Patching security holes isn't enough
CAMBRIDGE, MASS. — Some Web sites are about as porous as Swiss cheese, others are relatively solid. But none are 100 percent safe, says Space Rogue, a computer-security researcher with @Stake, a Web security company here.
Web security is a hot issue right now. When the FBI's Web site was shut down last month, it highlighted the need for more secure systems.
According to the Computer Security Institute, based in San Francisco, last year 57 percent of corporations, government institutions, and universities reported their Internet connection as a frequent point of attack, up from 37 percent in 1996.
"A lot of times, companies will call a security company and say, 'Yeah, we just want you to do a penetration test,' " says Space Rogue, referring to a test of how vulnerable a system is to hackers. "They're missing the boat. It's just a snapshot of the entire thing for that one day.
"You really have to look at the system as a whole and start from the bottom and design the security into it, as opposed to find the hole and patch it. That just doesn't work. The reactive method is old and it needs to change," Space Rogue says. "The goal should not be to make it 100 percent secure. If you set out with that goal, you're going to fail."
Rather than focusing on security breaches, companies should be more concerned with their competition, says Ted Julian, vice president of marketing and business development at @Stake. "A security breach could put you out of business, ... [but] it's sort of unlikely.
"What will put you out of business is somebody adding package tracking or inventory notification. That will kill you," he says. "Security is the No. 1 enabler of e-commerce, because everything else that you do ... will be constrained if you don't have the right security in place."
Oftentimes, says Space Rogue, companies know security flaws exist within their systems that make them vulnerable, but don't inform their customers. "By making flaws public [as some Web sites do], you're informing the customers, which then puts pressure on the corporations to fix the problem."
Space Rogue, who always goes by his cybername, says successful security hackers have a "healthy paranoia. You've got to look at a system and you've got to poke at it. A lot of it's just curiosity. You stumble across stuff."
(c) Copyright 2000. The Christian Science Publishing Society