Leslie Walker's Dotcom Live
Discussion with Mike Higgins, president of Para-Protect Inc.
1 p.m. EST: Thursday, February 3, 2000
As the Internet grows and the electronic flow of information increases, more and more concerns are raised regarding the security of documents, e-mails and information. In fact, the number of security breaches is not only rising but also going largely unreported to the FBI. Instead many companies are opting to bypass the FBI when they detect a hacker attack, instead calling the equivalent of digital Ghostbusters -- private security consultants steeped in the eerie world of hackerdom.
Indeed, the e-security industry is being turbocharged by the rise of electronic commerce and computer hackers. A new breed of security firms is being cultivated to go mouse-to-mouse with digital intruders. A digital arms race is underway between hackers, who are developing tools to make computer break-ins push-button easy, and the software industry, which is frantically working on tools to thwart them. Mike Higgins, president of Para-Protect Inc., has been in the security business for years. Mike has written extensively on the subject and joins us live at 1 p.m. Thursday to discuss the threats lurking in cyberspace.
Submit your questions early.
Let’s start with you, Mike. I find your background curious. You set up the first computer SWAT team at the Department of Defense, then served as DOD’s deputy director for information security at a time when cyber-crime was still a brand new concept. Now you run a start-up in Northern Virginia doing for private companies what you used to do for government.
Tell us more about your government roots. What lessons did you learn from studying information warfare?
Mike Higgins: As the founder of the Automated Systems Security Incident Support Team, I realized early on that the issue most important to both government and business was operations and availability. The focus of most government emergency response teams at the time was to support the operations of the information processing systems. Businesses are no different; they need to support the availability of their own information processing systems.
As the Net and e-commerce continue their rapid expansion, information infrastructure is becoming crucial to private business as well as governments. President Clinton outlined plans last month to spend $91 billion to protect computer networks and create a CyberService that would work like ROTC, signing up college kids to fight hackers.
Are these initiatives enough—will they really help?
Mike Higgins: Any initiative of this nature will of course help because it focuses attention on the problem of the shortage of qualified IT professionals in the security field. However, until the commercial structure steps up to the issues and supports them by providing positions and career paths, the likelihood that a government-centric solution, in and of itself, will succeed is relatively low.
The good news, though, is that the government, through this action, will focus attention and may even encourage individuals to enter the information security field.
How often are credit card numbers really stolen online? Was the recent case of the music site having its customers' credit card data exposed an aberration?
Mike Higgins: Although there are no good statistics, there is a lot of anecdotal information. The recent "hack" at CD Universe is one of the latest examples, but others such as the attempted extortion of Visa also take place on a fairly regular basis. However, the responsibility for security still lies with the e-commerce sites themselves. The rush to be first to market sometimes overshadows the need for tight security. These incidents that have been covered in the media should not dissuade you from trusting e-commerce in general; they should just make you cautious about whom you do business with.
When I recently logged onto a personal start page site I got a pop-up window informing me that there was no encryption and a subsequent window told me my "certificate" had expired at the end of the year. What do I do now to make sure I'm secure?
Mike Higgins: It sounds to me as though you're using an old version of your web browser. You should update your browser to the most current version, which will have current certificates in its database. While that won't make sure that you're secure, it sure is an important first step.
We are a Civil-Environmental Engineering Firm. Are we really at risk of being "hacked"?
Mike Higgins: Yes. The reality is that most hackers don't look specifically for a particular target, but they scan the network in general looking for vulnerable targets. While you might not be the true target per se, a moderately skilled attacker might be able to use your site to launch attacks at other sites, in turn exposing your company to quite a bit of liability. Further, if your company has intellectual property that it seeks to protect, an attacker could be able to steal or alter that data via an intrusion on your network.
Mike, 2 questions: 1- what minimal recommendations would you have for a person just starting a small business, or one who has a small business and not a huge operating budget? 2- Is it unreasonable for a small business operator to expect his/her internet presence provider or ISP to actually use realistic security on their systems; if so, how can s/he check to make sure the ISP is actually doing what they say?
Mike Higgins: Good questions. 1 - If you plan on having a presence on the Web, then you should consider having it hosted by a reputable company -- one that puts security responsiveness directly in its contractual obligations to you, the customer, and has (preferably) been vetted by an independent third party. Ask whomever you plan on doing business with what their security policy is and whom they use to verify their security. Get these things in writing whenever possible.
2 - It is not unreasonable at all. Quite the opposite; even as a small business, you should expect your ISP, hosting site, etc., to follow best business practices with regards to security. Similar to my answer in 1 above, ask your ISP and get the answers in writing if possible. Security should be one (of many) evaluation criteria in selecting a reputable ISP to support your small business.
At Carnegie Mellon, the Computer Emergency Response Team (CERT) has been keeping tabs on computer hackers for 11 years. It's seen a steady increase in computer crime, logging more than 8,000 incidents last year alone, including many unauthorized intrusions into Web sites and private computer networks.
