Posted: November 27th, 2013 | Filed under: IIS & HTTP
PCI DSS is a set of standards developed by major credit card companies to keep credit card information secure and reduce fraud. The standards apply to any organization that processes, stores, or transmits credit card data. Occasionally, the PCI Security Standards Council will announce updates to the standards, which may require approved companies to make changes to their security hardware, software, and practices. The latest updates (PCI DSS Standards 3.0) were introduced a few months back, but recent documentation has shed a bit more light on what you need to do to start preparing for compliance once the new rules come into effect on January 1, 2014.
Posted: October 30th, 2013 | Filed under: IIS & HTTP
Despite our best preventive efforts and proactive measures, practices, and training, security breaches still happen. It is just a fact of life today. The most prepared CISOs could quickly handle a breach if they knew when it was going to occur. But there is no spidey sense that will tingle when a hacker makes his way into your database, or an alarm that will sound when a user’s session is hijacked and unauthorized permissions are obtained. But certain activities can help you notice unusual and potentially dangerous activities happening around your web assets. They include:
- Configuring alerts
- Using reporting tools
- Monitoring your app
These activities are vital for effectively dealing with an incident. Alerts (via email, SMS, etc.) offer the application and site owners a way to know that they are under attack. It’s as if the app is shouting “Help! Something is wrong!” And regular use of reports gives site owners a way to monitor normal usage on the site and quickly recognize unusual activity. But the benefits do not end there.
Posted: October 30th, 2013 | Filed under: Web and Application Security | Tags: data security, database security, information security, web security
From the perspective of a business owner, the web can be a terrifying place, rife with threats. We’ve compiled a list of our favorite web security videos that will make you want to disconnect from the internet and hide.
Posted: October 3rd, 2013 | Filed under: IIS & HTTP
This November, the Payment Card Industry (PCI) Security Standards Council will change the PCI Data Security Standard (PCI DSS) and the Payment Application-Data Security Standard (PA-DSS). This means organizations that handle cardholder data will need to update their security to adhere to the new rules. We’ve read the initial documentation and have laid out some of the biggest changes to prepare for over the coming year.
Posted: August 18th, 2013 | Filed under: IIS & HTTP
Businesses today cannot ignore the varied creative spaces available for marketing their offerings. This is exactly the reason for the tremendous rise in third-party applications, be they standalone programs or small plugins that add functionality. It is a departure from the previous paradigm of companies depending heavily upon enterprise software providers and a few others for all their applications.
Organizations now want to have a go at everything, which seems more convenient and helps them network. Employees can’t seem to live without social networking applications like Facebook, LinkedIn, Twitter, and various other applications offered by third-party providers, making them essential for today’s business. According to mobile market research and consultancy firm research2guidance, the market for app development services, including application creation, management, distribution and extension services, will grow into $100 billion in 2015.
Although these applications and social networks are primarily intended for consumer use, companies are increasingly recognizing their business benefits. This creates a unique challenge for the IT department. Alongside the benefits, they can negatively impact productivity, network bandwidth, users’ privacy, data security and the integrity of IT systems (via malware and application vulnerabilities). A lot of these applications come with severe vulnerabilities, and exposing business and personal data to them poses a high security risk. Previously, only malware was a major threat. But today, about 75% of cyber attacks happen due to vulnerabilities in third-party applications. The general perception amongst companies is that by investing in patch management, and by patching third-party applications, they will be safe. But there is more to it than just patch management.
During our network and application audits, we have observed that such patching devices, even if implemented and configured, fail to ensure 100% patch management. Also enterprises are always at the mercy of third-party vendors for patching the flaws and preventing a software exploit. In some cases, the patches are released months after a flaw has been detected. And in the meantime new flaws emerge. In order to be secure, 3rd party applications should be managed more proactively.
Some do’s and don’ts for third-party apps:
- Depending upon risk, companies should define and offer selective usage of these applications.
- Frequent security audits of all third-party applications should be implemented. A good practice would be to incorporate a mandatory requirement for a security audit certificate in the application procurement tender. This would require software product companies to implement secure coding practices and get audited by an independent security firm.
- Only implementing an automated patch management system will not help the cause. There has to be a team of knowledgeable people managing this system and ensuring patch adherence.
- It is advisable to implement two-factor authentication for third-party applications. Two-factor authentication that uses out-of-band authentication, such as a PIN sent to a smart phone, does require a hacker to go to extensive lengths to beat it, and so adds an additional layer of protection.
- Conduct security awareness training for business users, application IT teams and infosec teams at regular intervals to educate and sensitize teams on ongoing attack trends and how they can prevent them.
- Finally, even employees can ensure secure and safe usage by practicing a few things, like using different passwords for their personal and business accounts and regularly changing them. Define privacy settings in all social media applications such that personal information is not exposed. Immediately revoke access to third-party applications if employees sense anything fishy in their accounts. These are small steps, but they can go a long way in ensuring safe and secure usage!
-Hardik Kothari, Business Development, Net-Square Solutions