Pacific Coast Informer Blog

Myth of PCI DSS: Security Compliance is Hard

Vaclav Vincalek — Wed, 17 Dec 2008 14:11:04 -0700

While talking with Forrester analyst John Kindervag about IT security trends this week, we discussed the issue of educating companies about PCI DSS compliance. Of course, compliance is part of what PCIS helps companies achieve through a range of boxed services, so it came up naturally enough in the conversation. And as some of our readers may know, Kindervag is an expert on PCI DSS, so it was a great opportunity for us to learn as well.

PCI DSS stands for Payment Card Industry Data Security Standard. It is a worldwide security standard enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to ensure vendors and merchants protect your private credit card information when they are processing transactions. Even though the PCI standard has been around for some time, many companies have still not even heard of PCI, much less taken steps to improve their security measures.

Kindervag wrote an excellent analysis a while back entitled PCI Data Security Standard compliance: Setting the record straight. It’s an excellent overview of some issues in PCI DSS that I’d like to follow up in a series of posts here.

Myth #1: PCI Compliance is hard

One objection companies have to undertaking PCI compliance is because it’s hard. As Kindervag points out, what they usually mean is they think that it’s expensive. According to a Forrester study, The State of PCI Compliance, American and European companies seeking to meet PCI standards typically spend 1 to 5 per cent of their IT budget on the task.

While that can be significant in terms of total dollar outlay, it seems entirely reasonable when looked at as insurance against a security breach where records are exploited, that could cost between $9 million and $14 million even before the credit card companies get around to assessing fines for PCI non-compliance. Check out Tech//404’s handy Data Loss Calculator, which lets organizations get more accurate numbers on what to expect from a data security breach).

For companies that are already undertaking good practices for security, additional costs for PCI compliance may be negligible. The benefits of good security practices were clear even before PCI was developed and for organizations that have already done these things, PCI compliance is not hard at all. It pays to be proactive.

IT spending on the rise

Vaclav Vincalek — Fri, 5 Dec 2008 17:35:31 -0700

More than half of small-to-medium businesses plan to spend more on IT over the coming year to help increase productivity in a tougher economic climate, according to a new study from CompTIA Research (Thanks for the tip, Laptop Security Blog).

In the past, IT spending has been the first to get cut during hard times. Not any more. The use of technology is already so entrenched across industries and departments that managers realize that IT is no longer a fancy optional extra – it’s at the core of an organization’s ability to maintain operations.

Now crafty professionals will be looking at ways they can spend a buck on IT to save – or earn – five. This is a huge change, in that IT is recognized as a “need”, not a “want”.

The people in charge of spending the bigger IT budgets will be careful to avoid the nice-to-have purchases and zero in on the must-have items.

That new version of your application that might give you some fancy options if you have the time to learn how to use them, might be out. But that firewall that needs updating can't be put off. Same goes for the network security assessment.

The increased spending will go to investments that affect the bottom line, cash flow and security. The upside of a downturn is that it forces businesses to keep a sharp eye on their budget priorities.

Why Do Hackers Hack?

Vaclav Vincalek — Thu, 27 Nov 2008 15:08:12 -0700

Why Do Hackers Hack?

The online threats to business operations that I've been discussing on this blog aren't going away anytime soon. That's because when it comes to hacking, the promise of high rewards outweighs the risk of getting caught.

A ringleader of a group of hackers who stole 40 million credit card numbers from TJX made more than $11 million from his criminal activity (SearchSecurity.com). This was an extreme case (or so we hope, since much hacking goes undetected), but it’s safe to say that hackers who sell hundreds or thousands credit card numbers and other information they can extract in minutes make good money.

IT security analysts suggest cyber criminals earn $40,000 to $60,000 per attack (Information Week).

Meanwhile, just one out of every 7,000 cyber criminals gets convicted, although it could be as low as one out of every 600,000, suggests Lloyd Hession, chief security officer at British Telecom’s global financial services division (Wall Street Journal).

Why is it so hard for law enforcement to crack down on hackers and reduce the ratio of risk to reward? Here are a few reasons:

1. Without application layer firewalls and network firewalls, it is difficult for IT security experts (and impossible for everyone else) to directly detect hacking efforts. Attacks are often only inferred from slowed performance of web applications or computers – or bank accounts being emptied unexpectedly. No detection => no reporting of a crime => no investigation => hacker drives away in a new BMW.

2. Even when you find out you’ve been hacked, tracking down the hacker isn’t straightforward. There are ways for hackers to disguise their location of origin.

