Consultant: Security means less internal access

Internal hacking is the largest threat an e-commerce company faces, according to one security expert.

Fred Cotton, CEO of Fred Cotton and Associates, a security consultancy firm, said at a Toronto conference that employees have the greatest amount of exposure to company information, exposure many of them should never have.

“Often we give more than the person needs. ‘Here, you’re a shipping clerk, we’ll give you access to the whole system,'” Cotton said.

He added businesses should have better systems for blocking access. “It’s basic accounting. Most companies ought to be able to do that.”

The Californian, whose background is law enforcement, said the temptation to the employee is huge, and that they should not be put in that position in the first place.

“If you’re going to give access, make sure you have an audited system to prevent internal losses,” Cotton said.

He added internal hacking and information violations often go unreported in an effort to maintain public confidence in the company. The drawback to this, he noted, is offenders are free to move on to their next employer.

He also stressed that temp employees often are given full access to files without any background checks. “You only have to pay off one lawsuit, and you could have paid for an entire security system.”

Cotton likened firewalls to an idiot savant. “You tell the firewall, ‘Do not let the bad guys in.’ Well, no bad guys get in, but you find out later other things are coming in and you configured the firewall wrong.”

He couldn’t definitively list the best security features. “Usually if I’m there, it means there weren’t any.” However, he suggested sending trade information through virtual private networks, activating and monitoring intrusion detection software, audit tracking, backgrounding employees and training employees on security issues.

Cotton noted hackers are smart and are now mentoring a younger group.

“There are a lot of script kiddies out there. All they’re going to do is download a script and point it at your IP. Legally, they’re going to get charged with a hacking violation, but are they the ones with the skills?” he asked. “That’s what I see as part of the problem. You don’t have to be a good hacker to get into somebody’s system anymore.”

Frank Koblun, director of consumer e-commerce for HMV North America, talked about the company’s recent experience with hackers.

Although the HMV site only went live July of last year, two months ago the IT staff noticed the Web servers were taking a suspicious number of requests.

“They took the site off-line for an hour,” he explained. “They had to, or we could have been forced off-line.”

He added the company keeps audit logs, which allowed them to define that the problem was external. Koblun noted this was the first and only attack so far. He said HMV had been very concerned with security from the beginning, but since the attack they have upgraded their software further and reconfigured their system.

“We have a security policy and IT management procedures in place and we do regular audits of those. Whenever our systems or circumstances change we have to revisit those policies,” Koblun said.

A security policy needs to be the first step on the journey toward a complete security system, according to Greg Clark, CTO for Tivoli Systems Inc.’s security business unit. Clark noted a full security system will be made up of many elements, but that nobody is going to purchase a complete security system from one company.

“Some people do firewalls really well and some people scan viruses really well.” Tivoli offers a new SecureWay umbrella solution to give businesses the core elements of a security policy and to integrate point products they have, according to Clark.

“This tool goes out and deals with the security products. It will send you the events as they come and say, ‘Oh, that’s not really a problem,'” he explained, adding this will cut down on security teams watching 10 different screens, trying to analyze the activities of each one.

Although he would not say whether the Tivoli solution was a good one, IDC Canada analyst Dan McLean said SecureWay is the right idea.

“I think the holistic approach is the right one,” McLean said. “What you want to be doing, in terms of imposing security, is look at it in a solutions-based approach. Look at it as a solution rather than as a collection of point products that are designed to combat against certain things.”

He said point solutions only patch specific security holes. “That’s what niche products are about. So you plug up this one hole, but something else unplugs.”

McLean noted people are trying to integrate their security products so there is some degree of interoperability.

“I think people want that, but a lot of them don’t have the wherewithal to impose it. If I’m a medium-sized company of less than 500 people and, yeah, I want the solution but it’s expensive and one issue is can I afford it and can I afford to hire the people who will allow me to do this sort of thing?”

He noted the Tivoli solution looks good, but needs to be scaled down to fit the typical Canadian business customer.