Securing your network
Your startup's survival depends on it

Brian Martin
DSIC Security Consultant
June 2000

 Everyone must pay
 You will be targeted
 Fixing it now is expensive!
 Consequences of not fixing it
 A bit of free advice
 It's that easy?
 About the author

Collecting customer demographics is good, and collecting payments online is good. But it isn't good if this information is stolen from your company's computers. Brian Martin examines how -- and how often -- this really happens, and what you can do to prevent it.

In the last twelve months, over one million consumers have been the victims of personal information theft. These ordinary Web surfers have found their credit card numbers and personal information have been surreptitiously stolen from e-commerce Web sites where they conducted business. Each incident has seen anywhere from a few hundred to a few hundred thousand cards leaked out to unauthorized persons. In some cases, the once-private information found its way onto public Web pages for anyone to see. Here are a few sites that experienced credit card theft in recent months:

Table 1. Sites from which credit card numbers
have been stolen recently

Site Cards Stolen
Promobility/Ltamedia    26,000
CD Universe 300,000
7 Retailers  25,000
RealNames  10,000+
Thai E-Shop   5,000

(See Resources for sources for these figures.)

Other shops inadvertently expose consumer information above and beyond credit card numbers: revealed its customers' billing and e-mail addresses, FAO Schwarz leaked consumer e-mail addresses and telephone numbers, and Northwest Airlines leaked both credit card and other personal information over the Web. (See Resources.)

In some cases the culprits were teenagers with a message that e-commerce is not safe, as with the recent Curador case (see Resources). Along with their rant about the evils of business on the Web came pilfered credit cards. Hung out on public Web pages for everyone to see.

Having this information pilfered would have been bad enough: the adverse media publicity turned it into a public relations nightmare -- with a company just like yours at the center of it.

For the average net user who just had their credit card number dumped into the lap of a fifteen year old known on the Internet as "0wn j00", this is a hassle that typically takes ten minutes to resolve on the phone. This assumes that the customer is aware of the intrusion and theft of information. (Most cases of credit card information theft are not reported to the customers, even if the information is known to be compromised.)

I recently became aware that my own credit card had fallen in the hands of computer intruders, leading me to call Mastercard. Hitting the option to "report a stolen credit card," I was shocked when the friendly operator asked me if the theft occurred via the Internet. The fact that they ask this question first, as if they assume that is where the theft occurred startled me. Ten minutes later I had a new card number issued and I was ready to Web surf for more music and DVDs.

With fraud protection on all major credit cards, the end user is not liable for fraudulent purchases totaling more than $50. A ten-minute phone call will get your card number re-issued and your account flagged to watch for suspicious activity, alleviating you of future fraudulent purchases. With that in mind, it is easy to determine who really suffers over these information theft incidents.

Everyone must cough up some dough
The costs for reacting to and managing information theft incidents fall to the company with lax security as well as to the credit card companies. And the major credit card companies do not let this slide. Major credit card companies already categorize online retailers as "high-risk," and, in recent months, Mastercard and Visa have announced measures that are not favorable to smaller online retailers (see

Given the nature of Americans and the frequency of lawsuits, it is probably only a matter of time before some angry net users file suit against insecure companies responsible for leaking out their private information. When a purchase is made on a business Web site, it is assumed that the transaction is secure. If a corner store were to hang all of their credit card receipts in the window, you can imagine the outcry and lawsuits that would result. This is effectively what some Web sites do with client information. Rather than voluntarily hang it in the window, they leave it in places that are almost as easy to find.

Don't think you won't be targeted
Being a nobody on the Internet is not going to save you. A new breed of attackers don't even know your company name until after they break in. Utilizing intrusion programs that scan thousands of machines in minutes, they seek out a vulnerable server. To them, the machine may have a designation of "" and be completely meaningless -- until they break into the machine. Once compromised, these attackers will then see who it belongs to and act accordingly. A large percentage of public Web defacements are committed against arbitrary companies regardless of who they are, or how big their network is. (See
Resources for a link to the Attrition mirror, which chronicles Web defacements.)

