So far, the Internet has been a pretty safe place to do business. Or has it?
Seven hackers—members of L0pht Heavy Industries, an independent watchdog group—this week told the Senate Committee on Governmental Affairs that it would only take 30 minutes for them to render the Internet unusable for the entire nation. The individuals testified under their Internet aliases.
In fact, they asserted the Internet infrastructure is so fragile—the underlying network protocols are more than 20 years old—that it would be possible to terminate communications between the United States and all other countries, and to prevent major backbone providers such as MCI and AT&T from routing network traffic to each other. The hackers said they contributed these findings, and at least 19 security advisories, to the appropriate government agencies.
L0pht members are concerned about government and corporate naivete about security, and their testimony can raise consciousness among corporate users, said Mark Gembicki, executive vice president of WarRoom Research LLC, a provider of business competitive analysis and developer of the new report "Corporate America’s Security Intelligence Risk."
As if the L0pht members’ startling testimony wasn’t enough, officials from the General Accounting Office told the committee that the GAO has uncovered serious computer security weaknesses at the State Department and Federal Aviation Administration that could jeopardize those agencies’ operations. For example, penetration tests revealed that the State Department’s sensitive but unclassified information systems can be easily accessed, the agency lacks a comprehensive information security program and the organization is not adequately promoting awareness among its employees.
Last week’s hearings—the first in a series chaired by Sen. Fred Thompson, R-Tenn.—are being held to assess the security of government and corporate computer systems and telecommunication networks.
Similarly, large corporate users are striving to get a handle on their security vulnerabilities.
Many "CEOs are babes in the woods" in their understanding of information security and are looking for direction, said Gembicki. To get that direction, many organizations are looking to penetration testing services, according to security experts. These services attack enterprise networks to help organizations determine how the deployment of Internet technology may make them more vulnerable to data access, alterations of data, disclosure, disruption and denial of service by unauthorized users.
The GAO, for example, used penetration testing to expose the vulnerabilities in the State Department’s networks. The methods used by the penetration testing team might have been used more maliciously to delete or modify important data, scrutinize network traffic or shut services down, officials said.
"Anyone running Internet commerce should do something to make sure they’re as secure as they can be. To do that, they have to understand where the vulnerabilities are," said Len Ashby, president of the Center for the Study of Insurance Operations, a Toronto-based property and casualty insurance company that recently was tested by Secure Computing Inc.’s penetration assessment team.
"There were no dramatic findings, but there were a number of minor ones—all of which could have provided more information to hackers or [more information] than bona fide users needed," Ashby said.
Penetration testing is becoming a critical part of doing business over the Internet, experts said, but organizations should be careful whom they hire to conduct the testing. "You have to find a team that is knowledgeable—not just about point products, but about enterprise security," said Art Wong, president of Secure Networks Inc., a security assessment firm that was recently acquired by Network Associates.
To be effective, a penetration service must understand its client’s business, use a mixture of commercially available and home-grown intrusion detection/scanning tools, and know how to derive pertinent information from those tools, said Jeff Moss, director of Secure Computing’s assessment services and founder of Def Con, the world’s largest annual hacker convention.
Ashby said he chose Secure Computing because its team was not only interested in his company’s business, but is comprised of savvy, "ethical" hackers. If a penetration team "isn’t attuned to your business, they won’t be able to do a proper risk assessment. They could spend a lot of time doing things of no value to you at all," he said.
Or they could wind up getting too much information about your company’s vulnerabilities—a concern of many Fortune 1000 IT managers.
According to a WarRoom Research survey of 320 Fortune 1000 companies, nearly 50 percent of respondents were interested in some type of penetration testing. However, "everyone’s concerned about letting [penetration services companies] in too far [and allowing the services to] walk away with vulnerability information," Gembicki said.
Some companies are trying to train their own staffers to detect vulnerabilities and attacks, he added.
The cost of such services should also be scrutinized closely. Some penetration testing services are "grossly overpriced," charging in excess of $3,500 per day, per consultant, Gembicki said. A good service will train its client’s IT staffers to identify and fix security problems on their own, he added.
Some IT departments are relying on off-the-shelf intrusion detection and scanning tools to identify holes in their networks. However, these tools—high-tech burglar alarms that monitor networks or operating systems for suspicious activity—are still maturing, and users must know how to deploy them properly, industry experts warn.
"There is never such a thing as perfect security. Everything you put in place is a hurdle. Some are little, some are very big. Intrusion detection is another hurdle," said Ira Winkler, president of the Information Security Advisory Group, a provider of penetration services.