The conventional wisdom from identity management and security wonks is that you should change your passwords frequently. WiseGeek puts it at once every three months. Some say as often as every day. But is it practical?

With an ever-growing number of work applications, social networking and cloud computing sites to log in to, each with its own unique password, changing passwords can be a time-consuming, frustrating process. Ideas like a national “Change Your Password Day” sound great to those of us who live and breathe security awareness, but are they practical?

Comments (2)
Vaclav Vincalek June 30th, 2009 10:00:00 AM

The governments that do things like block Facebook tend to be the same ones under which online identities and private data seem most likely to be hacked, sadly, by the very authorities you would expect to protect them.

Fortunately, this doesn’t appear to be as much of an issue in the West (notwithstanding the infamous wiretaps by the NSA). But in places like Iran, where regime-backed hackers and their handlers appear to be keeping tabs on bloggers they don’t like, shutting down websites, stealing their identities and even throwing their online opponents in prison, data privacy and security issues come in a different context (see Iran’s New Internet Attack On Dissenters).

Scary stuff. Anyone out there want to offer a solution to the question, “What do you do when the government hacks your online identity?” To be honest, I’m a bit stumped on this one. Leave your solution in a comment, please.

Contributed by Jonathon Narvey, Communications

Comments (3)
Vaclav Vincalek June 29th, 2009 10:00:00 AM

A Web Application Firewall (WAF) is an intermediary device sitting between a web client and a web server that inspects HTTP messages at OSI Layer 7 for violations of a programmed security policy (Web Application Security Consortium definition). In this way it protects the web server from application-layer attacks such as cross-site scripting and SQL injection.

WAFs are getting plenty of attention from an increasingly security-minded business community, despite analysts' observation that the product space is still hard to define. Only last month, Gartner approved research on a Magic Quadrant for WAFs with a target release date of Q4. Many WAF-focused products provide functionality beyond the "standard" WAF definition, while vendors whose focus is not WAF are adding WAF capabilities to offer a more integrated solution.

Companies are finally beginning to realize that the vast majority of attacks target the application layer, which may explain the growing interest in WAFs. As well, PCI DSS (Requirement 6.6) accepts a WAF in front of public-facing web applications as an alternative to application code reviews.

Our research shows WAFs are an essential part of application security, along with regular scans and code reviews. A WAF can be tuned according to the findings of web scans to provide even better protection: a vulnerability the scan reports can be covered by a targeted rule while the application fix is being developed.

How does a company choose a WAF? Companies can start with two main questions:

1) What sort of functionality is required for my applications and my organization?
2) What sort of time and resource commitment is needed to tune the WAF and ensure it is working effectively?

They'll need to consider things like the frequency of false positives, the types of vulnerabilities detected, out-of-the-box setup and capability, learning-mode capability, configurability, scalability and performance.

We suggest that before an organization makes a purchasing decision on a WAF, it first consult experts on what kind of product will meet its needs and how it can be deployed.

Contributed by Karen Chiang, PCIS Program Manager


WEBINAR INVITATION: Want to learn more about WAFs and whether a WAF solution would be effective for your organization? Register for our Case for Security webinar coming up on July 8: Fundamentals of Web Application Firewalls
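To make the definition above concrete, here is an added example (it is not code from the original post or from any WAF product) of a minimal policy-driven request inspector. It applies generic SQL injection and cross-site scripting signatures to Layer-7 request parameters, shows the two practical problems the post raises when choosing a WAF (a false positive on a legitimate search query, and an injection the generic signature misses) and then shows the tuning step: a positive-security "virtual patch" for a parameter that a hypothetical web scan reported as injectable, plus an exclusion for the search field. The scan finding, the /product and /search endpoints, the rule ids and all sample requests are constructed for this example.

```python
# Added example: a WAF-style inspector applying a programmed security policy.
# Endpoints, rule ids, the "scan finding" and the sample traffic are all
# constructed for illustration; this is not any vendor's rule set.
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: str            # regex applied to the normalized parameter value
    kind: str = "deny"      # "deny": a match is a violation; "allow": a non-match is
    paths: tuple = ()       # () = applies on every path
    params: tuple = ()      # () = applies to every parameter
    exclude: tuple = ()     # (path, param) pairs this rule must not inspect


@dataclass(frozen=True)
class Request:
    method: str
    target: str             # path plus query string, as on the request line
    body: str = ""          # URL-encoded form body for POST


def normalize(value: str) -> str:
    """Strip up to two further layers of percent-encoding (parse_qsl already
    removed one) and lower-case, so %2527 and %27 both inspect as a quote.
    Without this, a double-encoded payload slips past a quote signature."""
    previous = None
    for _ in range(2):
        if value == previous:
            break
        previous, value = value, unquote_plus(value)
    return value.lower()


def parameters(req: Request):
    """Return (path, [(name, value), ...]) for query and POST form parameters."""
    parts = urlsplit(req.target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if req.method.upper() == "POST":
        pairs += parse_qsl(req.body, keep_blank_values=True)
    return parts.path, pairs


def inspect(req: Request, policy) -> list:
    """Return the ids of every rule the request violates; [] means allowed."""
    path, pairs = parameters(req)
    hits = []
    for rule in policy:
        if rule.paths and path not in rule.paths:
            continue
        regex = re.compile(rule.pattern, re.IGNORECASE)
        for name, raw in pairs:
            if (rule.params and name not in rule.params) or (path, name) in rule.exclude:
                continue
            value = normalize(raw)
            if rule.kind == "deny":
                violated = regex.search(value) is not None
            else:
                violated = regex.fullmatch(value) is None
            if violated:
                hits.append(rule.rule_id)
                break
    return hits


# Generic negative-security signatures: the out-of-the-box part of a policy.
SQLI_PATTERN = r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+(all\s+)?select|;\s*(drop|delete|insert)\s"
XSS_PATTERN = r"<\s*script|javascript:|<\s*\w+[^>]*\son\w+\s*="
GENERIC_POLICY = (Rule("sqli-generic", SQLI_PATTERN), Rule("xss-generic", XSS_PATTERN))

# Tuned policy, driven by (constructed) scan and review findings:
#  - the scan reported /product?id= as injectable, so a virtual patch requires
#    id to be a plain decimal number rather than trusting a signature;
#  - code review confirmed /search uses parameterized queries, so its free-text
#    q parameter is excluded from the SQLi signature to stop the false positive.
TUNED_POLICY = (
    Rule("sqli-generic", SQLI_PATTERN, exclude=(("/search", "q"),)),
    Rule("xss-generic", XSS_PATTERN),
    Rule("vpatch-product-id", r"\d{1,9}", kind="allow", paths=("/product",), params=("id",)),
)

# Constructed sample traffic.
SAMPLES = {
    "benign":         Request("GET", "/product?id=42"),
    "sqli":           Request("GET", "/product?id=42%27%20OR%20%271%27=%271"),
    "sqli-2x-enc":    Request("GET", "/product?id=42%2527%2520or%25201=1"),
    "sqli-blind":     Request("GET", "/product?id=42%20AND%20SLEEP(5)"),
    "xss-post":       Request("POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C/script%3E"),
    "false-positive": Request("GET", "/search?q=union+select+committee+report"),
}


def evaluate(policy) -> dict:
    """Map each sample name to the rule ids it triggers under the given policy."""
    return {name: inspect(req, policy) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("generic", GENERIC_POLICY), ("tuned", TUNED_POLICY)):
        print(f"--- {label} policy ---")
        for name, hits in evaluate(policy).items():
            print(f"{name:15s} {'BLOCK' if hits else 'allow'}  {hits}")
```

Under the generic policy the time-based injection in `sqli-blind` passes untouched and the harmless search for "union select committee report" is blocked; under the tuned policy the allow-list patch on `id` catches the blind injection without any signature, and the exclusion removes the false positive. That is the tuning effort the post's second question is about, and the exclusion is only defensible because a code review (assumed here) showed the search handler is safe.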

Comments (0)
Vaclav Vincalek June 26th, 2009 10:01:00 AM

Great briefing for IT professionals on why an organization might want to upgrade to Lotus Notes and Domino 8.5.

Good coverage of features such as Lotus Domino Attachment and Object Services, Notes ID Vault and Notes Shared Login.

Comments (0)
Vaclav Vincalek June 25th, 2009 03:48:49 PM

If I know you, I bet I can guess your password within five guesses. The truth may set you free, but honesty will get you into trouble when it comes to your security questions for banking, social networking and other applications.

Once again, Bruce Schneier has come upon some excellent research reminding us about why it’s a bad idea to use the standard security questions online, or to answer them truthfully. Read it and weep: Secret Questions

Comments (0)
Vaclav Vincalek June 20th, 2009 11:00:00 AM

If your company does business transactions online, you could be one of the unlucky online retailers who helped lose more than $4 billion to transaction fraud, according to payment management company CyberSource. The number of e-commerce fraud incidents may be down, but a large chunk of change is still being stolen despite merchants' best efforts to comply with the Payment Card Industry (PCI) Data Security Standard (DSS).

A singular focus on PCI DSS may be part of the problem. Often I hear the comment, "I just need to get through this PCI DSS audit and get my stamp of approval." PCI DSS is a mandated standard. It provides good guidance for security, but does it truly address the specific needs of your business? Companies that achieve certification often breathe a sigh of relief until, despite these efforts, something happens. Indeed, network scans, encryption and web application code checks are a good start, but there is a long list of things organizations ought to be doing.

As Practical Ecommerce contributor Armando Roggio notes, and as we’ve noted in conversations with some of our customers when helping them with their PCI compliance efforts, the regulations ought to be seen as more of a starting point than the end goal:

Roggio: “Although no fully-compliant merchant has been known to ever lose customer data to a hacker, compliance is not a once-a-year, or even once-a-quarter, check up. Compliance is something that has to be maintained all of the time. When brick-and-mortar retailer TJX, which operates brands like T.J. Maxx, Marshalls, and HomeSense, was compromised in 2006, it had been PCI-certified, but was not in complete compliance when the incidents occurred. A small breakdown in policies can give a thief just the opportunity he or she needs to pilfer customer data.”

Contributed by Karen Chiang, PCIS Program Manager

WEBINAR INVITATION! If you want to learn more about how PCI DSS relates to your company’s data security, register for our Case for Security webinar on PCI DSS and the Basics of Data Security Compliance on Wednesday, June 24 at 8:30 am. Hope you can make it!

Comments (0)
Vaclav Vincalek June 19th, 2009 12:00:00 PM