Are you the next target for hackers? That's the disturbing question circulating among some security experts in the wake of attacks against big-name sites like
Yahoo! and eBay. The experts see small companies and their Web-hosting services as especially vulnerable to attacks that could destroy their data or turn their
companies into unwitting agents for attacks on other sites. "The next wave of vulnerability is going to be the small to midsize business," says Ken Fehrnstrom,
CEO of Ensim Corp., a network-security company in Mountain View, Calif.
Chief among the concerns is that small companies lack sophisticated firewalls and other preventive measures to keep hackers out of their systems. What's more,
small companies aren't beefing up their security systems even as they become more vulnerable. High-speed, always-on Internet connections such as DSL and cable
modems are being heavily marketed to small companies at increasingly affordable prices, and an always-on connection is much easier for a hacker to penetrate
than a system that connects via dial-up modem.
An always-on link requires constant surveillance, and few small businesses have the money or the knowhow to provide it. Steph Marr, vice-president for
information security at Predictive Systems Inc., a network design and consulting company in Santa Cruz, Calif., says companies should spend at least 5% to 10% of
their information technology budget on security. For companies of at least 50 employees, this could come to about $10,000.
If that's too big a bite, Marr says minimally secure networks costing a few thousand dollars are "relatively easy" to install. At the very least, businesses
should install software that checks for unusual bandwidth surges or other abnormal activity such as unauthorized file changes in real time. Companies should also
have a system that audits the real-time checks, and they should make sure at least one person is managing the network and monitoring it at all times, he says.
But that sort of software detects only obvious problems, says Weld Pond (not his real name), a security expert for @Stake, a Boston-based company comprised of
a former underground group of hackers known as L0pht. Apart from unusual surges in the amount of bandwidth or strange traffic patterns, cybervandals rarely leave
such obvious fingerprints. "Hackers tend to break into networks without causing any disruptions -- using an abandoned account, let's say -- and sometimes they
even improve the network if it's slow," Pond says. Odd as that sounds, hackers tend to like their attacks to run fast and smooth, so if they're trying to
piggyback on a cumbersome network, they may fix the glitches.
What's the point? There's the chilling possibility that hackers will take over a small-business server and use it as a base for attacks like those that
disabled eBay and Yahoo! These so-called denial-of-service attacks occur when hackers infiltrate hundreds of other computers and direct them to bombard a
high-profile site like CNN with more traffic than it can handle, blocking users from gaining access.
INNOCENT ABETTORS. Investigators are still tracing where the recent attacks came from, but Stanford University and the University of California at Santa
Barbara have acknowledged that their networks were hijacked and turned into "zombies" that participated in them. What about small companies? No proof yet shows
they were involved. But security experts say among the most likely abettors -- albeit innocent ones -- were small-business networks. Why? Because security is so
lame, and the adoption of DSL can make these networks even more attractive as launching pads for hackers. "It will become increasingly easy to launch attacks from
small businesses as high-bandwidth technology becomes more ubiquitous," Fehrnstrom says.
Denial-of-service attacks are usually directed at major sites rather than at small companies because the hacker's goal is to create lots of publicity. But
don't take false comfort. Once a hacker has taken over your network, you're open to far more devastating kinds of attacks. "Being a staging point for a
denial-of-service attack doesn't put you out of business," Pond says, "but if your customer data gets stolen, that can put a cramp in your business."
Another potential weak spot is the trend for small businesses to use other companies -- Internet service providers and an ever-burgeoning array of software and
service providers -- to host key elements of their business, from their Web sites to their accounting software. The problem here is that while you might have a
top-flight security system, your hosting service is only as secure as the least secure site that's sharing the service.
It's a sticky issue for Web hosts, which have been criticized for dragging their feet on security. In response, nine ISPs formed an alliance with Net security
company ICSA.net on Feb. 23. Founding members, which include Cable One, Cable & Wireless, Digex, Global Crossing, Global Center, GTE Internetworking, Level(3),
Time Warner's Road Runner, and Sprint, must secure their own internal systems, add filtering technology to prevent forging the source address of a piece of data,
and provide support for their members to do the same. The group's first goal is to improve security at the 5,000 smaller ISPs that are still getting up to speed
on the issue.
The initiatives come none too soon. "The vast majority of small businesses are leaving themselves open to attack," says Andrew Moloney, a manager for
entry-level systems at 3Com. "Very few of them are installing firewalls because they think they're being protected by their hosting services. It's fundamentally a
question of education."
"SOFT AND CHEWY." For its part, 3Com has introduced a new firewall and content filtering product that attaches to a DSL or cable modem for about $450 to $500.
But making a company's computer system secure isn't just a matter of installing software. It often requires changing behavior at a company. "Small-business
networks are hard and crunchy on the outside, soft and chewy on the inside," says Marr of Predictive Systems. "Once you get past the exterior surface, the inside
is wide open because small businesses don't want to prevent their employees from getting access to anything and everything they need."
Marr says he expects hackers will soon start to make small modifications to sites, especially those of e-tailers, that cause customers to go to the
competition. "Denial of service is one concern, but theft of intellectual property or outright sabotage is another matter altogether," he says. One hypothetical
example he gives is an online book retailer where some titles are erroneously listed as out of stock, causing shoppers to go to another seller.
If you learn one lesson, it should be this: If your security system consists of counting on your site's small size or low profile, you're asking for trouble.
By Stefani Eads in New York