Yellow Corporation, a US$2.9 billion Fortune
500 company with 32,000 employees, is one of the largest freight carriers in
the nation. Based in Overland, KS, the company has made a concerted effort to
move much of its day-to-day customer and driver interaction to the Web. Last
year, its online efforts were recognized by CIO magazine, which named Yellow
as one of the Top 100 technology companies in 1999.
Yellow Reinvents
Itself As An eBusiness
In the freight business, where customers and
carriers are all in a hurry to meet demanding delivery schedules, the
availability and integrity of information are crucial.
For that reason, Yellow Corporation made a
strategic decision during the mid-1990s to migrate many of its routine
business transactions to the Internet. Since that time, Yellow has reinvented
itself as an eBusiness, using the Internet to broker many of its
business-to-business transportation and related services. In doing so, it has
also transformed the freight industry.
Yellow selected eTrust Access Control, a
security tool that enabled them to cohesively control and manage their UNIX
systems from a single point. Yellow uses eTrust Access Control to secure
sensitive system files and key critical data files, and as a soft firewall to
monitor and provide secure access for those who visit the site. Because of
eTrust Access Control, both customers and carriers are able to have free and
easy access to the information they need, while the more confidential
operations of Yellow's enterprise servers are protected.
Now using the Internet, Yellow customers are
able to get instant rate quotes, which include all freight charges, fuel
charges, and projected delivery dates. They can schedule pickups and delivery,
trace shipments, and make payments electronically.
Corporate and independent carriers are able
to get all the information they need regarding available shipments, which
increases the speed of the shipping process. They can print necessary forms
and permits, and they can gain immediate access to Yellow's customer service
department when necessary via YellowLive, a feature that Yellow has put into
place with the help of AOL's Instant Messenger service.
Yellow believes that its investment in
technology is just as important as its investments in trucks and terminals.
One recent episode has helped to reaffirm that belief.
eTrust Access
Control Protected Against Significant Losses
During the summer of 1999, Michael Milliard,
Senior Information Security Analyst, noticed a series of alerts originating
from the company's UNIX Web servers. Milliard checked the eTrust Access
Control log files on the servers for the cause of the alerts, and he found
that an unidentified user had tried to gain access to Yellow's proprietary
system files and user IDs via the Internet.
"We saw a line of messages in the
eTrust Access Control logs, at five to ten second intervals, trying to hit the
various services that were available on our server," Milliard said.
Requests for that kind of access are rare. "At the system level, we don't
see a lot of activity, other than systems people or applications people making
changes to the website."
He continued, "The alerts gave the
impression that someone, a 'script kiddie,' a person who doesn't have enough
system knowledge to operate at a system level, was running a scanning type of
program like 'nmap'. Nmap is one of many hacker scripts or hacker programs
that are out there."
Milliard estimates that the attack lasted
for 60-90 minutes, during which time the uninvited guest scanned various
server ports, looking for access to any of the services that were available on
the server, including ftp, telnet, http, and e-mail.
"We call it a 'blunt force hack.' They
were running the script, trying to exploit the services that are on that
server." The soft firewall component of eTrust Access Control
"locked up" the basic services on their UNIX server, Milliard said,
"so that as they were checking access to each service, they were getting
the message, 'denied, denied, denied…' That's all they saw."
Later, checking the IP address of the
individual trying to access those items, Milliard found that it had been an
individual from outside the company. Further investigation with the ISP
determined that that particular account had since been closed.
"The website is one of our primary
sales vehicles. In many respects, this website replaces the need to have a
customer or a carrier speak with a live representative. That's what eTrust
Access Control protected," Milliard said. The eTrust Access Control log
files showed that the hacker had failed due to eTrust Access Control
protection.
Had the attack been successful, "we
would have experienced a loss of availability," Milliard said. "Or,
if they had damaged pages, it would have taken time to recover them. And since
we're a 24 x 7 operation, that loss of availability would have transferred
into financial loss. Our sales force is directing all of our customers to that
page. It's our main presence on the Web."
Milliard estimated that the company could
easily have lost about US$30,000-US$60,000 an hour. That loss was prevented
because eTrust Access Control was monitoring the site.
Future Plans
According to Milliard, Yellow's Management
is firmly behind the company's Internet efforts as a strategic direction for
sales. And CA's eTrust solutions will be a part of that future.
Milliard said he will continue to support
the use of eTrust Access Control as a means of providing security for Yellow's
eBusiness efforts. "I think eTrust Access will become an industry
standard for security in the UNIX and Client/Server environments."
