Web Sites: The Weakest Link In Security

The number of companies reporting Web-site attacks has skyrocketed in the past year, according to a survey the Computer Security Institute released last week. The Computer Crime and Security survey, conducted in January by the institute and the computer-intrusion squad of the FBI's San Francisco office, found that 95% of respondents had experienced more than 10 Web-site incidents during 2004, up from 5% in 2003. Some 700 computer-security practitioners at U.S. companies, government agencies, medical institutions, and universities responded to the survey.

The huge increase is because companies recognize that their Web sites provide a gateway for thieves to steal data, experts say. "We're seeing a huge change in the numbers, not because these things weren't happening, but because people weren't aware that attackers could walk right through their front doors and steal information," says Erik Caso, VP of business development at NT Objectives Inc., an application security and software company.

Companies have invested heavily in firewalls, intrusion-detection systems, and other technologies to protect their networks, but they've largely ignored the fact that public Web sites provide enough information to allow criminals to get at sensitive data. By simply manipulating URLs or cookies, hackers can gain entry to proprietary information without setting off any alarms. "Instead of trying to get past the firewall," Caso says, "they just sail through it by browsing the Web site."