March 6, 1998 1:10 PM PST
Hackers keep sites on guard
Just ask Dane Jasper, security night-owl and partner of Sonic, the Northern California Internet service provider that helped catch its young customers who are accused of hacking their way into unclassified Pentagon computer systems.
"I have CERT [Computer Emergency Response Team] security alerts going to my alphanumeric pager," said Jasper. "So even in the late evening, if my pager goes off with a CERT advisory, I can see if it's relevant to my own network."
CERT issues advisories about security risks along with information on how to fix them. Other alerts come from the companies that sell operating systems, and Jasper's pager also is set to pick up notifications from RedHat, a distributor of the Linux operating system.
The trick used by the alleged Pentagon hackers was the subject of a CERT advisory in December, noted Jasper. That advisory included information on various patches for the security hole.
Does this mean the Pentagon wasn't keeping up on its CERT advisories?
"Not necessarily," said Jasper. "It might have been that the system wasn't important enough to warrant updating...It's all about the management of risk, gauging your exposure and deciding how important it is for you to monitor systems."
If negligence is one extreme, having someone monitor systems 24 hours per day is another, said Jasper. And that's a solution that might not be cost-effective, especially since the military claims it does not store any classified information on computers connected to the Internet.
As systems managers scramble to plug holes and weigh costs, benefits, and risks, companies are stepping in to capitalize on security concerns with diagnostic, reparative, and informational services.
One recently launched Web site offers a fee-based database of vulnerabilities and solutions. The site, operated by Melbourne, Australia-based security consulting start-up Shake Communications, also includes a journal of security news.
Other, more established, companies include Internet Security Systems (ISS), which provides technology that scans networks for vulnerabilities and intrusions. For ISS, whose clients include the Air Force, the recent spate of computer security publicity has meant booming business.
"In the last few days we've been deluged with calls from people wanting to know how we can help them," said ISS founder and chief technology officer Christopher Klaus. "This is a problem where there is a technological solution."
Intrusion detection technologies commonly work like virus detection programs, scanning for known culprits. This has led to the criticism that they leave the systems at risk for new, unknown threats--but defenders point out that even if it isn't foolproof, the technology is better than nothing.
"I think intrusion detection is an important technology that will become more and more common," said Dave Kennedy, director of research for International Computer Security Association. Kennedy predicted the technology would reach the commodity status of virus protection and firewalls within the next three or four years.
Kennedy downplayed the criticisms of intrusion detection. "Be aware that you have a 5 percent risk window," he said. "But before that you had a 100 percent risk window. You just improved security 95 percent. It's like wearing a seat belt. There's no such thing as perfect security."