Task Force Unveils E-business Security Guidelines


Task Force Unveils E-business Security Guidelines By Kevin Featherly, Newsbytes March 15, 2000

A consortium of key Internet businesses has formed an industry task force aimed at spreading the gospel of e-business security -- particularly to medium-sized, Web-based companies -- in the wake of the recent denial of service attacks.

The group has issued a set of guidelines aimed at getting businesses to think about their own corporate virtual well-being, something many of them currently are not doing.

"The reality is that most organizations are not aware of the security systems that they've already got in place," said Simon Perry, vice president of security systems for virus-software maker Computer Associates, who hosted the press conference unveiling the task force's recommendations today.

"In some cases," Perry said, "(companies) are spending an enormous amount of money on secure operating systems and so forth. What they don't do is look at those firewalls and make sure that they're configured correctly, that they have ongoing maintenance, or that the operating systems are not installed with default settings that provide no security whatsoever." And that's just one major security area that is persistently overlooked, he said.

The group, known as the Internet Security Task Force, includes representatives from major companies like Cisco, eToys Inc., Sabre, Inc., Travelocity, Verio Inc., and Computer Associates, among others. The group said it is aiming its report, "Initial Set of Recommendations for Securing eBusiness," at keeping companies safe from attack by identifying the risks.

Simon said various industry surveys indicate that somewhere between half and three-quarters of all Web sites are vulnerable to at least one of 20 known security holes hackers exploit.

"Certainly in that vast majority (of mid-sized companies), the understanding of security basically is much less than it is at eToys and so forth," said Simon. "We felt that all we needed to do was distill our collective wisdom and our collective expertise and make all this information available about what is required to connect to the Internet securely."

While the group is interested in working with government by helping to identify attacks and attackers when they are present, it is ceding responsibility over patrolling the Internet backbone to authorities, Simon said.

He said the group began meeting several weeks ago, inspired by last month's massive series of denial of service attacks that briefly felled Web goliaths like Yahoo, E-Trade and Amazon.

In most cases, security lapses are the result of a lack of understanding, said Kayne Grau, senior director of information technology at eToys, who also spoke at today's conference. He said that many companies purchase and install software that they think will keep them safe from attack, not realizing the expertise needed to ensure the products actually do their jobs.

"These companies are going out and spending a lot of money on firewalls and filters, and that's a great first step," Grau said. "But if you're installing out of the box, it can be extremely vanilla, it can leave you extremely vulnerable. If you're going to take a big step, you should have a full-time security officer. That should be a major (commitment) for companies. You're dealing with credit-card information, personal information, it's extremely important to make sure it's secure overall."

That means tremendous costs, of course. And Grau later acknowledged that eToys, a 500-employee firm that was the second most popular Web site during the past Christmas shopping season, has only one full-time and another part-time security worker.

Another problem the group wants to address publicly, Simon said, is the issue of what he called "incomplete clean-up and mishandling of credentials" of people both inside and outside of companies. "When someone joins a company, they get a user ID and password, many times on multiple systems," Simon said. "When that person leaves the organization, most times there is not adequate clean-up of those credentials. User IDs end up lying around dormant."

This is exactly the kind of security hole that hacker Kevin Mitnick was famous for exploiting.

"Really these (IDs) just are lying there, waiting for hackers and attackers to come in and to use those," Simon said. "Because hackers, if they're given a choice between using a real brute-force approach and running very computing-intensive applications to try to break into an environment, or of finding default IDs and passwords that haven't been cleaned up correctly, they'll always go for the latter."
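The credential clean-up problem described above, illustrated from a defender's side with an added example (not code from the task force, Computer Associates or eToys): a small Python check that reconciles each system's account export against the current staff roster and flags orphaned, dormant and vendor-default IDs. The roster, the two systems, the 90-day threshold and every account record are constructed assumptions.

```python
"""Orphaned/dormant account review (added illustration, not the task force's
code). Assumes each system can export (user_id, owner, last_login) rows and
that HR supplies a roster of current staff; all data below is constructed."""
from datetime import date, timedelta

# Constructed HR roster of people currently employed.
CURRENT_STAFF = {"alice", "bob", "carol"}

# Constructed per-system account exports: (user_id, owner, last_login).
SYSTEM_ACCOUNTS = {
    "web-store": [
        ("alice", "alice", date(2000, 3, 10)),
        ("dave", "dave", date(1999, 11, 2)),    # dave left; ID never removed
        ("admin", None, date(1999, 6, 1)),      # vendor default account
    ],
    "order-db": [
        ("bob", "bob", date(2000, 3, 14)),
        ("carol", "carol", date(1999, 9, 1)),   # still employed but unused
        ("dave_db", "dave", date(1999, 12, 20)),
    ],
}

# Vendor default IDs that should have been renamed or disabled at install.
DEFAULT_IDS = {"admin", "guest", "root", "sa"}

# Date the review is run (constructed to match the article's date).
REVIEW_DATE = date(2000, 3, 15)

def review_accounts(staff, systems, today, dormant_days=90):
    """Return sorted (system, user_id, reason) for every account needing
    clean-up. Reasons: 'default' (vendor ID left in place), 'orphaned'
    (owner no longer on the roster), 'dormant' (no login within
    dormant_days). A default ID is reported as such even if it is also
    dormant, since it should not exist at all."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for system, accounts in systems.items():
        for user_id, owner, last_login in accounts:
            if user_id in DEFAULT_IDS:
                findings.append((system, user_id, "default"))
            elif owner not in staff:
                findings.append((system, user_id, "orphaned"))
            elif last_login < cutoff:
                findings.append((system, user_id, "dormant"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_accounts(CURRENT_STAFF, SYSTEM_ACCOUNTS, REVIEW_DATE):
        print("%-10s %-8s %s" % finding)
```

In practice the roster and exports would come from the HR system and each platform's account listing; the check is the same, and the findings feed the clean-up step the task force says is usually skipped.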

Authentication is the other main theme hammered on in today's conference. Simon identified authentication as the ability to identify anybody who has a user ID on a networked system, whether it's an employee or a customer, when they access a system.

"Today, as businesses open up their environments, they're opening up their core systems in ways which increasingly allow those customers to access their systems directly," Simon said. "We are allowing customers to access their own data and corporate data. In all those cases some kind of authentication is required."

One of the fundamental problems in preaching security gospel, Simon said, is that too many companies are already looking past the sorts of primitive attacks that took down Yahoo and are focusing on larger issues that are still matters for future consideration. Use of public key infrastructure (PKI) systems that enable creation of online authorization certificates is one example.

"Today in the industry there is recognition that public key infrastructure is a good mechanism for large-scale e-business," Simon said. "But we wanted to address all of the findings of these recommendations at a majority of people who are connecting to the Internet, and a majority of medium-sized e-businesses, so we really didn't focus on PKI. We really felt there were much more problems around with the mishandling of and mis-creation of user names, and weak systems for authentication of user IDs and passwords. And that's really where we focused."

Simon said the task force is intentionally avoiding use of their bully pulpit to market their own products.

"We're not recommending that we implement 'X' firewall," he said. "Really our focus is the whole area of what is involved in these attacks, so everyone can make sure you're not going to be a victim, and so your environment can't be used to launch attacks."

The group's recommendations cover the following areas of security concern:

- Authentication
- Privacy of Information
- Detection of Security Events
- Defense of the Corporate Perimeter
- Intrusion Detection
- Malicious Content
- Access Control
- Administration
- Incident Response

Simon and Grau said that today's recommendations are very broad in scope, and that the group will "drill down" to arrive at more concrete guidelines in future meetings. The group plans to meet at an unspecified location sometime in early April, Simon said. Details on that gathering have yet to be hammered out.

A full report on what the group recommends is available at the Computer Associates Web site at http://www.ca.com/ISTF .

Reported by Newsbytes.com


-- Jen Bunker (jen@bunkergroup.com), March 15, 2000
