A Wall Of Fire

Katherine Gaudette learned the hard way that her company's Web site was vulnerable to an attack by hackers. Founder of Capetown-Rio Inc., a 12-person marketing communications firm located in Redmond, Washington, Gaudette thought she was safe when she implemented a firewall security device (a mix of software and hardware designed to keep out unauthorized Internet users) early last year to protect her company's network from computer hackers. "When we work with customers, we're acting, in essence, as their counselors," says Gaudette, 35. "So we have to make sure what we're doing with them doesn't get shared with anybody else."

But while her firewall held just fine, the ISP hosting her Web site didn't have one. Her Web site was hacked in August--a computer thug entered Capetown-Rio's Web server and deleted key information about some promotional campaigns for major clients.

Safety First

Be afraid--be very afraid--because this could happen to you. In fact, hackers are breaking into Web sites around the world at a frightening pace. Hackers commonly gain access to a company's internal network through holes in its Web server, which is what happened in Capetown-Rio's case.

When hackers break into your Web site, they can copy, edit or delete files. They can vandalize your site by stealing programs and disrupting networks or by crashing sites outright. And once they're on a site, hackers can use phony identities to buy goods and services or they can vandalize a site and change its look, its text and its overall message.

The easiest way to prevent a hacker from entering your Web site is to implement a firewall on your Web server. Firewalls keep unauthorized people out by monitoring the flow of information between a company's Web server and the Internet. The firewall identifies and selectively blocks any unwanted communication. "A properly configured firewall will stop all Internet attacks," says Peter S. Tippett, founder and chief technologist of ISCA.net, a security consulting firm in Reston, Virginia.

Tippett says the problem is most sites don't have properly configured firewalls--the person setting up the firewall may have erected it in the wrong place, for example, or connected it incorrectly. In fact, ICSA.net researched more than 2,000 Web sites last year and found that while all had firewalls, more than 80 percent were still vulnerable to being hacked with the use of easily available tools.

"These companies are worried about their security and seem to be trying to do the right thing," Tippett says, "but they're doing the equivalent of putting an airbag in the backseat of a car when it comes to security precautions."

Before implementing a firewall system, consult with a security expert who can tell you what kind of security solution you need for your business. The person in your company who put up your Web site may know whom to call; otherwise, ask your Web consultant or Web-hosting company for the name of a security expert. The expert will want to know if your site was created in a secure fashion: Did your Web developer use secure protocols and software when building the site? Is the ISP that's hosting your site secure?

Not sure how secure your site is? Try testing it. ICSA.net's Security Snapshot system, available free of charge, allows you to click on to ICSA.net's site, answer questions about your security program and then enter your e-mail address. ICSA.net will run various tests against your company's site and then e-mail you a "Risk Index" score in six categories that include hacking-related risks.

Managed Security: In-House . . . Or Out?

If you don't know anything about Web-site security but prefer to keep your security management system in-house, try a good full-service solution, such as WatchGuard's $4,990 LiveSecurity System.

WatchGuard's system includes fire-wall software and other security features and combines them into an appliance called the WatchGuard Firebox. The appliance has three ports, allowing you to set up your Firebox to secure your Internet connection, LAN connection and e-mail server.

The system also includes the Live-Security Broadcast Service, which informs you of hacker threats, viruses and vulnerabilities in new software versions. It keeps you informed by transmitting new articles and editorials on security content over the Internet directly to a desktop computer.

One low-cost solution is ConSeal PC Firewall from Signal 9 Solutions, a software program which costs anywhere from $50 for a desktop version to $295 for an NT server version. While this system is robust and can carefully guard your computer and Web site, you should be familiar with the program and the necessary computer code if you plan on installing it without a well-versed professional.

If you don't have time to manage your security in-house, you can outsource it to an ISP or a Web-hosting company, many of which offer managed security systems. GTE Internetworking, for example, offers a version of WatchGuard's system called GTE Security Advantage, which costs $795 per month, plus a one-time setup fee of $995.

Other ISPs and Web-hosting companies offering similar security systems are PSINet and Verio Inc.. Another option is using services from a new crop of vendors called managed security suppliers, such as LURHQ Corp., which works with Fortune 1000 companies, and Internet Security Systems Inc..

Safe And Secure?

Unfortunately, no matter what type of system you choose to implement, as a small-business owner, you'll probably be more at risk for security problems than larger companies.

"Small businesses are probably at greater risk because they don't have an in-house staff monitoring the security of their system, and entropy sets in," says William C. Boni, leader of PricewaterhouseCoopers' Information Protection Practice and co-author of I-Way Robbery: Crime on the Internet (Butterworth-Heinemann). "If you don't maintain a consistent degree of readiness, [Internet security measures] actually become ineffective over a period of time."

While getting involved in the world of e-commerce is almost a necessity these days, remember the security risk is great--and it's only going to intensify in the future. Luckily, firewall costs are now coming down, according to Tippett, and ISPs are improving their security setups. So there's help on the horizon.

Next Step

By Robert McGarvey

• Microsoft (http://www.microsoft.com/security): Microsoft's security site is chock-full of bulletins, checklists, news and tips regarding security.

• CERT Coordination Center (http://www.cert.org): Part of a federally funded research and development group at Carnegie Mellon University, CERT's Web site is a reliable source of accurate, objective information about viruses and Internet vulnerabilities.

• The SANS Institute (http://www.sans.org): The System Administration, Networking and Security Institute and its Web site provide informational materials about site security as well as information about SANS-sponsored conferences focusing on user experiences and security problem-solving.

• International Computer Security Association (http://www.icsa.net): Even though this is a for-profit association, check out its site for objective information about firewalls and other security tools. The Web site offers a staggering amount of information, and much of it is free.

• Hackers.com (http://www.hackers.com): This site is run by a group of hackers intent on clearing the name of these self-proclaimed "curious" explorers of the Web.

• Business Security e-Journal (http://www.lubrinco.com): Sign up here for a free, monthly newsletter on security. A recent issue delved into the security perils posed by voice-mail systems and also gave a snapshot of what it's like to work undercover. It's a useful read, presented in short, snappy prose.

Contact Source

Capetown-Rio Inc., (425) 869-2005, http://www.capetownrio.com