--------------------------------------------------------------------------------

From the Puget Sound Business Journal

Kathleen F. Miller Contributing Writer

In 1995 Robert Dinse, owner of Eskimo North, an Internet service provider based in Shoreline, learned the hard way the cost of doing business online.

A University of Washington student from Australia used a University of Washington computer to access his Eskimo North Account and wreaked havoc with accounts on other systems. The hacker was caught and expelled as penalty for compromising the UW's computer system.

Enraged at Dinse, the former student hired a Canadian hacker to break into Eskimo North's computer system.

This hacker exploited a known hole in the mail system to gain access to the ISP and compromise the system. Dinse estimates that his total costs reached close to $80,000 to restore the system and increase security.

Before the attack, he had installed security measures that failed. Today, he considers the timing of that early attack a lucky break.

"At that time most of our customers were using their accounts for personal use -- now more than 50 percent of our customers are businesses," he says. "I can never be relaxed about security or trust vendors."

Ultimately, he says e-commerce merchants must know their own systems and take charge of their own security with a variety of tools.

Deciding what level of security to employ and at what cost is one of the most important decisions technology managers make. Not making the right decision can lead to the loss of money and clients.

The Internet security market is changing as more small businesses recognize the need to protect their electronic assets, says Jason Wright a network security industry analyst.

"Network security has historically been a priority only for large firms with substantial budgets. More recently, firewall vendors have begun to introduce downscaled versions of their firewalls for the small office or home operations," he says.

IDC Research in Framingham, Mass., reports that firewall revenue grew 81 percent from 1997 to 1998. The firm predicts the firewall appliance market will increase at a 51 percent compound annual growth rate from 1998 to more than $1.4 billion in 2003.

Joe Kovara, chief technology officer for Issaquah-based Cybersafe, says one of the ironies of e-commerce is that when you shop online, you leave more information behind than if you had bought something in a store.

He points out that many sites now offer the convenience of remembering a customer's account information, including credit card numbers. These "electronic assets" are tempting to hackers who constantly seek holes in e-commerce companies' security systems.

For many companies, the first line of defense is a device called a firewall. An Internet firewall is a system or group of systems that enforces a security policy between an organization's network and the Internet. The firewall determines who has access to what, both externally and internally.

Unfortunately a firewall system cannot offer any protection once an attacker has gotten through or around the firewall. And once a firewall has been tweaked to open up access from the outside, such as customers needing access to additional information, or from the inside, such as employees needing access to additional protocols and facilities from the Web, security can degenerate rapidly.

Business pressures such as the struggle between sales to "open up connectivity" and a company's technical team's mandate to keep the system locked down also often results, Kovara says, in "firewalls that started out being firewalls to end up looking more like Swiss cheese," as users and different departments demand more access.

Over time, that need to exchange information online will make the old "barrier method" of Internet security obsolete.

So instead of defining security based on physical criteria, such as where an application runs (e.g., "inside" or "outside" the firewall), or where the application is accessed from (e.g., "inside" or "outside" the enterprise), we have to focus on who is accessing the application. We also have to focus on providing protection for each application, and the systems the application runs on."

The transformation must be watched carefully to ensure that security keeps pace.

Dinse believes a firewall alone is not an adequate solution, even for small businesses.

"Firewalls are not good total protection -- you have to cut holes in them to allow services such as e-mail to function -- and those holes get targeted by hackers," he says.

Vincent Salas, director of product marketing at Seattle's WatchGuard Technologies, says a firewall is a fundamental requirement for Internet security and should work in an integrated manner with other Internet security technologies.

Salas says there are several ways of allowing customers and others access into the network and to the information they need without "opening holes" in the firewall.

"The real issue is not whether firewalls are needed, or whether they alone are enough. Rather, the real issue is there is a shortage of security expertise in the marketplace," he says. "Most of the `holes' that exist in the firewall result from misconfiguration and not from permitting the use of applications necessary to conducting business."

Lawrence Dietz, director of strategic marketing for Maryland-based Axent Technologies, Inc. -- a provider of Internet security services -- says companies recognize that risks to their Internet security can come from inside as well as outside.

"Most industry experts agree that there is a substantial threat from inside the organization as well. Technically astute insiders who know the business and its technology are in the best position to exploit weaknesses," he says. "Small organizations can protect themselves in a number of ways -- ensure that their employees are exercising good password security and that passwords are never exchanged and changed frequently, perhaps every quarter."

The convenience of downloading operating systems also bring opportunities for hackers.

Companies such as Red Hat and Mandrake distribute the Linux operating system online. The catch is that the default settings in the distribution are insecure. Several services are turned on by default, including some that have security flaws. When a Linux distribution is installed, it should be secure by default.

Running components that are far more complex than the tasks they do requires is another area where businesses can make themselves vulnerable to a security breach, says Dinse.

Software components that run with extra privileges need to be as simple as possible to minimize the possibility of security holes.

Kovara also echoes Dinse's opinion that the more complex systems become, the more opportunities for security breaches. "Simple is good. Complex systems are difficult to secure. There's a reason Lindberg flew the Atlantic in a single-engine plane," he says.

Reach the Business Journal at 206-583-0701 or seattle@bizjournals.com.