Hewitt.com Redesign Security Considerations Jorgen Hesselberg, MITP’07 Brute Force.


Slide 1: Hewitt.com Redesign Security Considerations
- Jorgen Hesselberg, MITP'07
- Team: Brute Force

Slide 2: Business Background
- Hewitt Associates
  - Market leader in HR management and outsourcing
  - Major competitors: Accenture, Watson Wyatt, ADS
  - 24,000 employees worldwide
  - $3 Billion annual revenue ('06)
- ...last among competitors in an internally commissioned web site study

Slide 3: Hewitt.com redesign
- Implementation approach
  - Outsource website design and development: ARC Worldwide (Leo Burnett)
  - Outsource hosting services: SAVVIS

Slide 4: Planning and Risk Mitigation
- Outsourced hosting alleviated security fears
  - Physical separation from Hewitt's customer data
  - Legal responsibility on vendors
- Prove that the system is safe before paying
  - Perform a thorough ethical hack by an outside security firm: Symantec

Slide 5: Business Risk Identification
- DOS attacks would be bad...
- ...but defacing the site would be much worse:
  - Loss of credibility in a conservative industry
  - Brand name capital loss (goodwill)
  - Public embarrassment
  - Legal implications

Slide 6: Vulnerability Report Results
- Overall, site security was solid. No known vulnerabilities related to the Hewitt.com site.
- However, the content management tool used to update material on the site was accessed through a separate site, protected only by an encrypted username and password.

Slide 7: Management Reaction
- "Does not sound like a big deal"
- "Probably not much to worry about"
- "I can't even remember my own password, much less hack anyone else's"

Slide 8: Regroup and Recover
- Hewitt security personnel confirmed that the current Hewitt.com site gets attacked more than 1000 times every hour of every day:
  - Port sniffing
  - Mini-DOS attacks
  - Cross site scripting attempts
  - ...etc
- I presented management with these results...with pretty graphs.
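The per-hour attack counts that the security team handed over on this slide come from triaging web-server logs. The following is an added example (not code from the presentation or from Hewitt) of that triage step: it parses a few constructed combined-format access log lines, flags cross-site scripting attempts by looking for script markers in the percent-decoded request path, flags a request burst from a single address as a mini-DOS event, and totals both per hour. The log format, the sample addresses, the `FLOOD_THRESHOLD` value and the category names are assumptions made for the example.

```python
"""Added example: per-hour summary of attack attempts seen in a web access log.
Sample log lines are constructed for this example and are not real traffic."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (assumed format).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2007:10:02:11 -0600] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2007:10:05:42 -0600] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
198.51.100.7 - - [12/Mar/2007:10:07:00 -0600] "GET /news?id=javascript:alert(document.cookie) HTTP/1.1" 404 301
203.0.113.5 - - [12/Mar/2007:11:15:03 -0600] "GET /careers HTTP/1.1" 200 4410
""" + "\n".join(
    # 30 requests from one address within a single minute: a constructed burst.
    f'192.0.2.44 - - [12/Mar/2007:11:20:{s:02d} -0600] "GET / HTTP/1.1" 200 5120'
    for s in range(0, 60, 2)
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# Markers typical of reflected-XSS probes; checked after percent-decoding.
XSS_RE = re.compile(r'<script|javascript:|onerror=|onload=', re.IGNORECASE)
# Requests from one address within one minute before we call it a flood (assumed).
FLOOD_THRESHOLD = 20


def parse(line):
    """Parse one combined-format line into ip, timestamp and decoded path."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash the report
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'path': unquote(m.group('path'))}


def analyze(log_text):
    """Return a Counter keyed by (hour, category) with the number of events."""
    per_hour = Counter()
    per_minute_ip = defaultdict(int)
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        hour = r['ts'].strftime('%Y-%m-%d %H:00')
        if XSS_RE.search(r['path']):
            per_hour[(hour, 'xss_attempt')] += 1
        per_minute_ip[(r['ip'], r['ts'].strftime('%Y-%m-%d %H:%M'))] += 1
    # A burst at or above the threshold counts as one flood event in its hour.
    for (ip, minute), n in per_minute_ip.items():
        if n >= FLOOD_THRESHOLD:
            per_hour[(minute[:13] + ':00', 'request_flood')] += 1
    return per_hour


def report_rows(summary):
    """Flatten the Counter into sorted (hour, category, count) rows for a chart."""
    return sorted((hour, cat, n) for (hour, cat), n in summary.items())


if __name__ == '__main__':
    for hour, cat, n in report_rows(analyze(SAMPLE_LOG)):
        print(f'{hour}  {cat:<15} {n}')
```

The same two functions run unchanged over a full day of real logs; `report_rows` is the table you would feed into the graphs the slide mentions. Port scans do not appear in web-server logs at all, so that category would have to come from firewall or IDS logs with a separate parser.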

Slide 9: Solution and Aftermath
- Management saw the potential issue
- Agreed to add a VPN requirement to the scope to add an extra layer of security
  - Not a perfect solution, but reduced risk significantly
  - Had to balance practicality and benefits
- Symantec approved the approach and identified the risk as 'acceptable'

Slide 10: Hewitt.com launch
- ...within three months:
  - Number of hits from target segments increased 354%
    - Industry professionals
    - HR Analysts
  - Most popular HR site in the world
    - More than 400,000 hits a month
  - ...and no hacker attacks!!!
