Security Links

Cardholder Information Security Program
VISA
This Acrobat document is an excellent methodology for protecting your clients' credit card information.  It summarizes twelve basic steps that need to be taken, and then goes into the details and best practices for implementation.  If you are an Internet merchant, have dreams of becoming one, or are just interested in making your systems more secure, you should download this publication. 

Card Not Present
Visa
"Card Not Present" is a technical term referring to a mail or phone order, or to an Internet merchant receiving a credit card number.  Since they don't have the card in hand, they are presented with LOTS of challenges to avoid credit card fraud, for which the merchant is primarily liable.  This article by Visa identifies the big issues to worry about.  If you're a merchant, read this.  If you're a customer, reading this will help you understand why merchants get a little nervous about accepting your credit card.

Find and Eliminate Snooping Software and Web Bugs
cnet.com
This is a fascinating article on the latest ways your privacy can be invaded, and what you can do about it.  A particularly noxious technique is called "web-bugs" and this article reviews their evilness. 

As a supplement, here is The Web Bug FAQ.  This is a well-written and very illuminating discussion of what Web Bugs are and how they work.

Visa issues ten commandments for online merchants
Computerworld
Visa's getting a little tired of Internet fraud and has come up with specifications for security practices.  These commandments are generic and really should be a road-map for any company interested in improving their security.  The article doesn't go into much detail, but does point to the link at Visa:

Here are the commandments:

1.  Put a firewall in place
2.  Make sure you have the latest security patches installed
3.  Encrypt data that can possibly be seen from the Internet, whether authorized or unauthorized
4.  Encrypt data sent over the Internet
5.  Use up-to-date anti-virus software
6.  Restrict access to data on a need-to-know basis
7.  Assign unique login IDs to anyone with access to data
8.  Use those IDs to track all access of data
9.  Don't use the default configurations and passwords that came with the system
10. Run regular audits and tests of your security practices

They also recommend three additional "best practices":

1.  Vet employees who have access to data to reduce the potential for an "inside job"
2.  Physically secure papers, diskettes and computers that contain data
3.  Destroy obsolete data

Hmmm, actually, it looks like 13 commandments rather than 10.  Anyway, these are good rules to follow.

New Manager Sees How Security Gets Done - Not!
Computerworld
Consultants, articles and books can tell you what you need to do about your security problems (as well as other things), but this journal describes how implementing all of these great ideas works in the real world.  Problematic products, politics, lack of budget, recalcitrant users, multiple layers of management, divided responsibilities and authority...all of these things make the process of putting recommendations into action a much harder task than just coming up with the ideas in the first place.  That's why I like being a consultant.

Napster trap
Computerworld
Not only should you outlaw the use of Napster on your company's network because of the probable negative effect on productivity and bandwidth, you also have to worry about the possible legal ramifications.  And now you have something more to worry about...security.  Napster allows MP3 files on your computers to be shared across the Internet.  Now there's a new product called "Wrapster" that allows ANY files to be shared - not just MP3 files.  This is just insane.  As author Deborah Radcliff says, "...the best defense is to outlaw MP3 downloads on corporate computers and laptops. If employees still want music as they work, tell them to listen to the radio." 

Covering your assets
Computer Shopper
Even though it does get a little deep in spots, this is an excellent primer on firewalls.  It explains packet filtering, proxy servers and network address translation.  If you're just getting onto the Internet, or want to know what all those networking guys are talking about, this article may fill in a few gaps.

Chat clients may pose security threats, CERT warns
Computerworld
Worried about email and the security risks it represents?  Don't even think about Internet chat.  Whether it's AOL, Microsoft, Yahoo or IRC, these are insecure and easily compromised tools that usually have no place in an organizational environment.  Only use them when there is a clear business reason (such as real-time customer support).  And make sure your staff knows that identities can be captured or spoofed, passwords can be stolen, conversations can be monitored, and viruses can be passed.  If you have to use chat, make sure you have very strict policies in place similar to your email usage policy.  Also include rules about transmission of sensitive or confidential information.  And if you don't need chat in your company, incorporate that into your Internet usage policy.

Computer Security Institute
While the true hard-core security fans may be interested in membership in this organization, the real value of this site is its archive of sample articles that have been published in their magazine. 