3. Diplomatic immunity? Not quite, but close enough to protect the bad guys. A lot of hackers are based out of places with weak legal systems, where lawmakers have little incentive to crack down on cyber crime that disproportionately exploits us supposedly rich, decadent Westerners -- meaning they're targeting everyone from Bill Gates down to the poor owner of a small corner hardware store that finally got around to posting a website.

The ratio of risk to reward? Not even close. That’s why hackers hack.

"We’re too busy to do IT security”. Really? That’s the point. Time to outsource

Vaclav Vincalek — Mon, 24 Nov 2008 17:12:14 -0700

Let’s face it: convincing companies on being proactive and taking a holistic approach web and network security isn’t always an easy gig. Many of companies "get it", unfortunately, many more remain in denial. Their response is similar to poking your fingers in your ear and saying "la-la-la, I can't hear you".

Some objections are pretty standard. For example:

“We haven’t budgeted for conducting security analysis, so we unable to do it.” OK - understood. No money to check for potential attack vectors that could cost your business time, money, and effort. I understand, many IT departments are challenged with doing more with less these days.

Consider this: have you budgeted for the damage-control campaign when all your customers’ financial information ends up in the hands of joe hacker who in turn resells the information to willing buyers? In this same budget, are there funds set aside for emergency IT work to plug security holes that could have been identified before the attack? Then there is the added chore of reporting to the company's executive an attack took place, and that it was both foreseeable, and preventable.

I'd much rather tell my boss what the problems were, than for them to learn about it from an angry customer. By knowing what needs to be secured in advance, you can easily plan for costs related to securing your applications, rather than paying in multiples to solve it when a crisis occurs.

Another objection goes:

“We’ve never had a problem in the past. Why do we need help with IT security? Our website is so small nobody will try to attack us.” I'm sure that the IT managers at eBay and CIBC probably raised the same objection before they had some very public problems regarding web application security.

Waiting for a security incident to happen to justify the investment is just like waiting to buy car insurance AFTER you have an accident. My experience has been that small business has a lot to be concerned about. Often with limited resources, a compromised web application can operate for weeks undetected due to limited monitoring resources in smaller companies. By the time the issue of security is discussed - it is more often during a crisis, rather than planning to avoid one.

I think perhaps one of my favourite objections to security assessments has to be the following:

“My staff and I are so busy, we don’t have time for IT security scans or testing”. Again, lack of resources is not an excuse for lack of planning. Security analysis is a highly specialized discipline and it is completely unrealistic to expect any day-to-day IT team could manage the depth of analysis a third-party consultant focused in this area could provide, likely for less cost to your business.

Many firms contract and outsource IT services, prepared on-demand, not when someone is capable of 'getting around to it'. The other advantage is that the detailed reporting provided makes your department look like geniuses, for identifying risks, and for obtaining an actionable plan for dealing with them. Let someone else do the work, you take the credit.

“I don’t have time to take care of IT security” is the the very reason why companies should seriously consider outsourcing this critical part of maintaining their organizations electronic assets. Your web applications and network aren't going to fix themselves.

(Contributed by Emerson Killam, PCIS Web Security Analyst)

How Much Would You Trust Third-Party Web Applications with Your Medical Records?

Vaclav Vincalek — Fri, 7 Nov 2008 14:04:19 -0700

As I’ve mentioned before on this blog (What are Strangers Doing With All of Your Information?), when you willingly hand over your information to Google via Gmail or a third-party application, they own it. Once they own it, they can sell it.

But businesses, non-profits and individuals willingly provide this information because it’s convenient. They are assured that this information is protected, perhaps out of a projected sense that it ought to be protected.

So the development of Google Health has caught my attention. Now you can store your medical records online. When it comes to your medical information, some of the most private data you’ve got, when that info gets turned over by hospitals to a private company, the data is no longer protected by regulations like HIPAA (as noted in a recent Technologist column by Steven Levy). Nonetheless, there is definitely a trend for public institutions to put this information in third-party web apps like the Google Health project before we have better security.

Google has millions of dollars to spend on security, but simply by browsing hacked sites, the people uploading their data to the Internet have made the multi-million dollar investment in security pretty much irrelevant.

The point being, while there may be efficiencies, possibly even life-saving ones, from putting this data in third-party online databases, the framework isn’t quite there yet. So long as the vast majority of Internet users are vulnerable to spyware and other threats, the system is not ideal for storing of your most private information

The movement of all business functions to virtual apps is definitely happening, but my advice to businesses looking into it to hold off for a little while longer… at least until you're willing to accept the risk.

