Hewitt.com Redesign


Presentation Transcript


  1. Hewitt.com Redesign: Security Considerations
     Jorgen Hesselberg, MITP’07 Brute Force

  2. Business Background
     • Hewitt Associates
     • Market leader in HR management and outsourcing
     • Major competitors: Accenture, Watson Wyatt, ADS
     • 24,000 employees worldwide
     • $3 Billion annual revenue (’06)
     …last among competitors in internally commissioned web site study

  3. Hewitt.com Redesign: Implementation Approach
     • Outsource website design and development
       • ARC Worldwide (Leo Burnett)
     • Outsource hosting services
       • SAVVIS

  4. Planning and Risk Mitigation
     • Outsourced hosting alleviated security fears
       • Physical separation from Hewitt’s customer data
       • Legal responsibility on vendors
     • Prove that the system is safe before paying
       • Perform thorough ethical hack by outside security firm
       • Symantec

  5. Business Risk Identification
     • DOS attacks would be bad…
       …but defacing the site would be much worse.
     • Loss of credibility in a conservative industry
     • Brand name capital loss (goodwill)
     • Public embarrassment
     • Legal implications

  6. Vulnerability Report Results
     • Overall, site security was solid. No known vulnerabilities related to the Hewitt.com site.
     • However, the content management tool used to update material on the site was accessed through a separate site, protected only by an encrypted username and password.

  7. Management Reaction
     “Does not sound like a big deal”
     “Probably not much to worry about”
     “I can’t even remember my own password, much less hack anyone else’s”

  8. Regroup and Recover
     Hewitt security personnel confirmed that the current Hewitt.com site gets attacked more than 1000 times every hour of every day:
     • Port sniffing
     • Mini-DOS attacks
     • Cross site scripting attempts
     • …etc.
     I presented management with these results…with pretty graphs.
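The per-hour attack counts on this slide are what a review of the web server's access logs produces. As an added illustration that is not part of the presentation, the Python below sorts constructed access-log lines into the categories the slide names (cross-site scripting attempts, mini-DOS bursts, path probing) and tallies them per hour; the log format, the sample addresses and the two thresholds are assumptions, not Hewitt's data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Crude signature for reflected-XSS probes in the request path (raw or URL-encoded '<script').
XSS_RE = re.compile(r'(<|%3c)\s*/?script|javascript:|onerror\s*=', re.I)
def sample_lines():
    # Constructed sample traffic (RFC 5737 test addresses), not real Hewitt.com logs.
    lines = [
        '203.0.113.5 - - [12/Mar/2007:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
        '203.0.113.7 - - [12/Mar/2007:10:01:05 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 88',
        '203.0.113.7 - - [12/Mar/2007:10:01:06 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88',
        '198.51.100.9 - - [12/Mar/2007:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 0',
        '198.51.100.9 - - [12/Mar/2007:10:02:01 +0000] "GET /cms/login HTTP/1.1" 404 0',
        '198.51.100.9 - - [12/Mar/2007:10:02:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0',
    ]
    # One client requesting the front page 25 times inside a single minute (mini-DOS burst).
    return lines + [f'192.0.2.4 - - [12/Mar/2007:10:03:{s:02d} +0000] "GET / HTTP/1.1" 200 512' for s in range(25)]

def parse(line):
    # Return ip, path, status and aware time for one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def classify(lines, burst_per_minute=20, probe_404s=3):
    # Map each hour ("YYYY-MM-DD HH:00") to a Counter over xss_attempt / mini_dos / probing / benign.
    events = [e for e in map(parse, lines) if e]
    per_minute = Counter((e["ip"], e["time"].strftime("%Y-%m-%d %H:%M")) for e in events)
    n404 = Counter((e["ip"], e["time"].strftime("%Y-%m-%d %H")) for e in events if e["status"] == 404)
    hourly = defaultdict(Counter)
    for e in events:
        minute = e["time"].strftime("%Y-%m-%d %H:%M")
        hour = minute[:-3]
        if XSS_RE.search(e["path"]):
            kind = "xss_attempt"   # script injection in the URL
        elif per_minute[(e["ip"], minute)] >= burst_per_minute:
            kind = "mini_dos"      # request flood from one client
        elif e["status"] == 404 and n404[(e["ip"], hour)] >= probe_404s:
            kind = "probing"       # guessing admin/CMS paths
        else:
            kind = "benign"
        hourly[hour + ":00"][kind] += 1
    return dict(hourly)
```

Summing every non-benign count per hour gives the headline figure for a management report; port scans do not appear in web logs, so that category needs firewall or IDS data instead.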

  9. Solution and Aftermath
     • Management saw the potential issue
     • Agreed to add a VPN requirement to the scope, adding an extra layer of security
     • Not a perfect solution, but reduced risk significantly
     • Had to balance practicality and benefits
     • Symantec approved the approach and identified the remaining risk as ‘acceptable’

  10. Hewitt.com Launch
     …within three months:
     • Number of hits from target segments increased 354%
       • Industry professionals
       • HR analysts
     • Most popular HR site in the world
     • More than 400,000 hits a month
     …and no hacker attacks!!!
