Internet Security Authority Offers 10 Ways to Prevent Cyberterrorism

Dulles, VA (July 3, 2002) - The Fourth of July is upon us, and the U.S. government warns us to be on the defensive as we celebrate the nation's most patriotic holiday. The threat, however, is to our economic system as well as to our lives. John Broome, chief technology officer at ServerVault Corp., the nation's No. 1 secure Internet hosting provider, warns that one area of vulnerability is the Internet infrastructure - the foundation for commerce and communication in almost every major industry and government agency.

Last year, there were over 90 million hacking incidents in the United States, according to the U.S. Defense Department. While the vast majority of these were unsuccessful, many caused costly problems for companies, government agencies and individuals. Some sources indicate that up to 40 percent of co-located servers have been breached. On average it takes less than five hours for a server to be compromised if it is attached to the Internet without proper security systems in place.

"It is surprising how many networks have overlooked the most basic safeguards," says Broome, who oversees critical infrastructure, facilities and network engineering at ServerVault. His opinions carry a great deal of weight because he has designed and implemented secure, high-availability network solutions for the highest levels of the U.S. Department of Defense. He gained notoriety in 1999 when he remedied problems exposed by a hacker into the high-profile Pentagon Internet.

Following are Broome's basic recommendations to minimize a cyberthreat:

Employ Strong Passwords. As simple as this sounds, it is one of the most overlooked methods of keeping systems safe. There are a number of freely available tools that 'guess' passwords - a very common technique referred to as 'brute force cracking.' These programs work by repeatedly attempting to log in as a known user and supplying different passwords until successful. Many of these cracking algorithms are very sophisticated and supply the most commonly used passwords first, then start going through dictionary words. Passwords should always be in mixed case and contain at least one number and one special character.
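As an added illustration (not part of the original release and not ServerVault's code), the following Python check applies the composition rule above and also rejects passwords built on entries a guessing tool tries first. The word lists and function names are constructed for the example; a real deployment would load much larger lists.

```python
import re

# Constructed sample lists, kept tiny so the example is self-contained.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
DICTIONARY = {"summer", "dragon", "welcome", "freedom", "liberty"}

# Reverse the character swaps people apply to dictionary words (@ -> a, 0 -> o, ...).
LEET = str.maketrans("@4310$5!7", "aaeiossit")

# The composition rule stated in the text: mixed case, a number, a special character.
COMPOSITION = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def composition_failures(pw):
    """Return the parts of the composition rule that the password misses."""
    return [name for name, pat in COMPOSITION.items() if not re.search(pat, pw)]


def base_word(pw):
    """Drop trailing digits/symbols, lowercase, and undo common substitutions."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def check_password(pw):
    """Return the reasons to reject pw; an empty list means it is accepted."""
    reasons = ["missing " + name for name in composition_failures(pw)]
    word = base_word(pw)
    if pw.lower() in COMMON_PASSWORDS or word in COMMON_PASSWORDS:
        reasons.append("based on a commonly used password")
    elif word in DICTIONARY:
        reasons.append("based on a dictionary word")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd1!", "Summer2002!", "tR7#vq9Lm!x2"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

A password such as `P@ssw0rd1!` satisfies the composition rule yet is still rejected, because it reduces to an entry near the top of any guessing list.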

Disable Unnecessary Applications and Services. Malicious users often gain access to systems at unexpected entry points. One common technique is to scan a system for all active applications or ports and use vulnerable applications as an entry point. These applications may not be necessary to the system's operation. In order to minimize the threat against any system, a prudent user should disable all unnecessary applications or services.

Keep Software up to Date. This is important on all systems. As malicious users discover vulnerabilities in different operating system components or applications, software vendors release patches to these components which mitigate or eliminate these threats. All systems should be regularly updated with vendor patches in order to maintain security. There are a number of services that offer continual update alerts via email.

Beware of Mail Attachments. This is one of the most common methods of causing damage. Many email applications today allow for the execution of code in email attachments. Many 'worms' have been released in this manner over the past few years, with effects ranging from relatively harmless propagation of the worm to massive file damage. Users should disable features of their mail application that allow for indiscriminate execution of active code attachments and use a reliable virus scanner that understands email attachments.

Engage Anti-Virus Software. This software has the ability to scan files on a local computer and, in some cases, to monitor inbound and outbound traffic from applications such as email attachments. This software requires constant updating in order to be effective, and the best applications will automatically download updated virus definition files at predetermined intervals.

Maintain Proper Browser Security Settings. Today's dynamic Web sites offer rich web experiences, but they have also introduced vulnerabilities. Modern Internet browsers can download active programs to local computers for local execution. With improper security settings applied to the local computer browser, some of this code has the potential to investigate or alter the local computer system - without the knowledge of the user. Users should adopt the most stringent browser security policy possible on their browsers and be wary of visiting some Internet Web sites.

Build Strong Firewalls. A good firewall system can protect networks from many of the above vulnerabilities - even when the other best practices are not followed. Firewalls now exist for personal or single-system use as well as the traditional network appliance. These personal firewalls provide a great deal of protection for mobile users or users who do not operate their systems behind an adequate corporate firewall system.

Weigh the Importance of Convenience vs. Security. There are always compromises made among functionality, convenience and security. It is important to find the right balance and the right technologies to meet the overall goal. Let users get the job done in the most convenient way possible while still implementing strong and effective security practices. Educate all users about the threat of cyberattack, and establish minimum requirements for your organization. Regularly audit security practices and periodically release security awareness statements to keep users aware of the constant threat.

Enact and Enforce Strong Policy. Staff members with access to or control over critical information should undergo rigorous background checks and should comply with strong security policy. Verifying users via strong authentication practices and making sure that all activity is logged are keys to prevention and accurate forensics in the event of an attack.

Identify the Most Critical Information and Host It in the Safest Possible Manner. Not every database or server needs the ultimate level of security. Evaluate the consequences of a breach on a system-by-system basis. Consider outsourcing your most critical systems to a trusted third-party secure hosting company. When considering this option, look at network security, physical security and policy security. All three components should be the best of breed to ensure ultimate protection.

About ServerVault
ServerVault provides complex Internet hosting solutions that have the best protection against hackers or viruses. ServerVault - ranked No.1 in security by Meta Group, Tier One and other major third parties - delivers the industry's most robust service level agreements with 99.999 percent reliability and is competitively priced to make it No.1 in value. The company has a growing customer base of Fortune 1000 and global companies including CapitalOne, Carlyle Group, National Football League, United Way and Citigroup. Built on its platform of security, reliability, value and customer care, ServerVault offers complex Web and intranet hosting, secure outsourced email and VPN and firewall solutions. The company's platform is substantially different from other hosting providers, offering 50 discrete points of protection and extensive proprietary technology. ServerVault operates the first and only commercially available data center built to stringent sensitive compartmented information facility standards set by the Department of Defense. The company's headquarters and principal data center are located in Dulles, Va. ServerVault is owned by affiliates of Cincinnati-based Fort Washington Investment Advisors, Inc., a member of Western & Southern Financial Group. For more information, visit www.servervault.com or call 1.877.78.VAULT.

For additional information about ServerVault, please contact:
John Broome, Chief Technology Officer
ServerVault Corp.
703.652.5900
john@servervault.com

About Excedent
Excedent is a global leader in Web-based and wireless email hosting solutions. Our mission is to provide companies around the world with a secure, reliable infrastructure to facilitate effective business communication. We work with small businesses and service providers of all sizes to deploy mission critical Web-based and wireless email systems. The company is privately held and has been serving clients since October 1999.