E-commerce opens up holes to hackers

Just because you're small it doesn't mean you're not a target for hackers, says Jeff Moss.

And Moss knows what he's talking about. He used to regularly break into corporate America's systems, just to learn about how they worked.

Now Moss heads a team of hackers working for Secure Computing in the US, and spends his time breaking into government departments and corporations to show them where the holes are in their security.

"Companies are getting on to the Net and opening up their systems to the world and often they don't realise what a risk that poses."

Moss says beware of the default settings on e-commerce packages, as they are easily defeated. "Default settings include passwords, who can have high-level access, that sort of thing. Many of the factory settings are well known and available."

Moss says the move toward e-commerce will drive the need for security specialists.

"Many companies are doing partner-to-partner transactions with their competitors. One division at IBM may be doing work with Apple, but if they're not careful they'll open up their entire network to each other."

You can forget about the idea of the hacker as a pimply-faced youth sitting in a basement breaking into company systems, says Moss.

"It's other companies. They've got a budget and more of a business mentality. They will want to do something with the information they access."

But Moss believes the greatest threat to a company's security comes from another, unexpected source. "A lot of the time we're discovering that it's your own employees or ex-employees who are the threat."

To combat this, Moss says the first thing companies should consider is their overall security policy. "If the company has no policy, there's no use doing anything else until they get one."

This policy should cover what employees are and aren't allowed to do with the system, and just as importantly, what to do when you fire employees. "Do you remove their access and escort them out or do you leave them on the system until the next batch is ready to be updated?"

Once the policy is in place, Moss and his team are ready to conduct an audit of what needs to be done. "We find that most companies have about 70% of the equipment they need. They just don't realise or understand what they should be doing."

Moss believes that most people are afraid of the idea of hackers but don't understand their mentality. "When people don't understand hackers they tend to get mythologised into these super beings. We try to dispel the myths."

Moss says once the fog has lifted it's not so daunting and the company can begin to make real decisions about its security.

More information about "ethical hackers" can be found at Secure Computing's Web site — www.securecomputing.com.
