BUSINESSWEEK ONLINE: FRONTIER - the resource for entrepreneurs  

Your Web Site Might Be Playing Host to a Hacker

"Always-on" connections make small companies always-vulnerable to attack



Are you the next target for hackers? That's the disturbing question circulating among some security experts in the wake of attacks against big-name sites like Yahoo! and eBay. The experts see small companies and their Web-hosting services as especially vulnerable to attacks that could destroy their data or turn their companies into unwitting agents for attacks on other sites. "The next wave of vulnerability is going to be the small to midsize business," says Ken Fehrnstrom, CEO of Ensim Corp., a network-security company in Mountain View, Calif.

Chief among the concerns is that small companies lack sophisticated firewalls and other preventive measures to keep hackers out of their systems. What's more, small companies aren't beefing up their security systems even as they become more vulnerable. High-speed, always-on Internet connections such as DSL and cable modems are being heavily marketed to small companies at increasingly affordable prices, and an always-on connection is much easier for a hacker to penetrate than a system that connects via dial-up modem.

An always-on link requires constant surveillance, and few small businesses have the money or the knowhow to provide it. Steph Marr, vice-president for information security at Predictive Systems Inc., a network design and consulting company in Santa Cruz, Calif., says companies should spend at least 5% to 10% of their information technology budget on security. For companies of at least 50 employees, this could come to about $10,000.

If that's too big a bite, Marr says minimally secure networks costing a few thousand dollars are "relatively easy" to install. At the very least, businesses should install software that checks for unusual bandwidth surges or other abnormal activity such as unauthorized file changes in real time. Companies should also have a system that audits the real-time checks, and they should make sure at least one person is managing the network and monitoring it at all times, he says.


The threat: Hackers will take over your server and use it as a base for denial-of-service attacks

But that sort of software detects only obvious problems, says Weld Pond (not his real name), a security expert for @Stake, a Boston-based company comprised of a former underground group of hackers known as L0pht. Apart from unusual surges in the amount of bandwidth or strange traffic patterns, cybervandals rarely leave such obvious fingerprints. "Hackers tend to break into networks without causing any disruptions -- using an abandoned account, let's say -- and sometimes they even improve the network if it's slow," Pond says. Odd as that sounds, hackers tend to like their attacks to run fast and smooth, so if they're trying to piggyback on a cumbersome network, they may fix the glitches.

What's the point? There's the chilling possibility that hackers will take over a small-business server and use it as a base for attacks like those that disabled eBay and Yahoo! These so-called denial-of-service attacks occur when hackers infiltrate hundreds of other computers and direct them to bombard a high-profile site like CNN with more traffic than it can handle, blocking users from gaining access.

INNOCENT ABETTORS. Investigators are still tracing where the recent attacks came from, but Stanford University and the University of California at Santa Barbara have acknowledged that their networks were hijacked and turned into "zombies" that participated in them. What about small companies? No proof yet shows they were involved. But security experts say among the most likely abettors -- albeit innocent ones -- were small-business networks. Why? Because security is so lame, and the adoption of DSL can make these networks even more attractive as launching pads for hackers. "It will become increasingly easy to launch attacks from small businesses as high-bandwidth technology becomes more ubiquitous," Fehrnstrom says.

Denial-of-service attacks are usually directed at major sites rather than at small companies because the hacker's goal is to create lots of publicity. But don't take false comfort. Once a hacker has taken over your network, you're open to far more devastating kinds of attacks. "Being a staging point for a denial-of-service attack doesn't put you out of business," Pond says, "but if your customer data gets stolen, that can put a cramp in your business."

Another potential weak spot is the trend for small businesses to use other companies -- Internet service providers and an ever-burgeoning array of software and service providers -- to host key elements of their business, from their Web sites to their accounting software. The problem here is that while you might have a top-flight security system, your hosting service is only as secure as the least secure site that's sharing the service.



It's a sticky issue for Web hosts, which have been criticized for dragging their feet on security. In response, nine ISPs formed an alliance with Net security company on Feb. 23. Founding members, which include Cable One, Cable & Wireless, Digex, Global Crossing, Global Center, GTE Internetworking, Level(3), Time Warner's Road Runner, and Sprint, must secure their own internal systems, add filtering technology to prevent forging the source address of a piece of data, and provide support for their members to do the same. The group's first goal is to improve security at the 5,000 smaller ISPs that are still getting up to speed on the issue.

The initiatives come none too soon. "The vast majority of small businesses are leaving themselves open to attack," says Andrew Moloney, a manager for entry-level systems at 3Com. "Very few of them are installing firewalls because they think they're being protected by their hosting services. It's fundamentally a question of education."

"SOFT AND CHEWY." For its part, 3Com has introduced a new firewall and content filtering product that attaches to a DSL or cable modem for about $450 to $500. But making a company's computer system secure isn't just a matter of installing software. It often requires changing behavior at a company. "Small-business networks are hard and crunchy on the outside, soft and chewy on the inside," says Marr of Predictive Systems. "Once you get past the exterior surface, the inside is wide open because small businesses don't want to prevent their employees from getting access to anything and everything they need."

Marr says he expects hackers will soon start to make small modifications to sites, especially those of e-tailers, that cause customers to go to the competition. "Denial of service is one concern, but theft of intellectual property or outright sabotage is another matter altogether," he says. One hypothetical example he gives is an online book retailer where some titles are erroneously listed as out of stock, causing shoppers to go to another seller.

If you learn one lesson, it should be this: If your security system consists of counting on your site's small size or low profile, you're asking for trouble.

By Stefani Eads in New York


Copyright 2000, Bloomberg L.P.