Can You Hack Internet Security?

By Jeffrey W. Rasco, CMP

Reprinted from The Meeting Professional with permission of the author.

“The Highlander” says it’s social engineering.

The Systems Engineer says it’s nothing less than terrorism.

What is it?  You may know it as hacking or cracking, spreading Internet viruses, or otherwise fouling things up for the rest of us online.  It is Internet security, and it goes a lot deeper than whether or not to enter your credit card number to register for a conference or buy the latest bestseller from Amazon.com. 

Last month we wrote about broadband access to the Net, and how these systems supply “always on” access.  It can be a blessing or a curse.  If the link is always open, holes can exist for unscrupulous types to enter into your computer, and from there into your organization’s, or worse.  Even the sole proprietor in a home office can be a target. 

We have to face facts.  The Internet is not an entirely nice place, and managing sensitive data is no longer the exclusive domain of information technology professionals.  In this month’s column, we will look at some security issues and discuss how you can best deal with them whether you work from home, or in a cube farm.

Breaching Security

A couple of years ago, computer hackers brought the Internet wobbling to its knees in organized, high-profile attacks on popular sites including Yahoo, Amazon, eBay, E*Trade, CNN, Buy.com, and a number of others.  Similar attacks occur against individual organizations with alarming frequency.  These assaults, where computer systems are inundated with millions of bogus hits are called “distributed denial of service” attacks, because they slow or shut down Internet services under their sheer weight.  

In May 2000, the infamous ILOVEYOU virus hit 45 million computers in 20 countries causing $6 billion in damage.  There are tens of thousands of viruses cataloged, and hundreds more crop up every month, creating time-stealing nuisances at best, and financial devastation at their worst.  Especially since September 11^th, many in government fear a terrorist assault on the nation’s computers more than suicide bombers or biological attack.

 “The Highlander” is an Internet security expert and part-time hacker.  He explains that hackers use their expertise for good (or simply recreation), and many have created successful businesses finding security flaws in organizational systems.  Crackers, on the other hand, are the ones who create and distribute viruses, or search for holes in Internet security and exploit them in order to steal or create havoc.

The Highlander (and the bad guys, too) prefer to breach the security of host computers rather than attacking the encrypted transmission of information.  “Social engineering” is simply tricking others into believing the hacker can be trusted. He has been so successful at simply calling someone in an organization and getting them to provide a password or other entry information, he rarely has to resort to a technical assault.

“Why try to break 128-bit encryption when you can talk an employee out of a password?  A lot of time and money are invested in technical solutions to security problems, when a better investment may be in training staff to protect sensitive information,” he says.

“Most events have websites these days, and many or most of them conduct business online,” warns the Highlander.  “Someone in the planner’s office with administrative access to the site can expose their organization to tremendous liability, and their customers to credit card losses and identity theft with just a slip of the tongue.”  He advises that credit card and other sensitive data be kept separate from your main site, either through a third party or separate server, and definitely behind a firewall.

Firewall technology creates a block to unwelcome users, and is fairly easy to implement, according to our security expert.  They can be sophisticated hardware/software configurations for larger systems, or software solutions such as those from McAfee, Norton, and ZoneAlarm for the home office.  The latter are available free, or at nominal costs from the suppliers, and can keep a cracker from accessing your data, or worse, using your computer to launch an attack on others.

The View From Inside

The “System Engineer” is vice president of an industry-leading e-commerce provider, managing thousands of events-related transactions per year.  They are not taking any chances.  Simply publishing his company’s name could set them up for attack.

“What drives hacking and cracking is the challenge,” he says.  “It is nothing but engineering arrogance.  It’s information terrorism, plain and simple.”

He agrees that security begins at home. “Technical security measures must be in place and frequently refreshed, then management has to insure that everyone is vigilant, and every employee knows it is their job to protect data 24/7.” 

Both gentleman say meeting professionals can’t be expected to be experts in Internet security, but when dealing with their internal or external technology partners, they should expect to see a written data plan.  It should include details on network security, data encryption, site certification, verification of trusted sites, user authentication, user security and protocols.  What happens when someone leaves the company?  What nondisclosure, privacy statements, and reminders to staff are in place?

There should also be a disaster recovery plan – where the company is equipped, prepared and ready for the unexpected fire, flood or other disaster on the premises.  It should involve all vendors and providers to the service group.  Satisfy yourself that these items are in place, and be diligent about updates.

What Can I Do?

There are some security basics that every computer user should master to protect themselves, their organizations, and their clients.

·         Get virus protection, and use it.  Norton and McAfee are both popular.  Keep the software updated, and do a full scan of your system regularly (at least weekly). 

·         Don’t open e-mail from people you don’t know.  Especially if it contains an attachment.  This isn’t failsafe, but it is a good habit to get into.

·         Disable auto preview features in your inbox. 

·         Delete chain e-mails and other spam.  Do not reply to them.  Do not send them to “everyone you care about.”  These are just another type of virus in that they cause Net and inbox congestion. 

·         If a friend or co-worker sends you an e-mail warning of a virus, check it out before you act on it.  McAfee and Norton both have comprehensive files on virus hoaxes.  

·         Set up a personal firewall if you are not protected by your organization’s system.  Test periodically to see that there are no holes (free at www.hackerwatch.org). 

·         Turn off your computer if you are not going to be using it for an extended period, or at least unplug the Internet cable.  They can’t hack it if it isn’t on and online.

·         Change your passwords frequently, and don’t be obvious.  Mix up letters and numbers, don’t use things like initials and birthdays.  Never, never, never tell anyone your passwords.

·         Always check your browser before you enter sensitive data.  Both Microsoft’s Internet Explorer and Netscape’s Navigator show a closed “lock” icon when secure.

·         If you collect any data on your site, have a thorough privacy policy.  Review the privacy policies of the Websites you frequent.  Don’t do business with companies that won’t protect your privacy and put it in writing.

·         Make sure your e-commerce site, and any that you visit has site certification and a clear privacy statement.  VeriSign and TRUSTe are two of the more popular certifying groups.

·         Back up your important data.  It’s best to have at least a couple of backups in separate locations.   If a baddie does get to you, at least you won’t lose everything.