You're finally able to call up your Web site, and instead of the slick graphics, sharp logo and catchy company name, you find the words "You Lose!" on your computer screen.
That IPO you were dreaming about? Not happening.
The college trust fund for the kids? Gone.
That gorgeous, maroon Jaguar you had your eye on? Forget about it.
Wake up! Fortunately it's only a nightmare.
That scenario may have seemed over-the-top, but a recent study by PricewaterhouseCoopers predicts that the IT industry will lose $1.6 trillion in revenue because of cybercrime and security breaches for 2000 alone. New viruses and high-profile attacks on major corporations and the federal government have left many e-businesses, software vendors and just about anyone using the Web for profit feeling exposed and vulnerable.
The recent wave of cybercrime has sparked new initiatives in the security market. No longer are companies relying on firewalls that will simply deflect hackers and disgruntled employees. IT companies want a sword instead of a shield. They want the equivalent of Excalibur: a supreme weapon to protect their businesses and bring the perpetrators to justice. The question is, which software innovators will be able to draw the sword from the stone?
"If you look at the past few months, we're seeing events that are making it very difficult to do business over the Internet," says Ken Ballou, senior vice president of channel sales at Computer Associates.
Ballou points to debilitating attacks on Yahoo! and eBay earlier this year. If they had taken place a few months later, Ballou claims, CA could have prevented them with its eTrust Internet Defense suite. The company's newest security solution, released in late August, features five components: firewall, content inspection, intrusion detection, VPN and, perhaps most important, antivirus protection. Say e-business was a building: The firewall would be the barbed-wire fence, content inspection would be the night watchman, intrusion detection would be the alarm system and the antivirus program would be that large, near-rabid Doberman at the front gate.
"I Love You", Not
CA's antivirus program, called InoculateIT, was conceived in early May, the same time that the company was scrambling to mount a counterattack against the "I Love You" virus, using an earlier version of InoculateIT to strike down the notorious plague. The technology was widely recognized as being one of the first and best cures for the widespread virus. Ballou says the company has come a long way since then with Internet Defense, which takes a more comprehensive approach in detection of intruders and identification of threats.
If anything, identification is the key thread in the blanket of new security. Like CA, Recourse Technologies talked with clients, vendors and partners about their primary security concerns not long ago. The consensus was that users needed a way to identify the attackers and get the goods on when, where and how they broke into the system.
"Firewalls are great, but they only deflect [attacks] and don't allow any response," says Recourse Technologies president and CEO Frank Huerta. "Responding to an attack is very time-consuming, and there's a lot of confusion in trying to identify and track the attackers."
Setting the Trap
Recourse Technologies then developed a "honeypot" tool, appropriately named ManTrap, which acts as sort of a reverse Trojan horse by diverting attackers to a decoy environment that "traps" the intruder. If configured with firewalls, for instance, the program can redirect suspicious traffic to the ManTrap cage. Combined with ManHunt, which specializes in monitoring systems and collecting forensic data from attacks, the software is one of the most proactive security weapons yet.
"This isn't an aggressive tool, but it really compiles a lot of evidence on the attack, and that's going to become increasingly important to the e-business industry," says Fred Kost, vice president of marketing for Recourse Technologies. "You're never going to be completely safe. But you can have a better chance of preventing attacks and finding out who's attacking you."
While new software and technology will help level the playing field for e-business, a fundamental change is needed in the industry's approach to security, says Alan Paller, director of research at the System Administration, Networking and Security (SANS) Institute. This, he says, will help to eliminate simple, correctable human errors that leave the doors wide open for intruders to hack and invade with impunity (see "The 10 Worst Security Mistakes IT People Make", page 140). Common "open-door" mistakes include using widely known default passwords or no network passwords at all and failing to remove CGI sample scripts from Web servers after installation, which can be used by intruders to manipulate the actual server.
Such simple mistakes account for roughly 80 percent of attacks in the industry, according to Paller. SANS Institute, a cooperative research group comprising more than 95,000 IT professionals, has been studying the issue of security for more than a decade.
"If you're going to protect yourself from a burglar, the first thing you do is lock the door," Paller says. "If you're going to fly an airplane, you have to examine it before you leave the ground."
That may sound obvious to some, but Paller says it's the obvious things that much of the industry is failing to grasp. Too many companies are rushing to go live before installing security infrastructure. Government agencies and many colleges and universities have become targets of cyberattackers as well, but e-business, with its mountainous wealth, is the lamb of choice.
Speed Kills
"Time-to-market is a root cause for security vulnerabilities in e-business," says Crispin Cowan, chief research scientist at WireX. "The convergence of e-commerce and open networks has allowed anyone with a bad attitude and the right tools to rip you off." WireX developed Immunix, which hardens programs and cures exploitable bugs in the system. The security tools also locate and sequester the route of the attack so copycats can't use that hole.
"The whole idea behind the software is that we can immunize a server network and remove the vulnerabilities before an attack is made," says Joonees K. Chay, president and CEO at WireX.
One of the most vital security tools, however, isn't new technology. More software vendors are jumping into the consulting field and providing managed services for e-businesses struggling with understanding and building security infrastructure. Internet Security Systems (ISS) recently began its managed security services program, which will focus primarily on small and midsize businesses in need of round-the-clock network monitoring. The Atlanta-based company, one of the pioneers of intrusion-detection software, also helps e-businesses install ISS products, such as Internet Scanner and RealSecure, which dissects data packets in a network to find out who's naughty and who's nice.
"E-business doesn't have the capacity to constantly monitor its security 24/7, but it's a 24/7 industry," says Tim McCormick, vice president of marketing at ISS.
Santa Clara, Calif.-based PGP Security, a Network Associates company, also provides managed services for its Desktop Security product line, which features firewall, intrusion detection and VPN technology. The floodgates opened for managed security services with the rise of e-business and B2B interaction, says Marvin Dickerson, PGP's director of product management. "How are your partners going to secure their businesses with 80,000 employees worldwide?" Dickerson asks. "It's not all about the product. Companies need scalability with their security, and they need to know how to manage their systems with those tools."
Most specialists agree on one thing: security, or a lack thereof, is the Achilles' heel of the new economy. Paller says he's encouraged that corporations are now combining their efforts and even working with the federal government on security issues. But he has no doubt that a small percentage of dangerous hackers and malicious employees will continue to adapt and find ways around even the newest defenses.
If that's true, is there any true security out there?
Yes, Paller says: "There's plenty of job security in the security tech field."
The 10 Worst Security Mistakes Information Technology People Make
1. Connecting systems to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update systems when security holes are found
4. Using telnet and other unencrypted protocols for managing systems, routers, firewalls and PKI
5. Giving users passwords over the phone, or changing user passwords in response to telephone or personal requests when the requester is not authenticated
6. Failing to maintain and test backups
7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail and rservices
8. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing
9. Failing to implement or update virus-detection software
10. Failing to educate users on what to look for and what to do when they see a potential security problem
And a bonus, number 11: Allowing untrained, uncertified people to take responsibility for securing important systems
Top Security Mistakes Senior Executives Make
1. Assigning untrained people to maintain security, providing neither the training nor the time to make it possible to learn the job
2. Failing to understand the relationship of information security to the business problem; they do not see the consequences of poor information security
3. Failing to deal with the operational aspects of security, making a few fixes and then not allowing the follow-through necessary to ensure the problems are solved
4. Failing to realize how much money their information and organizational reputations are worth
For more on fighting cybercrime, turn to "The Right Tools To Fight Cybercrime" on page 139.