Zombie PCs Lurking On the Internet

Vaclav Vincalek — Fri, 31 Oct 2008 17:03:18 -0700

It is a scary time for those of us concerned with IT security. Just in time for Halloween comes a report that zombie PCs are spreading their evil about as fast as the rotting-flesh versions do in the movies. According to Microsoft’s Internet Safety Enforcement Team (quoted in the New York Times), it takes less than five minutes for computers to become infected and added to the horde of 300,000 computers worldwide that are already in the thrall of unscrupulous hackers.

Zombie PCs are computers that were then taken over by hackers in order to send out spam, look for private financial information and install malicious software to infect more PCs. Any computer that is used to go online is vulnerable.

As the NYT article suggests, computer owners are well-advised to run commercial malware detection programs, use a firewall and install security patches for operating systems and applications. As well, talk to your trusted IT expert. The more the better. Remember, a hacker has to get to your PC only once.

If all else fails, get the zombie in the head.

Do Developers Want to Become IT Managers?

Vaclav Vincalek — Thu, 9 Oct 2008 12:45:09 -0700

There’s a funny article in the CIO online magazine about “5 Reasons Why a Developer Might Want to Become a CIO” – with a follow up article with 8 reasons why they might not want to do it (read here).

To summarize writer Meridith Levinson’s points on why developers might want to become CIOs:

1. Money.
2. Boss perks.
3. CIOs don’t get outsourced.
4. Golden parachutes are handy when it is time to jump.
5. At some point, even developers get tired of fixing bugs.

But the real question is “should developers become IT managers?” As it stands right now, most shouldn’t, unless they work for the kind of employer that can provide the training for transition. Good programmers are not necessarily good decision-makers. It’s not their fault – CIOs are made, not born.

To help more developers transition into management, the universities and colleges that offer training to computer programmers could consider offering more courses teaching the link between technology and business needs.

These courses might include:
1. Case studies in implementing IT solutions for business from both a technical and management standpoint.
2. Measuring return on investment for IT solutions.
3. Project management techniques.

To those who would counter that it seems like a waste of time to provide this kind of training to developers who have not expressed an interest in IT management, I would pose the following question: how many full-time programmers over the age of 45 do you know? How about over 50? Many have moved on to management, if they haven’t burnt out and shifted into other careers.

For those programmers hitting their later years, it's time for them to transition into something else that makes use of their skills other than programming code for their next career -- and if they haven't been picking up those skills along the way, then it's time to get on it (or if you're their manager, it's time to help them on that path). Believe me, I've been there. Changing careers is a tough thing, but if people think they can keep learning new programming languages into their autumn years, they better think again.

If security isn’t built in, it’s not there

Vaclav Vincalek — Fri, 3 Oct 2008 16:13:17 -0700

It's a common myth that big companies and famous celebrities have the best security because they have huge resources. But fame and brand recognition seem to be no substitutes for taking the time and effort to be proactive about security, online or otherwise. To illustrate, eight-time Olympic gold medalist swimmer Michael Phelps may be top dog in the water, but in cyberspace, he’s just another target to amateurish hackers.

Phelps’ site got defaced a short time ago by a Turkish hacker (SC Magazine). SC reporter Dan Kaplan writes:

A screenshot of the hack -- which did not appear to carry any payload, malicious or otherwise -- was posted Thursday on Digg. The defacement contained a link that led to a Turkish language website featuring some text, a picture of the Turkish flag and a portrait of the country's first president, Mustafa Kemal Ataturk. The text appears to be a patriotic quote from Ataturk.

My take? The hackers were probably script kiddies looking to make a political statement. A few points I want to make:

1. Famous people are bigger targets for juvenile hackers looking to use up their 15 minutes of fame engaging in stupid mischief that they think makes them look smart. What these script kiddies are doing is showing off their ability to copy and paste code written by real hackers. They're not smart, but they can be very annoying, or even dangerous for an organization's reputation and brand.

2. If security hasn’t been explicitly built into your operation, whether that's a website, network or a hotel lobby, it’s not there. For businesses in particular, ignoring security is akin to operating without insurance.

3. Focusing on SEO optimization for websites while neglecting security just makes these websites into a more effective tool for hackers to find and infect every visitor. The best hackers don't operate like the ones that defaced Phelps' site; they hide their tracks, so that popular and trusted sites end up causing problems for thousands of users, for months or even years before the malicious code is discovered.

The Web Browser: Security Threat Number One

Vaclav Vincalek — Fri, 26 Sep 2008 09:23:01 -0700

Do you use Firefox? Internet Explorer? Safari? Which one do you think is the safest?

Right now, Firefox is thought by many to be the most secure browser available (although a new report from Microsoft conveniently rates IE as the best bet -- CNET). And even the supposedly impregnable Macs seem to be vulnerable through the Safari browser (eWeek).