Failed dot-coms may be selling your private information
CNET
There are two stories here.  One is related to privacy.  You know, the information that you gave to some dot.com who assured you that it would never be transferred to any other company.  Well, forget about it.  If they're in fire-sale bankruptcy mode, then all bets are off.  And the second story is that, when up against the wall, forget promises.  If you're dealing with a vendor who is in financial trouble, no commitment they make can be relied upon.  So when doing your procurement research, do a credit check.  See if the vendor is going to be able to keep their promises.  Obviously this may be overkill if you're just buying an MP3 player from a dot.com, but if you're relying on a firm to be there in a year when you're having problems with your Web site, any promises they made are irrelevant if you can't find them.

Security?  Who cares?
Computerworld
An interesting perspective on why security problems are prone to human failure.  People look to their management for guidance.  If management doesn't really take security seriously, then neither will the workers.  Does YOUR CEO talk about security?  Has she ever made an impassioned statement to the troops threatening storm-warnings on both coasts if there is a security breach?  Or does she pay lip service only when the CIO begs for some attention?

Panel rips IT for security complacency
Computerworld
How secure is your environment?  How do you know?  Have you run an audit?  Have you applied all of the available patches?  Have you implemented the recommendations of the FBI and the SANS Institute?  The answers to these questions are generally negative.  This article is an exhortation to deal with these issues and make your organization more secure.  One useful tip is not to put your existing IT staff in charge of security.  It will just be one more job for them and they're already overworked as it is.  Either hire staff dedicated to that role, or use an outside consultant.

Cyberstalking Hype
Inter@ctive Week
While the second half of this article delves into the reality of "cyberstalking," what I found most interesting was an analysis of how negative trends, such as cyberstalking, can be overblown.  The author calls it the "Iron Quadrangle" and includes four categories of people who contribute to the problem:

Sensation mongers: journalists after an exciting story

Pandering politicians: they hop on the bandwagon to wring some political benefit

Academics and consultants: who "study" the problem in search of publicity, grant money, etc.

Activists in search of a new cause: their current cause is running out of steam and they need a new one

It's helpful to remember this model when you're looking at whatever the latest "buzz" is.  It might be cyberstalking, it could be cyber-privacy, it could be identity theft, or any number of sensational issues.  When searching for the truth, it's helpful to know the agendas of the people who are talking about it.

How To Eliminate The Ten Most Critical Internet Security Threats
SANS Institute
This report has gotten a lot of press since it came out last week.  The list is somewhat technical, but the recommendations boil down to some basic strategies:

1.  Make sure your software is at the current update and patch level.  This particularly includes infrastructure items like utilities, firewalls, server and workstation operating systems, Web server software, email, browsers, etc. 

2.  Beware of custom code, applications and scripts.  This also includes sample applications that were included with the package you bought.  The report specifically mentions CGI scripts on Web servers.

3.  There are several Unix and Linux services such as sendmail, BIND, IMAP, POP, and RPC that have weaknesses.  Make sure that patches are applied, or turn off these functions.

4.  Don't allow file-sharing on your Windows machines.  And if you must (e.g. file servers), implement the strongest security possible.

5.  Remove any guest and demo user accounts and passwords that came with your system.  These are frequently left intact by careless consultants or uninformed administrators.  In addition, make sure that a strong password policy is in effect for all accounts, for both users and administrators.

6.  SNMP is very insecure and can give hackers information about your network, or allow them to control certain elements of it.  Unless you need it, disable it.  And if you use it, there are some configuration changes you should make.

7.  There are a bunch of holes in Outlook and Outlook Express.  This report gives you some guidance on how to close them.

Jury convicts IT manager of crippling company's systems
Computerworld
There's an easy and clear lesson to learn here.  A small company had one guy who was responsible for all of the computer systems.  He left a "bomb" on the server that not only crashed it, but also deleted key files required for the company's production.  AND, he was in charge of backups.  Guess what...no backups.  So if you're one of those tiny companies that relies completely on one overworked, underpaid guy with an attitude, you had better look out.  The solution?  Get someone else involved quickly, even if it's a networking consultant.  And YOU should keep the backup tapes.

The enemy within
NetworkWorld Fusion
While we're all fussing about the security problems that make the evening news, your own employees may be doing much more damage - and you don't even know it.  It could be a disgruntled employee who just got a warning.  Or it could be a clerk who is having trouble making a car payment.  But companies have been paying more attention to "protecting the perimeter" than in establishing internal policies, access controls, and audit trails.  The article mentions some products that provide these functions and details experiences of several end users.

