
STORIES BY NICOLE NASCENZI World Staff Writer
Jeff Bewley does not need a ski mask and a crowbar to break into your business: All he needs is a keyboard and about 30 seconds. Bewley is the security division manager for Tulsa-based Sequoyah Technologies. He spends his days trying to break into his clients' computer systems. The exercise is one in safety and precaution. "A lot of people think they are immune to having their businesses hacked because they run a boring business," Bewley said. They are wrong. Hackers can run programs that scan 16 million computers in one night, he said. People hack into systems because they can, not because they find a certain business interesting. Computers quickly have become an integral business tool. The days of executives passing contracts across a boardroom table for their business partners to sign are quickly disappearing. Today, many business deals are negotiated, written and finalized on the Internet, without the contracting parties ever meeting in person. Since the advent of electronic commerce a few years ago, an increasing number of businesses are buying, selling and trading products and services online. But the convenience and efficiency of e-commerce is tempered with worries about its reliability and security, say industry experts. "The Internet provides an opportunity for tremendous access to information and at the same time it is so hard to secure that everything could collapse," said Sujeet Shenoi, a University of Tulsa computer science professor. Shenoi and fellow computer science professor John Hale recently presented a workshop on e-commerce security at the University of Oklahoma-Tulsa. The workshop was part of the university's "Current Issues in Telecommunications" series. The one-day workshop was designed for professionals needing an overview of security issues, said Pramode Verma, series director and OU-Tulsa's director of the tele-computing program and a computer engineering professor. 
Verma said e-commerce security is "one of the most important topics facing today's executives." Data traveling on the Internet can be intercepted, copied or manipulated in a variety of ways. And it does not take a computer science degree to hack into a Web site, Hale said. "More sophisticated attacks are being carried out by less sophisticated users," he said. Hackers often go to Web sites and download the codes for attacks without knowing how the code was constructed. Experienced or not, hackers can cause harm in a variety of ways. By conducting a distributed denial of service attack, a hacker uses multiple computers to overload a system with information, Hale said. The information overload eventually causes the system to shut down. When the system shuts down, the business' Web site is not operational and it is losing money. Several Internet giants were crippled by DDOS attacks in February 2000, said Anup Ghosh, e-commerce security expert and director of security for Virginia-based Cigital, a security risk management software company. Ghosh said hackers strategically took down eBay.com, CNN.com, Amazon.com and Yahoo.com by overloading the systems with information. "Some of these victims were taken offline for hours, and others for days," he said. If hackers find security holes, they have the ability to enter a company's network, operating systems and Web servers. "The best thing a hacker could do (for the business victim) if he or she broke into your operating system is to destroy everything and delete all of the files," Bewley said. Worse problems can occur when a company does not know a hacker has broken into its system. The cyber intruder could install a program called a "sniffer" and grab a copy of all the traffic that goes across a company's network. Network traffic often includes passwords, credit card numbers and e-mails, Bewley said. The hacker may work for a competitor and potentially could alter commodity process or change warehouse inventory lists. 
Before a company goes back to doing all of its transactions on paper, Bewley said, there are a number of ways to address security concerns. "Security is not a product," said Hank Haines, executive vice president of Sequoyah Technologies. "It is a process." Sequoyah is one of many companies that specialize in helping businesses secure computer systems. "Security makes good business sense," Ghosh said. "If a company's computer systems are secure, there will be no down time, no lost sales and no bad PR." His recent book, "Security and Privacy for E-Business," addresses many areas of concern for executives struggling with security issues. Intellectual property theft - often committed with the aid of a computer - cost United States businesses more than $45 billion in 1999. "In an ideal world, a company should have one security specialist for every 10 information technology employees," Shenoi said. In reality, security specialists can be hard to come by - and even harder to afford. "Any business needs to re-evaluate its security needs regularly," said Trent Hein, chief technology officer and senior vice president of Colorado-based XOR. "It is a changing landscape." Many companies, including XOR, which has an office in Tulsa, and Sequoyah Technologies, conduct computer security audits. "A company which wants to sell products online and thinks security is a waste of time" will change its mind after it is hit by hackers, Shenoi said.
"There is no need for a research scientist to have access to the payroll records. You only want to allow the employee as much access as the individual needs to perform his job."
- John Hale: University of Tulsa Computer Science Professor on Security Issues
Awareness key to business defense strategies
Defending a business against unseen attackers can seem like a daunting task. There is no panacea for computer security problems, said Trent Hein, chief technology officer and senior vice president of Colorado-based XOR. But, awareness is the most important tool in the fight against hackers, said Sujeet Shenoi, a University of Tulsa computer science professor. The public hears about only a fraction of the cyber crimes because companies often do not want security breaches to become a matter of public knowledge. And, security problems do not always come in the form of nameless, faceless hackers from the outside. "Between 50 (percent) and 65 percent of security incidents are internal," Hein said. "The incidents come either from a disgruntled employee or from someone mishandling information." Some tips include:

> All employees should not have the same degree of access to the company's systems, said John Hale, University of Tulsa computer science professor. "There is no need for a research scientist to have access to the payroll records. You only want to allow the employee as much access as the individual needs to perform his job."

> Companies need to develop security protocols and ensure that all of the employees follow the protocols, Hale said. For example, employees should not leave passwords posted on computer monitors or on the back of keyboards, he said. If a system is compromised, the company should have a crisis plan to minimize the damage to the system and the company's operations.

> Firewalls can be used to stop hackers from accessing an organization's network, said Jeff Bewley, security division manager for Tulsa-based Sequoyah Technologies. A firewall is a device - often software - that mediates traffic from the Internet. A firewall is used as a measure of protection for the systems that reside behind the firewall. A firewall is useless if its logs are not checked, Bewley said. A firewall may catch a pattern of attacks on the system, but the software will do no good if no one notices the attacks.

> Software should be continually updated with the most recent patches from the manufacturer. Vendors continually release software updates to correct bugs found in the programs, said Anup Ghosh, e-commerce security expert and director of security for Virginia-based Cigital. Some patches fix problems critical to the software's security, Ghosh said. But, by the time a patch is created, hackers already know how to exploit that particular weakness in the program. "In practice, many people do not apply patches because 30 percent of the new code introduced may cause a new problem," he said. Companies need an expert to decide which patches are critical and to make sure they are installed on all company machines, Ghosh said.

> Important e-mail for anything important," Shenoi said. "It is so easy to sniff e-mail that I use the telephone." Sniffing is a method of electronically eavesdropping on the text of the message. Encryption is a way of scrambling data, requiring a user to have a certain "key" in order to unscramble it. Tulsa-based SecureAgent.com produces a program called SecureNotes that encrypts the e-mail message and confirms that the message reached its destination uncorrupted, said R. Brent Johnson, SecureAgent.com president. The program works in conjunction with most e-mail programs.