
The IPO Report

Web Site Security
August 20, 1997

by

Tom Taulli

Tom Taulli is the publisher of the Taulli Report, an online investment site.  You can reach him at tom@taulli.com


In early July, 1997, 2,397 customers of ESPNNet and NBA.COM got a glimpse of the potential dangers of the Internet. A hacker was able to electronically capture each customer's credit card info.

The hacker emailed the following:

"You are the victim of a careless abuse of privacy and security. Your recent use of a credit card on 'zonestore-espnet.sportszone.com' or 'store.nba.com' is documented in a simple text file on a Web page with practically no security. One of our associates found the URL posted in a Usenet group."

The hacker then listed each customer's name, address, phone number and the last eight digits of his or her credit card number. Fortunately, the hacker did not use the credit cards to make purchases.

Officials at ESPNNet and NBA.COM believe that the hacker did not use a complex hack to break into the site, but likely was a former employee who had access to internal passwords.

Unfortunately, there are many commerce sites that have security flaws. According to an Ernst & Young study, of 526 commercial Web sites surveyed, about 46% admitted that they suffered security breaches.

But there are ways of building a secure commerce site.

In September, various experts in network security will meet at a conference to discuss how to solve security problems (http://www.boltonco.com). The conference will focus on a rapidly evolving standard from a company called the National Computer Security Association (NCSA).

The mastermind behind NCSA is Peter Tippet, who founded the company in 1989. Many years ago, he was an emergency room doctor, and he now believes that fighting computer viruses and other security intrusions is much like fighting human viruses. He developed software that scans servers and essentially takes an X-ray, showing all the security holes. NCSA then helps plug the holes, after which the site receives NCSA certification. The certification lasts for one year, during which the company can display the NCSA logo on its site. NCSA does, however, perform random audits, because the NCSA standard is rapidly evolving.

To be certified, a site must meet the following criteria:

  • Network Security: A site must be able to survive network attacks. For example, this can be done using a firewall. A firewall is a proxy that sits between the Internet and a company's internal network. In essence, a firewall serves as a filter--where you can limit which IP addresses have access to the network and the Internet. Also, most firewalls provide a means of monitoring and alerting of security intrusions.
  • DNS (Domain Naming Service): DNS is the system that routes domain names to the servers that host a site. NCSA requires that the DNS information be accurate.
  • NIC Information: If you do a "whois" search on www.internic.com, you can see information regarding who owns a domain name. NCSA requires that a site's NIC information be accurate. There must be at least two different contacts for the domain name. This allows users to contact the company if there is a security problem.
  • Logging: A site must have an activity log (which shows who has visited the site) that is secure and retrievable. This log can be a source of finding those who are trying to hack the site.
  • Secure Connections: If private information is being processed, such as credit card numbers, then a site must use a standard encryption mechanism, such as SSL (Secure Socket Layer), SHTTP (Secure HTTP), SET (Secure Electronic Transactions) and so on. SSL, however, appears to be becoming the standard.
  • CGI (Common Gateway Interface): CGI is a language used on a server to create interactive Web sites (for example, CGI allows for a shopping cart system on Amazon.com). These CGI scripts must be written, analyzed, stored and posted in a secure manner. In fact, hackers use CGI "escape codes" to break into sites.
  • Client Executables: A site must have a person, called a "CxE evaluator," whose job it is to evaluate the security of executables (an executable is a regular program that is downloaded from the Web and is run on the client desktop). Common executables are ActiveX and Java applications--both of which can have malicious code that can destroy data or even manipulate financial transactions (such as taking money out of your Quicken account).
  • Sensitive Data: The part of a site that processes sensitive data must be non-cacheable. "Cache" means storing information on either the client desktop or the server. This is done to help speed-up Internet access. Also, cookies (which are small files stored on a client desktop) must not contain sensitive information.
  • Physical Environment: The servers must be in an access controlled area. There must be a directory of authorized personnel, as well as emergency contact information. After all, more than 90% of all breaches occur internally.
  • Logical Environment: There must be a secure password policy and a webmaster contact.
  • Operational Environment: Sensitive information must be regularly transferred from the server and put into archives. There must be backups and recovery capabilities. The server's private key must be protected by a strong passphrase.
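Two of the criteria above, non-cacheable handling of sensitive data and cookies free of sensitive information, can be checked mechanically against a server's HTTP responses. The following is an added example written for this article, not NCSA's scanning software or any tool the article describes; it parses a captured response (the two sample responses below are constructed) and flags a checkout page that is cacheable or that sets a cookie containing a card-number-like value.

```python
import re

# Digit runs of 13 to 16, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, header name -> values)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts false positives from order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_non_cacheable(headers) -> bool:
    """True only if Cache-Control carries no-store (Pragma alone is not enough)."""
    directives = {d.strip() for d in ",".join(headers.get("cache-control", [])).lower().split(",")}
    return "no-store" in directives


def cookie_findings(headers):
    """Names of Set-Cookie headers whose value contains a Luhn-valid card number."""
    findings = []
    for raw in headers.get("set-cookie", []):
        name, _, rest = raw.partition("=")
        value = rest.split(";", 1)[0]
        if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(value)):
            findings.append(name.strip())
    return findings


def audit(raw: str):
    _status, headers = parse_response(raw)
    return {"non_cacheable": is_non_cacheable(headers), "leaky_cookies": cookie_findings(headers)}


# Constructed samples: a weak checkout response and a hardened one.
WEAK = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: card=4111 1111 1111 1111; path=/\r\n\r\n<html>...</html>")
HARDENED = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-store\r\n"
            "Pragma: no-cache\r\nSet-Cookie: session=opaque-token-3f9a; path=/; secure\r\n\r\n<html>...</html>")
```

Run `audit(WEAK)` and `audit(HARDENED)` to compare the two; the hardened response stores only an opaque session token and is marked non-cacheable for both HTTP/1.0 and HTTP/1.1 caches.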

Interestingly enough, even though a site might have security mechanisms in place--such as firewalls, virus protection software, etc.--in many cases the configuration is incorrect. "It's like having an alarm system that does not notify the police if there is an intrusion," says Robert Davidson, Executive VP at Bolton & Company, a regional insurance brokerage based in Calif. and a co-developer of InsurePoint, an online insurance site (www.insurepoint.com). With NCSA certification, not only will a site have many areas of defense, but the security precautions will also be implemented properly.

But NCSA certification is not cheap. The cost of obtaining the certification is approximately $8500 per server. Then again, having a site hacked can be extremely expensive. It could destroy a business.

"It is not far-fetched to say that Web site security will become a fiduciary duty," says Davidson. In other words, a company will need to take affirmative steps to ensure the security of its site. If it fails to do so, then a company could be subject to lawsuits.

In fact, Davidson's firm has partnered with Atlanta-based Hamilton, Dorsey, Alston Company (HDA), the program developer, as the first retailer on the West Coast authorized by HDA to distribute an innovative policy specifically designed to insure against security breaches of a Web site. What makes their approach novel is that if a company's Web site becomes certified by NCSA, the company is entitled to a discount on the premium for the policy, up to as much as 25%. The insurance policy is underwritten by member companies of AIG (American International Group).

Even the Big Six accounting firms are entering the Web site security business. For example, suppose that Amazon.com hires KPMG to audit its books, but fails to investigate the security mechanisms of the site. If the site melts down, KPMG could be liable.

Even though NCSA is a rigorous standard, it is not fail-safe. There is no way to guarantee complete security. But according to Tippet, NCSA certification can reduce security risk exposures--at a minimum--by a factor of ten. To put this into perspective, if the same reduction were to happen with auto safety, the number of highway deaths would plunge from 40,000 to 4,000.
