Internet Retailer - Strategies For Multi-Channel Retailing


Feature Article, March 2000

After several high-profile web site attacks, experts offer advice to help safeguard your site

By Leslie Beyer

Retailers had barely regained their balance after a media blitz of negative publicity from several retail site break-ins that netted thieves more than 300,000 credit card numbers, when they were broadsided with a wave of denial of service attacks that toppled several major Web companies.

The incidents sent a booming wakeup call to e-retailers on just how vulnerable their sites are to intruders and called into question the Internet’s reliability as a secure network to store and exchange information.

While experts argue over the relative ease of breaching Web site security, the software that disrupts Web sites is easy to obtain on the Internet and can be downloaded for free. There also were conflicting reports that software from CyberCash was used by the cracker who broke into the CD Universe site to steal credit card numbers. CyberCash denies that its software was involved.

What’s more, experts maintain that these types of break-ins and attacks are more acts of vandalism and showmanship—crackers and hackers stroking their own egos—than actual burglaries. But online retailers aren’t impressed or amused, and there are signs these types of problems could get worse.

According to a survey by ICSA Inc., an Internet security company in Reston, Va., the number of companies falling victim to hackers or crackers increased by 92% between 1997 and 1998. That number is expected to rise, and as cyber criminals get bolder, many attacks could turn from mere inconveniences to potentially crippling events.

Weak links

Clearly, all Web retailers are at risk and must take security seriously to maintain customer confidence and to protect themselves from financial loss—no matter how big or small the company. “Security has to do with estimating how bad it would be if something went bad,” says Frank Prince, senior analyst at Forrester Research, Cambridge, Mass. “Then putting together some measures to indemnify yourself from that risk. It’s important to remember that security is only as good as your weakest link.”

One of the biggest mistakes many e-retailers make is a basic one. Intruders often enter sites by breaching passwords. Too often, retailers use default system passwords, or they choose easy-to-identify names, Prince maintains. Programs written or altered by crackers that quickly retrieve log-in names and passwords are easily found on the Web. Once inside, a cracker has access to both company and customer information.

“Have good password discipline,” he says. “Then take that thread of password discipline and run it through all the other dimensions of your security system, such as keeping your software up to date, your firewalls properly configured and purging credit card information. Those things will greatly reduce the probability of a violation.”
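The password discipline Prince describes can be enforced mechanically at the point where an account or system password is set. The following is an added example, not code from the article or from any company it quotes; the list of default passwords and the minimum length are illustrative assumptions, and the check rejects the cases the article names: an empty password (just pressing the return key), a vendor default, and anything built from the login or company name.

```python
"""Password discipline check: reject empty passwords, well-known defaults, and
passwords derived from the login or company name. Constructed example."""
from typing import List

# Illustrative defaults only (assumption). A real deployment uses the vendor
# documentation of every product it runs plus a large breached-password list.
DEFAULT_PASSWORDS = {
    "password", "admin", "root", "guest", "changeme", "default", "manager", "system",
}
MIN_LENGTH = 12  # assumed policy value


def _normalize(text: str) -> str:
    """Lower-case and strip punctuation so 'Pass-Word!' still matches 'password'."""
    return "".join(ch.lower() for ch in text if ch.isalnum())


def password_problems(password: str, login: str, company: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if password == "":
        problems.append("empty password (just pressing return)")
    norm = _normalize(password)
    if norm in DEFAULT_PASSWORDS:
        problems.append("matches a well-known default password")
    # The login name and company name are the first guesses an intruder tries.
    for label, name in (("login name", login), ("company name", company)):
        n = _normalize(name)
        if n and n in norm:
            problems.append(f"contains the {label}")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    for candidate in ("", "Password", "Acme2000!", "correct-horse-battery-staple"):
        print(repr(candidate), "->", password_problems(candidate, "jsmith", "Acme") or "ok")
```

The same function can be run against existing accounts (with the stored password hashes replaced by a hash comparison against the default list) to find the default and obvious passwords Prince warns about before an intruder does.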

Toysmart.com, a Waltham, Mass.-based online toy retailer, has been lucky. Since its launch in 1998, the company has not experienced a break-in or a denial of service attack. But if they occur, Ralph Logan Jr., senior information security engineer, says the company is as ready as it will ever be. Toysmart’s customer database is encrypted and located away from any Internet-facing networks. The site also uses firewalls, intrusion detection systems, authentication measures and virtual private networking. While Logan won’t specify which commercial products the company uses, he says most of the site’s security system development is done in-house. “A good firewall is certainly a key element for any Internet-facing system,” he notes. “The most common area to protect with a firewall is where everything from the Internet comes in and everything from the corporate local area network goes out.”

But Toysmart goes a step further by protecting all Internet access points across its network with firewalls and dial-up pools. The internal and external firewalls, along with checkpoints, allow the company to track any network traffic that comes in or out of the site. The intrusion detection systems are both host-based and network-based. The host-based system provides file integrity checks, which let security staff look for any file changes that have occurred since the last check, while the network-based side monitors for irregularities in the packets that travel across network lines.

To further protect the site, Logan personally carries out penetration and vulnerability testing by breaking and fixing the systems’ codes. The authentication measures Toysmart has in place within its corporate LAN protect customer information, such as credit card numbers, that change hands through an order process.

“The credit card number goes immediately into an encrypted database,” Logan explains. “A customer service person may or may not see it, and the fulfillment people never see it. But anyone who touches that information is logged, so any anomalies in the flow of customer behavior or the credit card number are noted and flagged. I can say that our due diligence to provide a secure environment for our customers is the best you are going to get.”

Lessons learned

For all the sophisticated work on firewalls and security, many experts say there’s little that can be done against a concerted denial of service attack and no security system will guard against every attack.

Superstore Buy.com, Aliso Viejo, Calif., learned that lesson firsthand when it became one of the victims of the denial of service attacks last month.

Although the company had its own “anti-crawler” software in place, CEO Gregory Hawkins says nothing could have prepared the site for the beating it took from the attack. While these types of attacks are common, they generally originate from one computer source on a much smaller scale, which allows most site security systems to recognize the attack and quickly block it. The February attack originated from multiple IP addresses. “We have always recognized the potential damage of crawling and have had protection in place,” Hawkins says. “The good news is that it worked. The bad news is something of this magnitude—literally one gigabit per second on the network—was of such a magnitude that we just couldn’t handle it.”

Even the company’s Web host, Santa Clara, Calif.-based Exodus Communications, was caught off guard by the attack’s enormity. Gary Grossman, director of security research and development for Exodus, says attacks are getting more aggressive, but the components of the attack are usually easily recognized, enabling the company to quickly put defense filters into place. “What we cannot do is predict what the attack will look like before it occurs,” he says, admitting the procedure is a little like shutting the barn door after the horse has already escaped. The problem, most security experts agree, is that it is difficult to defend against or create a filter for something that does not yet exist.

In the meantime, to help fend off denial of service attacks, Grossman says online retailers who don’t use a Web host should have routing equipment at the head end of their site that allows filtering against these attacks.

But not even a Web host can provide a totally secure site for its clients, so many companies such as Buy.com are continually adding features and functionality to their security systems. “Our biggest issue is that customer privacy cannot be compromised so we are focusing on that and the threat that somebody can come in and shut our doors,” says Hawkins.

Staying a step ahead

If there is any advice Hawkins can pass on, he says it is critical for retailers to update, maintain and take any precautions possible to protect a site’s integrity. For sites using a Web host, make sure the host has a process in place that identifies the problem and takes the load off the site during an attack. Communication with customers also is important, he says. “Let your customers know what is going on. The biggest risk we have is to have these types of events be misunderstood. We have done our best to make sure that consumers feel completely confident that when they shop the site, they are in a secure environment,” Hawkins stresses. “The sensationalism that goes around this type of ‘hacking’ can create a lot of customer concern.”

While defending against denial of service attacks may be difficult, protecting customer information against break-ins is a much more manageable task. Chip Mesec, vice president of marketing for SecurityFocus Inc., a security information firm based in San Mateo, Calif., says it’s no secret to crackers that many retail sites store credit card numbers in plain-text files. Many also use the same server for credit card numbers as they do for company information. This allows crackers to not only get customer information, but employee records as well.

Without disclosing company names, SecurityFocus reports having found and verified security weaknesses in several Web sites that were so blatant that almost anyone could get into the site’s databases and extract Web content, credit card numbers and owner names, passwords, and even company staff information, such as employee records, salaries, social security numbers, addresses and other personal information.

Mesec acknowledges that companies of all types and sizes are not taking even simple precautions to keep hackers and crackers out of their systems. A cyber criminal can easily break into 20 to 30 small retail sites in one night. Even if each site only has 500 credit cards with a total of $25,000 in available credit, it can add up to $500,000 in a single night’s work for the criminal.

But there is one promising note for e-retailers that may help to deter cyber crime. According to the Federal government, if caught and convicted, criminals could face penalties of five to 10 years in prison and fines up to $250,000, or in some cases twice the gross loss to the victim. Negligent, unintentional damage to a Web site is a misdemeanor, punishable by six months to a year in prison and a $100,000 fine.

But first you have to catch Internet criminals. Even as security specialists develop improved software and Web site safeguards, most agree that when a better mousetrap is built, the mice only get better at stealing the cheese.

Building a better mousetrap

With the heightened awareness of e-commerce, cyber crime is going to become more of a problem for Web companies. It doesn’t matter how big or a small a retailer is, safeguarding customer information is more critical than ever.

To help e-retailers gain an advantage, security experts offer some important advice:

Maintain good password discipline on all systems—don’t use the log-in name, common words, the company name or other obvious names, default passwords, or an empty password (just pressing the return key).

Purge credit card information daily.

Keep all security software up-to-date and firewalls properly configured.

Encrypt your customer database.

Keep a close relationship with credit card companies—if customer card information is compromised, resolutions will occur more promptly.

Never connect your business database to your Web site.

Outsource credit card payment systems.

Monitor your sites hourly, if not daily.
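Two items on this list, purging credit card information daily and logging everyone who touches it (the practice Logan describes at Toysmart), can be expressed as a small storage layer. The following is an added example for this article, not code from Toysmart, Buy.com or any vendor named here. It assumes a one-day retention window, a single “billing” role allowed to see a full card number, and an injectable clock; the card number is the standard Visa test value, and encryption of the records at rest is left to the database layer and is not shown.

```python
"""Retention, masking and access logging for stored card numbers: purge card data
daily, and record every access. Constructed example; encryption at rest is assumed
to be handled by the database and is not shown."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

RETENTION = timedelta(days=1)          # "purge credit card information daily"
ROLES_ALLOWED_FULL_PAN = {"billing"}   # assumption: only billing sees the full number


def mask_pan(pan: str) -> str:
    """Return the number with all but the last four digits replaced by '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class CardRecord:
    order_id: str
    pan: str             # full number, held only until the retention window expires
    stored_at: datetime


class CardVault:
    """Stores card records, logs every access, and purges expired records."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock  # injectable so the purge can be tested without waiting a day
        self._records: Dict[str, CardRecord] = {}
        self.audit_log: List[str] = []

    def _log(self, event: str, order_id: str, user: str) -> None:
        self.audit_log.append(f"{self._clock().isoformat()} {event} order={order_id} user={user}")

    def store(self, order_id: str, pan: str, user: str) -> None:
        mask_pan(pan)  # validates the number before anything is stored
        self._records[order_id] = CardRecord(order_id, pan, self._clock())
        self._log("STORE", order_id, user)

    def access(self, order_id: str, user: str, role: str) -> Optional[str]:
        """Full number for the billing role, masked for everyone else; always logged."""
        rec = self._records.get(order_id)
        if rec is None:
            self._log("ACCESS_MISSING", order_id, user)
            return None
        if role in ROLES_ALLOWED_FULL_PAN:
            self._log("ACCESS_FULL", order_id, user)
            return rec.pan
        self._log("ACCESS_MASKED", order_id, user)
        return mask_pan(rec.pan)

    def purge(self) -> int:
        """Drop records older than RETENTION; return how many were removed."""
        cutoff = self._clock() - RETENTION
        expired = [oid for oid, rec in self._records.items() if rec.stored_at <= cutoff]
        for oid in expired:
            del self._records[oid]
            self._log("PURGE", oid, "scheduler")
        return len(expired)

    def count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Constructed scenario spanning two days; the card number is a test value."""
    now = [datetime(2000, 3, 1, 9, 0, tzinfo=timezone.utc)]
    vault = CardVault(lambda: now[0])
    vault.store("A100", "4111 1111 1111 1111", user="web-checkout")
    fulfillment_view = vault.access("A100", user="packer1", role="fulfillment")
    billing_view = vault.access("A100", user="billing2", role="billing")
    now[0] += timedelta(hours=26)  # the next day's scheduled purge run
    purged = vault.purge()
    return {"fulfillment_view": fulfillment_view, "billing_view": billing_view,
            "purged": purged, "remaining": vault.count(), "log_entries": len(vault.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The audit log is what makes Logan’s “anyone who touches that information is logged” checkable: an `ACCESS_FULL` entry from a user outside billing, or a burst of accesses from one account, is the anomaly to flag, and after the purge run there is simply no number left for an intruder to steal.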

Copyright © 2006 Vertical Web Media.