Event Summary
While law enforcement agencies chase their tails in an international hacker hunt, hosting providers and eCommerce CIOs have surprisingly escaped the wrath of accountability. Stockholders of Internet companies should be asking who inside their investment holding is responsible and is being held accountable for security. If no one is held accountable, you can be assured that security will continue to be a low priority.
All too often in Internet companies, security is an afterthought. The executive management team chooses not to take enough measures to protect its customers and systems until after a security incident of considerable magnitude has taken place. This consistent pattern of locking the barn door after the horse has been stolen has been going on in Internet companies for years. In fact, it is incredible that many large-scale corporations have experienced significant security violations and have managed to keep these violations from reaching the front page of the Wall Street Journal.
Some hosting providers knowingly expose customers on insecure backend networks simply because internally security is not given a high enough priority. Typically, getting new customers up and running has a much higher priority than securing existing customers. When it comes to provisioning new customers, hosting providers often become neglectful after the honeymoon period is over.
If an Internet company is outsourcing its web hosting to a service provider, a member of the executive management team needs to be held responsible for making sure its service provider has taken due security precautions. If your service provider claims your site is secure, they should not have any qualms about their customers performing audits on them.
Market Impact
For publicly traded companies, when a site goes down due to a security attack, this affects the bottom line.
Fig. 1 Amazon.com Share Valuation Drops after Site Outage due to Security Attack.
Amazon.com has seen steady declines in the valuation of its stock since its site suffered a prolonged outage due to a Distributed Denial of Service attack on February 9th. According to the Yankee Group, eBay, Buy.com, E*Trade, and Amazon cumulatively suffered losses in excess of $1 billion in the second week of February when they were hit with what is known as a Distributed Denial of Service attack.
Fig. 2 Ebay.Com Share Valuation Drops after Site Outage due to Security Attack.
Attorney General Janet Reno, testifying before a Senate panel, called the challenge of averting cyber-crime "one of the most critical issues that law enforcement has ever faced," the Associated Press reported. Among security professionals, time spent chasing hackers has long been regarded as something that typically never proves worthwhile.
User Recommendations
- Organizations that participate in online eCommerce need to hold someone responsible for the security of their site -- in most cases, this should be the CIO.
- Shareholders need to hold businesses responsible for their website security.
- Directors of public corporations should insist that the CEO of their corporation hold someone accountable for the security of their networks, website, and infrastructure.
- CIOs should ensure that their eCommerce sites undergo an independent Security Vulnerability Assessment at least once a quarter.
- Only purchase a Security Vulnerability Assessment that has a module that can assess susceptibility to Denial of Service attacks as well as other common exploits, such as those reported to the SecurityFocus Bugtraq mailing list.
- There are various products on the market that can protect websites from the Denial of Service attacks known as SYN floods. CIOs should ask their hosting providers what they are doing to protect their customers from SYN floods.