Web security fears grow for business

By Published on .

pullq: "Building a Web page isn't a free service, and protecting the site isn't the developer's job. It's a management concern that can't be overlooked," pullq2: "It's an ongoing process -- not a one-time matter," oldclass: 7 When the Web sites of security-conscious organizations such as the CIA, the Department of Justice and the U.S. Air Force are victimized by Web vandals, the warning to business sites seems clear.

Unfortunately, security experts say, most businesses do little to protect their Web sites today. Adding to the problem -- which can be especially serious for those conducting transactions over the Internet -- is that security help doesn't necessarily come cheap.

"Building a Web page isn't a free service, and protecting the site isn't the developer's job. It's a management concern that can't be overlooked," says William Hugh Murray, executive consultant, Information Protection for Deloitte & Touche, a computing consultancy based in Wilton, Conn.


Even if a company Web site isn't used to transmitting information or documents over the Internet, and it strictly provides company information, the thought of what happened to the Justice Department and the CIA is enough to keep some people awake at nights.

According to industry analysts, in both the CIA and Justice break-ins, hackers escaped from Web server applications and gained access to operating system functions via the log-on information still loaded on the Web server.

A primary precaution not taken by the CIA or Justice was to remove access to the operating system used to set up the Web site, before allowing public access.

"In the Justice Department, and CIA Web site break-ins, if there had been no log-on in those servers, they could not have been hacked that way," Mr. Murray says.


In a nutshell, security is a matter of policies, enforcement and diligence.

"It's an ongoing process -- not a one-time matter," says Curt Stammberger, director of technology marketing for RSA Corp., a leading cryptography company.

And even though securing your Web server is a technical issue, the marketers and business executives who manage corporate Web sites need to know what questions to ask their IT department and outside Web developers.

In general, Web site security boils down to a few key elements:

  • Access control: Accomplished with passwords, tokens or, in extreme cases, even fingerprint scanners;

  • Authentication: Accomplished via digital signatures that ensure documents such as invoices or purchase orders transmitted over the Internet haven't been tampered with;

  • Privacy: Accomplished via encryption.

    Businesses must decide on a companywide basis which security measures are important. "Not everyone needs privacy. If purchase orders are flying over the Internet, you may not need privacy but authentication will be important to you," says Mr. Stammberger.

    To get an idea of the enormity of the security products, Web site managers may want to browse to view the hundreds of third-party products listed by RSA in a Security Solutions Catalog.

    The first step, especially if you aren't trained in Web and Internet security issues, is to do your homework. Some analysts recommend books like the "Security Issues for the Internet and World Wide Web" by Computer Technology Research.

    Others recommend contacting the National Computer Security Association (NCSA) in Carlisle, Pa..

    The NCSA is a for-profit association that creates and maintains security-related certification programs. Its newest, started last summer, is a Certified Web Site program, designed to assure Web users that certified sites meet minimum requirements for a range of security issues.

    "There is no 100% security guarantee, but this certification will greatly reduce the chances of a break-in," says Sam Glesner, marketing director for NCSA.

    For a fee of $8,500 for the first Web server, and an additional fee for multiple Web servers, NCSA will certify your site, protecting it from a variety of possible breaches.


    According to Mr. Glesner there are several things that businesses can do to improve their Web site's security, including:

  • Provide access controls, such as passwords for authorized personnel who will access/update the Web site;

  • Maintain logging information, because it identifies those who have accessed your Web site and can be used to help trace troublemakers. (The log is really a Web site traffic report that keeps track of every visitor to your site.);

  • Use a standard encryption mechanism for all sensitive data transmission;

  • Select personnel to act as CGI and JAVA script evaluators, since CGI scripts and JAVA applets have security holes that will enable hackers to access a Web server. (When these applets are left open, hackers can sometimes find ways to access the server.);

  • Make sure Web pages that contain or accept sensitive data are made non-cachable. Data caching enables intruders to store sensitive information on their hard drives or local disk drives, so they can rummage through those files later for passwords and other sensitive information.

  • Most Popular
    In this article: