The theft of online attendee data from the World Economic Forum has given meeting registration security a high profile. How secure is your system?


For the second year in a row, Nortel Networks provided a network for the prestigious World Economic Forum meeting, held in Davos, Switzerland, from January 27 to February 1. Andre Schneider, chief information officer for the WEF, hailed the installation as playing “a key role in making the annual meeting one of the most technologically innovative gatherings of world leaders.” Conference hotels were connected by high-speed ADSL (asymmetric digital subscriber line) service, and the conference venues were networked on a gigabit Ethernet local area network. Among the system's features were interactive kiosks at the major hotels, at which attendees could make remote reservations for conference sessions, meals, and other events, and could search the attendee database to set up online meetings with others at the conference. An innovation at this year's conference was the addition of a leased line between Davos and Geneva, where a network operations center managed traffic, security, and reliability.

There was just one problem. Somebody else had decided to be technologically innovative too, at the WEF's expense.

A 20-year-old part-time IT consultant (his name was never released) from Bern managed to hack into the network during the conference and steal 1,400 attendee records, including credit card numbers. The hacker's confederates gave a Swiss newspaper a CD-ROM with evidence of all the data that he'd stolen. While the Geneva police soon had the culprit, he had managed to put the WEF into the news with a most embarrassing story.

It Can't Happen Here

Could this have happened at your meeting? Odds are, you probably don't think so, and that's a common problem. It's so common, in fact, that it has a name, which is SNMP (Security is Not My Problem), according to Jim Litchko, general manager of Integrated Management Services Inc., a high-tech security consulting firm in Arlington, Va. At a presentation given to the Black Hat Conference (hackers like to get together for meetings too, you know) in Las Vegas in 1998, Litchko said that most U.S. organizations didn't need a smoking gun to realize that they had a data security problem, but rather “a bleeding wound.”

“That's when they come to you [the security consultants and hackers in the Black Hat audience] at the last minute and say ‘I need security’ and start buying the wrong stuff.”

If you think Litchko's outlook sounds bleak, that's because you haven't heard Joe Cosby, a senior partner with Washington, D.C., conference software specialists Summitlink: “You're worried about someone stealing your data? When was the last time you backed up your system? If it all were to burn today, would you be comfortable with it? I'll wager that not more than 5 percent of companies can say that, and that some proportion of that 5 percent don't know what they're talking about.”

Don't Talk About Security

If Cosby's assumption is correct, 95 percent of tech organizations don't know what they're doing when it comes to data security. Fortunately, there is a 5-percenter out there who not only knows what to do but understands the specific needs of conference organizers. Lauren Hall is executive vice president and chief technology officer for the Software and Information Industry Association, a 1,400-member organization of code and content companies. She represents SIIA on privacy and security issues and conducts seminars nationwide on online privacy.

Paradoxically, Hall's initial piece of security advice for conference organizers is to not discuss security arrangements. “Part of my job involves advising companies about how to write security policies,” she says. “I often tell them to make some general statements about the security of their customers' data and to say that they'll take reasonable steps to assure security. I tell them not to say ‘We run a Sun Solaris 2.5 server and protect data with a Raptor firewall.’ Whenever I see something like that, I think to myself, 13-year-olds all over the world are going to see that statement as a challenge.” She has no desire, she says, to become “a poster child for how an organization can be screwed up by hackers.”

So the first, greatest lesson of data security for conference organizers is: Have a little humility. If hackers want to get into your system, they will. And be grateful that, for the most part, they aren't thieves. “I'm not defending hackers, but the guys who are really good want to break into your system just to see if they can do it, not to steal your data.” A corollary to the first lesson is that it is unlikely that your meeting is a tempting target.

“Let's say I get into the Comdex database and steal 250,000 credit card numbers. That's nothing compared to what I can get by breaking into Amazon.com,” says Hall. “Frankly, if I'm a thief looking for credit card numbers, I've got better targets than meetings.”

Just Say No to Info?

Was that a sigh of relief? Not so fast: “On the other hand, I might target a medium-sized meeting because the security on the Web site is likely to be pretty weak,” says Hall. And if you don't want your security to be weak, what do you do?

Not everybody is going to like Hall's first strategy because it requires conference organizers to do something they are naturally loath to do: deny themselves information. “Meetings management people need to know that somebody has registered for a conference and that they've paid,” she says. “People working at the registration desk need enough information so they can do their jobs when an attendee shows up without a receipt — that means knowledge that they paid with Visa, and maybe the last four digits of the card, and that the sale was approved. They don't need to see the whole number.”

What event organizers often fail to understand, says Hall, is that “any time you access or display data, or send data to someone, or allow someone to modify data, you're creating a security risk. It may be a manageable risk; you may even be able to configure your system so the security risk is almost negligible. But you have to realize that every time you open a door for legitimate purposes, you may also be opening it to illegitimate purposes.” To that end, she recommends a thorough audit of information storing practices. For example, she recommends that organizers ask themselves whether there are legal or operational reasons for storing credit card information on a server. If there aren't, the data shouldn't be stored.
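The practice Hall describes, as an added example (not code from the article or from any registration product): the record shown at the desk keeps only the card brand, last four digits and approval flag, and a small audit scans stored rows for full card numbers that should not be there. The field names, brand prefixes and sample record are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Simplified brand prefixes, assumed for this example.
BRANDS = [(r"4", "Visa"), (r"5[1-5]", "MasterCard"), (r"3[47]", "American Express")]
# A run of 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_brand(pan: str) -> str:
    return next((name for pat, name in BRANDS if re.match(pat, pan)), "Other")

@dataclass(frozen=True)
class DeskRecord:
    attendee: str
    brand: str
    last4: str
    approved: bool

def minimize(registration: dict) -> DeskRecord:
    """Keep only what the desk needs; the full number is never copied over."""
    pan = re.sub(r"[ -]", "", registration["card_number"])
    if not (re.fullmatch(r"[0-9]{13,19}", pan) and luhn_ok(pan)):
        raise ValueError("card number failed format check")
    return DeskRecord(registration["attendee"], card_brand(pan),
                      pan[-4:], bool(registration["approved"]))

def audit_for_full_numbers(rows: list) -> list:
    """Return (row index, field) pairs whose text still holds a full card number."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            for m in PAN_RUN.finditer(str(value)):
                if luhn_ok(re.sub(r"[ -]", "", m.group())):
                    hits.append((i, field))
    return hits

# Constructed sample; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = {"attendee": "A. Example", "card_number": "4111 1111 1111 1111", "approved": True}
```

Running the audit over every table and free-text notes field is one way to carry out the storage review recommended above.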

Not Just a Firewall

Hall's second strategy for security involves realizing that “set it and forget it” is a recipe for disaster, and realizing that while a firewall — a device with which to calibrate access to data — may be necessary, it is not sufficient to assure security. “Being well-protected means having users change their passwords often,” she says. “If you have Web access to a membership or customer database, you must force users to log in to some kind of security system.” She adds that well-made database software will have functions that allow you to encrypt information. And, of course, if you are taking registrations at a Web site, be sure to use the Secure Sockets Layer (SSL) encryption software that comes standard with all new Web browsers. “Any halfway sophisticated webmaster can set that up for you,” she says.

Will an ASP Bite You?

Conference organizers who outsource database management to ASPs (Application Service Providers) have a different set of security problems — including one that is mainly a problem of perception. Planners worry that data traveling from their servers to a distant ASP might be vulnerable. Possibly, says Hall, but not likely. “The chances of someone intercepting your data as it travels down a wire are pretty negligible,” she says. “I know the police and privacy advocates love for us to think everyone is being snooped on, but that's not where the problems are.”

The problems begin once the data is aggregated. The security questions to ask ASPs, she says, are not about data transfer but about storage. “Always ask an ASP how the data is stored and where it is stored. Put into the contract a line that says the service provider must take reasonable steps to protect the data. This creates an obligation for them,” she says. As far as fears that an ASP will declare ownership of your data, she says it is not in an ASP's interests to do that. “They can only do it so many times before everybody figures them out and stops using their services. Most ASPs understand that data security is a huge issue.”

Sam Wu, director of information technology for seeuthere.com, which bills itself as the oldest ASP serving the conference market (since 1998), agrees. A big part of seeuthere.com's sales pitch has to do with security: “We use multiple firewalls, multi-tier network design [just like Amazon.com and other big Web retailers], and have a dual-authentication process for clients using our service,” he says, adding that seeuthere.com runs its own Web-hosting service, so it is not dependent upon the security practices of another vendor.

It's the Easy Stuff

Again, it may be important to have good hardware, but it is much more important to realize that hardware means nothing without good security practices. As Jim Litchko of IMSI told the Black Hat conference, “It isn't enough to buy a firewall. It has to be configured, and you have to have a policy about it. There is no aspirin for security — not firewalls, not Public Key Encryption. You can only have as much security as your users will accept.”

Hall agrees. “You can have a firewall that won't let anything in or out, but it's the stupid stuff where people make mistakes,” she says. “I had a client one time who had an administrative server walk out the door. All the network security in the world won't help if you don't lock the door to the room where the server sits.” She adds that the on-site situation is fraught with potential problems. “It's so easy for someone to bring up information on a screen at a registration desk, then walk away, leaving it for anyone to see,” she says. There is more to security than credit card numbers, too. “Does everyone need to know that Mr. So-And-So requested a handicap-accessible bathroom or a kosher meal? That's where security breaches and misuse really happen.”

The closer one looks, the more it becomes apparent that good overall security practices are what really save the day. “Think about all the security risks you have when you're at a meeting site,” says Rick Werth, CPP, head of Event and Meeting Security Services, based in Franklin, Tenn. “You have printed documents, laptop computers, fax machines … and network security. Security is as basic as this stuff, and as sophisticated as firewalls and encryption.” Werth points out that a data attack can shake your audience's confidence. “Will your attendees start wondering whether they're risking their privacy by attending your meetings?”

Coda

That's a question the members of the managing board of the World Economic Forum have been asking. On February 5, 2001, they released a statement calling for Swiss authorities to launch an investigation, and saying that the WEF had initiated legal proceedings to prevent dissemination of the stolen data. The statement ended with the following:

“Despite this cyber attack, the World Economic Forum remains resolute in its commitment to its mission of improving the state of the world, and the Forum remains confident that its members and participants will resist any and all attempts to undermine an institution that has contributed so much to global prosperity and world peace.”

Let's hope so.

Safety First: 8 No-Cost Steps to Data Security

  1. Don't talk about your data security arrangements.
  2. Question the need for access to data. Who needs to see what?
  3. Always force authentication via password before giving access to data.
  4. Change passwords often.
  5. Delete data you don't need.
  6. Never send — or accept — confidential information via e-mail.
  7. Think about security before you set up your registration site.
  8. Add a security clause to the contract if you work with a registration ASP.