Simply having an Internet presence puts you in the line of fire. Because of this, you must not think of being attacked as a "what if" scenario. It is more appropriate to think of it as a "when it happens" event. When your corporate network is attacked, will it be able to repel the miscreants? If they manage to compromise your systems, what information is there to be pillaged and shared with the world? How will your customers react if their personal information and credit cards are shared with millions of people? A single incident involving information theft can devastate a company's reputation and integrity. By planning ahead and incorporating good security from the start, companies have the power to avoid these incidents.

But fixing now is expensive!
No matter how large (or small) your company may be, regardless of what financial resources may be available, paying large amounts of money to implement a secure Internet presence can be difficult to justify. The powers that be don't understand the need to spend money on a project with no tangible results: no product in hand, no new service or abilities; just the notion that the corporate network is now "secure," whatever that means. Ironically these same money managers don't blink when spending a million dollars on a secure corporate building. Large fences, extra lighting, biometric access devices, controlled access vaults and safes are a given. No one in their right mind would think of building a corporate headquarters without these security mechanisms. Yet when it comes to computer network security, administrators find themselves fighting to install a $1000 firewall.

A clear pattern exists in the last five years of public computer intrusion incidents. Once a company has been virtually molested and has had articles written about it, there tends to be a followup to the original breaking news that tells how the company is throwing unbelievable amounts of effort and money at prevention. It seems that it takes an embarrassing incident and a company being raked over the coals of public opinion for the notion of computer security to be considered seriously.

Preventive network security is cheap at any price: as with an old car, a twenty dollar oil change today can save you a three thousand dollar engine rebuild tomorrow.

The consequences if you don't
If your company reported a $1.5 million loss over the intrusion and theft of your entire client database, would you be happy? As you laugh at my absurd question, consider that is not uncommon to see such high damage tags on computer intrusions.

Table 2. Recent damage reports
Incident Damage
Kevin Mitnick 299 Million
PhoneMasters 1.85 Million
Citibank 10 Million+

While I am often a critic of such high figures, these are the numbers you see in the headlines after an attack. Whether the damage was really worth one million or one thousand, millions of your potential clients will often see the more dramatic figure splashed across the news.

Besides: can you afford any needless damages, to your bottom line or to your reputation, from computer intrusions? Can you afford to lose the demographic information you've painstakingly collected, or your trade secrets, or the credit card numbers (and the trust) of your customers?

A bit of free advice
The fact that you will be broken into or at least targeted shouldn't discourage you in the least. It is rather easy to arm yourself with the tools and techniques needed to prevent it from happening to you.

First and foremost, show due diligence by securing your networks now, before an incident occurs. Develop a security plan that will protect both you and your customers and implement it as fast as possible. If your network already enjoys some security, this is the time to give it a thorough review and consider additional defenses. Proactive security is the single most beneficial action one can take with any corporate resource, especially computer networks.

If your company operates a Web page that takes in customer information such as name, address, and credit card, develop a system that pushes that information to a secure machine until it can be moved offline. Once a transaction occurs, there is absolutely no need to keep this sensitive information online. At that point the information serves a single negative purpose: it's a target for computer intruders. While it is convenient for customers to revisit a Web site and not have to type in that long sixteen-digit credit card number, is it really that much of a hassle compared to the threat of the information being publicly disseminated?

Keep your customers informed. Develop a privacy policy that is prominently displayed on your corporate Web page. Let visitors know that you consider security an important aspect of business and describe the measures you have taken to ensure that their information stays private. List a point of contact should customers have questions about security. Do not promise them miracles or guarantee their information will never get out, but assure them you have taken every step to help ensure their security.

It's that easy?
Building and maintaining a secure network is not always an easy task. With any such goal, careful planning and devoting the correct resources to the security plan make all the difference in the world. There are sure to be potholes along the way, but with proper planning from day one, you can make sure that your computers are not the victims of credit card, or personal information, theft. And your customers will thank you for it.


News sources for sites from which credit card numbers have been stolen recently (Table 1):

News sources for sites from which personal information has been stolen recently:

News sources for damage reports (Table 2):

Other resources mentioned in this article:

Related reading: