The practice of surfing the Web from your work terminal may come to an end, according to cyber security expert Howard A. Schmidt.

Schmidt, the former head of online security for Microsoft and eBay, explained that many companies are mistakenly confident about the security of their computer networks and the proprietary information they hold.

“Firewalls and anti-virus packages are great first steps, but we’re finding tremendous vulnerabilities in software and firmware,” he said in a keynote speech on Jan. 7 at the International Conference on Cyber Security at Fordham. “Instead of enjoying the benefit of a new piece of software, we have to install it and then watch it.”

To stem the tide of hackers and other cyber criminals who want to commit economic espionage, Schmidt suggested that industries foster closer relationships with the federal government.

“Workplaces are designed to be open environments, and the general consensus is that when the government gets involved it will make things more difficult,” he said. “But that’s not the case.”

Schmidt said that the government can help protect the assets of corporations by crafting cyber crime laws and working with other nations to standardize those laws around the globe, as well as using law enforcement officers to track cyber criminals across national borders.

Corporations also must take more responsibility for their own online security, he said, which may lead to the restriction or outright end of personal Web surfing at work. The practice has been tolerated, if not outright encouraged, by companies thus far.

“We’re starting to see the security implications of allowing someone unfettered access to the Web from within the network,” he said, “and we’re beginning to hear complaints, like, ‘You took away my outlet for watching baseball games while I work.’ But like government systems, it’s difficult to allow that access and still maintain the level of security that’s necessary.’

Schmidt, the current president of the Information Security Forum, was chairman of cyberspace security for the White House and chief security strategist in the Department of Homeland Security.

Donning white hats to signify their place as protectors of corporate computer systems, AT&T Security staffers present their ethical hacking history.
Photo by Chris Taggart

In another presentation, Cynthia Cama, (FCLC ’86) principal technical staffer at AT&T Security, led an “ethical hacking” team in a mock test of a company’s computer network. Ethical Hackers, also known as “white hats,” routinely try to breach their own companies’ systems or applications to uncover its vulnerabilities.

“It’s all very ‘wild west.’ Traditional hackers are ‘black hats,’ out to destroy the system or gain money or fame, or cause damage or embarrassment,” Cama said. “We do the same things, but on the side of the good.”

The team presented a mock hack job into a make-believe bank, the “Bank of Lake Alphatown” in which they broke into the bank’s database by going through another company’s Web site located on the same server. They were then able to access the bank’s private account information by password testing.

One common mistake that exposes companies to vulnerability, said Cama, is making user names and passwords too easy to guess. For example, some security questions, such as “What is your favorite color?” are easily guessable. Others, such as “What is your mother’s maiden name?” can be easily breached by an automatic program that will run the contents of an entire phone book until it finds a match.

Another common oversight is not doing an operating system upload patch when it is released from Microsoft, Apple, or other OS’s.

“That is like leaving your house window broken when someone offers to fix it,” she said.

Cama said that team members usually have one specialty area, such as database access expertise, website breaching, or planting sniffers (a ‘wiretap’ code that listens to everything that goes across the system.)

During the presentation, team members wore white hats.

Joseph McLaughlin