Bottom line, though: all of the web browsers are essentially vectors for malware if you happen to be browsing the wrong kind of website.

It used to be easy to know what that 'wrong' kind of website was. If you searched for porn or downloaded free software, you were asking for trouble (Of course, that’s still true today). But now a non-profit charity or gardening website can be just as compromised. When you visit a site that has been hacked, your computer gets infected. Now your private and personal information is at risk and you could be infecting others… and this easy sleazy process explains why one new infected web page is discovered every five seconds (Sophos).

I talked about how the humble web browser has emerged as the number one threat to web security at the 1st Annual Critical Infrastructure Protection Conference in Calgary earlier this month on the theme "Cyber Security for Energy and Communications". This conference looked at understanding the threats and hazards that the industry faces and explored solutions. Some of the most senior IT security experts in North America were there, so it was very exciting to take part. Here are some of my key tips about web security that I presented:

1. Educate your workforce. You pay a software maintenance fee every year for upgrades and support for your anti-virus and firewall programs. But you also need to invest a corresponding amount in ongoing education for your staff. Train them in best practices for security. The human factor can be your greatest vulnerability... or your best defense.

2. Demand security from your business partners. If your suppliers, distributors or outside consultants don't have the same commitment to IT security that you do (or better), drop them. In an increasingly symbiotic business network, their security holes are your security holes. On the other hand, their security measures can help keep your organization safe. Requiring high standards helps protect your own business and the industry as a whole.

3. Make a business case for security within your company. Show your people how vulnerabilities can affect your business, and close them off. This can mean implementing technology solutions like firewalls and spam filters, or proactive measures such as web vulnerability audits. It also could mean implementing policies about what websites employees can browse. This may sound harsh, or even unworkable at first; but weighed against the risk of your IT infrastructure getting hacked, your people will realize the business rationale.

If any of my loyal readers have a tip to add, the comments section awaits.

Can You “Spot” The Password?

Vaclav Vincalek — Wed, 3 Sep 2008 16:08:02 -0700

I've suggested that pattern recognition is the key to developing secure passwords that are easy to remember (See my post, Would You Give Me Your Password For A Candy?). I still like the idea of a series of images on standard themes (eg. fruit, mountain scenes, animals, etc) that represent a password. But others are still taking a different approach.

Password authentication and identity management wonks are plugging the latest idea for password management (New York Times) that seems to work well, at least amongst college students (if not the general population, which may have problems with it):

While registering for a site, users are asked to select from a long list things they like and dislike (punk music, golf, southern food, for example). If they forget their password, they return to the site and are presented with the list of items they selected. Then they have to specify whether they like or dislike those things – a quick personality test.

According to a research study of 423 college students, the system worked remarkably well:

…the group honed their questions and determined that the probability that an attacker can answer all the questions accurately was less than one percent. The chances of a legitimate user failing their own personality test was close to zero.

Sounds promising. But maybe this concept isn’t so new – or valuable – as the study makes out. One of the first comments on the article from a J. Greene is less than hospitable:

There are a few sites that are also starting to use these questions as a verification device–you log in with your user name and password, and it then asks you to answer two questions. I absolutely hate it, and if I didn’t have to go to the site to conduct business, I would never go back.

Ouch. But even more interesting were the comments on the article where contributors added their own tips for managing passwords. First, Karyn:

Call me foolish, but I usually use different passwords with the many accounts I open (probably too many). I often forget them although I remember my pet, my mom’s maiden name, etc…

Sounds typical… but isn’t that already the default “solution” for password management with a large number of accounts? Next up, Richard Miller of Evanston, IL:

There is a much easier way to manage this — simply choose one answer, and only one answer that you can remember and put it everywhere, whatever the question, e.g., Question “Name your favorite pet?”, Answer “spot”. Question “Name your 3rd grade teacher”, answer “spot”. Question “On what street did you first live”, Answer “spot”.

But what if the one answer is not so contextually neutral as you think, or a hacker gets hold of the one password that rules them all?

I'm still keen on the idea of pattern-based passwords. In the meantime, at least easy password reset is available for those of us who don’t possess the keen memories of caffeine-addled college students.

So You Followed Proper IT Security Procedures and Still Got Burned? (Part 2 of 2)

Vaclav Vincalek — Fri, 29 Aug 2008 15:53:55 -0700

Continued from Part 1 of So You Followed Proper IT Security Procedures and Still Got Burned?

My innocent laptop computer was stuck in a dreamless sleep because my password no longer worked – even though I had followed the manufacturer’s own procedures when setting up and updating security on the machine. According to the tech wizards at the manufacturer, the only thing that could awaken the computer from the dead was a $1,300 motherboard.