Microsoft's Outlook: Cloudy security
eWeek
Once again, your curmudgeonly, sour, gray-bearded sage has shown the mainstream press the way.  This article discusses the concerns corporate IT managers have with viruses that take advantage of Microsoft Outlook.  A couple of executives express concern about continuing to use Outlook, and Microsoft's strategy of delivering functionality and integration over security.  Bottom line - think twice when planning your next email investment.

An Airplane Is a Great Place To Gather Some Intelligence
Wall Street Journal, 11/8/99
An enjoyable article on people who read over your shoulder when you're using your laptop on the airplane.  It offers opinions about the ethical questions involved, as well as discussing the wider issue of airplane privacy in general.  For example, before rehearsing your sales pitch with the stranger who happens to be sitting next to you, check to see if she's your competitor who is flying to meet with the same customer as you.  There are a couple of tips.  They include: 

- waiting until your seat mates are asleep before you open up your laptop,

- getting a filter that blurs the text unless you're right in front of the screen, 

- getting a bulkhead window seat,

- preparing a document that says, "If you can read this, you should be ashamed of yourself" to retrieve whenever you sense someone is looking over your shoulder,

- reading a book.

Symantec Anti-virus Research Center
This is a very handy resource for finding out the latest viruses that are cruising around.  Click on any virus listed and it gives you all kinds of useful information, including how it's spread, its history, etc.

Rx for viruses: Get tough with e-mail attachments
Computerworld
Regular readers know how I feel about email attachments - I don't like 'em.  This article echoes that thought and has some specific ideas.  For example, attachments would be stripped from email coming from outside the company firewall.  Sending files within the company network makes sense, but when it's coming from outside, the risks are too great.  Part of the problem with attachments isn't just their potential for carrying viruses.  They also chew up bandwidth, are frequent time-wasters, and often require translation or a version of software that the user has to scrounge up.  The author recommends the same thing I do - insist on incorporating the document into the text of the email itself, not as an attachment.

PC Protection Guide
ZDNet
This article covers virus protection software and techniques to avoid viruses.  It also reviews PC security issues and keeping your software upgraded.  It isn't comprehensive.  For example, there is no discussion of protecting your system from someone with physical access, nor do they discuss encryption options.  But the article may answer some questions for you regarding Internet security.

Hijacking of Errant E-Mails Grows, Leading to Some Embarrassing Tales
Wall Street Journal, 11/9/99
Every day, the good old US Mail looks better and better.  This is the latest bit of Internet weirdness that can catch you off guard.  The article describes Internet sites that, for lack of a better word, are hijacking email.  They do this by setting up a site that is similar to another company's domain name and then reading any email that gets accidentally sent.

For example, let's say I'm dealing with a customer who types a message to me in care of gadwell.com as opposed to gadwall.com.  If Gadwell.com has been snagged by my evil competitor, then my customer's email would go to him, and I would probably lose my customer...at least my relationship would be compromised.

While the article describes organizations doing this intentionally, it can also happen by accident simply through the use of a misplaced vowel or punctuation mark.

The article goes on to describe several more examples of this type of problem.  And it discusses the legality of the activity, the ethics, the impact of trademarks, etc.

How to solve the problem?  First of all, register as many possible combinations of your domain name as possible, even misspellings.  For example, after reading this article, I registered gadwell.com, simply because I HAVE had some clients misspell the correct name of Gadwall. 

Also, be CAREFUL about the email addresses that you type.  Use your address book, or copy the email address from emails you receive.  Try to avoid actually typing email addresses manually.

Defending your e-castle
ZDNet - Small Business
This is a pretty comprehensive article that discusses the basic stuff you should be doing to protect your company from e-terrors.  The first is to install a firewall.  Two particular products for small businesses and SOHO's are mentioned.  The next is to make sure your software has all of the security patches.  Then you want to reconfigure your software to close some of the loopholes that our friends in Redmond left open for your convenience.  And finally, pound into your employees' heads that they should be very careful opening attachments.

Security Updates and Vulnerability Patches
ZDNet
Do you want to be depressed?  Go to this site and see how many patches are available for your software.  And I'll bet you don't have all of them applied to your system.  This looks like a good resource to start with, but I'd check with the vendor's site to make sure you've got everything.  This article is part of a larger site...updates.zdnet.com which includes information on all updates, not just security problems.


Copyright MMXIV The Gadwall Group, Ltd.  All Rights Reserved