Egg raid shows cracks in e-security

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

The recent raid on egg, the online bank, has once again put the spotlight on the security of internet operations. With major companies such as Barclays Bank and PowerGen already having had their internet operations attacked it is clear that even the largest and most powerful organisations are not immune from the hackers.

The recent raid on egg, the online bank, has once again put the spotlight on the security of internet operations. With major companies such as Barclays Bank and PowerGen already having had their internet operations attacked it is clear that even the largest and most powerful organisations are not immune from the hackers.

Studies show that companies are in such a hurry to set up their internet operations that security is a low priority. A survey by KPMG, the chartered accountants, showed that 27 per cent of organisations have never tested the security of their internet connections. More than a third of organisations connected to the internet have no automated system that reports attempted security violations. This is in spite of research from the United Sates which shows that the average new website receives some kind of attack within its first five hours of existence.

But the message is starting to get through and, as it does, a whole industry devoted to online security is developing. Welcome to the world of "ethical hacking".

Ethical hacking is when a company like egg or Barclays pays a consultancy firm specialising in online security to test their systems by attempting to hack into them. The industry has already been colonised by the major accountancy forms such as PricewaterhouseCoopers and KPMG as well as computer giants like IBM and a host of specialist boutiques.

These firms have been enjoying exploding demand. IBM had just three people specialising in this area three years ago. Now it has 40. PwC says that three years ago it would receive an ethical hacking assignment once every few months. Now its 60-strong team gets several a week.

The consultants say most of their work comes from financial services companies, the major utilities, telecoms and media companies and the larger dot.coms. They always see an upsurge in inquiries when another major security breach is reported, particularly if the victim is a rival in their sector.

Ethical hacking, or "penetration testing" as the industry itself tends to call it, takes several forms. At its most basic it is a kind of legalised breaking and entering. Staff at the consultancy might pose as a photo copier engineer or IT consultant to check how easy it is to get into the building. Once in they will monitor the security habits of staff. Do they leave their computers switched on with their pass word scribbled on a Post-It note, for example? Much of the work involves authorised raids on the systems themselves.

According to PwC the approach to ethical hacking can take three main forms. The first is blind testing from the internet. This is done from the consultancy's PCs and does not require entry into the client's premises. The second is on-site hacking where the client gives the consultancy access to its network.

The third form is described in a rather sinister fashion as "social engineering". This could involve the consultants ringing up staff, pretending to be the IT department running a test and asking them for their passwords to see how readily this information is available. According to the consultants this information is often easily obtained because staff are trying to be helpful.

The consultants say that the vast majority of systems are "wide open", with many firewall security systems never previously tested. Part of the skill is not to damage the operating system in the process of the raid.

With demand for internet security professionals exceeding supply, pay rates for security professionals have been rising sharply. According to SSR Personnel, one of the biggest security recruitment firms, a "penetration tester" could earn anything from £25,000 a year as a graduate up to £100,000 as a senior team leader. "Intrusion detectors", who would be employed in-house by major companies, can command £50,000 to £60,000 a year. Specialist freelance consultants can earn £1,000 to £2,500 a day.

According to firms like KPMG and PwC their ethical hackers are not all 23-year-old computer geeks or "resprayed auditors". Many are in their 30s and 40s and come from technology firms and the armed forces.

But the sector does tend to attract the young enthusiast. As one recruitment company says: "Hacking is fine when you are aged 13-17. Then you grow up and have to get a job. This industry is a natural for the poacher turned gamekeeper."

I suppose it was only a matter of time but a company in Cardiff has claimed a "world first" with one of its employees being awarded a doctorate in eBusiness. Adrian Garcia-Sierra, an eBusiness consultant (what else?) at Lakewood Computer Systems, gained the doctorate at the e-commerce Innovation Centre, at Cardiff University, backed by four years of funding from BT. Adrian's PhD thesis examined the e-commerce potential of small to medium-sized businesses.

n.cope@independent.co.uk