I didn’t believe them. I went online and instantly found a company that specialized in just this kind of problem: Datronics Custom Computers. They said they could fix it, and for a lot less than the manufacturer was asking for a new motherboard. They had hundreds of glowing testimonials from people all over the world.

It looked legit… but how could this be? The manufacturer insisted the only thing they could do for me was provide a new motherboard. But if Datronics had enough clients to justify a full-time business, that meant two things: the password protection was next to useless (since it can be removed by a third party at no significant cost), and the manufacturer was not offering this effective and much cheaper solution to the hundreds and potentially thousands of customers affected by this bug.

I gave Datronics a call. They confirmed everything on their website. I was still a little leery because of what the original manufacturer was saying, but for $75 Datronics quoted to fix the problem, I’d give it a try.

I shipped them the computer. In about a week, I had it back – working just fine. My password with the unusual characters that the patched BIOS had rejected was erased from the motherboard. Now I could set up my computer’s password again.***

But I’m left feeling unsettled. The password on this laptop (and possibly on many other brands) will only protect my information from being accessed by my kids, or someone in my office who might want to snoop on my work. It does not stop a tech-savvy thief from stealing my laptop and sending it off to a legitimate company to remove the password.

Three morals to my true story:

1. Improving IT security is still a reasonable goal for all organizations and claims by vendors that their technology solution will improve security may still be trusted (after undertaking due diligence). But be wary of any business claims of having an “unbreakable” security solution. According to Datronics’ Ali Dabiri, they could read and replace my supposedly unbreakable password in minutes using their own technology solution.

2. Password security is just one part of an overall security strategy to ensure your data is protected. See my tips on laptop security and the value of website security.

3. Your IT security technology and procedures may not work the way you think it should. This is the sad truth that most IT experts won’t want you to hear.

But as my loyal readers know, I am concerned with the current state of the IT industry, which allows some vendors to get away with products that don’t work the way they should.

So You Followed Proper IT Security Procedures and Still Got Burned? (Part 1 of 2)

Vaclav Vincalek — Fri, 8 Aug 2008 11:42:22 -0700

I got my laptop computer shipped back to me today and its working perfectly fine – which upsets me a great deal. You see, the computer isn’t supposed to be working.

The manufacturer’s finest customer service reps assured me repeatedly that the only fix for my password-locked machine was replacing the motherboard. For the price they quoted me for that critical piece of hardware, I could have just bought a brand-new laptop. They thought they had me over a barrel.

How did I get into this mess? Ironically, it happened because I did exactly what I was supposed to do to ensure proper security on my laptop. While setting up the computer, I created a complex password with numbers, upper and lower case letters and a punctuation mark to block unauthorized access. To use my computer for anything at all, you had to have the proper log-in password.

It was working fine. Then I downloaded updates and patches, to ensure optimum performance and security. The computer restarted and… my password didn’t work anymore.

I typed in my password. No good. I tried again. No dice. Fine, let’s try something fancy.

But my usual techie work-arounds had no effect. That’s when I called the manufacturer… and they told me that since my warranty had expired, they couldn’t help me reset the password. I had to go through their channel partners. All they could do was offer their sympathies, and a motherboard for $1,300. They told me there was no other solution. So no computer, no encrypted data.

I contacted the business partners and they exhibited absolutely no interest in helping me. F $#%# s

You guessed right. This got me mad. I had done exactly what I was supposed to do according to the manufacturer’s own procedures for setting up their computers. And now I had to pay through the nose because they hadn’t tested properly for this bug back in development.

I wasn’t going to give in to the manufacturer’s shakedown. I made a phone call…

How To Protect Your Information On Your Laptop From Being Stolen

Vaclav Vincalek — Mon, 28 Jul 2008 12:53:39 -0700

Pretty much everyone and their dog has a laptop, Macbook, Blackberry or some other kind of portable computing device (all hereafter referred to as "device"). Protecting your information on that device from cyber thieves (or just plain ordinary thieves) isn't easy. But it gets easier if you take security precautions.

A recent case of government actually doing something right when it comes to security highlights one security solution. The Canadian federal government recently confessed that a laptop with the private information on 32,000 farmers was stolen a little while back. (Winnipeg Free Press).

But there is a slim ray of hope that the information might not be compromised: the laptop was reportedly password-protected and secured with biometric fingerprinting, even if the data itself was not encrypted.

As identity management blogger Dave Jevans (Thieves Steal Canadian Laptop With 32,000 Farmer’s Personal Information) has noted, the biometrics security measure doesn’t stop the thieves from simply removing the disk in the computer and inserting it in another computer to get access to all of the information. But it’s better than nothing.