Where do you see this headed—will it get worse or better?
Mike Higgins: The real question is whether there are more incidents occurring or whether we're (as a community) getting better at detecting them. Statistically, as the net gets bigger and the number of computer-literate citizens on the net increases, there are going to be more crimes. The tools for executing these crimes continue to evolve and improve so that the technical know-how required to attack a system continuously decreases. That implies that the number of attacks is going to continue to increase.
So, to answer your question directly, "worse".
What does it cost to get the electronic equivalent of a burglar alarm for your Web site? Ditto for your private network offline.
Mike Higgins: That partially depends on the complexity of your web site and private network, but there are several solutions for both small business and home users that are affordable and effective. Software solutions (e.g., BlackIce and NFR's Back Officer Friendly) start at just a few dollars per system. Hardware firewall/monitoring solutions start at just several hundred dollars and provide a more robust security perimeter.
College Park, MD:
What are the chances of a person's ordinary e-mail being read by anyone along its route through cyberspace? Where does it actually become available for viewing to people other than the intended recipient, and how?
Mike Higgins: Due to the sheer volume of email on the Internet at large, the actual likelihood is quite low. However, the capability of "sniffing" email on the net has been around for several years, is readily and freely available, and is seen in real-world incidents on a daily basis. Further, with the advent of cable modem and similar networks, it is now possible/feasible for your next door neighbor to see all of your email traffic with a freely downloaded piece of software. Think of these systems as Internet party lines where several houses in a neighborhood share the same line -- anyone can listen in at any time.
I'm particularly interested in security from hackers when dealing with on-line investing. Are such activities (buying and selling stocks, transferring money, etc.) really secure? How do firms like Schwab et al. protect us, or are we subject to all risk?
Mike Higgins: Start by verifying that the web browser is using encryption during your on-line trading sessions -- look for the little closed padlock in the corner of your browser screen. Next, be sure to do business with reputable trading firms that have robust security policies and practices. (Ask them for written specifics.) Lastly, there is a huge amount of on-line trading taking place. The likelihood of any one session being compromised by an attacker is relatively low.
Most analysts predict that the majority of business will eventually be conducted online. What is being done to protect the security of high-value business transactions? Do you think that digital signatures are appropriate for transactions that must be verifiable for a long period of time, for example, home mortgages, insurance policies, etc...?
Mike Higgins: As far as what is being done to protect high-value transactions, it is up to the individual companies that are involved in the transactions. Most reputable companies do a pretty good job. However, this is still an emerging business, at least with regards to Internet-based transactions. Standards do not exist in any formal way. I hope that, in the next few months, reliable third-party validation of security practices will become widely available and accepted.
On the topic of digital signatures, they can be very effective and efficient, but need to be implemented more universally and on a fundamentally solid infrastructure. That infrastructure does not yet exist universally. Getting a digital signature from a site that has been compromised by an attacker is not worth the bytes that it's printed on.
If my system gets hacked and one of my customers is damaged (like private information revealed or something like that), am I responsible or liable in any way? Or is it the responsibility of the hacker?
Mike Higgins: I am not a lawyer... If I were, I'd be charging you a lot of money to say "yes, you are liable". The real answer is maybe. A lot depends on how the attack took place -- e.g., what practices were you following to protect your systems and so on.
Tell us about domain name hijacking. This is a strange new crime -- or is it even a crime? People are actually rewriting the addresses of Internet sites -- the files inside certain central computers that tell everyone where Web sites are located (these computers are called "domain name servers").
How often is this happening-- and am I correct in assuming it’s illegal?
Mike Higgins: Domain Name Servers are like phone books on the Internet in a sense. If someone were able to modify the phone book to point a person's name to a different phone number, all calls (looked up through the phone book) would go to that incorrect number. The analogy on the Internet does happen, but not on a daily basis. Is it a crime? It might be; time will tell. Is it wrong? Yes! There is no valid reason why this takes place, and if it isn't a violation of a specific law then it should be.
I'm curious how often Web sites are attacked -- or shut down -- by enemies or people who fancy themselves pranksters. You call this a "denial of service attack." Just how easy is it to attack a Web site?
And can you tell us about the new tool called TRINOO you’ve warned clients about?
Mike Higgins: The ease of hacking web sites is directly proportional to the time and energy spent designing a secure web site and the subsequent maintenance of the web site once in operation. Some problems cannot be predicted (a new vulnerability in the Microsoft IIS application), but there are a lot of very well known security vulnerabilities that are just ignored due to inexperience, speed of getting the web site on line, or in some very isolated instances negligence on the part of the designers and builders.
Once a Web Site is up, the responsibility remains on the part of the owner to make sure someone is watching the vulnerability alerts to assure that their security hasn't been eclipsed by a new vulnerability.
