Cisco’s Managed Threat Defense: A New Era for Data Security Analytics?

IT security is no laughing matter, and organizations of all sizes and in all industries can’t afford to ignore it.

As CNN reports, Target CEO Gregg Steinhafel tendered his resignation after “extensive discussions” with the board of directors. Why? Because Steinhafel was in charge when company networks were hacked in December 2013, leading to the theft of 40 million credit card numbers. Unhappy consumers prompted a 46 percent drop in Target’s profit, and the retailer is now spending $100 million to upgrade its point-of-sale (POS) technology. But as a recent Sydney Morning Herald article points out, even if new POS terminals had been installed before the breach, Steinhafel couldn’t have prevented it.

Network giant Cisco thinks it has the answer to this cycle of security failure and executive blame: Managed Threat Defense. Is this the dawn of a new era for security analytics?

Changing the Locks on IT Security

In an ideal world, network security breaches wouldn’t happen. Defenses would outpace attacks, and security vendors could say with absolute certainty that attacks were impossible. Unfortunately, the opposite is true. As noted in Cisco’s Annual Security Report, 100 percent of companies admitted that some traffic coming from their networks headed straight for malware-laden websites.

Cisco’s Managed Threat Defense solution gives security analysts a “single pane of glass” to help identify suspicious activity, according to the company’s Data Sheet. In addition, the solution offers real-time predictive analytics powered by Hadoop 2.0, which can detect anomalous network patterns, zero in on “unknown” attacks and track emerging incidents.

Cisco’s offering is a combination of on-premises hardware and software — all incoming and outgoing data is monitored 24/7 by Cisco’s security operation centers, which can respond instantly in the event of a threat.

Seeing the Future of Data Protection

The Global Security Analytics Market 2014–2018 report from Research and Markets predicts a compound annual growth rate of 10.61 percent for security analytics through 2018. And while it sounds like smoke and mirrors, predictive analytics offers tangible benefits as the enterprise market shifts from reliance on local resources to as-a-service alternatives.

Creative malware developers and virus authors are taking full advantage of security gaps to write code that alters its structure with each execution. In response, security vendors have shifted away from walling off networks, because it’s all too easy to sneak through the gate; the new goal is to predict what a program will do before it has a chance to execute.

A recent IT-Director article talks about the need for security intelligence before, during and after an incident. The idea actually comes from Cisco’s Sourcefire and dovetails perfectly with the manifesto of Managed Threat Defense: end-to-end protection.

Current solutions focus on what happens before an attack, using blacklists of email addresses, applications and websites. The after phase is also well covered, by companies that assess the extent of the damage and help enterprises get back on their feet. During is where most solutions fall short. Managed Threat Defense aims to close this gap by monitoring user environments in real time for behaviors that may be precursors of an attack. Instead of looking for a specific piece of code or a specific host, the solution uses streaming telemetry to evaluate network traffic moment by moment, in effect predicting the future.

A Three-Sided Defense or a Single Shield?

Not all companies agree with Cisco’s model — IBM, for example, believes end-point protection is still the first line of defense against malware and other cyberthreats. But it’s hard to argue with the idea that attacks are better handled on three fronts rather than one: Defend where possible, detect when able and destroy as necessary.

[image: voyager624/iStock/ThinkStockPhotos]

Data Security and BYOD: The IT Odd Couple?

For enterprise IT professionals, there’s no avoiding the bring-your-own-device (BYOD) trend. According to a Staples Advantage survey, 93 percent of employees say the kind of telecommuting programs made possible by BYOD are beneficial, while 53 percent of business decision-makers say allowing employees to access corporate networks with personal devices increases productivity.

But as IT admins have discovered, easy access increases the risk of a data security breach. Is this an all-or-nothing proposition?

The Great Divide Between IT and Staff

Employees expect access. A recent article from HealthITSecurity notes that physicians often carry tech devices, such as tablets or smartphones, and expect immediate access to hospital networks. IT departments are told to “make things work” but struggle to manage certificates and access keys across a broad range of devices.

This can lead to a lockdown mentality on the part of IT: Users must either agree to install security-monitoring apps or restrict themselves to devices approved by IT admins. The problem? According to Harmon.ie, 41 percent of users circumvent these security measures, leaving corporate networks compromised and IT professionals in the dark.

Employees Don’t Feel Responsible for Security

When it comes to security, many employees take a “not my problem” attitude, according to Centrify survey results discussed in a recent FierceCIO article.

Fifteen percent of survey respondents said their responsibility for protecting corporate information on their personal devices was “none to minimal”; 10 percent were still using devices without passwords or PINs. And although 45 percent of respondents said they understood the need for data diligence in BYOD, 43 percent admitted to accessing corporate services over insecure public networks. In other words, even employees with the best intentions put company data at risk.

Tech Republic, meanwhile, offers some specific examples. After granting “select executives” access to company networks using their iPads and smartphones, a European firm found 10 times as many employees using the network without permission. A health and wellness company, meanwhile, discovered employees using public email services to send sensitive consumer data, such as credit card numbers and banking details.

Never the Twain Shall Meet?

Is it possible for BYOD and data security to coexist in the enterprise environment, or are IT professionals doomed to play catch-up and patch any holes left by well-meaning or overzealous employees?

One option is biometric mobile security, which includes the use of fingerprint, voice or iris identification, typically in combination with a password, to create a form of two-factor authentication.

News24 discusses this emerging technology and its possible benefits: For users, biometric options “feel” more secure and can seem less invasive than security apps. In addition, the use of a biometric service means authentication data is stored outside the mobile device; even in the event of a loss or theft, the phone or tablet itself can’t be mined for bio-identification data.

Forbes, meanwhile, offers companies more timely advice: Create backup plans. Start by making the data, not the user or the device, the priority. This means developing identity-management and remote-wiping protocols so admins always know who’s using a device and can cut off data access as needed.

It’s also important to engage employees and — given the power of social media — marketing departments. Education about device best practices, such as not using common passwords or relying on social media networks to transmit company data, is crucial. Ask employees what they expect from network access and get their input on mobile security; the democratization of technological power means IT staff must discuss rather than demand.

Data security and BYOD will never see eye to eye, but it is possible to maximize both access and authority with the right mix of technological forethought, backup planning and employee engagement.

[image: marinhristov/iStock/ThinkStockPhotos]

Fixing Heartbleed in All the Right Places

The OpenSSL vulnerability responsible for April’s Heartbleed bug has been patched — version 1.0.1g fixes the problem permanently. But for IT professionals, patching OpenSSL is just the beginning: Heartbleed hides in the most unlikely places.

First Steps to Stop the Bleeding

Clearing out Heartbleed starts with patching every version of OpenSSL a company uses. The problem is that this encryption technology is used by a host of internal and third-party web-facing processes. According to Forbes, enterprises need to make sure every website they operate has been properly patched; it’s worth checking with your web host to ensure that they’ve patched things on their end as well.

What’s more, you need to make sure any partner sites are similarly clean. If not, information securely entered internally can become compromised when it leaves corporate networks and ends up in the memory buffer of a Heartbleed-vulnerable website.
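One small piece of automation a practitioner wants for the first step above is a version triage across every OpenSSL build in an inventory. The following is an added example, not code from the article or from any source it cites: it parses `openssl version` banners and classifies each host against the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g). The host names and banners are constructed. The caveat that matters in practice: distribution packages frequently backport the fix without changing the upstream version string, so “vulnerable” here means “verify against the package changelog or test the running service”, not a confirmed exposure.

```python
import re

# Affected upstream range for Heartbleed: 1.0.1 (no letter) through 1.0.1f.
# 1.0.1g is the first fixed release; 1.0.0 and 0.9.8 never carried the bug.
AFFECTED_BASE = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter) from an `openssl version` banner,
    or None if the banner is not in the expected form."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_heartbleed_vulnerable(banner):
    """True if the banner names an upstream release in the affected range.

    A distro build may carry a backported fix behind an unchanged upstream
    version string (only the package release suffix moves), so True means
    'check the package changelog', not 'definitely exposed'.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    numeric, letter = parsed
    if numeric != AFFECTED_BASE:
        return False
    # Letter suffixes sort alphabetically: '' (plain 1.0.1) and 'a'..'f' are
    # affected, 'g' and later are fixed.
    return letter < FIRST_FIXED_LETTER


def triage_inventory(inventory):
    """Map each host to 'vulnerable', 'patched' or 'unparsed'."""
    result = {}
    for host, banner in inventory.items():
        try:
            result[host] = "vulnerable" if is_heartbleed_vulnerable(banner) else "patched"
        except ValueError:
            result[host] = "unparsed"  # not an OpenSSL banner; needs a manual look
    return result


# Constructed inventory: host names are invented, banners follow the real
# `openssl version` output format.
SAMPLE_INVENTORY = {
    "www.example.internal": "OpenSSL 1.0.1e 11 Feb 2013",
    "mail.example.internal": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.internal": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn.example.internal": "OpenSSL 1.0.1 14 Mar 2012",
    "printer.example.internal": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:28s} {status}")
```

Run the triage against banners collected from each host (for example via configuration management), then confirm every “vulnerable” hit by checking whether the package release carries the backported fix or by testing the service with one of the scanners the article describes.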

Refresh Your Keys and Certificates

Although patching OpenSSL means there won’t be any new information leaks, it doesn’t prevent malicious actors from causing trouble with data they’ve already obtained. As ReadWrite points out, it’s critical to generate new public–private encryption keys for every system on the network and to revoke old SSL certificates and generate new ones to verify the identity of other servers.

This prevents “certificate spoofing,” in which hackers use stolen SSL or private encryption-key data to set up dummy sites that appear legitimate but are in fact copycat versions intended to steal user information. Google recommends that its Compute Engine customers generate new keys, and certificate authorities like Symantec and GoDaddy are offering updated certificates for free.

CSO Online, meanwhile, reports that many security companies are also offering Heartbleed scanner tools for free, helping IT professionals track down this bug in hard-to-reach places. Newer versions are designed to scan intranet websites, VPNs, FTP servers, databases, email servers, printers and smartphones. It’s worthwhile using more than one tool, however, since some released just after the bug was discovered were shown to report inaccurate results.

Heartbleed’s Impact on Mobile

In addition to websites and servers, it’s also possible for mobile devices to carry the Heartbleed bug. According to a recent Business Insider article, millions of Android users are potentially affected; any user running Jelly Bean 4.1.1 is a candidate for Heartbleed.

Google doesn’t release data for specific sub-version adoption, but over 34 percent of users worldwide are still running Jelly Bean 4.1, and security experts warn that “millions” of devices rely on 4.1.1.

This may seem like a distant threat for IT professionals, since this version of Jelly Bean rolled out in 2012. But for any organization that does business with individual subcontractors or has offices overseas, the mobile vulnerability represents a very real problem. The good news? This is the perfect opportunity to draft solid companywide mobile-use standards; there should be no problem getting C-suite approval to protect networks from leftover Heartbleeds.

A New SSL?

According to Theo de Raadt, founder of OpenBSD, OpenSSL isn’t worth fixing. As a result, his team has forked the code to create LibreSSL, which should deal with what de Raadt calls OpenSSL’s “discarded leftovers.” In an email to Ars Technica, he said that his group “removed half of the OpenSSL source tree in a week.” Even with such extensive pruning, the fork still compiles with no problems. Currently, LibreSSL is designed to run only as part of OpenBSD, although the group is taking donations and hopes to release a standalone version in the future.

Heartbleed has been bandaged; it hasn’t been eradicated. IT professionals need to patch every website, make sure mobile devices are secure and consider the possibility that OpenSSL may have outlived its usefulness.

[image: Adrian Vamanu/Hemera/ThinkStockPhotos]

Websense Threat Report 2014: Biggest Cyberattack Threats Exposed

According to network giant Cisco, 100 percent of enterprises unknowingly host malware. But as a recent Websense Security Labs report revealed, threats like exploit kits and redirect attacks are also on the rise. Here’s what companies need to know.

Crimes of Opportunity

A CSO Online article from April 7 discusses the Websense Security Labs 2014 threat report, which states that cybercriminals’ attack methodologies are becoming more sophisticated.

Charles Renert, vice president of security research at Websense, noted that “while the determined, persistent attackers continue to have success in advanced, strategic attacks using zero-day exploits and advanced malware, there has also been a boom in cyber criminal activity on a massive scale.”

Perhaps the best examples of this burgeoning criminal economy come from exploit kits. Designed to take advantage of vulnerabilities in web browsers, the kits can compromise legitimate websites and send users to fake landing pages hosted by malicious servers. The end result? Malware infections.

The most popular kit used in recent years was called “Blackhole,” created by a hacker known as Paunch. Paunch was arrested in October 2013; without his expertise, Blackhole attacks became less frequent, thanks to an odd facet of the malware market: Just like their counterparts in web security, malware creators must provide a level of customer service to anyone who purchases their exploit kits. Bereft of Paunch’s “customer care,” his kit fell into disuse.

Other kits, including Neutrino and Magnitude, have stepped up to take Blackhole’s place.

Neutrino uses two Java vulnerabilities to perform drive-by download attacks and infect computers. For example, CVE-2013-0431 allowed Java applets served by Neutrino to bypass the security restrictions of Java 7 update 11 using a malicious serialized file.

Meanwhile, Magnitude (once known as Popads) relies in part on CVE-2013-2463 and the Click2Play bypass.

The market for both kits remains strong: After Paunch’s arrest, the cost to rent a Neutrino-enabled personal server in Eastern Europe jumped to over $10,000 a month. More recently, Neutrino’s creator indicated he was willing to sell his code for $34,000.

Crimes of Direction

Redirection was another major threat over the last year, according to Websense. On average, compromised websites sent users through four redirects before landing on a malicious page, but the security company found that some exploits used up to 20 redirects to confuse browsers and obfuscate their trails.

A recent IT Business.ca article points out that redirects may become even more popular with the release of new generic top-level domains (gTLDs). It works like this: Many IT professionals choose to assign names — “conference.room1.network,” for example — to networked computers rather than IP addresses.

Before the release of new gTLDs, accidental requests for this address outside a local network went nowhere. But now it’s possible for attackers to register *.network addresses and redirect traffic to malicious websites. According to OpenDNS, thousands of “misfired” queries have already been sent by home routers.
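The name-collision problem described above can be checked for before a query ever leaks. The following is an added example, not code from the article, OpenDNS or IT Business.ca: it audits a list of internal hostnames against a set of delegated gTLDs and flags any whose final label would now resolve in a public zone. The gTLD set is a small constructed subset of the 2013–2014 delegations (a real audit should use the current IANA root zone list), and the host names other than the article’s own “conference.room1.network” are invented; the owned-suffix list is an assumption standing in for domains the organisation actually registered.

```python
# Constructed subset of generic TLDs delegated in the 2013-2014 round.
# For a real audit, load the current IANA root zone list instead.
NEW_GTLDS = {"network", "email", "systems", "technology", "company", "solutions", "guru"}


def normalise(name):
    """Lower-case and strip a trailing dot so 'HOST.Network.' matches 'host.network'."""
    return name.lower().rstrip(".")


def classify_hostname(hostname, gtlds=NEW_GTLDS, owned_suffixes=()):
    """Return a short risk label for one internal hostname.

    'collides:<tld>'  the final label is a delegated gTLD and the name is not
                      under a suffix the organisation registered, so a query
                      that escapes the local resolver lands in a public zone
                      that anyone could have registered names in.
    'single-label'    no dots at all: resolution depends entirely on the
                      resolver search list, which is what turns 'printer' into
                      'printer.<some-suffix>' and is worth reviewing separately.
    'ok'              under an owned suffix, or the final label is not a gTLD.
    """
    name = normalise(hostname)
    for suffix in map(normalise, owned_suffixes):
        if name == suffix or name.endswith("." + suffix):
            return "ok"
    labels = name.split(".")
    if len(labels) == 1:
        return "single-label"
    tld = labels[-1]
    return f"collides:{tld}" if tld in gtlds else "ok"


def audit(hostnames, gtlds=NEW_GTLDS, owned_suffixes=()):
    """Classify every hostname; returns {hostname: label}."""
    return {h: classify_hostname(h, gtlds, owned_suffixes) for h in hostnames}


# Constructed inventory; only the first name comes from the article.
SAMPLE_HOSTS = [
    "conference.room1.network",
    "build01.ci.systems",
    "fileserver.corp.example.com",
    "nas.example.internal",
    "printer",
]

if __name__ == "__main__":
    # 'example.com' stands in for a domain the organisation owns (assumption).
    for host, label in audit(SAMPLE_HOSTS, owned_suffixes=("example.com",)).items():
        print(f"{host:30s} {label}")
```

Anything labelled `collides:` should be renamed under a registered domain or a reserved suffix, and the resolver should be configured so that queries for internal names are answered locally rather than forwarded to the public root.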

Possible Protection?

Bottom line? The Websense report puts it best: “85 percent of malicious links used in web or email attacks were located on compromised legitimate websites.”

For enterprises, protection against this kind of misuse starts with a reputable web host — one that offers next-gen security plug-ins in addition to basic threat detection. Companies are also well served by investments in real-time, behaviorally based threat-detection programs.

Security company Kaspersky recently released a real-time threat map that shows the number and type of infections occurring worldwide; businesses must be ready to respond in kind.

Exploit kits and redirect attacks are more popular than ever — companies need to know how to spot these threats and, more importantly, be prepared to take action.

[image: PashaIgnatov/iStock/ThinkStockPhotos]

The Next Online Crime: DDoS Extortion

Imagine you work at a company that does all of its business on the phone. Now imagine you receive a letter that says, “Pay us a bunch of money or we will overload your phone system so that you can’t get any calls.”

Since your company has a policy not to negotiate with “cyber terrorists,” you decide not to pay the extortion money. As a result, your phone bank is bombarded with robocalls that tie up your phone lines and prevent you from doing business.

The equivalent of this extortion process is happening online, with hackers using Distributed Denial of Service (DDoS) attacks as a means of bringing online companies to their knees.

Two high profile companies recently hit by DDoS extortion are Basecamp and Meetup.com. Both companies refused to negotiate with the extortionists and, as a consequence, were crippled by DDoS attacks that prevented customers from accessing the companies’ services for several hours.

The need to prevent or slow down DDoS attacks is particularly important to Software-as-a-Service (SaaS) companies like Basecamp or Meetup.com. These SaaS companies don’t have physical products, so service failures mean a loss of revenue for the companies, not to mention very unhappy customers.

What Is a DDoS Attack?

There is a distinction between a Denial of Service (DoS), which typically comes from a single computer, person or bot, and a Distributed Denial of Service (DDoS), which comes from several computers, people or bots.

There are many different ways that DDoS attacks happen. The most common is when the remote attackers overload a web server or infrastructure with a series of requests. To go back to the example at the beginning of this article, think of the phone line being so overloaded with inbound phone calls that legitimate customers get nothing but busy signals.

Denying critical resources is the primary characteristic of a DDoS attack. These attacks can manifest in various ways, including the following:

  • Consuming bandwidth, memory, processor resources or hard-drive space
  • Disrupting routing or other configuration information
  • Overloading physical network resources
  • Resetting TCP sessions

Some common methods include the following:

  • Internet Control Message Protocol (ICMP) floods, otherwise known as the “ping of death” or a “ping flood”
  • SYN flood, in which fake connection requests create half-open connections, causing the server to wait for the remaining part of the request
  • Teardrop attacks, in which oversized and fragmented requests can crash operating systems
  • Peer-to-peer attacks, in which peer-to-peer sharing hubs are redirected against a particular website
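The SYN flood in the list above has a visible footprint on the victim: connections parked in the half-open state while the server waits for the final ACK. The following is an added example, not code from the article or any vendor it mentions: it parses a handful of constructed lines in the layout of `netstat -tan` output (addresses from the RFC 5737 documentation ranges, counts invented) and reports which sources hold many half-open connections and what fraction of all connections are half-open. The threshold is an assumed tuning value. Because flood sources are commonly spoofed, the per-source count can be defeated while the overall half-open ratio still climbs, so both signals are computed.

```python
from collections import Counter

# Constructed sample in the layout of `netstat -tan` output. Addresses come
# from the RFC 5737 documentation ranges; the connection mix is invented.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51238       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51239       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.2:40001      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.2:40002      ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.9:55120         ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55121        ESTABLISHED
"""

# Server has sent SYN+ACK and is waiting for the client's ACK that never comes.
HALF_OPEN_STATE = "SYN_RECV"


def parse_connections(text):
    """Yield (remote_ip, state) for each TCP line, skipping the header."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        remote, state = parts[4], parts[5]
        remote_ip = remote.rsplit(":", 1)[0]  # IPv4 host:port; drop the port
        yield remote_ip, state


def half_open_by_source(text):
    """Count half-open connections per remote address."""
    return Counter(ip for ip, state in parse_connections(text) if state == HALF_OPEN_STATE)


def half_open_ratio(text):
    """Fraction of all connections that are half-open; robust to spoofed sources."""
    conns = list(parse_connections(text))
    if not conns:
        return 0.0
    return sum(1 for _, state in conns if state == HALF_OPEN_STATE) / len(conns)


def flag_sources(text, threshold=5):
    """Sources holding at least `threshold` half-open connections.
    The threshold is an assumed tuning value for this example."""
    return sorted(ip for ip, n in half_open_by_source(text).items() if n >= threshold)


if __name__ == "__main__":
    print("half-open ratio:", round(half_open_ratio(SAMPLE_NETSTAT), 2))
    print("flagged sources:", flag_sources(SAMPLE_NETSTAT))
```

On a production host the same logic reads live `netstat`/`ss` output on a timer; a climbing ratio with no single dominant source is the spoofed-flood signature, which is where SYN cookies and upstream filtering, rather than per-address blocking, do the work.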

The scary thing is that the sophistication of DDoS attacks is increasing, making new attacks more difficult to mitigate, thwart and overcome.

What Happened to Basecamp and Meetup.com?

At the beginning of this year, Basecamp and Meetup.com, as well as some other web properties, received an email threatening a DDoS attack if the hackers did not receive a $300 payment. According to the Meetup.com blog, the email stated:

Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning

A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.

A DDoS attack started around the same time, bringing down Meetup.com. The site helps local groups organize via a variety of online services, such as online meeting invites and event planning.

Meetup.com’s services were offline for a period of 24 hours while employees worked to recover from the attack. As recovery was under way, Meetup.com was hit with another attack a few days later; a third attack occurred shortly thereafter.

As stated in a blog post, Scott Heiferman, co-founder and CEO of Meetup.com, decided not to pay the “ransom,” because his company does not negotiate with criminals. And although the dollar amount was low, the attack itself was fairly sophisticated.

Heiferman believed that paying the ransom would set a standard for future extortion of other companies in the space, and he thought Meetup.com could recover from future attacks of this nature. The service outage was carefully updated and documented on the Meetup.com blog.

Basecamp experienced a similar DDoS extortion. Basecamp is a project-management tool that is delivered as an online service. As explained by David Heinemeier Hansson, Basecamp founder and CTO, the site was flooded by bogus requests, preventing legitimate traffic from getting through. The company received an email, just as Meetup.com had, asking for payment to stop the attack.

Hansson says that the attack reached 20 GBps, which saturated the Basecamp network. Thwarting it involved manually blocking the IP addresses of the attack’s sources, and, as is typical in recovery from attacks of this type, network issues lingered afterwards.

How Can You Prevent DDoS Attacks?

As mentioned, DDoS attacks are evolving and becoming more sophisticated. While there is no 100 percent foolproof way to prevent your site or business from being victimized, there are several actions you can take to lessen the possibility of being fully shut down by an attack.

Some things to consider:

  • Set up firewalls to block or drop incoming traffic from attackers.
  • Use “stateful firewalls” that validate traffic requests instead of letting everything through.
  • Use attack detection and mitigation services.
  • Use properly configured switches and routers for rate limiting, which can slow down attacks to the network.
  • Talk to your hosting provider about the DDoS prevention and mitigation services they offer.
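The rate-limiting bullet above is the one item in the list that can be shown in a few lines. The following is an added example, not code from the article or from any vendor or provider it names: a per-source token bucket run over a constructed request stream (integer millisecond timestamps, addresses from the RFC 5737 documentation ranges), with one source sending 100 requests in a second and one sending five. The rate, burst size and traffic pattern are assumptions chosen for illustration. A host-side limiter like this only helps against request floods that actually reach the host; a link-saturating flood of the size described for Basecamp has to be absorbed upstream, which is why the last bullet, talking to the hosting provider, matters.

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket using integer arithmetic: tokens are tracked in
    milli-tokens and time in milliseconds, so refill never suffers float drift."""

    COST = 1000  # milli-tokens consumed by one request

    def __init__(self, rate_per_second, burst):
        # rate tokens/s == rate*1000 mt/s == rate mt/ms
        self.refill_per_ms = rate_per_second
        self.capacity = burst * self.COST
        self._tokens = {}
        self._last_ms = {}

    def allow(self, src, now_ms):
        """Return True if the request from `src` at `now_ms` may pass."""
        tokens = self._tokens.get(src, self.capacity)  # new sources start full
        last = self._last_ms.get(src, now_ms)
        tokens = min(self.capacity, tokens + (now_ms - last) * self.refill_per_ms)
        self._last_ms[src] = now_ms
        if tokens >= self.COST:
            self._tokens[src] = tokens - self.COST
            return True
        self._tokens[src] = tokens  # keep the partial refill; request is dropped
        return False


def simulate(requests, rate_per_second=5, burst=10):
    """requests: iterable of (timestamp_ms, source_ip) in time order.
    Returns {source_ip: {'allowed': n, 'dropped': m}}."""
    limiter = TokenBucketLimiter(rate_per_second, burst)
    outcome = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in requests:
        outcome[src]["allowed" if limiter.allow(src, ts) else "dropped"] += 1
    return dict(outcome)


def constructed_traffic():
    """Constructed stream: one source fires 100 requests in one second (every
    10 ms), another sends 5 requests spread over the same second."""
    flood = [(i * 10, "203.0.113.7") for i in range(100)]
    normal = [(i * 200, "198.51.100.2") for i in range(5)]
    return sorted(flood + normal)


if __name__ == "__main__":
    for src, counts in simulate(constructed_traffic()).items():
        print(src, counts)
```

With a rate of 5 requests per second and a burst of 10, the flooding source gets its first 10 requests through on the initial burst and then only one more per 200 ms, while the well-behaved client is never throttled; tune both numbers against real traffic before enforcing them.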

If your company does receive a DDoS extortion email, be prepared for a subsequent attack. It’s important not to negotiate with the extortionist, because it sets a precedent for other hackers or cybercriminals.

Remember, under most circumstances, your company can recover from a DDoS attack. It can take quite a bit of work, so it may be helpful to have a technical partner to guide you through an incident.

Unfortunately, these types of issues are a part of doing business on the Internet, so be sure to plan for the unexpected.

[image: daoleduc/iStock/ThinkStockPhotos]

Anatomy of a Broken Heart: The Heartbleed Bug, Explained

On or before March 21, Google Security researcher Neel Mehta discovered the Heartbleed bug, which affects any website using the Secure Sockets Layer (SSL) tool OpenSSL, versions 1.0.1 through 1.0.1f. On April 7, the discovery went public on the Heartbleed.com website, and the Internet exploded with dire warnings of worst-case scenarios.

What is Heartbleed, how does it work, and what can companies do to protect themselves?

One Little Mistake, One Big Security Problem

It didn’t take much to make many of the world’s most popular websites — including Google, Yahoo, Amazon and YouTube — vulnerable to malicious attacks via OpenSSL, as reported by Mashable. But to understand the reach and the potential repercussions of this bug, we need to back up.

In the beginning, there was the Secure Sockets Layer (SSL), and it was good. Next came Transport Layer Security (TLS), and it, too, was good. Together, these protocols handle the encryption keys necessary for website servers and user computers to safely communicate.

OpenSSL evolved as a set of open-source tools that let developers easily integrate SSL/TLS functionality into their websites or web applications. Major Linux deployments, such as Debian, Suse and Red Hat, use OpenSSL, as do popular server platforms Apache and Nginx.

So what went wrong? According to Engadget, version 1.0.1 of OpenSSL, which was released on April 19, 2012, had a small flaw in its “heartbeat” function. Heartbeat is like a call-and-answer for user machines and web servers: When you access a website, your computer sends out a heartbeat request to the server. It responds, and your computer knows the server is listening and ready for your request.

The Heartbleed bug — superbly explained by this XKCD comic — happens when the requesting computer asks for extra information, causing the server to spit out up to 65,536 bytes of memory. The result? Not only do you get the response you wanted, but you get a host of other — theoretically protected — data as well.
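The heartbeat exchange and the missing check are small enough to show directly. The following is an added illustration, not OpenSSL’s code or the article’s: it builds an RFC 6520 heartbeat record (one type byte, a two-byte declared payload length, the payload, at least 16 bytes of padding) and runs it through two handlers, one that trusts the declared length the way the pre-1.0.1g code did and one that applies the length check the 1.0.1g fix introduced. Process memory is simulated with a bytes object in which the received record is followed by constructed “neighbouring” data; the secret string and all lengths are invented for the example.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload, declared_len=None, padding=b"\x00" * MIN_PADDING):
    """Serialise a heartbeat request. `declared_len` defaults to the real
    payload length; a larger value yields the malformed record the bug mishandled."""
    if declared_len is None:
        declared_len = len(payload)
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + padding


def _respond(memory, declared):
    """Echo `declared` bytes starting at the payload offset. A Python slice stops
    at the end of `memory`, just as the real over-read stopped only at the end of
    whatever happened to be mapped after the record."""
    payload = memory[3:3 + declared]
    return bytes([HB_RESPONSE]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def heartbeat_vulnerable(memory, record_len):
    """Pre-1.0.1g logic: copies the declared number of bytes without comparing
    it to how many bytes actually arrived. `memory` stands in for process memory:
    memory[:record_len] is the received record, the rest is adjacent heap data."""
    declared = struct.unpack("!H", memory[1:3])[0]
    return _respond(memory, declared)


def heartbeat_fixed(memory, record_len):
    """1.0.1g logic: silently discard (return None) any record whose declared
    payload, plus header and minimum padding, exceeds the bytes actually received."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None  # too short to hold even an empty payload
    declared = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + declared + MIN_PADDING > record_len:
        return None  # the check Heartbleed was missing
    return _respond(memory, declared)


# Constructed stand-in for whatever sat next to the record on the heap.
NEIGHBOUR_SECRET = b"constructed-private-key-material-0123456789abcdef"


def leaked_secret(handler, declared_len=100):
    """Send a 2-byte payload with an inflated declared length through `handler`
    and report whether the response carries the neighbouring secret."""
    record = build_heartbeat(b"hi", declared_len=declared_len)
    memory = record + NEIGHBOUR_SECRET + b"\x00" * 128
    response = handler(memory, len(record))
    return response is not None and NEIGHBOUR_SECRET in response


if __name__ == "__main__":
    print("vulnerable handler leaks secret:", leaked_secret(heartbeat_vulnerable))
    print("fixed handler leaks secret:     ", leaked_secret(heartbeat_fixed))
```

The entire fix is the single comparison of the declared length against the record length; everything a server leaked came from the gap between the two.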

Heartbleed’s Impact on the Web

Initial reports stated that up to 60 percent of all Internet servers had the Heartbleed bug, but that estimate has since been downgraded to 17.5 percent or less. But even with less than one-fifth of the World Wide Web compromised, the bug could have major impact.

Theft of personal data is one problem. The Canada Revenue Agency reported that social insurance numbers (SINs) belonging to 900 Canadians were stolen, thanks to Heartbleed. Much like Social Security numbers, the SINs could be used to create fake credit card accounts or obtain fake identification.

In addition, companies are now grappling with the problem of SSL certificates. Using Heartbleed, hackers can steal and spoof the identity of trusted sites, leading users to provide personal information under the guise of security. But as a recent Washington Post article points out, revoking all current SSL certificates and issuing new ones could force web browsers to download massive files just to access a single site.

What’s the Fix for Heartbleed?

On April 11, network provider Akamai, which handles nearly a third of the world’s Internet traffic, reported that it had patched Heartbleed. The company later recanted, saying a bug in the patch only addressed three of six RSA key values. OpenSSL, for its part, released version 1.0.1g on April 7, which fixed the toolkit’s vulnerability.

But the availability of this upgrade doesn’t mean every server is safe, so businesses must now take three steps to protect their privacy.

First, make sure your web host has upgraded OpenSSL to the latest version. Next, examine any SSL certificates to see whether they should be revoked — if expiration is near, the certificates can wait. Finally, change passwords at every level of your organization; consider password managers, such as LastPass or Dashlane, to make sure login credentials are regularly changed.

Don’t bleed out private information — get patched, change your passwords and stay ahead of Heartbleed.

As Bitcoin Grows, E-Commerce Retailers Consider Potential Benefits

The biggest advantage e-commerce has had over traditional brick-and-mortar stores has been the simplification of point-of-sales systems with solutions like PayPal and Google Checkout, which offer convenient and secure credit payments and lower start-up costs.

But now, Bitcoin is mixing things up. More retailers are taking the unstable digital currency as a legitimate payment for goods and services, leaving some retailers worried about keeping up. E-commerce experts say Bitcoin is already stable enough for most sites to use but warn that online retailers should research their options before diving in.

Bitcoin engenders fear because problematic, even illegal, activities have arisen from its open model. For example, Bitcoin was used to launder illegal money in the Silk Road marketplace scandal and has shown up in Ponzi schemes and tax violations.

But the idea that Bitcoin is a magnet for illegal activity is a misconception, says Jeffrey Neuburger, a partner at Proskauer and a professor at Fordham University. Neuburger points out that all currencies can be used illegally.

“In reality, there is a steady increasing adoption of Bitcoin by legitimate businesses — particularly in the retail world,” Neuburger says.

Bitcoin Gets Love from Big Names in Online Retail

While Bitcoin is still very much in its infancy, large companies are already latching onto the digital currency as a differentiator for their businesses. Overstock.com started accepting Bitcoin last year and immediately made a splash, receiving $124,000 in sales the first day. OKCupid, Etsy, eBay, Tesla and Zynga all accept Bitcoin, and more companies are preparing to do so.

Even more significant, investment analysts at major banks, including Bank of America, have backed up the currency with positive, long-range value estimates.

In a recent report, Bank of America’s leading analyst, David Woo, said Bitcoin could become a major means of payment for e-commerce and “may emerge as a serious competitor to traditional money transfer providers.”

The Use of Bitcoin in SMBs

For small to medium-sized businesses thinking of using Bitcoin, the path to success is not fully clear, though being cautious seems prudent. A report from Entrepreneur noted that Overstock.com only accepts Bitcoin from orders inside the U.S. and from desktop terminals, which helps the online retailer limit its threat landscape.

E-commerce expert Emma Kane said that in order for sites to use Bitcoin, they need to be moving toward standard federal regulation and basic currency stability. Stability, in particular, is something that’s going to take time, because the hype is leading large amounts of Bitcoin to be exchanged in short periods of time.

“A stable market, fewer scare stories and a proven track record are all going to help,” Kane says. “I think Bitcoin is too new for most [average companies].”

Even though Bitcoin was created as a complex protocol that many people don’t understand, the biggest challenge is economic, not technical. The difficulty in using Bitcoin as a currency is in defining the value it holds in relation to regular currency. Fixing Bitcoin to a traditional currency is hard to do when the digital currency is under constant threat of heavy fluctuations.

“No one wants to lose money, and repricing each SKU daily is near impossible on some e-commerce platforms,” Kane says.

Although Bitcoin exchange groups have put web applications in place that fully protect users against deep fluctuations (even those within 24 hours of a purchase), it’s not a comfortable situation for most e-retailers.

Small and medium-sized businesses might be interested in the small- or no-fee benefit of using Bitcoin. While there’s a minimum fee for exchanges of Bitcoin from one address to another, many more transactions have no fee at all.

Charise Flynn, CEO at Dwolla, told BizReport that the transaction fees most e-businesses face from credit card manufacturers and newer processors, such as Square, affect the businesses to such an extent that they are forced into tight financial margins.

“Small businesses have low and/or tight margins and are more risk and complexity averse. The money they pay in credit card fees makes a big impact on their bottom lines,” Flynn said.

Any relief from this fee, then, is very attractive. If you’re not convinced, check out the fee structure for Visa transactions. Every time a customer uses a card on a retailer’s site, Visa takes out a huge chunk — the fees usually end up being 3 to 4 percent of the purchase price. Multiplied over hundreds of transactions, the figures start to add up.

For Those Who Like Taking Risks

There are other benefits to using Bitcoin, too. One is that international consumers can use Bitcoin without fearing a site will reject their country’s native currency. If the retailer is prepared to serve customers all over the world, accepting Bitcoin is a potential opportunity for huge growth.

Kane says that, for the moment, it’s probably not worth it for most e-retailers to invest their time in Bitcoin functionality unless their sites cater to the “techie/geekie” crowd. She says people who are heavily invested in Bitcoin are most likely to be consumers on those niche sites.

Smart small and medium-sized retailers should not be intimidated by competition from businesses using Bitcoin; they already deal with the nearly insurmountable advantages presented by big retailers just fine. Clever marketing and quality customer service and IT can earn business from consumers anywhere.

The steps needed to build Bitcoin into e-commerce sites aren’t too technically difficult. The most critical component is establishing dual pricing throughout the site and creating a functional and secure Bitcoin account.

For now, Kane and other e-commerce experts believe Bitcoin is best left to online retailers that embrace both an early-adopter status and the inherent risks that come with using emerging technology.


Cisco Arms Itself with New Weapons in War on Malware

According to Christopher Young of Cisco’s Security Business Group, companies are constantly under attack from malware. “We’ve got not only a proliferation of attack vectors,” says the senior vice president, “but also an advanced set of adversaries willing to innovate themselves.” But as a recent ZDnet article notes, Cisco isn’t standing idly by; instead, they’re gearing up for battle.

Intelligent Acquisitions Fuel Innovation

Cisco acquired security firm Sourcefire in October 2013 and then snapped up Czech company Cognitive Security at the beginning of 2014. The plan? To develop preventive rather than reactive malware weapons — ones able to perform in real time and respond to emerging threats as well as those that are well-known.

It starts with Sourcefire’s FireAMP detection technology, which Cisco will integrate into email and web gateways along with existing cloud security products. The company is calling the deployment “AMP Everywhere,” since it will be available to Cisco’s 600 million end users either as back-end software or as part of the FirePOWER 8300 Series appliance lineup for data centers. FirePOWER offers high-speed threat detection from 15 gigabytes per second (GBps) to 60 GBps, and up to 120 GBps if stacked. The result is a 50 percent speed increase along with real-time threat detection.

Cisco is also taking aim at application visibility and control to limit the spread of malware. The concept is called OpenAppID, an open-source technology that can detect and control apps in the cloud. OpenAppID will be rolled out in the popular Snort open-source community and be detection-ready for over 1,400 apps, reports NetworkWorld. In addition, app information collected by OpenAppID can be sent to security information and event management (SIEM) or third-party analytics tools.

Why Is Malware So Dangerous?

Malware comes in many forms. Some of the most common types arrive as email attachments carrying malicious payloads, or are hosted on websites that ask users to download “video players” or “antivirus tools” that are in fact keyloggers, rootkits or Trojans. But is the situation really as dire as Young believes?

According to Mohammad Mannan, assistant professor at the Concordia Institute for Information Systems Engineering in Montreal, it’s actually worse. He calls existing antivirus programs “totally useless” against malware and argues, “If you use them, you might even be vulnerable [to malware] to some extent.” The sheer amount of malware — and innovative malware creators — means antivirus tools designed to detect and react to specific code structures can’t keep up.

The sheer number of malware attacks has prompted agencies such as India’s telecom department to mandate that all Internet service providers (ISPs) in the country advise users on how to protect their computers and modems from malware threats. Many reputable web hosts also provide information on basic malware defense.

Thinking Outside the Box

Consider the recent Mt. Gox Bitcoin disaster — when Japanese Bitcoin exchange Mt. Gox went bust, users the world over wanted information on exactly what happened. Enterprising malware developers created a 620-megabyte file called “MtGox2014Leak.zip,” according to PCWorld, which claimed to be a Mt. Gox database access tool. In fact, it contained malware designed to sniff out and steal any bitcoins on a user’s computer.

In other words, social engineering has become an integral part of malware development, leaving most existing tools in the dark. Governments looking to get a handle on malware have developed initiatives like the U.K.’s Cyber Security Challenge, which puts the country’s best and brightest IT minds through a series of fake malware challenges, helping to find the next generation of experts. But Cisco’s 2014 threat report notes there’s a shortage of security professionals — at least 1 million worldwide — meaning soldiers alone can’t win the malware war: New weapons are required.


Preventing Server Hacks: Four Easy-to-Implement Solutions

From Adobe to Target, high-profile companies were the victims of serious data breaches in 2013. In October, at least 38 million Adobe users discovered their encrypted passwords were no longer secure. And in December, more than 40 million consumers had their credit card data compromised when Target’s servers were hacked.

Why the sudden upswing? In part, because attack surfaces are expanding, bolstered by the flow of Big Data and the increasing reliance on cloud-based technologies. For IT admins, the task of completely locking down a server can seem overwhelming.

Here are four easy-to-implement security solutions.

1. Always Be Patching

Even if you’re running custom-built software on an in-house server, you’re not an island. From operating systems (a version of Linux or Windows) to hypervisor technology or database admin software, something in your system was coded by someone else. This means there are vulnerabilities, both documented and as-yet unrecognized. Bottom line? You need to patch.

As noted by Null Byte, you need to check for new patches, updates and vulnerabilities every day, and have at least a passing familiarity with any existing security issues. Zero-day bugs can be detected and corrected within a matter of hours, or a day at most, but only if you’re on the lookout. Best bet? Follow the company Twitter feeds and Facebook pages of the software products you use, and never delay a patch install.

2. Protect the Passwords

No server protection article is complete without a discussion of passwords. All the basic rules apply: Don’t use anything easily guessed, such as your company name or a sequence of numbers. If your server admin console came with a default password, change it immediately. It’s also important to fiercely guard login credentials. This means you should never send full IP, login and password information in a single email or instant message. Instead, send some of the data via email and some using Skype or another voice service. In addition, use an entropy tool to test password strength.

There are two camps when it comes to strong passwords: One advises passphrases that contain no actual words, just numbers, alternating cases and special characters. The risk? They’re difficult to remember.

The other camp recommends the use of common words, but in an uncommon order. For example, using four unrelated words produces a long, high-entropy password, and if you create a small story around the words, chances are you won’t forget. The risk? A high-level dictionary attack could crack the code.

3. Limit the Software and Services Running in Your Environment

The big benefit of the cloud? Resources on demand. Unfortunately, this is also a boon to hackers. It’s important to periodically take a good look at your server stack and remove any software you don’t absolutely need. Culling not only speeds up response times but also limits the number of vulnerabilities available for hackers to leverage.

Want to go a step further? Examine any services running in the background. Stop any that aren’t necessary, and remove their companion software. If you see one you don’t recognize, remove it immediately and go hunting for malware.

4. Stay on the Lookout for Signs of a Hack

Despite your best efforts, a hack may still happen, but you can limit its impact by knowing the telltale signs. Check whether any new user accounts have been created that you don’t recognize, take a look at the /etc/syslog.conf file, which is often modified or replaced, and make sure /etc/shadow and /etc/passwd haven’t been deleted. If you suspect a hack, don’t change your password, because the hacker will receive notification of both the event and the new passphrase. Instead, roll back to previous versions where possible, use reputable anti-malware tools and, if necessary, wipe the server and reinstall.
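The step-4 checks above (unfamiliar accounts, a tampered /etc/syslog.conf, missing /etc/passwd or /etc/shadow) can be scripted so they run the same way every time. The following POSIX sh helper is an added example, not part of the original article; it assumes you saved a known-good copy of /etc/passwd and a hash of /etc/syslog.conf while the server was clean, and every function takes explicit paths so it can also be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the article: a small post-compromise audit helper
# covering the checks named in step 4. Every function takes explicit paths so
# it can be run against the live system or against a constructed copy.

# Print the SHA-256 hex digest of a file (shasum fallback for systems
# without GNU coreutils). Fails if the file is missing.
file_hash() {
  [ -f "$1" ] || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print usernames present in the current passwd file ($2) but absent from a
# baseline copy ($1) saved while the server was known-good. passwd carries no
# creation timestamp, so a saved snapshot is the reliable way to spot additions.
new_accounts() {
  awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Print any account other than root that has UID 0, a classic sign that an
# intruder has created a second superuser login.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed only if /etc/passwd and /etc/shadow under the given root both still
# exist and are non-empty (step 4 warns that they may be deleted).
credential_files_present() {
  [ -s "$1/etc/passwd" ] && [ -s "$1/etc/shadow" ]
}

# Succeed only if the syslog configuration ($1) still matches the hash ($2)
# recorded at baseline time; a mismatch means logging may have been altered.
syslog_conf_unchanged() {
  [ "$(file_hash "$1")" = "$2" ]
}

# Run every check against a root directory, given the baseline passwd copy and
# the baseline syslog.conf hash. Prints each finding; returns 0 if none.
audit_server() {
  root=$1 base_passwd=$2 base_hash=$3 findings=0
  for u in $(new_accounts "$base_passwd" "$root/etc/passwd"); do
    echo "FINDING: account not in baseline: $u"; findings=$((findings + 1))
  done
  for u in $(extra_uid0_accounts "$root/etc/passwd"); do
    echo "FINDING: non-root account with UID 0: $u"; findings=$((findings + 1))
  done
  if ! credential_files_present "$root"; then
    echo "FINDING: /etc/passwd or /etc/shadow missing or empty"; findings=$((findings + 1))
  fi
  if ! syslog_conf_unchanged "$root/etc/syslog.conf" "$base_hash"; then
    echo "FINDING: /etc/syslog.conf differs from baseline"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage on a real host, after saving a known-good copy and hash:
#   cp /etc/passwd /root/passwd.base; file_hash /etc/syslog.conf > /root/syslog.sha256
#   audit_server / /root/passwd.base "$(cat /root/syslog.sha256)"
```

The baseline copy and hash should live somewhere the server itself cannot overwrite (an offline copy or a read-only mount), otherwise an intruder can simply refresh them.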

Total server security? A myth. Cut low-hanging hacker branches, however, and you’ll make it much harder for attackers to scale your tree.


Life After the Target Breach: Where Does Payment Card Data Go from Here?

The well-publicized data breaches that hit retailers Target, Michael’s and Neiman Marcus have raised lots of questions about the security of payment card data. Some experts say the technology already exists for merchandisers and payment processing companies to keep this data safe — it’s merely a matter of whether they will use it effectively.

Clearly, the industry must take action in the aftermath of the recent security breaches.

“Retail companies individually, and the industry collectively, [need to] make substantial investments in the technology, and experts need to aggressively counter these threats,” says Brian Dodge, senior vice president of communications and state affairs at the Retail Industry Leaders Association (RILA), a trade organization that represents retailers, product manufacturers and service suppliers.

“However, the payment system is an ecosystem that relies on interoperable cooperation across sectors,” Dodge says. “For years, U.S. retailers have urged card issuers and card networks to provide U.S. cardholders with the same enhanced fraud prevention technology used throughout the rest of the world. Merchants can’t wait any longer for these changes.”

A Call to Action

In late January, RILA called for collaboration across the debit and credit card ecosystem to require personal identification numbers (PINs) on all retail transactions, the retirement of antiquated magnetic stripe systems and a migration to “chip and PIN” technology. Chip and PIN is the brand name adopted by the banking industry in the United Kingdom and Ireland for the rollout of the EMV (Europay, MasterCard and Visa) smart-card payment system for credit, debit and ATM cards.

The technology has been available for years, Dodge says, “yet in the U.S., the card networks and issuing banks still rely on antiquated magnetic stripe technology. The ease with which criminals can use stolen data to create counterfeit cards is unsettling, to say the least. If the card networks and banks don’t adopt better security features, the frequency of fraud will only increase.”

RILA says it will expand its commitment to cybersecurity and data privacy by launching a comprehensive initiative to address evolving cyberthreats and promote additional safeguards for personal data in the payment ecosystem.

Retailers Renew Commitment to Data Protection

The RILA Cybersecurity and Data Privacy Initiative seeks to bring together public- and private-sector stakeholders to improve existing cybersecurity and privacy efforts, inform the public dialogue and build and maintain consumer trust.

By working together with public–private sector stakeholders, the industry’s ability to develop innovative solutions and anticipate threats will grow, enhancing the collective security and giving customers peace of mind, says Sandy Kennedy, RILA president.

The RILA initiative is organized around three major components. One is to strengthen overall cybersecurity through the formation of a Retail Cybersecurity Leaders Council, to be made up of senior retail executives responsible for cybersecurity; and to engage with lawmakers to develop federal data-security-breach notification legislation that sets a national baseline.

Another component is to improve payments security through the elimination of the existing magnetic-stripe technology used on credit and debit cards, replacing it with Chip and PIN. RILA says it will continue to press the card networks and issuing banks to migrate to universal PIN security and chip-based smart-card technology.

RILA aims to forge deeper partnerships with other members of the payments ecosystem to collaborate on migration to near-term card-security enhancements, new technologies and long-term, comprehensive solutions to the threats.

The third component is to address consumer privacy. RILA will work with partners to describe how data is used to provide the experience that consumers demand, and it will “share the great lengths that retailers go to, to protect the data they collect.”

While retailers place an “extremely high priority on data security and invest tremendous resources to prevent attacks, cybercriminals are persistent, and their methods of attack are increasingly sophisticated,” Dodge says. 

Some actions will have immediate effects, and others will take time, Dodge says. “But through the collaboration laid out in RILA’s cybersecurity initiative, the industry’s ability to develop innovative solutions and anticipate threats will grow.”

What Can Retailers Do Now?

One near-term solution retailers can try is to require PINs on every card transaction and to move quickly to Chip and PIN, Dodge says. “However, long term we must accept that all the players in the payments ecosystem have an obligation to innovate to stay ahead of very sophisticated criminals,” he says. “That is why we have called on the banks and the card networks to come together with merchants to identify long-term solutions.”

One very effective way to bolster the security of payment card data is to use encryption extensively, says John Kindervag, vice president and principal analyst at Forrester Research, Inc.

Retailers who depend on payment cards to fuel their businesses need to encrypt data “from the moment a card is swiped, all the way through the process, including the back end,” Kindervag says. “It appears that the Target breach was a result of [improper] encryption.”

PCI DSS and the Cost of Data Breaches

The Payment Card Industry (PCI) Data Security Standard (DSS) calls for merchants to use encryption to protect stored cardholder data, but the intent of the standard isn’t always fully appreciated.

“Some retailers spend a lot of effort trying to go around the intent [of the standard] to find cheaper ways of doing things,” Kindervag says.

Technologies such as data encryption and tokenization — another means of protecting sensitive cardholder data — if used properly, would thwart the kinds of attacks recently experienced by retailers.

“Forward-thinking [merchants and payment processing companies] are already doing this,” Kindervag says. He predicted several years ago that use of these technologies for payment card data would become common. “But some companies have refused to implement [these technologies] because of the cost, or because they’re afraid something could go wrong.” 

As it turns out for the retailers hit with data breaches, the cost of not doing something has ended up being much greater.

“These technologies exist, but companies have to make the choice to use them in their systems,” Kindervag says. He hopes the breaches against the retailers serve as a wake-up call to all companies that rely on payment card data to do business.

“We had a rash of breaches several years ago, where a number of retailers were attacked, and that caused a lot of people to start implementing better security controls, especially tokenization,” Kindervag says.

But threats are constantly evolving, and companies need to keep their security posture up to date. “For many, the risk-mitigation strategy is merely ‘hope’, as in, ‘I hope that doesn’t happen to me,’” Kindervag says. “Others say it will never happen to them.”


Cisco’s Annual Security Report: Key Trustworthy Takeaways

According to Cisco’s Annual Security Report, 2013 was a banner year for organized cybercrime. Many companies were infected with malware, yet completely unaware, and employees relying on trusted services inadvertently exposed business assets to hackers. It sounds grim, but knowledge is power.

Here are three key takeaways from the Cisco report.

Trust Me!

Effective use of technology depends on trust. Employees must trust systems, IT professionals must have confidence in applications and executives must trust the people they hire. Although businesses are now more discerning when it comes to selecting web hosts and cloud providers, abuse of trust remains the No. 1 cause of malware infections — anything from socially engineered password theft to “hide-in-plain-sight infiltrations that execute in minutes.” The result? Diminished consumer confidence and corporate concern that even high-level trust mechanisms can fail.

Who’s Infected?

ZDnet’s examination of the Cisco report points to a sobering fact: In a 30-company sample from the Fortune 500, 100 percent generated visitor traffic that was redirected to malware sites. In other words, everyone’s infected — but no one knows it.

Part of the problem is increased attack-surface area. From the cloud to local perimeter to crucial enterprise network, there are a number of entry and exit points that malware actors can use. Cisco describes a common malware progression: Devices outside the corporate network are compromised and then spread infections to campus networks. From there, infection moves to enterprise data centers and wreaks havoc.

But attack surface alone isn’t enough to propagate malware; the code needs a way in. Enter Java, responsible for 91 percent of web exploits in 2013. It’s no surprise; according to Java’s webpage, 97 percent of enterprise desktops use this programming language. While its newest version, Java 7, deflects most exploits, Cisco discovered that 76 percent of companies still run a Java 6 runtime environment alongside Java 7, in effect providing hackers with an opening.

Mobile Malware

Mobile is also a key takeaway from the annual report. Although only 1.2 percent of all malware encounters on the web were mobile-focused, Cisco argues this is a growth industry. Ninety-nine percent of all mobile malware targeted Android devices (not surprising, given more lenient app store policies and the open source nature of the Android OS) but didn’t always focus on compromising the actual devices. Many malicious programs use smartphones and tablets to bridge the public–private gap and make their way onto secure company networks. For the moment, mobile is the middleman, but that’s likely to change as devices take on essential corporate roles.

Crimeware-as-a-Service (CaaS)

Ultimately, the Cisco report points to the development of Crimeware-as-a-Service (CaaS), where only a few technical innovators and criminal resellers are needed; much like public clouds have made compute power available to nontechnical users on demand, so too will CaaS make malware tools a third-party “service.” Search IT Channel points to a significant shortage of security professionals in 2014 — by more than a million. And in a recent TechRepublic security round table, director of career services for ECPI University Kenton Scearce notes that the top hot skill for IT professionals this year is network security.

But hiring additional security pros isn’t the only way to combat CaaS, according to Cisco. Initiatives like the Common Criteria for Information Technology Security Evaluation are attempting to create worldwide standards, which technology products must meet in order to be deemed trustworthy. Increased focus on heuristic threat analysis may also improve defense by focusing on the behavior of potentially malicious programs rather than code.

It was a good year for the bad guys; compromised trust, unwitting infections and the spread of mobile malware all contributed to the rise of CaaS throughout 2013. Improved threat recognition and the development of common standards, meanwhile, may help limit cybercrime’s impact in 2014.