There are other steps one can take for better security -- some are just common sense, while others require a technology solution:

1. Never share your device with anyone. "But we were going out! I thought I could trust her!" -- doesn't cut it when high-resolution images of your hairy butt end up in all your relatives inboxes.

2. Don't turn your back on your device, particularly in a public place. Would you leave your wallet full of all your ID on a desk at the library, even eight steps away as you answered your cellphone? Thieves can snatch your stuff in an instant.

3. Use a remote data storage backup solution. This may not prevent thieves from looking at your information, but at least you won't have lost all of your data. You'll be able to access all your data even if your device is nowhere to be found.

4. Ensure your data is encrypted and password-protected. To the thieves, your device will be about as valuable as a lump of plastic and copper.

5. Use a laptop security tracking device. Not all portable computing devices may have this capability built in, but you can get it for laptops.The thieves are going to be awfully sad when the cops show up at their door fifteen minutes after they turn on your computer -- and you may just get it back before the goons have even had a chance to go on an on-line shopping spree with your credit card number.

If you have any other tips for protecting your info from thieves, feel free to share. People need this info.

How to Calculate Return On Investment (ROI) for Web Security

Vaclav Vincalek — Mon, 21 Jul 2008 17:22:36 -0700

Calculating ROI on web security doesn’t have to be tricky. Actually, it can be pretty straightforward. And it's critical for organizations to do the calculation, since we can reasonably assume that unprotected web applications will get hit eventually.

Industry analysts suggest just one in 30 websites may be secure and security breaches get reported virtually every day. Big or small, locally-hosted or run from China, all those websites are vulnerable. So we know that the likelihood of your organization getting hacked is much higher than the probability of pretty much any other kind of business disaster, from arson to a robbery or an earthquake.

So it's safe to assume that your web app is open to abuse from hackers using cross site scripting and other tactics. Now it's time to do an ROI calculation for web security.

Now let’s imagine a medium-sized company does $1 million in sales or donations every year through its website. Every day, the website brings in about $2,740. Finally, let us assume an initial investment of about $10,000 for regular web security scanning and IT consulting over one year to fix hacker vulnerabilities.

If this security solution prevented a security breach (or several) that forced a shutdown of the website for just four days out of an entire year, the investment will have more than paid for itself (Security investment = $10,000, Retained revenue = $10,960).

This doesn't even include the money saved from not having to deal with legal costs and crisis management (potentially millions of dollars). In this calculation, ROI is similar to that for purchasing insurance.

Then there's the added value web application security ROI calculation. Looking at the same business as before, we'll add on a 15 per cent extra revenue from web trafffic conversion (Ask Dave Taylor) that a security solution can add if publicized properly (which is negated in the event of a well-publicized breach).

In this case, the extra 15 per cent means an extra $150,000 in revenue per year. This means that every day, this organization earns $410 per day extra from the web application security solution, even if there is no security breach all year long.In 24 days, the solution would pay for itself..

As we've seen, the ROI of web security can be easily demonstrated.

Other resources and ROI tips that an IT manager, marketing manager, sales manager or CFO may find helpful:

Calculating security ROI is tricky business. A Computer World article about the metrics of calculating security ROI.

WSI Website Traffic Conversion Rate Calculator. Use it to calculate how much your website traffic is worth – and how much your organization will lose if a hacker takes you down.

Hopefully, this example will help you get started on some long-overdue web security ROI number-crunching.

PCI DSS 6.6 Web Security Tips For Business

Vaclav Vincalek — Fri, 11 Jul 2008 11:22:35 -0700

The new PCI DSS 6.6 rules for businesses that process credit card transactions to protect their web applications from hackers went into effect on June 30. Merchants that fail to meet the Payment Card Industry Data Security Standard (PCI DSS) may face heavy fines of up to $500,000 levied by credit card companies.

The rules are important because if businesses take them seriously and try to mitigate web application attacks, credit card number thefts could be reduced by nearly half, according to the vigilant authors at PCI Blog (PCI DSS Requirements 6.6).

But these web application security regulations that used to be best-practices are now mandatory and it’s going to catch a lot of businesses off-guard. Businesses that fail to deploy a web security audit tool from recognized experts simply won’t be security compliant.

Many businesses may want to comply with PCI but need more information. Here are some tips:

1. There are four levels of merchant classifications that require different standards of compliance. Check which merchant level applies to you on the Visa Cardholder Information Security Program page. Your merchant classification affects the kinds of steps your business needs to take to become PCI compliant.