Wish I could say, "do it once, do it smart and it will be okay," but that just doesn't happen. Every week a number of new vulnerabilities are discovered and publicized which need to be reviewed for their impact on your business.
Have you ever personally handled a case where money was stolen online? Or for that matter, where anything of value was stolen electronically?
Mike Higgins: Personally, yes... I have been involved. I wish I could say I was more involved, but I'm the boss; I more often manage the staff that is personally involved. Has my staff been personally involved? Absolutely. Fraud, extortion, and theft happen regularly. Crime hasn't changed; the vehicles to commit the crime and venues of the crime have changed.
You're painting a pretty scary picture -- but how can a person learn what to do or how to do it? Any good books on the subject?
Mike Higgins: I'm sorry for painting a picture of doom and gloom. Is it bad? Yes, all the experts agree on that. Are there things that can and are being done? Yes to that as well. Are we better today than a year ago? Yes as well. Technology is improving, more products are making their way into the marketplace, and awareness is increasing. These are all good things. There are a number of good books on the subject. Instead of plugging any one book over another, I would encourage you to do two things. First, use the web: search on "information security" and "computer security" on the web and use this as a resource to learn the right questions to ask. Second, use a resource like Amazon.com and see what others think about books on information security.
I can't help thinking the media is blowing the threat of hackers way out of proportion. We all know it happens, but how common is it really? Aren't most hackers just bored teenagers who do little damage?
Mike Higgins: Let's categorize the attacks that you mention a bit... Of course, there are a large number of "bored 14-year-olds" sitting at home and running attack tools against corporate systems. They can be an annoyance and even do real damage, and these happen all the time. When you get down to the resourced industrial spy, thief, etc., the numbers go way down, but then the impacts go way up. Finally, think about my earlier statements: the attack tools are getting better and require far less technical skill to run. Who writes these tools? What is their motivation? And what is their true intent and target? I don't know all the answers to these questions.
College Park, MD:
Tell us some common mistakes you see people making when they set up the sites on the Web.
Mike Higgins: They rush to get their product or service to market and don't pay enough attention to the security of the site. Know what the vulnerabilities are and what the likely threats to your site are, and secure the site accordingly. Security should enable what you're trying to do, but it shouldn't be an afterthought to be retro-engineered after the first time that the site has been hacked.
A simple first step might be to search the web for vulnerabilities associated with the application that you're planning on running. If you haven't done that, then you're likely to overlook a problem.
Unlike the private sector, the gov't isn't worried about the ROI; they want to serve their customers best, with the lowest costs and time spent. But loss, theft and altering of personal data are just one of many unsatisfying potentials with this rush to web access.
Being involved in Gov't working groups, and having been in InfoSec for many years, I wonder how the issue of proactively securing systems is being addressed when there is such a push for E-Commerce and unfettered on-line access to national databases with little mention of or funding for security?
Is the caboose in front of the engine? Is the payload directing the guidance system?
Mike Higgins: (Is that you, Bob? Bawb?)
The problems of government and commercial industry are remarkably similar, but with different names at times. The challenge for government-based security professionals is to translate commercial ROI into a language that their bosses understand. In many instances, public embarrassment or accusations of misuse of resources to protect public information are enough. Each agency or department will be different, and it is the task of the professional to determine what the hot buttons and key motivators are which will succeed in raising the issue to a level where budget and resources are applied to the problem.
We are running out of time for today, folks.
Do you think our U.S. laws are adequate for prosecuting hackers? And what if the attack is launched from abroad?
Mike Higgins: No. But no country's laws are sufficient. The legal system typically lags behind technology. The very nature of the Internet is a borderless global society (that Al Gore did NOT invent). The idea that a single country can legislate the entire Internet is absurd. We don't have a model that efficiently addresses the borderless nature of the Net.
As I said earlier, it is easy to paint a doom and gloom picture. Technology has risks, and security is perhaps one of the biggest risks to the explosion of e-business and e-commerce. On an individual level, consumers must rely on the business to protect the information provided. On a corporate level, the threats have not changed at all in the last 20 years: fraud and embezzlement, extortion, embarrassment and reputation loss, liability, loss of market share, regulatory violations, systems outage, loss of property, and theft of data remain the same. What has changed is the mechanism which people will use to commit these acts against businesses. Having the knowledge about these threats, preparing to address them proactively, and using the resources available both technically and with experts in the field will enable your company to stay in business.
Keeping your business in business means knowing and addressing the state of the hack. Help is out there, use it.
We are wrapping up today's dialogue. Thanks to our guest, Mike Higgins, for explaining the intricacies, challenges and pitfalls of electronic security. Thanks, too, to those of you who tuned in and asked thoughtful questions. Hope you'll join us again in two weeks.
And for those of you who sent in questions and feedback about the newspaper industry -- my prediction in today's column that print on paper will eventually die -- stay tuned. We'll be having a live chat about that in a few weeks!
© Copyright 2000 The Washington Post Company