Tech Industry

Keeping Web security tight falls in firms' hands

Following a series of attacks on leading Web sites, companies need to be wary of what their hosting firm can and can't do to help protect against hacker assaults.

In the wake of a number of Web site attacks, Web hosting firms say companies should make sure they are aware of their security options.

Hosting firms run data centers that are filled with a number high-end computer servers to keep Web sites up and running. Yet when security problems arise, analysts say hosting companies shouldn?t be the ones held responsible for the breach. Instead, a Web hosting firm?s clients--the Yahoos and the Amazons of the Net--should make sure they have security issues covered.

"The responsibility falls on whatever address is on the dot-com," said Gartner Group analyst Stephen Elliot. "From the company's standpoint, most offerings from Web hosting companies are limited in terms of (security management)."

This week some of the leading Web sites were shut down by ?denial of service? attacks, an anonymous barrage of Web site requests that can paralyze a site?s server systems. Leading portal Yahoo was first to fall prey this week, followed by discount e-tailer, online brokerage E*Trade, and many others.

Web hosting firms often don?t operate their own networks, putting them at a disadvantage if troubles arise. Yet most are still responsible for providing constant connections to the Net--and a possible back-up plan--if there is an unexpected spike in traffic, or other problems arise. Some dot-coms tackle the problems themselves by outsourcing with several different hosting companies.

Paul Vixie, a senior vice president of services at AboveNet, said his company's "primary purpose is carrying traffic." Yet the hosting firm also offers security features for its more than 800 customers. "We carry attacks as well. It's a double-edged sword."

How a denial of service attack works The security problem is something every site must decide to handle in their own way, Vixie said. They can either pay their hosting company to keep an eye on security, or take care of any problems themselves with outsourcing contracts. All in all, hosting executives said, it?s up to the company how much protection they want, and ultimately, how much they want to pay to get it.

"Security ultimately depends on what (customers) do, as well as security to connections on their site," said Bill Wilson, president of Arca Systems, a subsidiary of Exodus, which hosts servers for eBay and

"I think of what we do as a service. We provide security in our data center. We can work with customers to provide them security. We can help them plan so they aren't caught flat-footed when something like this occurs."

Although many Net companies like Amazon and choose to keep their security efforts in-house, a malicious hacker attack, like the denial of service shutdowns this week, can hit any vulnerable server in a hosted or unhosted setting, analysts said.

"The risk is the same," said Giga Information Group analyst Art Williams. But he said the more a company's business depends on a complex web of external networks, the more vulnerable it could be to an attack.

Aware of the new dangers in hosting, a new crop of companies are moving to cater solely to dot-com needs by managing e-commerce sites and security full time.

San Francisco hosting start-up Mimecom maintains a number of e-commerce sites. The firm is now working on security measures that can try to prevent a denial of service attack. Yet chairman Michael Carrier said such attacks are "one of the hardest things to do anything about."

"You have to have such careful measurement of your performance that you can sense the change" that starts the attack in motion, he said.

Shutdown special report Hosting company Digex said it has a "comprehensive security department" that issued warnings to its customers about the recent attacks.

"Everyone is fair game,? said Digex security officer Pamela Fusco. Her company enforces strict rules regarding hardware and software upgrades, and requires customers to update their network security regularly.

"I can't secure (Digex client) MindSpring, but I can tell MindSpring what we do and what they need to do," she said. "Our customers are receptive.?

Despite those efforts, cyberterrorism will be the "talk of 2000," and hosting centers will be among the many targets, said Jeanne Schaaf, an analyst at Forrester Research.

"In a networked economy where you are transacting huge volumes of...commerce at few physical sites, these places would be targets for people making mischief," she said.

"There's no data saying whether you get better security hosting yourself or when you're outsourcing," she said.