2. You need to fill out a self-assessment questionnaire (except if you are a Level 1 vendor) to evaluate your current level of PCI compliance. The document can be downloaded from the PCI Security Standards Council Website.

3. The PCI Security Standards Council site also has an FAQ for detailed answers to common PCI questions that businesses might have. For example, "is the implementation of encryption of cardholder data alone sufficient for PCI DSS compliance?" (Short answer: No).

The process of becoming PCI compliant involves many other questions, but fortunately, there are experts who can help. Other PCI tips are welcome.

Better Marketing and Promotion Through Improved Web Security

Vaclav Vincalek — Thu, 10 Jul 2008 09:30:33 -0700

More companies might consider the positive benefits for promotion and marketing that they can take advantage of after improving web security.

Here’s the situation: Your organization has invested in some kind of technology to protect your customers’ information from unscrupulous cyber criminals. You are confident that your customers will feel safer using your site or purchasing your products and services.

Wouldn’t you want to publicize that? Here’s your press release:

“XYZ Company Helps Its Customers Shop Safe”
Anytown, Anywhere July XX, 2008 – XYZ is proud to announce new web security measures that are going to make visitors to its website safer. “We’re just doing what our customers have been asking for,” says XYZ President Bob Moneybags. “Millions of people have already suffered ID theft from hackers through insecure websites. The ABC solution we’re using means that visitors to our site can feel confident that we’re taking steps to improve their security.”

“This is a great example of a company being proactive about its users’ security,” says Privacy Commissioner Suzie Hideaway, who has previously criticized corporations for not taking even basic steps to protect information. “Frankly, if I have a choice between 100 different websites about the same topic and I know for sure that one has implemented security to make me safe when I visit, where do you think I’m going to get my information or shop online? Obviously, I’m going to visit the site of the company that cares about my safety and privacy”…

But why stop with a press release? How about a white paper about your security efforts? An education campaign via social media? A speech to associations about how other businesses can become more secure? All of these PR methods will bring more attention to your organization.

Investing in security helps to market your brand and bring in more customers.The ideas above are just for starters. If anyone has ideas about other PR ideas to publicize a good-news story about improving security, please leave a tip in the comments.

Don’t Blame The Glitch.

Vaclav Vincalek — Sun, 6 Jul 2008 16:18:31 -0700

“I’m sorry, sir. But it’s not our fault. And there’s nothing we can do to reverse this. We had a computer glitch.”

Hmmm. That’s strange. What did he mean, a computer glitch? Who is really in charge, us or the computers? Who is accountable?

I’d recently gotten an offer in the mail to upgrade my credit card. I didn’t want the upgrade. But here’s the rub – to not get the upgrade, I actually had to opt out.

OK, no big problem. I called the credit card company and after waiting for 10 minutes, I told someone I didn’t want the upgrade. They thanked me for taking the time, I said you’re welcome, and that was that. Case closed. Or so I thought.

A month later, I have a voicemail from the bank about some important information the bank wanted to share with me. I am informed through the message that I have a brand new credit card. My old credit card number is gone.

Now I have to waste time going through my credit card statements. I have to check off my automatic payments so I can get the bank to contact a bunch of vendors to get them to change my information so I won’t appear to be a deadbeat. It’s a hassle. It’s what I was trying to prevent in the first place. I didn't want or need the new features they were offering. And if the credit card company’s own process had been followed, it could have been avoided.

Let’s assume conservatively that 50,000 other credit card users (out of about 40 million or so) had the exact same issue and needed to contact their vendors to change their info. That’s 50,000 hours wasted because of a “glitch” that the company felt it was too unimportant to bother to correct.

The situation reminds me of a post by Vancouver-based social media and occasional technology blogger Darren Barefoot wrote a little while back when dealing with his bank (I Wanted to Like Vancity, But Now I Loathe Them). He wrote:

“I’m out of patience and goodwill. That’s three errors in six months, in our first year with a new bank. If we performed like this at Capulet, all of our clients would fire us.”

No one is demanding the impossible here.The program bug could have been avoided if the bank had only thought to not outsource its hassles to its customers. No one needed to resort to the lame excuse of the inoperable computer glitch. Indeed, most of the time, these kinds of “glitches” are swiftly corrected by companies that try to be accountable.

When was the last time you were pleasantly surprised by someone who went that extra mile to fix a problem instead of just giving up because of a glitch?

Sony PS3 Website Hacked

Vaclav Vincalek — Thu, 3 Jul 2008 16:03:11 -0700

Sony’s web security disaster is just the latest example of when bad things happen to good websites.

