RealTime IT News

Despite Consumer Confidence, Security Issues Remain

According to one network security expert, senior management executives at major financial and e-commerce organizations are chiefly to blame for the many security flaws found in today's Web sites.

Peggy Weigle, chief executive officer of e-commerce security firm Sanctum Inc., said it's mainly because of management requirements that Web application developers are stuck producing vulnerable sites, easy prey for malicious hackers (called crackers).

Developers are doing this, she said, because management wants them to build sites that are faster, stickier and more attractive than the competition's.

In other words, function is compromised in favor of form.

That, coupled with an alarming lack of education in application security, makes many sites vulnerable to break-ins. According to Weigle, there are only 2,000 qualified developers for the 640,000 B2B and B2C registered sites worldwide.

"At the end of the day, senior management needs to be taking more responsibility to ensure that their site is secure," Weigle said.

Many people, mainly the media, are under the assumption that (server exploits) are happening at the network level, Weigle said. But it's at the application level, behind the firewall, where the back end databases are kept and getting infiltrated by the wrong people.

In the 70 audits Sanctum has performed in its three years of operation, Weigle said her team was able to compromise the integrity of 97 percent of them, in one of four ways: stealing proprietary corporate information, garnering customer information like credit card numbers, altering the prices on e-commerce sites, or defacing the site itself.

Regardless of who's to blame for security, two recent studies emphasize one fact: companies better get their security act together if they want to cash in on the growing numbers of online shoppers.

Market Facts Inc., a global market research company, released the results of a study Tuesday that show 80 percent of online consumers feel the benefits of the Internet outweigh any drawbacks and potential problems.

What's more, about 56 percent of those polled said they were comfortable giving out their credit card information while another 40.1 percent of those polled said they felt comfortable or somewhat comfortable about giving out personal information.

But offsetting that comforting statistic is a study that shows an increase in cyber-crime in the past year, according to the sixth annual Computer Security Institute/Federal Bureau of Investigation Computer Crime and Security Survey, released Monday.

It used to be crackers were content with defacing Web sites, such as the incident this weekend at the Girl Scouts of America home page, which was usurped with the usual hacker tirade.

In the incident, originally reported to the Attrition Web site, crackers were not only able to code their way through the www.girlscouts.org domain, they were also able to affect its alternate domain, www.gsusa.org.

And it's not just the organizations that have a passing knowledge, institutionally, of the Internet. Microsoft Corp., which is in the middle of a major marketing push to put its services online, lost face when its Domain Name Servers were allegedly cracked in January, putting the site in and out of commission for nearly a week.

Sjofn Agustsdottir, director of surveys and special projects for DNS security firm Men & Mice, said that although many Fortune 500 companies have tightened up their security, many are still at risk if they don't acknowledge a security problem.

"(There) is a grave lack of concern for protecting private information," Agustsdottir said. "As the FBI recently announced, hackers from Russia are attacking vulnerable holes such as the BIND DNS flaws in major corporate organizations. Issues like the BIND DNS flaws can be dealt with by simply upgrading t