Security Links
Cardholder
Information Security Program
VISA
This Acrobat document is an excellent methodology for protecting your clients'
credit card information. It summarizes twelve basic steps that need to be
taken, and then goes into the details and best practices for implementation.
If you are an Internet merchant, have dreams of becoming one, or are just
interested in making your systems more secure, you should download this
publication.
Card Not Present
Visa
"Card Not Present" is a technical term referring to a mail or phone
order, or to an Internet merchant receiving a credit card number. Since
they don't have the card in hand, they are presented with LOTS of challenges to
avoid credit card fraud, for which the merchant is primarily liable. This
article by Visa identifies the big issues to worry about. If you're a
merchant, read this. If you're a customer, reading this will help you
understand why merchants get a little nervous about accepting your credit card.
Find
and Eliminate Snooping Software and Web Bugs
cnet.com
This is a fascinating article on the latest ways your privacy can be invaded,
and what you can do about it. A particularly noxious technique is called
"web-bugs" and this article reviews their evilness.
As a supplement, here is The Web Bug FAQ. This is a well-written and very
illuminating discussion of what Web Bugs are and how they work: typically a
tiny or invisible image, served from a third party, whose URL carries an
identifier so that the third party learns who loaded the page or the email.
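The following script is an added example (not from the cnet article or the Web Bug FAQ) showing how a practitioner would hunt for web bugs in a page or an HTML email offline. It flags an image only when it is tiny or hidden AND either comes from a host other than the page's own or carries query-string parameters; those heuristics, the host names and the sample page are assumptions made for the example.

```python
"""Flag likely web bugs (tracking pixels) in an HTML document.

Added example, not from the cnet article or the Web Bug FAQ. The sample
HTML, the host names and the flagging heuristics are constructed here.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a dimension attribute of 0 or 1 pixel ("1", "1px", "0")."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_web_bugs(html, page_host):
    """Return [(src, [reasons])] for images that look like web bugs.

    Heuristics (assumptions for this example, not a standard):
      * hidden: width and height both <= 1 pixel, or style display:none
      * third party: image host differs from the host serving the page
      * tracking id: the URL carries a query string
    An image is reported when it is hidden AND (third party OR has a query).
    """
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        if not src:
            continue
        url = urlparse(src)
        style = img.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(img.get("width", "")) and _is_tiny(img.get("height", ""))) \
            or "display:none" in style
        reasons = []
        if hidden:
            reasons.append("tiny or hidden image")
        if url.hostname and url.hostname.lower() != page_host.lower():
            reasons.append("third-party host %s" % url.hostname)
        if url.query:
            reasons.append("query parameters %s" % sorted(parse_qs(url.query)))
        if hidden and len(reasons) > 1:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate logo and one classic web bug.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="Gadwall">
<p>Thanks for reading.</p>
<img src="http://tracker.example/pixel.gif?uid=12345&page=newsletter"
     width="1" height="1" alt="">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, "www.gadwall.com"):
        print(src, "->", "; ".join(reasons))
```

Run it against a saved copy of a page or an HTML email; a 1x1 image from your own server with no query string is just a spacer and is not reported, which is why the check requires more than one signal.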
Visa
issues ten commandments for online merchants
Computerworld
Visa's getting a little tired of Internet fraud and has come up with
specifications for security practices. These commandments are generic and
really should be a road-map for any company interested in improving their
security. The article doesn't go into much detail, but
does point to the link at Visa:
Here are the commandments:
1. Put a firewall in place
2. Make sure you have the latest security patches installed
3. Encrypt data that can possibly be seen from the Internet, whether
authorized or unauthorized
4. Encrypt data sent over the Internet
5. Use up-to-date anti-virus software
6. Restrict access to data on a need-to-know basis
7. Assign unique login ID's to anyone with access to data
8. Use those ID's to track all access of data
9. Don't use the default configurations and passwords that came with the
system
10. Run regular audits and tests of your security practices
They also recommend three additional "best practices"
1. Vet employees who have access to data to reduce the potential for an
"inside job"
2. Physically secure papers, diskettes and computers that contain data
3. Destroy obsolete data
Hmmm, actually, it looks like 13 commandments rather than 10. Anyway,
these are good rules to follow.
New
Manager Sees How Security Gets Done - Not!
Computerworld
Consultants, articles and books can tell you what you need to do about your
security problems (as well as other things), but this journal describes how
implementing all of these great ideas works in the real world. Problematic
products, politics, lack of budget, recalcitrant users, multiple layers of
management, divided responsibilities and authority...all of these things make
the process of putting recommendations into action a much harder task than just
coming up with the ideas in the first place. That's why I like being a
consultant.
Napster
trap
Computerworld
Not only should you outlaw the use of Napster on your company's network because
of the probable negative effect on productivity and bandwidth, you also have to
worry about the possible legal ramifications. And now you have something
more to worry about...security. Napster allows MP3 files on your computers
to be shared across the Internet. Now there's a new product called "Wrapster"
that allows ANY files to be shared - not just MP3 files. This is just
insane. As author Deborah Radcliff says, "...the best defense is to
outlaw MP3 downloads on corporate computers and laptops. If employees still want
music as they work, tell them to listen to the radio."
Covering
your assets
Computer Shopper
Even though it does get a little deep in spots, this is an excellent primer on
firewalls. It explains packet filtering, proxy servers and network address
translation. If you're just getting onto the Internet, or want to know
what all those networking guys are talking about, this article may fill in a few
gaps.
Chat
clients may pose security threats, CERT warns
Computerworld
Worried about email and the security risks it represents? Don't even think
about Internet chat. Whether it's AOL, Microsoft, Yahoo or IRC, these are
insecure and easily compromised tools that usually have no place in an
organizational environment. Only use them when there is a clear business
reason (such as real-time customer support). And make sure your staff
knows that identities can be captured or spoofed, passwords can be stolen,
conversations can be monitored, and viruses can be passed. If you have to
use chat, make sure you have very strict policies in place similar to your email
usage policy. Also include rules about transmission of sensitive or
confidential information. And if you don't need chat in your company,
incorporate that into your Internet usage policy.
Computer Security Institute
While the true hard-core security fans may be interested in membership in this
organization, the real value of this site is its archive of sample articles that
have been published in their magazine.
Failed dot-coms
may be selling your private information
CNET
There are two stories here. One is related to privacy. You know, the
information that you gave to some dot.com who assured you that it would never be
transferred to any other company. Well, forget about it. If they're
in fire-sale bankruptcy mode, then all bets are off. And the second story
is that, when up against the wall, forget promises. If you're dealing with
a vendor who is in financial trouble, no commitment they make can be relied
upon. So when doing your procurement research, do a credit check.
See if the vendor is going to be able to keep its promises. Obviously this
may be overkill if you're just buying a MP3 player from a dot.com, but if you're
relying on a firm to be there in a year when you're having problems with your Web
site, any promises they made are irrelevant if you can't find them.
Security?
Who cares?
Computerworld
An interesting perspective on why security problems so often come down to human failure.
People look to their management for guidance. If management doesn't really
take security seriously, then neither will the workers. Does YOUR CEO talk
about security? Has she ever made an impassioned statement to the troops
threatening storm-warnings on both coasts if there is a security breach?
Or does she pay lip service only when the CIO begs for some attention?
Panel
rips IT for security complacency
Computerworld
How secure is your environment? How do you know? Have you run an
audit? Have you applied all of the available patches? Have you
implemented the recommendations of the FBI and the SANS Institute? The
answers to these questions are generally negative. This article is an
exhortation to deal with these issues and make your organization more secure.
One useful tip is not to put your existing IT staff in charge of security.
It will just be one more job for them and they're already overworked as it is.
Either hire staff dedicated to that role, or use an outside consultant.
Cyberstalking
Hype
Inter@ctive Week
While the second half of this article delves into the reality of "cyberstalking,"
what I found most interesting was an analysis of how negative trends, such as
cyberstalking, can be overblown. The author calls it the "Iron
Quadrangle" and includes four categories of people who contribute to the
problem:
Sensation mongers: journalists after an exciting story
Pandering politicians: they hop on the bandwagon to wring some political
benefit
Academics and consultants: who "study" the problem in search of
publicity, grant money, etc.
Activists in search of a new cause: their current cause is running out of
steam and they need a new one
It's helpful to remember this model when you're looking at whatever the
latest "buzz" is. It might be cyberstalking, it could be
cyber-privacy, it could be identity theft, or any number of sensational
issues. When searching for the truth, it's helpful to know the agendas of
the people who are talking about it.
How To Eliminate The Ten Most
Critical Internet Security Threats
SANS Institute
This report has gotten a lot of press since it came out last week. The
list is somewhat technical, but the recommendations boil down to some basic
strategies:
1. Make sure your software is at the current update and patch level.
This particularly includes infrastructure items like utilities, firewalls,
server and workstation operating systems, Web server software, email, browsers,
etc.
2. Beware of custom code, applications and scripts. This also
includes sample applications that were included with the package you bought.
The report specifically mentions CGI scripts on Web servers.
3. There are several Unix and Linux services such as sendmail, BIND,
IMAP, POP, and RPC that have weaknesses. Make sure that patches are
applied, or turn these services off if you don't need them.
4. Don't allow file-sharing on your Windows machines. And if you
must (e.g. file servers), implement the strongest security possible.
5. Remove any guest and demo user accounts and passwords that came with
your system. These are frequently left intact by careless consultants or
uninformed administrators. In addition, make sure that a strong password
policy is in effect for all accounts, for both users and administrators.
6. SNMP is very insecure and can give hackers information about your
network, or allow them to control certain elements of it. Unless you need
it, disable it. And if you use it, there are some configuration changes
you should make.
7. There are a bunch of holes in Outlook and Outlook Express.
This report gives you some guidance on how to close them.
Jury
convicts IT manager of crippling company's systems
Computerworld
There's an easy and clear lesson to learn here. A small company had one
guy who was responsible for all of the computer systems. He left a
"bomb" on the server that not only crashed it, but also deleted key
files required for the company's production. AND, he was in charge of
backups. Guess what...no backups. So if you're one of those tiny
companies that relies completely on one overworked, underpaid guy with an
attitude, you had better look out. The solution? Get someone else
involved quickly, even if it's a networking consultant. And YOU should
keep the backup tapes.
The enemy
within
NetworkWorld Fusion
While we're all fussing about the security problems that make the evening news,
your own employees may be doing much more damage - and you don't even know it.
It could be a disgruntled employee who just got a warning. Or it could be
a clerk who is having trouble making a car payment. But companies have
been paying more attention to "protecting the perimeter" than in
establishing internal policies, access controls, and audit trails. The
article mentions some products that provide these functions and details
experiences of several end users.
Microsoft's
Outlook: Cloudy security
eWeek
Once again, your curmudgeonly, sour, gray-bearded sage has shown the mainstream
press the way. This article discusses the concerns corporate IT managers
have with viruses that take advantage of Microsoft Outlook. A couple of
executives express concern about continuing to use Outlook, and Microsoft's
strategy of delivering functionality and integration over security. Bottom
line - think twice when planning your next email investment.
An
Airplane Is a Great Place To Gather Some Intelligence
Wall Street Journal, 11/8/99
An enjoyable article on people who read over your shoulder when you're using
your laptop on the airplane. It offers opinions about the ethical
questions involved, as well as discussing the wider issue of airplane privacy in
general. For example, before rehearsing your sales pitch with the stranger
who happens to be sitting next to you, check to see if she's your competitor who
is flying to meet with the same customer as you. There are a couple of
tips. They include:
- waiting until your seat mates are asleep before you open up your laptop,
- getting a filter that blurs the text unless you're right in front of the
screen,
- getting a bulkhead window seat,
- preparing a document that says, "If you can read this, you should be
ashamed of yourself" to retrieve whenever you sense someone is looking over
your shoulder,
- reading a book.
Symantec Anti-virus
Research Center
This is a very handy resource for finding out the latest viruses that are
cruising around. Click on any virus listed and it gives you all kinds of
useful information, including how it's spread, its history, etc.
Rx
for viruses: Get tough with e-mail attachments
Computerworld
Regular readers know how I feel about email attachments - I don't like 'em.
This article echoes that thought and has some specific ideas. For example,
attachments would be stripped from email coming from outside the company
firewall. Sending files within the company network makes sense, but when
it's coming from outside, the risks are too great. Part of the problem
with attachments isn't just their potential for carrying viruses. They
also chew up bandwidth, are frequent time-wasters, and often require translation
or a version of software that the user has to scrounge up. The author
recommends the same thing I do - insist on incorporating the document into the
text of the email itself, not as an attachment.
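Here is an added example (mine, not the Computerworld author's) of what "strip attachments from outside the firewall" looks like at a mail gateway, using only Python's standard email package. The policy it enforces is an assumption for the example: mail from a sender outside the listed internal domains keeps its plain-text body and loses every attachment, with a note appended listing what was removed. The domain names and the sample message are constructed.

```python
"""Strip attachments from mail that arrives from outside the organization.

Added example, not from the Computerworld article. Uses only the standard
library. The internal domain list, the policy and the sample message are
assumptions constructed for the example.
"""
from email import message_from_string, policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"gadwall.com"}   # assumed; set this to your own domains


def is_internal(msg):
    """True when the From: address belongs to one of INTERNAL_DOMAINS."""
    sender = (msg.get("From") or "").lower()
    _, _, domain = sender.rstrip(">").rpartition("@")
    return domain in INTERNAL_DOMAINS


def strip_attachments(raw):
    """Parse `raw` and return (message, [names of removed attachments]).

    Internal mail is returned untouched. For external mail the text/plain
    body is kept and every attachment (anything with Content-Disposition:
    attachment, or any non-text part) is dropped; a note listing the
    removed parts is appended so the recipient knows to ask for the
    content in the body of a new message.
    """
    msg = message_from_string(raw, policy=policy.default)
    if is_internal(msg) or not msg.is_multipart():
        return msg, []

    removed = []
    kept_text = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or \
                part.get_content_maintype() != "text":
            removed.append(part.get_filename() or part.get_content_type())
        elif part.get_content_type() == "text/plain":
            kept_text.append(part.get_content())

    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            clean[header] = str(msg[header])
    body = "\n".join(kept_text)
    if removed:
        body += "\n\n[Gateway removed %d attachment(s): %s]\n" % (
            len(removed), ", ".join(removed))
    clean.set_content(body)
    return clean, removed


# Constructed external message: one text part and one Word attachment.
SAMPLE_RAW = """\
From: vendor@supplier.example
To: webmaster@gadwall.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--BOUNDARY
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    cleaned, dropped = strip_attachments(SAMPLE_RAW)
    print("removed:", dropped)
    print(cleaned.get_content())
```

Note that the check is on the From: header, which is trivially forged; a real gateway would decide "internal" from the connection it received the message on, not from the header. That is exactly why the article's rule is worth applying to everything that crosses the firewall.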
PC
Protection Guide
ZDNet
This article covers virus protection software and techniques to avoid viruses.
It also reviews PC security issues and keeping your software upgraded. It
isn't comprehensive. For example, there is no discussion of protecting
your system from someone with physical access, nor do they discuss encryption
options. But the article may answer some questions for you regarding
Internet security.
Hijacking
of Errant E-Mails Grows, Leading to Some Embarrassing Tales
Wall Street Journal, 11/9/99
Every day, the good old US Mail looks better and better. This is the
latest bit of Internet weirdness that can catch you off guard. The article
describes Internet sites that, for lack of a better word, are hijacking email.
They do this by setting up a site that is similar to another company's domain
name and then reading any email that gets accidentally sent there.
For example, let's say I'm dealing with a customer who types a message to me
in care of gadwell.com as opposed to gadwall.com. If Gadwell.com has been
snagged by my evil competitor, then my customer's email would go to him, and I
would probably lose my customer...at least my relationship would be compromised.
While the article describes organizations doing this intentionally, it can
also happen by accident simply through the use of a misplaced vowel or
punctuation mark.
The article goes on to describe several more examples of this type of
problem. And it discusses the legality of the activity, the ethics, the
impact of trademarks, etc.
How to solve the problem? First of all, register as many possible
combinations of your domain name as possible, even misspellings. For
example, after reading this article, I registered gadwell.com, simply because I
HAVE had some clients misspell the correct name of Gadwall.
Also, be CAREFUL about the email addresses that you type. Use your
address book, or copy the email address from emails you receive. Try to
avoid actually typing email addresses manually.
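The following is an added example of my own, not from the Wall Street Journal article, that does the two things recommended above in code: it generates the plausible one-keystroke misspellings of a domain (the list you would want to register, or at least watch for), and it checks an outbound recipient address against that list so a typo is caught before the message leaves. The domain names are constructed for the example, and the set of typo rules is an assumption, not a standard.

```python
"""Generate common misspellings of a domain and flag outbound mail to them.

Added example, not from the Wall Street Journal article. The typo rules
below are an assumption for the example; domain names are constructed.
"""

VOWELS = "aeiou"


def typo_variants(domain):
    """Return a set of plausible single-error misspellings of `domain`.

    Covers adjacent-character transposition, one character omitted,
    one character doubled, and vowel-for-vowel substitution (which is
    the gadwall -> gadwell case). Only the label left of the first dot
    is varied; the rest of the name is kept as typed.
    """
    label, dot, rest = domain.lower().partition(".")
    out = set()
    for i in range(len(label) - 1):                       # transpose
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                           # omit one
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label)):                           # double one
        out.add(label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):                        # vowel swap
        if ch in VOWELS:
            for v in VOWELS:
                if v != ch:
                    out.add(label[:i] + v + label[i + 1:])
    out.discard(label)
    return {v + dot + rest for v in out if v}


def lookalike_domain(address, own_domain):
    """Return the recipient's domain if it is a misspelling of own_domain.

    Returns None for your real domain and for unrelated domains, so the
    caller can warn only on the near misses.
    """
    _, _, dom = address.lower().rpartition("@")
    if dom and dom != own_domain.lower() and dom in typo_variants(own_domain):
        return dom
    return None


if __name__ == "__main__":
    print(sorted(typo_variants("gadwall.com")))
    for rcpt in ("bob@gadwell.com", "bob@gadwall.com", "bob@example.com"):
        print(rcpt, "->", lookalike_domain(rcpt, "gadwall.com"))
```

The variant list is a starting point for deciding what to register; the outbound check is the cheaper half, since it costs nothing per name and catches the misspelling whether or not anyone has snagged it yet.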
Defending
your e-castle
ZDNet - Small Business
This is a pretty comprehensive article that discusses the basic stuff you
should be doing to protect your company from e-terrors. The first is to
install a firewall. Two particular products for small businesses and
SOHO's are mentioned. The next is to make sure your software has all of
the security patches. Then you want to reconfigure your software to close
some of the loopholes that our friends in Redmond left open for your
convenience. And finally, pound into your employees' heads that they
should be very careful opening attachments.
Security Updates and
Vulnerability Patches
ZDNet
Do you want to be depressed? Go to this site and see how many patches are
available for your software. And I'll bet you don't have all of them
applied to your system. This looks like a good resource to start with, but
I'd check with the vendor's site to make sure you've got everything. This
article is part of a larger site...updates.zdnet.com
which includes information on all updates, not just security problems.