Hackers used SQL injection to “add unauthorised code to pages promoting PlayStation games SingStar Pop and God of War. The malware claims to undertake an antivirus scan and displays a fake message stating that the visitor's computer has been infected. The visitor is then urged to purchase a bogus security product to clean up the 'infection'” (Vnunet.com).

Big websites are simply big targets for cyber-criminals. Not that being small is any protection; hackers can and do use tactics that can attack hundreds of thousands of websites at the same time, and the size of the website is completely irrelevant.

These kinds of attacks happen pretty much every day and can potentially leave millions of people vulnerable to ID theft. But don’t take my word for it. Check out the latest updates on security breaches in the Tech//404 Data Loss Archive. Or calculate what a security breach could cost your organization with the Tech//404 Data Loss Cost Calculator.

The calculator tool shows an "average"-sized security breach could cost an organization between $9 million and $14 million in legal bills, damage control and after-the-fact security application deployment. Even the biggest organizations can be crippled by these kinds of damages. Smaller ones would be put out of business overnight. Whether organizations are big or small, web application security needs to be taken seriously -- ideally in the development stage, before the application even goes "live".

Has your company's website undergone a web application security audit? Bad things happen to good websites all the time.

What Are Strangers Doing With All Of Your Information

Vaclav Vincalek — Fri, 27 Jun 2008 09:39:28 -0700

As I mentioned a little while ago on this blog (How Much Do You Cost?), online providers of email, storage and assorted business applications are in the business of knowing exactly what is stored on their system. For instance, the information you have stored in your Gmail and other Google applications is available for Google’s internal use.

Thanks to David Rubinstein for picking up on this threat to our privacy and allowing me a bit of a soapbox on SysManBlog, an excellent resource for IT system administration and data center managers. David quotes me as saying:

"When e-mail was new and organizations wanted to install e-mail systems, we offered to host them, but they wanted the server in their server room. The mentality that e-mail would be moved out of the office was unheard of….”

It's part of a larger trend. It's now quite common for organizations to store critical data in third-party web applications that would be awfully tempting to hackers and ID thieves using a little human intel to gain access to customer databases.This has been a very fast shift, and not just for business people using on-line applications like Salesforce.com.

At the extreme end of this trend, people are uploading their personal information to social media sites like Facebook and MySpace. They do this with the knowledge that these sites retain ownership of any information they upload and that any random visitor to a profile page.

Actually, the random visitors might not be a problem. But employers routinely snoop Facebook regarding potential job candidates (Stanford Daily). How about those tagged photos of you getting into shenanigans at your buddy's stag?

More disturbingly, predators use these sites to lure young victims. Cyber-bullies send threatening and anonymous messages. And of course, ID thieves and fraudsters mine a bonanza of personal information on these sites (TimesOnline).

You can't read a newspaper or magazine these days without a story about people's information and identities being tampered with. So why have most of us become so trusting in a short period of time? Is it because these applications are "free"? Is it the convenience? Or perhaps it is the need to share. This may be all it takes for us to give up control, ownership and privacy.

What’s The Difference Between a Drug Dealer and a Software Vendor?

Vaclav Vincalek — Fri, 20 Jun 2008 15:35:37 -0700

Less than you might think. Both businesses call their customers “users”. Both of them typically offer you a free trial of their product before you buy. And when it comes to guarantees of quality of the product, it’s definitely a case of buyer beware.

But at least drug dealers don't try to make their users sign a contract that looks like the standard software license agreement. Here's what it would look like:

“The drug is provided on an "AS IS" basis, without warranty of any kind, including, without limitation, the warranties of merchantability, fitness for a particular purpose and non- infringement. The entire risk as to the quality and performance of the drug is borne by You. Should the drug prove defective, You, not Vendor or its licensors, assume the entire cost of any service and repair…”

But here's the best part:

“UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, TORT, CONTRACT, OR OTHERWISE, SHALL VENDOR OR ITS LICENSORS BE LIABLE TO YOU OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR WORK STOPPAGE, OVERDOSE OR LOSS OF REVENUES, PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE OR ECONOMIC LOSSES…”

According to the real license agreement that every software buyer signs off on, the software vendor assumes no liability if their product is a piece of junk. Even if the product turns out to be so disruptive that it actually threatens to drive you out of business, don’t call them. It was your fault for buying their product.

No other industries get away with this. You would never buy a television or a car if the manufacturers and sellers told you up-front that if it doesn’t work, there’s no recourse.

Maybe software vendors think we’re all smoking something funny? They tell us that software is complicated. So is a car or an airplane. Isn't it time for users (aka customers) to expect better - at least from the software vendors? Would the technology industry be forced to listen, or would all of the users just be blowing smoke?