Thwarting intruders before they even attempt penetration is the aim of Ernst & Young subsidiary eSecurityOnline in Kansas City, Mo. It began in mid-June to offer to the public and private sectors a suite of Internet-based security services. Based on the ability of its technical staff to stay current with security threats by scouring the Internet and other sources, the company touts its ability to bring to desktop computers continually updated information on security threats, software weaknesses and software fixes.
Subscribers log on and indicate the applications they are running to obtain access to some 2,250 known vulnerabilities for 300 software applications, including operating systems and databases. Device-specific weaknesses, such as those that can be exploited on routers and switches, can also be pinpointed.
Once eSecurityOnline.com identifies exploitable soft spots, it ranks each by level of urgency and notifies information technology managers or system administrators.
Another of the company’s online offerings, a baseline-standards service, goes a step further by offering eSecurityOnline customers “asset hardening,” or secure resets of common software programs, including changes to registry settings, router configurations and passwords and user identifications. Subscribers also receive free virus updates and patches to combat viruses.
For a yearly fee per user, per computer, eSecurityOnline.com will continue to uncover potential threats and solutions to deter attack.
“There are a lot of very sharp security professionals, in both government and corporate America, that are forever managing risk,” said Tony Spinelli, vice president of online services for eSecurityOnline. “What we’re offering is a proactive and perpetual feed to the subscriber. You can receive alerts on a daily basis. It is solutions before problems.”
Those problems seem destined to multiply. A physically isolated computer that is nonetheless electronically connected to the Internet is just as vulnerable to intrusion as any highly staffed government agency or corporate office.
According to CyberGuardian’s Harden, by 1999 there were roughly 1 billion unique, accessible pages on the World Wide Web. Internet traffic is anticipated to double every 100 days, and a new network is added every 30 seconds.
Business-to-business e-commerce is projected to hit at least $1.5 trillion by 2004, with thousands of financial institutions online and hundreds enabled for cash and credit-card transactions.
Attacks that disrupt operations are only a beginning. In the future, malicious hackers likely will aim for a much bigger score than just the bragging rights to a well-executed assault. Some analysts have concluded it is only a matter of time before a single incident either nets an attacker or costs a provider at least $1 billion.
“You can have secure applications,” said Unisys’ Finn. “But it takes thought. It doesn’t happen automatically. Hackers only have to get lucky once. You have to be lucky 24 hours a day.”
