Internet’s reliability as a secure network to store and exchange information.
While experts argue over the relative ease of breaching Web site security, the software that disrupts Web sites is easy to obtain on the Internet and can be downloaded for free. There also were conflicting reports that software from CyberCash was used by the cracker who broke into the CD Universe site to steal credit card numbers. CyberCash denies that its software was involved.
What’s more, experts maintain that these types of break-ins and attacks are more acts of vandalism and showmanship-crackers and hackers stroking their own egos-than actual burglaries. But online retailers aren’t impressed or amused, and there are signs these types of problems could get worse.
According to a survey by ICSA Inc., an Internet security company in Reston, Va., the number of companies falling victim to hackers or crackers increased by 92% between 1997 and 1998. That number is expected to rise, and as cyber criminals get bolder, many attacks could turn from mere inconveniences to potentially crippling events.
Clearly, all Web retailers are at risk and must take security seriously to maintain customer confidence and to protect themselves from financial loss-no matter how big or small the company. “Security has to do with estimating how bad it would be if something went bad,” says Frank Prince, senior analyst at Forrester Research, Cambridge, Mass. “Then putting together some measures to indemnify yourself from that risk. It’s important to remember that security is only as good as your weakest link.”
One of the biggest mistakes many e-retailers make is a basic one. Intruders often enter sites by breaching passwords. Too often, retailers use default system passwords, or they choose easy to identify names, Prince maintains. Computer programs created or altered by crackers are easily found on the Web that can quickly retrieve log-in names and passwords. Then once inside, a cracker has access to both company and customer information.
“Have good password discipline,” he says. “Then take that thread of password discipline and run it through all the other dimensions of your security system, such as keeping your software up to date, your firewalls properly configured and purging credit card information. Those things will greatly reduce the probability of a violation.”
Toysmart.com, a Waltham, Mass-based online toy retailer, has been lucky. Since its launch in 1998, the company has not experienced a break-in or a denial of service attack. But if they occur, Ralph Logan Jr., senior information security engineer, says the company is as ready as it will ever be. Toysmart’s customer database is encrypted and located away from any Internet facing networks. The site also uses firewalls, intrusion detection systems, authentication measures and virtual private net-working. While Logan won’t specify which commercial products the company uses, he says most of the site’s security system development is done in-house. “A good firewall is certainly a key element for any Internet-facing system,” he notes. “The most common area to protect with a firewall is where everything from the Internet comes in and everything from the corporate local area network goes out.”
But Toysmart goes a step further by protecting all Internet access points across its network with firewalls and dial-up pools. The internal and external firewalls along with checkpoints, allow the company to track any network traffic that comes in or out of the site. The intrusion detection systems are both host-based and network-based. The host provides file integrity checks, which allow security staff to look for any file changes that might have occurred since the last check, while the intrusion detection side monitors for irregularities in information patches that travel across network lines.
To further protect the site, Logan personally carries out penetration and vulnerability testing by breaking and fixing the systems’ codes. The authentication measures Toysmart has in place within its corporate LAN protect customer information, such as credit card numbers, that change hands through an order process.
“The credit card number goes immediately into an encrypted database,” Logan explains. “A customer service person may or may not see it, and the fulfillment people never see it. But anyone who touches that information is logged, so any anomalies in the flow of customer behavior or the credit card number are noted and flagged. I can say that our due diligence to provide a secure environment for our customers is the best you are going to get.”
For all the sophisticated work on firewalls and security, many experts say there’s little that can be done against a concerted denial of service attack and no security system will guard against every attack.
Superstore Buy.com, Aliso Viejo, Calif. learned that lesson firsthand when it became one of the victims of the denial of service attacks last month.
Although the company had its own “anti-crawler” software in place, CEO Gregory Hawkins says nothing could have prepared the site for the beating it took from the attack. While these types of attacks are common, they generally originate from one computer source on a much smaller scale, which allows most site security systems to recognize the attack and quickly block it. The February attack originated from multiple IP addresses. “We have always recognized the potential damage of crawling and have had protection in place,” Hawkins says. “The good news is that it worked. The bad news is something of this magnitude-literally one gigabit per second on the network-was of such a magnitude that we just couldn’t handle it.”