The recent series of denial-of-service (DoS) attacks on some of the Internet’s most popular Web sites rocked cyberspace and called into question whether the online community is truly able to handle the massive amount of activity that it now sees.
As a result, the stock prices of companies involved in the online security market surged, vendors found a new opportunity to pitch their wares, and the U.S. government vowed to step up law enforcement efforts to bring the perpetrators to justice.
In the following exclusive interview with the E-Commerce Times, Scott Gordon, director of intrusion detection for security solutions provider AXENT Technologies (Nasdaq: AXNT), discusses e-commerce security issues and offers a blueprint for what companies can do to protect themselves as they transfer their business operations online.
Q What are the most significant security issues facing e-commerce professionals?
A There are a few issues. One issue would be the mere fact that there’s not enough security expertise out there, and often there are not enough resources to fortify e-business initiatives with security. So, even if a company has the budget to open an application to more partners or to address some of the security issues, they may not have the expertise or the resources to have these security systems up and running and fine-tuned in time for the application that they want to deploy.
We see the need for security consulting services so that people can have a partner come in and not only make suggestions on how to continually improve their security processes, but to also work with them to understand their business initiative. They can then bring in our software, or work with another vendor’s software, and actually configure it, tune it and help the company maintain it. So one issue is being able to keep up with demand and implement security as their businesses grow.
The next issue is keeping up with the enormous threat. The number of hackers in the hacking community clearly outweighs the number of researchers, and it’s an awesome, daunting task for any company to rely on themselves to keep up with the threat. That’s where they turn to the security experts. So, I think that it’s our goal to not only provide them with good security tools to minimize risks now, but to come out with timely updates, and have the infrastructure in terms of research to help our customers maintain this risk reduction effort.
Q What are denial-of-service attacks, and what can be done, if anything, to prevent them from occurring?
A Generically speaking, a denial-of-service attack is when a computer system makes requests of another computer system and inundates it with so many requests — without acknowledging receipt that the request was accepted — that the system can no longer accept legitimate requests for service.
These sorts of attacks have been around for quite some time. In fact, there are public domain tools at hacker sites and hacker communities where anybody with some computer expertise or knowledge can download and use these programs.
The recently publicized attacks on the likes of Yahoo!, Amazon, AOL and E*Trade were unique in terms of the use of a specific type of denial-of-service attack and the short timing of hitting all these major sites in just a few days. These were called distributed-coordinated denial-of-service attacks, and these tools, such as Trin00, were actually publicized by Carnegie Mellon University’s CERT (Computer Emergency Response Team) back in the fall of last year.
The way a distributed-coordinated denial-of-service attack works is, essentially, a hacker goes into a third party’s computer system. By way of probing, they exploit a vulnerability that enables them to compromise a system. They are then able to place this rogue application into the compromised system, and instruct that program when to attack and what to attack.
So, you can imagine a hacker compromising numerous systems, placing all these rogue applications that all at once bombard a given target with requests. These sites, which are used to taking thousands and thousands of requests, are overwhelmed by all these systems that are designated to surge and attack at a given point in time, and service cannot be accessed.