LATEST DEVELOPMENT IN IT AND E-COMMERCE SECURITY
By Sanjay Jha (70), Kevin Moses (80), Mohil Shrivastav (91), Nidhi Kumari (101), Pratik Nayak (111)
CONTENTS
1. INTRODUCTION
2. SECURITY THREAT
3. LATEST SECURITY ISSUES
4. PROPOSED RESEARCH WORK ON IT SECURITY
5. FEW LATEST TRENDS IN IT SECURITY
6. WAYS TO TACKLE SOME OF THE MOST RECENT IT SECURITY ISSUES
7. FEW LATEST TRENDS IN IT SECURITY
8. INTRODUCTION TO E-COMMERCE THREATS
9. SECURITY LEVELS AND E-COMMERCE SECURITY DEVELOPMENTS
10. TOOLS FOR DETECTING AND PREVENTING FRAUD TRANSACTIONS
11. KEEPING UP WITH THE LATEST THREATS
12. SUMMARY
13. REFERENCES
Introduction:
In business today, risk plays a critical role. Almost every business decision requires executives and managers to balance risk and reward. Effectively managing business risks is essential to an enterprise's success. Too often, IT risk (business risk related to the use of IT) is overlooked. Other business risks, such as market risk, credit risk and operational risk, have long been incorporated into corporate decision-making processes. IT risk has been relegated to technical specialists outside the boardroom, despite falling under the same 'umbrella' risk category as other business risks: failure to achieve strategic objectives.

As Internet use grows, more and more companies are opening their information systems to their partners and suppliers. It is therefore essential to know which of the company's resources need protecting, and to control access to the information system and the rights of its users. The same is true when opening company access on the Internet. Moreover, today's increasingly nomadic working style, which allows employees to connect to information systems from virtually anywhere, requires employees to carry a part of the information system outside the company's secure infrastructure.

Goals of IT security:
An information system is generally defined as all of a company's data together with the hardware and software resources that allow the company to store and circulate that data. Information systems are essential to companies and must be protected. IT security consists of ensuring that an organisation's hardware and software resources are used only for their intended purposes. IT security comprises five main goals:
• Integrity: guaranteeing that the data are what they are believed to be
• Confidentiality: ensuring that only authorised individuals have access to the resources being exchanged
• Availability: guaranteeing the information system's proper operation
• Non-repudiation: guaranteeing that an operation cannot be denied
• Authentication: ensuring that only authorised individuals have access to the resources
SECURITY THREAT:
A threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.
Security Assessment
Security Compass offers a broad range of information security assessment and remediation services to fit your needs. Our world-class consultants bring years of expertise and deep domain knowledge to all of our offerings.
• Application Runtime Security Assessment — As attackers increasingly focus on exploiting software vulnerabilities, insecure applications leave your data at risk. Allow Security Compass to test your applications from a hacker's perspective.
• Application Source Code Security Assessment — Find vulnerabilities in the underlying source code and know exactly what to fix. Source code review is one of the most cost-effective methods of finding vulnerabilities. Let our seasoned experts assess the security of your source. Fulfill PCI DSS Requirement 6.6.
• Threat Modelling — Analyze your application's design to find vulnerabilities before development. Prioritize source code reviews and penetration tests. We use our extensive experience in threat modelling to bring security to the early phases of development.
• SDLC Security — Looking for a holistic approach to building secure applications? We can help you enhance your existing software development life cycle — waterfall, agile, or proprietary — to include security.
• Network Security Assessments — With simple point-and-click tools attackers can own your network. How secure is your infrastructure? We'll assess your network with a combination of automated and manual techniques from the perspective of an expert hacker.
Other Enterprise Assessment Services:
• Wireless Assessment — Rogue access points and insecure wireless protocols anywhere in your facility can expose confidential data. We can help you determine if you have any wireless network risks.
• Policy Assessment — Information security governance is critical to compliance with standards like ISO 27002, COBIT, and others. Our security experts can assess your policies, procedures, standards, baselines, and guidelines for compliance with common standards.
LATEST SECURITY ISSUES
Top Cyber Security Risks - Vulnerability Exploitation Trends
• Vulnerability Exploitation Trends
• Origin and Destination Analysis for 4 Key Attacks
• Application vs. Operating System Patching
• Tutorial: HTTP Client-Side Exploitation Example
• Zero-Day Vulnerability Trends
• Best Practices in Mitigation and Control
• HTTP Server Threats
Application Vulnerabilities Exceed OS Vulnerabilities
During the last few years, the number of vulnerabilities being discovered in applications has been far greater than the number discovered in operating systems. As a result, more exploitation attempts are recorded against application programs. The most "popular" applications for exploitation tend to change over time, since the rationale for targeting a particular application often depends on factors like prevalence or the inability to patch it effectively. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.
Figure 1: Number of Vulnerabilities in Network, OS and Applications

Web Application Attacks
There appear to be two main avenues for exploiting and compromising web servers: brute-force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.

Windows: Conficker/Downadup
Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)

Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks being launched against Apple software. Note that QuickTime runs on both Mac and Windows operating systems.
The following vulnerabilities should be patched for any QuickTime installation: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957
Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)

Origin and Destination Analysis for Four Key Attacks
Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. To show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most, if not all, networks, and as such they should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap between these categories, the latter three being subsets of the first two. However, the trends that emerge from separating this data are worth pointing out.

The SQL Injection attacks that make up this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity". The most prominent "PHP Remote File Include" attack is one that looks for a very small HTTP request that includes a link to another website as a parameter and contains a very specific evasion technique used by a number of attacks to increase their reliability. Also of note is a very specific attack against the "Zeroboard PHP" application, the only single application that made the top attacks. The final type of attack included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, which remains a staple in the Server-Side HTTP category. HTTP connect tunnels are used for sending spam e-mail via misconfigured HTTP servers.
Looking at the breakdown by country we see that the United States is by far the major attack target for the Server-Side HTTP attack category (Figure 5).
Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)

For years, attack targets in the United States have presented greater value propositions for attackers, so this statistic comes as no surprise. An interesting spike in Server-Side HTTP attacks occurred in July 2009, due entirely to SQL Injection attacks using the SELECT command. Looking at the data, we saw a massive campaign from a range of IP addresses located at a very large Internet Service Provider (ISP). In this case, a number of machines at a single colocation site may all have been compromised through the same vulnerability because they were at the same patch level. In addition, a number of gambling sites took part in this attack, which peaked after hours on July Fourth, a major holiday in the United States.
Figure 6: Server-Side HTTP Attacks (last 6 months)

Finally, let's turn to the source of these HTTP Server-Side attacks (Figure 7).
Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)

Here we see the United States as by far the largest origin, a pattern that has continued for some time. In many cases we believe these to be compromised machines that are then being used for further nefarious purposes. The next four offenders on the HTTP Server-Side attacking countries list are Thailand, Taiwan, China, and the Republic of Korea. They also show up in other portions of this report, so this graph will be a useful reference when comparing some of the other attack categories and their relative magnitude.

The last six months have seen a lot of SQL Injection activity. Some typical patterns emerge, with the United States being both the top source of and the top destination for SQL Injection events. SQL Injection on the Internet can more or less be divided into two sub-categories: legitimate SQL Injection and malicious SQL Injection. Many web applications on the Internet still use "SQL Injection" for their normal functionality. It should be noted that this is only a difference in intent. The web applications that legitimately use SQL Injection are guaranteed to be vulnerable to the tools and techniques attackers use to perform malicious SQL Injection. The servers that house these applications may have a higher compromise rate, not only because they are known to be vulnerable, but also because defenders must distinguish legitimate from malicious injections in order to identify attacks.
Figure 8: SQL Injection Attacks by Destination Country (last 6 months)

Looking at the magnitude of these attacks broken down by month (Figure 9), we see the large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section. A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser who distributed code to many affiliates that used SQL injection as functionality. The application was quickly pulled, resulting in a large drop in events for the month of August.
Figure 9: SQL Injection Attacks (last 6 months)
The source distribution of many of these attacks is much more diverse than the destination. China is now the single largest source outside of the United States. Again, the overwhelming destination for these events is the United States (Figure 10).
Figure 10: SQL Injection Attacks by Source Country (last 6 months)

In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is due more to the popular understanding of the marketability of this data; they are not the only valuable data types that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.

Although "PHP File Include" attacks have been popular, we have seen a notable decline in their overall number. With the exception of a major attack originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March/May average. There are many ways to protect against these attacks. Apache configuration, input sanitization, and network security equipment are all very good at deterring them, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack (arbitrary PHP code is executed), attacks such as these are likely to remain popular for some time.
Figure 11: PHP Remote File Include Attacks (last 6 months)

Let us look at the sources of "PHP Remote File Include" attacks. A major attack campaign was launched out of Thailand in April, which caused Thailand to appear at number 1 in this list.
Figure 12: PHP Remote File Include Attacks by Source Country (last 6 months)

Cross Site Scripting (XSS) is one of the most prevalent bugs in today's web applications. Unfortunately, developers often fall into the trap of introducing XSS bugs while creating custom code that connects all of the diverse web technologies that are so prevalent in today's Web 2.0 world. Another very common "use" of XSS is by various advertisers' analytic systems. For example, an advertiser's banner might be embedded in a web page which is set up to reflect some JavaScript off the advertiser's HTTP server for tracking purposes. In this case, however, there is little risk because the site in question (usually) has full control over its own page, so the request to the advertiser is not generally malicious. It is the "reflection" attacks, along with attacks that leverage flaws in form data handling, that make up the vast majority of XSS attacks we have seen in the last six months.
Figure 13: XSS Attacks by Source Country (last 6 months)

Attacks sourced from the United States have been on a steady decline month-over-month. The Republic of Korea has seen a 50% reduction in the last 30 days. These two events, however, have been offset by a sudden 20% increase in the last 30 days in attacks from Australia. The other three major players, namely Hong Kong, China and Taiwan, have remained stable over the past three months in this category.

Application Patching is Much Slower than Operating System Patching
Qualys scanners collect anonymized data on detected vulnerabilities to capture the changing dynamics of the vulnerability assessment field. The data documents changes such as the decline of server-side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both in operating system components and in applications. A Top 30 ranking is often used to see whether major changes occur in the most frequently found vulnerabilities. Here is the ranking for the first half of 2009, edited to remove irrelevant data points such as 0-day vulnerabilities.
Figure 14: Microsoft OS Vulnerabilities

But at least half of the vulnerabilities in the list, primarily vulnerabilities found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats. The following graphs plot the number of vulnerabilities detected for Microsoft Office and Adobe Reader, normalized to the maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection rates occur during weekends, when scanning focuses on servers rather than desktop machines and the detection rates of vulnerabilities related to desktop software fall accordingly.
Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles

Attackers have long picked up on this opportunity and have switched to different types of attacks to take advantage of these vulnerabilities, using social engineering techniques to lure end-users into opening documents received by e-mail, or infecting websites with links to documents that have attacks for these vulnerabilities embedded. These infected documents are not only placed on popular web sites with large numbers of visitors, but increasingly target the "long tail": the thousands of specialized websites that have smaller but very faithful audiences. By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours. Attacks using PDF vulnerabilities saw a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method to gain control of a machine. Adobe Flash has similar problems with the application of its updates: there are four Flash vulnerabilities in our Top 30 list that date back as far as 2007:
Figure 16: Flash Vulnerabilities

Flash presents additional challenges: it does not have its own automatic update mechanism, and Internet Explorer must be patched in a separate step from other browsers. For users with more than one browser installed, it is quite easy to fail to close Flash vulnerabilities completely and to remain vulnerable without knowing it. Another software family that is high on the Top 30 list is Java, which is widely installed for running Java applets in the common browsers and, increasingly, for normal applications. Its patch cycle is quite slow, with the total number of vulnerabilities actually increasing as the introduction of new vulnerabilities outweighs the effect of patching. Java has the additional problem that, until recently, new versions did not uninstall the older code but only pointed default execution paths to the new, fixed version; attack code could be engineered to take advantage of the well-known paths and continue to use older, vulnerable Java engines.
Figure 17: Sun Java Vulnerabilities
Zero-Day Vulnerability Trends
A zero-day vulnerability occurs when a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available. Once a working exploit of the vulnerability has been released into the wild, users of the affected software will continue to be compromised until a software patch is available or some form of mitigation is taken by the user. "File format vulnerabilities" continue to be the first choice of attackers for zero-day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available "fuzzing" frameworks make it easier to find these flaws. The vulnerabilities are often found in third-party add-ons to these popular and widespread software suites, making the patching process more complex and increasing their potential value to attackers. The notable zero-day vulnerabilities during the past 6 months were:
• Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
• Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
• Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
• Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
• Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
• Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)
The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the number of people world-wide with the skills to discover vulnerabilities. This is evidenced by the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple sources. For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted the remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches to auditing for and finding the same vulnerability. The implication of increasing duplicate discoveries is fairly alarming, in that the main mitigation for vulnerabilities of this type is patching, which is an invalid strategy for protecting against zero-day exploits. There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit. Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch.
Proposed Research Work on IT Security
RE: Trends in Security
I am writing a proposal for reconsidering hardware controls over software controls, when such controls can be made practical and usable. We need to return to the discussions of the early 1980's, because we are now seeing so many targeted viruses in environments that cannot keep track of all changes to their code. We need to ask operating systems vendors to harden and stabilize their code, with a goal of eventually having parts that will never need to change again. We need hardware manufacturers to synchronize with the operating systems vendors, to make sure that a common set of device drivers can be permanent, and that new features will be added that are segregated/apart from the unchanging base. We need software that maintains its layer integrity and reliably fixes itself to its own work area. We need a temporary work area and data area strategy that can be applied across platforms, but keeps software and data separate and verifiable as secure. We need to be able to reinstall software from scratch easily, so as to eliminate unaccountable invading malware apart from a base of accountable software. And then, we need to use the EPROM to PROM strategy to fix a stable base of software as a solid unchangeable base. This last part is what I am proposing as the new solution to keep viruses from invading online systems. Software, as long as it is changeable, is subject to viruses, but once it can be fixed in place, then progress in anti-virus strategies can again go forward. With some AV packages catching only 18% of the malware, strategies from the 1980's should again be considered.

Data Leak Prevention:
Data leak prevention (DLP) is a suite of technologies aimed at stemming the loss of sensitive information that occurs in enterprises across the globe. By focusing on the location, classification and monitoring of information at rest, in use and in motion, this solution can go far in helping an enterprise get a handle on what information it has, and in stopping the numerous leaks of information that occur each day. DLP is not a plug-and-play solution. The successful implementation of this technology requires significant preparation and diligent ongoing maintenance. Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can greatly reduce risk to the organization. Those implementing the solution must take a strategic approach that addresses risks, impacts and mitigation steps, along with appropriate governance and assurance measures.
WAYS TO TACKLE SOME OF THE MOST RECENT IT SECURITY ISSUES
1. Session Replication
Load balancing is a must-have for applications with a large user base. While serving static content this way is relatively easy, challenges start to arise when your application maintains state information across multiple requests. There are many ways to tackle session replication; here are some of the most common:
• Allow the client to maintain state so that servers don't have to
• Persist state data in the database rather than in server memory
• Use the application server's built-in session replication technology
• Use third-party products, such as Terracotta
• Tie each session to a particular server by modifying the session cookie

Of these, maintaining state on the client is often the easiest to implement. Unfortunately, this single decision is often one of the most serious you can make for the security of any client-server application. The reason is that clients can modify any data that they send to you. Inevitably, some of the state data shouldn't be modifiable by an end user, such as the price of a product, user permissions, etc. Without sufficient safeguards, client-side state can leave your application open to parameter manipulation at every transaction. Luckily, some frameworks provide protection in the form of client-side state encryption; however, as we've seen with the recent padding oracle attacks, this method isn't always foolproof and can leave you with a false sense of security. Another technique involves hashing and signing read-only state data (i.e. the parameters that the client shouldn't modify); however, deciding which parameters should be modifiable and which shouldn't can be particularly time consuming, often to the point that developers ignore it altogether when deadlines become pressing. If you have the choice, elect to maintain state on the server and use one of the many techniques at your disposal to handle session replication.
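As an added illustration (not code from the original text or from any product mentioned in it), the following Python shows the hash-and-sign approach for read-only client-side state: the server appends an HMAC to the serialised parameters, and a copy whose price field has been edited on the client no longer verifies. The key, the field names and the tamper_price helper are constructed for this demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real deployment loads this from a secret store,
# never from source code.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialise(state: dict) -> bytes:
    # Canonical JSON so the same dict always yields the same bytes to sign.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def sign_state(read_only: dict, key: bytes = DEMO_KEY) -> str:
    """Serialise read-only state and append an HMAC-SHA256 tag.

    The client can still read the fields (this gives integrity, not
    confidentiality), but cannot change one without invalidating the tag.
    """
    payload = _serialise(read_only)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(tag)


def verify_state(token: str, key: bytes = DEMO_KEY):
    """Return the state dict if the tag verifies, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token: treat exactly like a bad signature
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        state = json.loads(payload)
    except ValueError:
        return None
    return state if isinstance(state, dict) else None


def tamper_price(token: str, new_price: str) -> str:
    """Model the client-side edit the text warns about: rewrite the price
    field but keep the server's original tag (constructed for the demo)."""
    payload_b64, tag_b64 = token.split(".", 1)
    state = json.loads(_b64decode(payload_b64))
    state["price"] = new_price
    return _b64encode(_serialise(state)) + "." + tag_b64


def checkout_total(token: str, quantity: int):
    """Server side: compute a total only from state that verifies."""
    state = verify_state(token)
    if state is None:
        return None
    return round(float(state["price"]) * quantity, 2)
```

Signing protects only the fields inside the signed payload; anything the client is meant to change must be validated separately on the server.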
2. Authorization Context
Many senior developers and architects we've spoken to understand that authorization is a challenging topic. Enterprise applications often perform a basic level of authorization: ensuring that the user has sufficient access rights to view a certain page. The problem is that authorization is a multi-layer, domain-specific problem that you can't easily delegate to the application server or access management tools. For example, an accounting application user has access to the "accounts payable" module, but there's no server-side check of which accounts the user should be able to issue payments for. Often the code that has sufficient context to see a list of available accounts is so deep in the call stack that it doesn't have any information about the end user. The workarounds are often ugly: for example, tightly coupling presentation and business logic so that the application checks the list of accounts in a view page, where it does have context information about the end user. A more elegant solution is to anticipate the need for authorization far into the call stack and design appropriately. In some cases this means explicitly passing user context several layers deeper than you normally would; other approaches include some type of session- or thread-specific lookup mechanism that allows any code to access session-related data. The key is to think about this problem upfront so that you don't waste unnecessary time down the road trying to hack together a solution. See our pattern-level security analysis of Application Controller for more details on this idea.
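The following Python is an added example, not from the original text, of the session- or thread-specific lookup approach: the controller binds the user to a request-scoped contextvars.ContextVar, and a repository-level function several calls deeper enforces the per-account rule without the user being threaded through every signature. The User class, account ids and in-memory ledger are constructed for the demo.

```python
from contextvars import ContextVar
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    """Constructed user model: name plus the accounts this user may pay from."""
    name: str
    payable_accounts: frozenset = field(default_factory=frozenset)


# Request-scoped lookup: bound once at the controller boundary, readable from
# any depth of the call stack underneath it (each request gets its own value).
_current_user: ContextVar = ContextVar("current_user")


def current_user() -> User:
    try:
        return _current_user.get()
    except LookupError:
        # Fail closed: code running outside a request has no user and no access.
        raise PermissionError("no authenticated user bound to this context")


def require_payable(account_id: str) -> None:
    """Domain-specific check: the per-account rule the text says is usually missing."""
    user = current_user()
    if account_id not in user.payable_accounts:
        raise PermissionError(f"{user.name} may not issue payments for {account_id}")


# --- repository layer: signature carries no user argument ---------------------
_ledger: dict = {}  # constructed in-memory stand-in for the database


def post_payment(account_id: str, amount: float) -> float:
    require_payable(account_id)  # authorization at the point where data is touched
    _ledger[account_id] = round(_ledger.get(account_id, 0.0) + amount, 2)
    return _ledger[account_id]


# --- service layer: also user-agnostic ----------------------------------------
def issue_payment(account_id: str, amount: float) -> float:
    if amount <= 0:
        raise ValueError("amount must be positive")
    return post_payment(account_id, amount)


# --- controller boundary: the only place that knows about the session ----------
def handle_payment_request(user: User, account_id: str, amount: float) -> float:
    token = _current_user.set(user)
    try:
        return issue_payment(account_id, amount)
    finally:
        _current_user.reset(token)  # never let one request's user leak into the next
```

In a threaded or async server the same pattern needs the context set per request (contextvars does this for asyncio tasks; thread pools need an explicit set/reset per job, as above).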
3. Tags vs. Code in Views
Over the years, most web application development frameworks have made it practical to code entire views/server pages completely with tags; .NET's ASPX and Java's JSF pages are examples of this. Building exclusively with tags can sometimes be frustrating when you need to quickly add functionality inside a view and you don't have a ready-made tag for that function at your disposal. Some architects and lead developers impose a strict rule that all views must be composed entirely of tags; others are more liberal in their approach. Inevitably, the applications that allow developers to write in-line code (e.g. PHP, classic ASP, or scriptlets in Java) have an incredibly tough time eradicating Cross Site Scripting. Rather than augmenting tags with output encoding, developers need to manually escape every form of output in every view. A single decision can lead to tedious, error-prone work for years to come. If you do elect to offer the flexibility of one-off coding, make sure you use static analysis tools to find potential exposures as early as possible.

4. Choice of Development Framework
Call us biased, but we really believe that the framework you choose will dramatically affect the speed at which you can prevent and remediate security vulnerabilities. Building anti-CSRF controls in Django is a matter of adding "@csrf_protect" to your view method. In most Java frameworks you need to build your own solution or use a third-party library such as OWASP's CSRFGuard. Generally speaking, the more security features built into the framework, the less time you have to spend adding these features to your own code or trying to integrate third-party components. Choosing a development framework that takes security seriously will lead to savings down the road. The Secure Web Application Framework Manifesto is an OWASP project designed to help you make that decision.
5. Logging and Monitoring Approach
Most web applications implement some level of diagnostic logging. From a design perspective, however, it is important to leverage logging as a measure of self-defense rather than purely from a debugging standpoint. The ability to detect failures and retrace steps can go a long way towards first spotting and then diagnosing a breach. We've found that security-specific application logging is not standardized and, as a result, any security-relevant application logging tends to be done inconsistently. When designing your logging strategy, we highly recommend differentiating security events from debugging or standard error events to expedite the investigative process in the event of compromise. We also recommend using standard error codes for security events in order to facilitate monitoring. OWASP's ESAPI logging allows event types to distinguish security events from regular logging events. The AppSensor project allows you to implement intrusion detection and automated responses in your application.
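An added example (not the page's own code, and not ESAPI's or AppSensor's API) of the logging design recommended above, in Python: security events are written as one-line JSON records with standard event codes to a logger separate from debug output, and a monitor parses such lines to flag repeated authentication failures from one user/IP pair inside a time window. The SEC-* codes, the sample lines and the thresholds are constructed.

```python
import json
import logging
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Standard security event codes (constructed for this example).
AUTH_FAILURE = "SEC-1001"
AUTH_SUCCESS = "SEC-1002"
ACCESS_DENIED = "SEC-2001"
INPUT_VALIDATION_FAILURE = "SEC-3001"

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# A dedicated logger keeps security events out of the debug/error stream so
# they can be routed to their own sink and monitored separately.
security_log = logging.getLogger("app.security")
security_log.setLevel(logging.INFO)


def format_security_event(code, user, source_ip, detail="", when=None):
    """One JSON record per line: parseable fields rather than free text."""
    when = when or datetime.now(timezone.utc)
    record = {"ts": when.strftime(TS_FMT), "event": code, "user": user,
              "ip": source_ip, "detail": detail}
    return json.dumps(record, sort_keys=True)


def log_security_event(code, user, source_ip, detail=""):
    line = format_security_event(code, user, source_ip, detail)
    security_log.warning(line)
    return line


def parse_event(line):
    """Return the record for a security line, or None for any other log line."""
    line = line.strip()
    if not (line.startswith("{") and line.endswith("}")):
        return None
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return rec if isinstance(rec, dict) and "event" in rec else None


def flag_auth_failures(lines, window_seconds=300, threshold=5):
    """Return {(user, ip): n} where n >= threshold AUTH_FAILURE events from the
    same user/IP pair fall inside one sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec is None or rec.get("event") != AUTH_FAILURE:
            continue
        stamps[(rec["user"], rec["ip"])].append(datetime.strptime(rec["ts"], TS_FMT))
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[key] = max(flagged.get(key, 0), n)
    return flagged


# Constructed sample stream: five failures for "bob" ten seconds apart, one
# unrelated debug line, and a successful login for "alice".
_base = datetime(2009, 7, 4, 22, 0, 0)
SAMPLE_LINES = [
    format_security_event(AUTH_FAILURE, "bob", "203.0.113.7", "bad password",
                          _base + timedelta(seconds=10 * i))
    for i in range(5)
] + [
    "DEBUG app.views: rendering accounts page for alice",
    format_security_event(AUTH_SUCCESS, "alice", "198.51.100.2", "",
                          _base + timedelta(minutes=1)),
]
```

In production the "app.security" logger would get its own handler (file, syslog or SIEM forwarder) so the monitor reads a stream containing only these records.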
Few latest trends in IT security:
Web 2.0: What isn't Web will become Web
I was consulting for a customer a few weeks ago, and the company's developers asked me to perform a security review of a new database application. I found the normal SDL (security design lifecycle) bugs, but I was more concerned that the team was using a traditional programming language for the code -- with absolutely no Web interface. I brought up this point along with my normal review findings. The programmers' answer was that the Web wasn't right for all applications, and performance-wise, their software outperformed Web apps by a factor of 3 to 1. I agreed with the latter point but strongly disagreed with the former. Yes, the Web isn't the best choice for all applications in a world where we can design programs in a stand-alone box or without consideration for the rest of the infrastructure -- but we can't. The whole world is going Web 2.0. Nearly every app is going Web 2.0. What isn't Webified today will be tomorrow. The future consumer will expect to be able to access your app through a Web browser or as a Web service, no matter what type of computer they're using -- PC, smartphone, tablet, and so on. Separate interfaces and VPNs won't cut the mustard. If your app isn't easily available on the Web, it won't be used or will eventually be phased out or recoded. The writing is on the wall. Programmers, take note. I don't mean that the app should simply be available on the Web -- you can't merely offer it as a Web-based app, especially if the app itself isn't Web-based. That will work for the short and midterm, but not in the long run. Today's traditional virtualization technologies, non-Web VPNs, and application gateways are short-term shims. In the future, for the app to survive, it must be Webified to its core. I may agree with you that the app is faster and performs better when not accessed using a Web interface, but it doesn't matter. 
Virtualization & private cloud security: EMC is a leader and visionary in how companies today, and in the future, migrate from physical to virtual services, and in how the cloud will change the fundamental premise and business model of information services. (RSA here refers to RSA, the security division of EMC, and not to the RSA public-key algorithm named after Rivest, Shamir and Adleman, which was the first algorithm known to be suitable for signing as well as encryption and one of the first great advances in public-key cryptography.) The inherent value of virtualization in today's IT infrastructure, combined with economic pressures and the resulting impact on resources and budget, is accelerating many companies' plans to virtualize their environments.
We can help companies accelerate the benefits of virtualization and their journey to the private cloud by identifying new benefits while mitigating the security concerns that arise from virtualization technologies. The RSA Security Practice of EMC Consulting, leveraging RSA's security expertise and EMC's leadership in virtualization and cloud, offers broad-based security assessments for virtualized environments and new services to secure Virtual Desktop Infrastructures. It leverages RSA best practices and established safeguards to help build secure virtualized and private cloud environments through technology, policy and program development.
Our security consulting services for Virtualization and Private Cloud Security include:
- Security Assessment for Virtualized Environments: We help customers understand the security posture of their virtualized infrastructure and establish optimum plans to achieve policy or compliance objectives without compromising the value of virtualization technology. These services establish virtualization security policies, and management and technology plans that support both virtualization and security objectives.
- Securing Virtual Desktop Infrastructure: Our clients are beginning to exploit the advantages of virtualization at the endpoint, realizing significant capital expense reductions, improved operational cost advantages and, equally important, increased security of critical data at the desktop. Too often, the lack of endpoint security controls results in information risk. We help our clients apply Virtual Desktop technology in a secure fashion to mitigate this risk while accelerating the overall value of virtualization to the enterprise. RSA Professional Services apply a range of authentication, data protection, and security event management solutions in virtualized environments to accelerate the return on investment of this technology while maintaining the appropriate security controls and posture. Our services span every aspect of design, implementation, optimization and lifecycle use of RSA solutions such as SecurID, DLP Suite and enVision, in conjunction with our knowledge of virtualization technologies, to ensure our clients benefit from their investment.
Token protection: The Web and all the cloud iterations (private, public, b-to-b, hybrid, and more) will require that you bring single sign-on to everything in computing, even though it has never functioned 100 percent reliably within a private network. Users will want full-range access through one logon name and password or logon token. As such, you will be asked to make that happen, even between systems you don't control. You'll do this by using Web-based federation standards, cloud gateways, and claims-based identity metasystems. Instead of worrying about authentication protocols and password hashes, you'll be protecting XML-based SAML (Security Assertion Markup Language) tokens. Protecting them means more than carrying them over TLS: the receiving service must verify each assertion's signature against the trusted issuer's key and enforce its audience and validity-window conditions every time, or a token captured from, or issued for, one service can be replayed against another. If you're not sure what all this is, visit identityblog.com for introductory material.
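As an added example of what protecting a SAML token involves on the receiving side (example code written for this page, not from the original report or from any federation product), the Python function below enforces the checks a service provider must make on every assertion it receives: a trusted issuer, a signature element present, the NotBefore/NotOnOrAfter window with a small clock-skew allowance, an audience restriction naming this service provider, and a one-time assertion ID to stop replay. The assertion, issuer, entity IDs and the fixed clock are constructed for the example. Cryptographic verification of the XML signature is deliberately left to a dedicated XML-DSig library (for example python3-saml or xmlsec) and must succeed before any of these checks are trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values for the example (not real endpoints or a real token).
TRUSTED_IDP = "https://idp.example.net/metadata"
MY_ENTITY_ID = "https://shop.example.com/sp"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)

# The <ds:Signature> element is a placeholder for the XML-DSig block an IdP emits.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.net/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://shop.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


class AssertionRejected(Exception):
    pass


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_issuer: str, my_entity_id: str,
                       seen_ids: set, now: datetime,
                       clock_skew: timedelta = timedelta(seconds=60)) -> str:
    """Enforce the conditions a service provider must check on every assertion.
    Returns the NameID on success and raises AssertionRejected otherwise.
    NOTE: the XML signature itself is not verified here; do that with an
    XML-DSig library first. This function only refuses unsigned assertions."""
    a = ET.fromstring(xml_text.strip())
    if a.tag != f"{{{NS['saml']}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 assertion")
    if a.find("ds:Signature", NS) is None:
        raise AssertionRejected("unsigned assertion")
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before or now - clock_skew >= not_on_or_after:
        raise AssertionRejected("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include this SP")
    assertion_id = a.get("ID")
    if assertion_id in seen_ids:
        raise AssertionRejected("replayed assertion ID")
    seen_ids.add(assertion_id)       # keep at least until NotOnOrAfter has passed
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def check(xml_text, trusted_issuer, my_entity_id, seen_ids, now):
    """Convenience wrapper: the NameID, or None if the assertion is rejected."""
    try:
        return validate_assertion(xml_text, trusted_issuer, my_entity_id, seen_ids, now)
    except AssertionRejected:
        return None
```

The audience check is the one most often skipped in practice; without it an assertion the identity provider issued for one relying party is accepted by every other relying party that trusts the same issuer.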
Code obfuscation: Software is said to be tamper-resistant when it contains measures to make reverse engineering harder, or to prevent a user from modifying it against the manufacturer's wishes (removing a restriction on how it can be used, for example). One commonly used method is code obfuscation. However, effective tamper resistance in software is much harder to achieve than in hardware, because the software environment can be manipulated to a near-arbitrary extent through emulation. If implemented, trusted computing would make tampering with protected programs at least as difficult as hardware tampering, since the user would have to compromise the trust chip into giving false certifications in order to bypass remote attestation and sealed storage. However, the current specification makes it clear that the chip is not expected to be tamper-proof against any reasonably sophisticated physical attack; that is, it is not intended to be as secure as a tamper-resistant device. A side effect of this is that software maintenance becomes more complex, because software updates need to be validated, and errors in the upgrade process may lead to a false-positive triggering of the protection mechanism.
Introduction to E-commerce threats:
In spite of a weak economy, one business segment, eCommerce, has continued to experience significant growth. In 2009, eCommerce sales grew by 5.5%, to $205 billion. According to Javelin Strategy & Research, online retail sales are expected to increase by another 13% in 2010. Although eCommerce fraud rates have stabilized in recent years due, in part, to retailers' increased vigilance, in 2009 merchants still lost $3.3 billion to online fraud. The sustained growth of eCommerce continues to attract criminals who continuously develop new schemes to defraud merchants and their customers. These cyberthieves persist in devising increasingly sophisticated ways to steal personal account information from merchants, and to accumulate goods, services, and quasi-cash through unauthorized use of that information at merchant Web sites. According to mobile marketing experts Mobi Thinking, there are 5.3 billion mobile subscribers, 77 percent of the world's population. As mobile phone applications are further developed and used across multiple forms of commerce, criminals will continue to enter this space. The security of electronic commerce is a particularly acute issue in an era of rapid growth of trade on the Internet with the participation of the relevant organizations. The penetration of criminal elements into the systems and networks of credit institutions and banks, that is, computer crime, is a serious threat to the normal functioning of the economy, and the same applies to e-commerce. The security problems of business information in electronic business are so extensive, and the methods and technologies so numerous, that they could fill the program of a specialized conference. Information technology is one of the most important influences on the formation of modern society.
Security Levels:
The security of e-commerce depends on the development of appropriate legislation and other normative and technical documents. Evaluation of commercial security in the IT sector occupies a special place; standardization allows for comparative analysis and assessment. Security measures for effective protection of commerce on the Internet should be implemented at four levels:
- the legislative level
- the administrative level
- the procedural level
- the software and hardware levels
A national regulatory framework has to be consistent with international practice at the present stage of economic development. National standards and certification standards have to be brought into line with international levels of development of information technology, as well as with effective evaluation criteria, to ensure e-commerce security.
E-commerce security developments:
- Internet Identity: Internet Identity, currently referred to as IID, is a privately held Internet security company based in Tacoma, Washington. It primarily provides anti-phishing, malware and domain control security services to financial service firms, e-commerce, social networking and Internet Service Provider (ISP) companies. Microsoft uses IID as a data feed for its anti-phishing software as well as a partner in its Domain Defense Program. Other publicly mentioned customers include BECU (Boeing Employees' Credit Union), Monster.com and Yakima Valley Credit Union.
- IBM WebSphere Commerce: IBM WebSphere Commerce is a software platform framework for e-commerce, including marketing, sales, customer and order processing functionality in a tailorable, integrated package. It is a single, unified platform which offers the ability to do business directly with consumers (B2C), with businesses (B2B), indirectly through channel partners (indirect business models), or all of these simultaneously. WebSphere Commerce is a customizable, scalable and high-availability solution built on the Java EE platform using open standards such as XML and Web services.
- Bitcoin: Bitcoin is a digital currency created in 2009, based mainly on a self-published paper by Satoshi Nakamoto. Bitcoin enables rapid payments (and micropayments) at very low cost, and avoids the need for central authorities and issuers. Digitally signed transactions, in which one node signs over some amount of the currency to another node, are broadcast to all nodes in a peer-to-peer network. A proof-of-work system serves both as a countermeasure against double-spending and as the initial currency distribution mechanism.
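To make the last two sentences of the Bitcoin entry concrete, here is an added toy example (written for this page; it is not Bitcoin's code and it omits transaction signatures, networking and difficulty adjustment) in Python: each block commits to its transactions and to the previous block's hash, a nonce must be found so that the block hash falls under a target, and rewriting an already-mined transaction breaks both that proof of work and the next block's link. The difficulty, the transactions and the names are made up for the example.

```python
import hashlib
import json

DIFFICULTY_BITS = 14     # leading zero bits a block hash must have (toy value)
GENESIS_PREV = "0" * 64


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    """Hash of a block's contents; any change to a transaction changes it."""
    payload = json.dumps({"prev": prev_hash, "tx": transactions, "nonce": nonce},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(h: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True if the top `bits` bits of the 256-bit hash are zero."""
    return int(h, 16) >> (256 - bits) == 0


def mine(prev_hash: str, transactions: list, bits: int = DIFFICULTY_BITS) -> dict:
    """Proof of work: search for a nonce that brings the hash under the target."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, transactions, nonce), bits):
        nonce += 1
    return {"prev": prev_hash, "tx": transactions, "nonce": nonce}


def verify_chain(chain: list, bits: int = DIFFICULTY_BITS) -> bool:
    """What every node re-checks: each block links to the previous block's hash
    and carries a valid proof of work. Cheap to verify, expensive to forge."""
    prev = GENESIS_PREV
    for blk in chain:
        if blk["prev"] != prev:
            return False
        h = block_hash(blk["prev"], blk["tx"], blk["nonce"])
        if not meets_target(h, bits):
            return False
        prev = h
    return True


def build_demo_chain() -> list:
    """Constructed ledger: a coinbase payment to alice, then alice pays bob."""
    genesis = mine(GENESIS_PREV, [{"from": "coinbase", "to": "alice", "amount": 50}])
    g_hash = block_hash(genesis["prev"], genesis["tx"], genesis["nonce"])
    second = mine(g_hash, [{"from": "alice", "to": "bob", "amount": 10}])
    return [genesis, second]


def rewrite_history(chain: list) -> bool:
    """Double-spend attempt: change who received the first payment after the
    block was mined. Returns whether the altered chain still verifies."""
    forged = json.loads(json.dumps(chain))          # deep copy
    forged[0]["tx"][0]["to"] = "mallory"
    return verify_chain(forged)


if __name__ == "__main__":
    chain = build_demo_chain()
    print("valid chain:", verify_chain(chain))
    print("after rewriting history:", rewrite_history(chain))
```

The attacker who alters an old block must redo its proof of work and that of every later block, and must do so faster than the honest network extends the chain; that cost, not the hash linkage alone, is what makes double-spending impractical.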
- GEMs (Guaranteed Electronic Markets): For e-commerce to thrive, besides security, new methods and new businesses are required. One new method is the one described by Wingham Rowan in his BBC report: GEMs (Guaranteed Electronic Markets), one centralized shop for everything that is secure, controls product cost and quality, reduces the business cost of e-marketing, and provides the utmost customer satisfaction. This could be run by a private player or a government agency, in agreement with a standards authority and financial agencies. The standards authority will be responsible for approving the cost and quality of the product or service before it is allowed to be sold at the GEM.
The customer has to be a registered user of the GEM; to enhance customer data security, GEMs can provide kiosks or tie up with ISPs to allow access to the GEM. More e-commerce revenue can be generated by providing better and new services. Here in India, I can call the grocery shop and ask for the items to be delivered at home. The vegetable shop owner keeps a mobile phone, and fresh vegetables are delivered at home on call. The online grocery shop (with pickup or home delivery options) can save time for a garden walk, the gym, a movie, or more time at work without worrying about home chores. Can IPv6 fill the fridge or buy detergent? The consumer wants instant service; it is faster to pick up an article from the nearby store. How about placing an order just before leaving the office or going to a club, and picking up the bag on the way or getting it delivered at home? Payment is done online when the order is placed; the customer must trust the provider for the best. More employment: home delivery persons, store employees to take the online orders and fill the bag, e-education for consumers and employees.
- Payment Card Industry Data Security Standard: One of an eCommerce business's primary responsibilities related to data security and fraud management is the requirement to comply with the Payment Card Industry Data Security Standard (PCI-DSS), a set of obligations mandated by the card networks to help protect consumers' personal information. These PCI requirements pertain to how cardholder data is stored, accessed, and handled by a business. Organizations that store account information are required to certify that they are in compliance with PCI standards. This certification process, which must be repeated periodically, can be expensive and time-consuming. Large numbers of small- and medium-sized merchants are somewhat bewildered by PCI compliance, according to a July 2009 survey conducted by ControlScan, the National Retail Federation and the PCI Knowledge Base. "The standard is meant to keep their customers' data safer but understanding it has proven difficult for small merchants," asserts the group's research report. Fortunately, there are services and solutions available to help eCommerce merchants both avoid data breaches and achieve cost-effective PCI compliance. These services assess the overall cardholder data environment, recommend ways to minimize compliance costs, protect transmitted data, and conduct annual audits to maintain compliance. Data security and PCI compliance services are often available from payment processors, and these services can be well worth the investment. Large payment processing companies handle enormous amounts of personal data, and they must maintain the highest standards of compliance to stay in business. Outsourcing data security to organizations equipped to manage it can reduce the cost and burden of maintaining PCI compliance certification. PCI-DSS compliance is one important step toward maintaining secure eCommerce operations. According to a recent study, retailers that experienced a data breach were 50 percent less likely to be PCI compliant than the overall merchant population. However, it is important to note that PCI-DSS is focused on protecting the cardholder data a merchant stores, processes or transmits from being compromised. Complying with PCI-DSS does not prevent identity thieves from using data already compromised from another source. While providing a more secure transaction environment and helping to reduce the overall quantity of stolen card data in circulation, compliance with PCI-DSS does not protect the merchant from accepting potentially fraudulent transactions at checkout.
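One concrete handling requirement behind PCI-DSS is that a merchant's own systems must not leak cardholder data into places such as application logs: a displayed PAN may show at most the first six and last four digits, and sensitive authentication data such as the card verification code may not be stored after authorization. The following is an added example written for this page (not from the original report or from any PCI tool): a Python scrubber that finds candidate card numbers in log lines, keeps only Luhn-valid ones so that order numbers are not masked by mistake, masks them, and redacts CVV-style fields. The log lines are constructed and use the well-known 4111 1111 1111 1111 test number; the field names in the redaction pattern are assumptions.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs (order IDs, timestamps)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Hypothetical field names for sensitive authentication data in key=value logs.
_SENSITIVE_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|track[12]?|pin)\s*[=:]\s*\S+")


def mask_pan(pan_digits: str) -> str:
    """Display form allowed by PCI-DSS: first six and last four digits at most."""
    return pan_digits[:6] + "*" * (len(pan_digits) - 10) + pan_digits[-4:]


def scrub_line(line: str) -> str:
    """Mask every Luhn-valid PAN and redact sensitive authentication fields."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)        # not a card number; leave it alone
        return mask_pan(digits)
    line = _PAN_CANDIDATE.sub(repl, line)
    # CVV/CVC, PIN and track data must never be kept at all, so they are
    # redacted entirely rather than masked.
    return _SENSITIVE_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)


# Constructed sample log lines. The first carries a real (test) PAN and a CVV;
# the second carries a 16-digit number that fails the Luhn check, so it is left.
SAMPLE_LOG = [
    "2024-01-01T12:00:01Z INFO checkout order=98765432109876 pan=4111111111111111 cvv=123 amount=49.90",
    "2024-01-01T12:00:02Z INFO checkout order=98765432109877 pan=4111 1111 1111 1112 amount=12.00",
]


def scrub(lines):
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for line in scrub(SAMPLE_LOG):
        print(line)
```

Run this kind of scrubber at the log handler, before the record is written, rather than over files afterwards; once a PAN has been written to disk, that log store is itself inside the cardholder data environment and subject to the full standard.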
Tools for Detecting and Preventing Fraud Transactions
Because of the risk inherent in a card-not-present (CNP) transaction environment, many merchants have attempted to develop comprehensive strategies for detecting and preventing fraud. With the right tools and technologies, merchants can apply these strategies to safely conduct business online without simply accepting fraud as a "cost of doing business." Until recently, many of the best risk assessment and fraud management solutions were designed and targeted only towards larger merchants, even though merchants of all sizes are equally vulnerable. In fact, merchants with smaller sales volumes can be at even greater risk due to relative inexperience in fraud detection and a lack of dedicated fraud management resources. Fortunately, powerful tools and technologies for fraud management are now available, and affordable, for merchants of all sizes.
With these technologies, eCommerce merchants have the opportunity to implement fraud management programs using any or all of these three key functions:
1. Automated transactional risk scoring
Specific logic and settings can help to distinguish normal purchase behavior from risky transactions. Fraud risk is calculated from multiple data factors and assigned a numerical score for each transaction. The scores, which serve as relative risk indicators, determine the "next steps" for that transaction according to a merchant's preferred operating procedures.
2. Real-time categorizing and resolution
Transactions with risk scores exceeding certain thresholds, determined by either the merchant or the fraud solution provider, can be automatically placed into different categories for further action. Generally, a transaction is either immediately accepted or rejected, but it can also be flagged for manual review if it falls somewhere between those two categories. Depending on the fraud solution provider, this categorization process may require manual efforts to synchronize with the authorization, settlement, and fulfillment procedures. Fortunately, some providers allow the fraud service to operate "in-line" with the payment authorization flow, requiring minimal intervention by the merchant and streamlining business processes.
3. Post-purchase transaction management
Optimal fraud service offerings should also include an interface for reviewing transactions that fall between the "accept" and "reject" thresholds, so that members of the merchant's staff can determine the appropriate action on a transaction from a single dashboard. The dashboard can include multiple tools and features to assist merchants not only with the initial resolution of a transaction, but also with follow-up activities such as reporting and performance analysis.
It is important to note that the life cycle of fraud management does not begin and end simply with the purchase attempt. In order to continue proactively handling fraud attempts (as well as to resolve chargebacks and disputes efficiently), merchants need a database that can maintain detailed records and be used to understand transaction trending over an extended period of time.
Re-presenting and resolving fraudulent chargebacks can be a complex and time-consuming effort. Dashboards like the ones mentioned above can help easily extract details about a transaction to help win re-presentment attempts. Some fraud solution providers will outsource transaction review and chargeback re-presentment efforts for an extra cost. Merchants need to evaluate the appropriate level of risk management they can administer internally versus outsource, dependent on budget, staff, and other resources available.
4. Adjusting fraud rules and parameters
One common pitfall to avoid is the "one and done" mentality: too often, merchants dedicate a resource to configuring fraud parameters once, but not to ensuring that the parameters are still relevant weeks, months, or years later. Fraud trends evolve rapidly, and detection tools need an equally quick response to remain effective. Regardless of which tools merchants are using to prevent fraud, those tools should be checked against reports and analytics on a regular basis. Merchant staff should also be trained to react to immediate critical occurrences, such as a sudden attack from a fraud ring in a particular geographical location; these may require significant but temporary changes to the existing fraud settings.
With these fraud management capabilities, online retailers of all sizes can:
- efficiently determine what levels of risk are acceptable for various products, order profiles, shopping behaviors, and other combinations of factors, adjusting rules and logic as needed based on evolving fraud patterns;
- easily categorize all orders, ideally including a resolution procedure that flows "in-line" with the payment process;
- streamline administrative processes during the entire life cycle of a transaction.
Keeping up with the Latest Threats
Cybercriminals don't stand still, and neither should the security measures of online retailers. That is why successfully managing eCommerce Web site fraud needs to be an ongoing process, not a one-time fix. Payment processors and other service providers can help new and growing merchants keep up with the constantly changing security landscape. They typically observe fraud trends closely and update their services promptly to protect against emerging fraud methods and techniques. For example, some of the more sophisticated fraud management tools now employ device fingerprinting, which records specific details of the computer or smartphone a shopper is using to place orders. By checking whether the buyer's device has ever been associated with fraud (along with other device-specific risk factors), this technology can curtail fraudulent purchases. A fingerprint can be altered by a determined attacker, however, so it should be treated as one risk signal among several rather than as the sole basis for a decision. Shared databases of individual factors associated with fraud (e-mail address, card number, IP address, and more) are another opportunity merchants can take advantage of. Multiple merchants contributing millions of data points over time help fraud systems evolve and adapt across the board, and collectively help put merchants one step ahead of the fraudsters' game.
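As an added example covering the three functions listed under Tools for Detecting and Preventing Fraud Transactions (risk scoring, in-line accept/review/reject categorization, and post-purchase reporting) together with the device-fingerprint and shared negative-list factors described just above, the Python below implements a small rule-based screen. It is written for this page; it is not any processor's product, and the rule weights, thresholds, free-mail domain list and orders are all hypothetical values chosen to exercise each branch. The velocity rule (many distinct cards from one IP address) goes slightly beyond the factors named in the text.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Hypothetical rule weights. A real deployment tunes these against chargeback
# data and revisits them regularly (the "one and done" pitfall above).
RULES = {
    "ship_bill_mismatch": 25,       # shipping country differs from billing country
    "high_value": 20,               # order above a merchant-chosen amount
    "rush_shipping": 10,
    "free_mail_domain_new_customer": 10,
    "device_seen_in_fraud": 60,     # device fingerprint on a shared negative list
    "ip_card_velocity": 45,         # too many distinct cards from one IP
}
ACCEPT_BELOW = 40   # score below this: accept automatically
REJECT_AT = 80      # score at or above this: reject; in between: manual review
FREE_MAIL_DOMAINS = {"free.example", "mail.example"}   # assumed list


@dataclass
class Order:
    order_id: str
    amount: float
    bill_country: str
    ship_country: str
    rush: bool
    email: str
    new_customer: bool
    device_id: str      # device fingerprint supplied by the checkout page
    ip: str
    card_hash: str      # token or keyed hash of the PAN, never the PAN itself


@dataclass
class FraudScreen:
    negative_devices: set = field(default_factory=set)   # shared intelligence feed
    cards_per_ip: dict = field(default_factory=lambda: defaultdict(set))
    high_value_amount: float = 500.0
    velocity_limit: int = 3

    def score(self, order: Order):
        """Function 1: evaluate the rules and sum their weights."""
        hits = []
        if order.ship_country != order.bill_country:
            hits.append("ship_bill_mismatch")
        if order.amount >= self.high_value_amount:
            hits.append("high_value")
        if order.rush:
            hits.append("rush_shipping")
        if order.new_customer and order.email.split("@")[-1] in FREE_MAIL_DOMAINS:
            hits.append("free_mail_domain_new_customer")
        if order.device_id in self.negative_devices:
            hits.append("device_seen_in_fraud")
        self.cards_per_ip[order.ip].add(order.card_hash)
        if len(self.cards_per_ip[order.ip]) > self.velocity_limit:
            hits.append("ip_card_velocity")
        return sum(RULES[h] for h in hits), hits

    def decide(self, order: Order) -> dict:
        """Function 2: in-line categorisation into accept / review / reject."""
        total, hits = self.score(order)
        if total >= REJECT_AT:
            decision = "reject"
        elif total < ACCEPT_BELOW:
            decision = "accept"
        else:
            decision = "review"
        return {"order_id": order.order_id, "score": total,
                "decision": decision, "rules": hits}


def rule_hit_report(decisions) -> Counter:
    """Function 3: post-purchase analytics, which rules fire most often."""
    report = Counter()
    for d in decisions:
        report.update(d["rules"])
    return report


def demo_orders():
    """Constructed orders with fictitious values."""
    return [
        Order("o1", 49.0, "IN", "IN", False, "a@corp.example", False, "dev-1", "203.0.113.5", "card-a"),
        Order("o2", 900.0, "IN", "RO", True, "b@free.example", True, "dev-2", "203.0.113.9", "card-b"),
        Order("o3", 120.0, "IN", "RO", False, "c@corp.example", False, "dev-bad", "203.0.113.9", "card-c"),
        Order("o4", 30.0, "IN", "IN", False, "d@corp.example", False, "dev-4", "203.0.113.9", "card-d"),
        Order("o5", 35.0, "IN", "IN", False, "e@corp.example", False, "dev-5", "203.0.113.9", "card-e"),
    ]


def run_demo():
    screen = FraudScreen(negative_devices={"dev-bad"})
    return [screen.decide(o) for o in demo_orders()]


if __name__ == "__main__":
    results = run_demo()
    for r in results:
        print(r)
    print(rule_hit_report(results))
```

Note that the device check alone never rejects an order here (60 is below the reject threshold), in line with the caveat above that a fingerprint is one signal among several; the report produced by the third function is what tells the merchant which weights and thresholds to revisit.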
Summary:
Today it is a well-established fact that the world has become dependent on Information Technology like never before. IT has empowered the world in the true sense, but as the well-known adage goes, "with great power comes great responsibility", and this also holds good in the IT scenario. Here we have tried to understand the ways in which security assessments are done, previewed the latest security issues, and looked at potential ways to counter and prevent them. A better understanding of these issues helps current and future managers to be well equipped to face real-life scenarios in the business world and to ensure the smooth management of business.
Whether a retailer's online revenues are $50,000 or $500 million, protection from cybercrime needs constant attention. Even without putting a fraud expert on the payroll, an eCommerce operation can take steps to effectively minimize the risks of transaction fraud at checkout. Advanced fraud management services are fast, flexible, and affordable. Even small online retailers can utilize sophisticated, real-time risk assessment as an integral part of the checkout process, and lay a foundation of security best practices on which their business can grow. Online retailers should consider implementing these best practices:
- Deploy a combination of end-to-end encryption and tokenization to simplify PCI compliance and protect customers' payment card data from being stolen and used fraudulently.
- Make sure all employees understand the risks of card-not-present transactions. Compensate for the lack of in-store controls with real-time screening using both payment information and anti-fraud intelligence from other sources.
- Enable proactive security measures. Don't accept fraud as "just another cost of doing business." Every eCommerce merchant can wield the power to detect and stop most attempts to make fraudulent online purchases.
- Configure the right kind of fraud logic in the early stages of your business to avoid problems later. Leverage as many tools as are available to you through your payment provider and other resources. Experiment with automated order screening early on, when transaction volume is low and suspicious behavior anomalies are more easily recognized. Constantly re-evaluate the risk settings and resolution rules so that they catch most fraud attempts without requiring many transactions to be reviewed or denied.
- Participate in forums, webinars, and other shared experiences with fellow merchants; in many ways, collaboration is the greatest advantage merchants have against fraud.
- For support and guidance on the nuances of fraud management, talk to your payments processor. Ask how to use both payment and non-payment information to detect fraud and gain visibility into shopper behavior. Get recommendations on how to define rules that effectively assess order risk and determine the appropriate resolution of each order. Find out what level of support to expect in implementing industry best practices for reporting, scoring, and order resolution, and whether the processor's solution has a user-friendly workflow for resolving transactions and managing chargebacks and reversals.
REFERENCES:
- www.securitycompass.com
- http://www.isaca.org/KNOWLEDGE-CENTER/RESEARCH/ISSUES/Pages/default.aspx
- http://www.zerodayinitiative.com/advisories/upcoming/
- http://www.isaca.org/riskit
- First Data, "Strategies for Reducing the Risk of eCommerce Fraud", http://www.firstdata.com/
? ?
Integrity: guaranteeing that the data are those that they are believed to be Confidentiality: ensuring that only authorised individuals have access to the resources being exchanged
? ? ?
Availability: guaranteeing the information system's proper operation Non-repudiation: guaranteeing that an operation cannot be denied Authentication: ensuring that only authorised individuals have access to the resources
SECURITY THREAT :
A threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.
Security Assessment
Security Compass offers a broad range of information security assessment and remediation services to fit your needs. Our world-class consultants bring years of expertise and deep domain knowledge to all of our offerings.
?
?
?
?
?
Application Runtime Security Assessment — As attackers increasingly focus on exploiting software vulnerabilities, insecure applications leave your data at risk. Allow Security Compass to test your applications from a hacker's perspective. Application Source Code Security Assessment — Find vulnerabilities in the underlying source code and know exactly what to fix. Source code review is one of the most cost-effective methods of finding vulnerabilities. Let our seasoned experts assess the security of your source. Fulfill PCI DSS Requirement 6.6. Threat Modelling — Analyze your application's design to find vulnerabilities before development. Prioritize source code reviews and penetration tests. We use our extensive experience in threat modelling to bring security to the early phases of development. SDLC Security — Looking for a holistic approach to building secure applications? We can help you enhance your existing software development life cycle — waterfall, agile, or proprietary — to include security. Network Security Assessments — With simple point-and-click tools attackers can own your network. How secure is your infrastructure? We'll assess your network with a combination of automated and manual techniques from the perspective of an expert hacker.
Other Enterprise Assessment Services:
?
Wireless Assessment — Rouge access points and insecure wireless protocols anywhere
?
in your facility can expose confidential data. We can help you determine if you have any wireless network risks. Policy Assessment — Information security governance is critical to compliance with standards like ISO27002, COBIT, and others. Our security experts can assess your policies, procedures, standards, baselines, and guidelines for compliance with common standards
LATEST SECURITY ISSUES
Top Cyber Security Risks - Vulnerability Exploitation Trends
? ? ? ? ? ? ?
Vulnerability Exploitation Trends Origin and Destination Analysis for 4 Key Attacks Application vs. Operating System Patching Tutorial: HTTP Client-Side Exploitation Example Zero-Day Vulnerability Trends Best Practices in Mitigation and Control HTTP Server Threats
Application Vulnerabilities Exceed OS Vulnerabilities During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted.
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Web Application Attacks
There appear to be two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the access that is gained if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools, designed to target custom web application vulnerabilities, make it easy to discover and infect several thousand web sites.
Windows: Conficker/Downadup
Attacks on Microsoft Windows operating systems were dominated by Conficker/Downadup worm variants. For the past six months, over 90% of the attacks recorded for Microsoft targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from 2003 and 2004, continue to infect many networks.
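The password-guessing traffic against SSH servers described above leaves a clear trace in authentication logs. The following Python script is an added example (it is not part of the report): it parses constructed sshd log lines and flags any source address that produces five or more failed logins within a one-minute sliding window. The hostnames, addresses, usernames and thresholds are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines in syslog format (no year, so one is assumed below).
SAMPLE_LOG = """\
Jul  4 22:01:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  4 22:01:05 web1 sshd[2013]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jul  4 22:01:06 web1 sshd[2015]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Jul  4 22:01:08 web1 sshd[2017]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jul  4 22:01:09 web1 sshd[2019]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jul  4 22:01:11 web1 sshd[2021]: Accepted publickey for deploy from 198.51.100.20 port 40011 ssh2
Jul  4 22:15:40 web1 sshd[2101]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Jul  4 22:15:52 web1 sshd[2103]: Accepted password for alice from 198.51.100.20 port 40013 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2009):
    """Return a dict with ts/result/user/src for an sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; the caller supplies one (assumption for the demo).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: (count, first_ts, last_ts)} for every source whose failed logins
    reach `threshold` inside any `window_seconds` window. Successful logins are ignored."""
    windows = defaultdict(deque)   # per-source timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = windows[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (len(q), q[0], q[-1])
    return alerts


if __name__ == "__main__":
    for src, (count, first, last) in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins between {first.time()} and {last.time()}")
```

The same window logic applies unchanged to FTP or SQL Server authentication failures once the regular expression is adapted to those log formats; the threshold and window are the tunables that trade false positives against detection delay.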
Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year. QuickTime vulnerabilities account for most of the attacks being launched against Apple software. Note that QuickTime runs on both Mac and Windows operating systems.
The following vulnerabilities should be patched on any QuickTime installation: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957.
Figure 4: Attacks on Critical Apple Vulnerabilities (last 6 months)
Origin and Destination Analysis for Four Key Attacks
Over the past six months, we have seen some very interesting trends when comparing the country where various attacks originate to the country of the attack destination. In order to show these results, we have characterized and presented the data in relation to the most prevalent attack categories. The analysis performed for this report identified these attack categories as high-risk threats to most if not all networks, and as such, they should be at the forefront of security practitioners' minds. These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks. As you might expect, there is some overlap in these categories, with the latter three being subsets of the first two categories. However, the trends we see in separating this data are worth pointing out. The SQL Injection attacks that compose this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity". The most prominent "PHP Remote File Include attack" is one that looks for a very small HTTP request that includes a link to another website as a parameter and contains a very specific evasion technique used by a number of attacks to increase their reliability. Also of note is a very specific attack against the "Zeroboard PHP" application, the only single application that made the top attacks list. The final type of attack included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, which remains a staple in the Server-Side HTTP category. HTTP connect tunnels are used for sending spam emails via mis-configured HTTP servers.
Looking at the breakdown by country we see that the United States is by far the major attack target for the Server-Side HTTP attack category (Figure 5).
Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)
For years, attack targets in the United States have presented greater value propositions for attackers, so this statistic really comes as no surprise. An interesting spike in Server-Side HTTP attacks occurred in July 2009. This was entirely due to SQL Injection attacks using the SELECT command. Upon looking at the data, we saw a massive campaign by a range of IP addresses located at a very large Internet Service Provider (ISP). In this case, there were a number of machines located at a single colocation site that may have all been compromised through the same vulnerability because the machines were at the same patch level. In addition, a number of gambling sites took part in this attack, which peaked after hours on July Fourth, a major holiday in the United States.
Figure 6: Server-Side HTTP Attacks (last 6 months)
Finally, let's turn to the source of these HTTP Server-Side attacks (Figure 7).
Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)
Here we see the United States as by far the largest origin, which is a pattern that has continued for some time. In many cases we believe these to be compromised machines that are then being used for further nefarious purposes. The next four offenders on the HTTP Server-Side attacking countries list are Thailand, Taiwan, China, and the Republic of Korea. They also show up in other portions of this report, so this graph will be a useful reference in comparing some of the other attack categories and their relative magnitude.
The last six months have seen a lot of activity with SQL injection attacks. Some typical patterns emerge, with the United States being both the top source of and destination for SQL Injection events. SQL Injection on the internet can more or less be divided into two sub-categories: Legitimate SQL Injection and Malicious SQL Injection. Many web applications on the Internet still use "SQL Injection" for their normal functionality. It should be noted that this is only a difference in intent. The web applications that legitimately use SQL Injection are guaranteed to be vulnerable to the tools and techniques used by attackers to perform Malicious SQL Injections. The servers that house these applications may have a higher compromise rate not only because they are known to be vulnerable, but also because they need to distinguish between legitimate and malicious injects to identify attacks.
Figure 8: SQL Injection Attacks by Destination Country (last 6 months)
Looking at the magnitude of these attacks broken down by month (Figure 9), we see the large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section. A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser who distributed code to many affiliates using SQL injection as functionality. The application was quickly pulled, resulting in a large drop in events for the month of August.
Figure 9: SQL Injection Attacks (last 6 months)
The source distribution of many of these attacks is much more diverse than the destination. China is now the single largest source outside of the United States. Again the overwhelming destination for these events is in the United States. (Figure 10).
Figure 10: SQL Injection Attacks by Source Country (last 6 months)
In conclusion, we cannot overstate the importance of protecting DMZ-based web applications from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisition of sensitive data. While the media may consistently report attacker targets as being credit cards and social security numbers, that is more due to the popular understanding of the marketability of this data. They are not the only valuable data types that can be compromised. Since SQL Injection attacks offer such easy access to data, it should be assumed that any valuable data stored in a database accessed by a web server is being targeted.
Although "PHP File Include" attacks have been popular, we have seen a notable decline in the overall number of attacks that have taken place. With the exception of a major attack originating from Thailand in April, the number of PHP File Include attacks in August is less than half the March/May average. There are many ways to protect against these attacks. Apache configuration, input sanitization, and network security equipment are all very good at deterring these attacks, so it seems likely that the drop in total attacks is at least partly due to a positive response by application developers, system administrators, and security professionals. However, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack (arbitrary PHP code is executed), attacks such as these are likely to remain popular for some time.
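The report's point that applications which build SQL from user input ("legitimate" SQL injection) are by construction vulnerable to the same tools attackers use is easiest to see in code. The following Python/sqlite3 snippet is an added example, not part of the report: it places the string-building lookup next to its parameterized counterpart and runs both against the Boolean-identity input the report names. The table, rows and column names are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory user table used only for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the value is pasted into the statement text, so it can change the
    structure of the query rather than just the value being compared."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """HARDENED: the value travels as a bound parameter; the database never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed Boolean-identity input: a closing quote followed by a clause that is always true.
INJECTION_INPUT = "x' OR '1'='1"


def compare(username):
    """Run the same input through both lookups and return (vulnerable_rows, parameterized_rows)."""
    conn = build_demo_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    vuln, safe = compare(INJECTION_INPUT)
    print("vulnerable query returned:", vuln)       # every user, not just the one asked for
    print("parameterized query returned:", safe)   # nothing: no user is literally named "x' OR '1'='1"
```

The parameterized form also answers the report's "legitimate versus malicious" distinction: once values are bound rather than concatenated, there is no legitimate injection left to tell apart from a malicious one, and a WAF or IDS in front of the server no longer has to guess intent.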
Figure 11: PHP Remote File Include Attacks (last 6 months)
Let us look at the sources of "PHP Remote File Include" attacks. A major attack campaign was launched out of Thailand in April that caused Thailand to show up at number 1 in this list.
Figure 12: PHP Remote File Include Attacks by Source Country (last 6 months)
Cross Site Scripting (XSS) is one of the most prevalent bugs in today's web applications. Unfortunately, developers often fall into the trap of introducing XSS bugs while creating custom code that connects all of the diverse web technologies that are so prevalent in today's Web 2.0 world. Another very common "use" of XSS is by various advertisers' analytic systems. For example, an advertiser's banner might be embedded in a web page which is set up to reflect some JavaScript off of the advertiser's HTTP server for tracking purposes. However, in this case there is little risk because the site in question (usually) has full control over its page, so this request to the advertiser is not generally malicious. It is the "reflection" attacks, along with attacks that leverage flaws in form data handling, that make up the vast majority of XSS attacks that we have seen in the last six months.
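Reflected XSS of the kind described above arises when a request parameter is written back into the page without output encoding. The following Python snippet is an added example, not code from the report: it shows a view that reflects the parameter raw beside one that HTML-encodes it, plus an attribute context (a link target) where encoding alone is not enough and the URL scheme must be restricted as well. The payload string and helper names are constructed for the demonstration.

```python
import html
import re


def render_greeting_unsafe(name):
    """VULNERABLE: in-line view code drops the raw request parameter into the page."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """HARDENED: every dynamic value passes through HTML output encoding before it hits the page.
    quote=True also encodes quotes so the same helper is safe inside attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_safe(url, label):
    """Attribute context: encoding stops the value from breaking out of the attribute, but a
    javascript: URL is still a valid attribute value, so the scheme is whitelisted separately."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        url = "#"   # constructed fallback for the demo; a real app would reject the request
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'


def contains_active_markup(fragment):
    """Crude check used only by this demonstration: is there still a script tag, an event
    handler attribute or a javascript: URL in the rendered output?"""
    return re.search(r"<\s*script|\bon\w+\s*=|javascript:", fragment, re.IGNORECASE) is not None


# Constructed reflected-XSS test input of the textbook form.
PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    print(render_greeting_unsafe(PAYLOAD))   # script tag survives intact
    print(render_greeting_safe(PAYLOAD))     # rendered as inert text
    print(render_link_safe("javascript:alert(1)", "click"))
    print(render_link_safe("https://example.com/?q=\"x\"", "click"))
```

This is exactly the burden the "tags versus code in views" discussion later on the page describes: with tag-based views the framework applies the `html.escape` step for every value, whereas with in-line code each developer has to remember it in every view, and one omission is a reflected XSS.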
Figure 13: XSS Attacks by Source Country (last 6 months)
Attacks sourced from the United States have been on a steady decline month-over-month. The Republic of Korea has seen a 50% reduction in the last 30 days. These two events, however, have been offset by a sudden 20% increase in the last 30 days in attacks from Australia. The other three major players, namely Hong Kong, China and Taiwan, have remained stable over the past three months in this category.
Application Patching is Much Slower than Operating System Patching
Qualys scanners collect anonymized data on detected vulnerabilities to capture the changing dynamics in the vulnerability assessment field. The data documents changes such as the decline of server-side vulnerabilities and the corresponding rise of vulnerabilities on the client side, both in operating system components and applications. A Top 30 ranking is often used to see if major changes occur in the most frequent vulnerabilities found. Here is the ranking for the first half of 2009, edited to remove irrelevant data points such as 0-day vulnerabilities.
Figure 14: Microsoft OS Vulnerabilities
But at least half of the vulnerabilities in the list, primarily vulnerabilities found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats. The following graphs plot the number of vulnerabilities detected for Microsoft Office and Adobe Reader, normalized to the maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection rates occur during the weekends, when scanning focuses on servers rather than desktop machines and the detection rates of vulnerabilities related to desktop software fall accordingly.
Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles
Attackers have long picked up on this opportunity and have switched to different types of attacks in order to take advantage of these vulnerabilities, using social engineering techniques to lure end-users into opening documents received by e-mail, or infecting websites with links to documents that have attacks for these vulnerabilities embedded. These infected documents are not only placed on popular web sites that have a large number of visitors, but increasingly target the "long tail", the thousands of specialized websites that have smaller but very faithful audiences. By identifying and exploiting vulnerabilities in the Content Management Systems used by these sites, attackers can automate the infection process and reach thousands of sites in a matter of hours. Attacks using PDF vulnerabilities have seen a large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use this method of getting control over a machine. Adobe Flash has similar problems with the application of its updates; there are four Flash vulnerabilities in our Top 30 list that date back as far as 2007:
Figure 16: Flash Vulnerabilities
Flash presents additional challenges: it does not have its own automatic update mechanism, and one needs to patch Internet Explorer in a separate step from other browsers. For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and continue to be unwittingly vulnerable. One of the other software families that is high on the Top 30 list is Java, which is widely installed for running Java applets in the common browsers and also, increasingly, for normal applications. It is quite slow in the patch cycle, with actually increasing numbers of total vulnerabilities as the introduction of new vulnerabilities outweighs the effect of patching. Java has the additional problem that until recently new versions did not uninstall the older code, but only pointed default execution paths to the new, fixed version; attack code could be engineered to take advantage of the well-known paths and continue to use older and vulnerable Java engines.
Figure 17: Sun Java Vulnerabilities
Zero-Day Vulnerability Trends
A zero-day vulnerability occurs when a flaw in software code is discovered and code exploiting the flaw appears before a fix or patch is available. Once a working exploit of the vulnerability has been released into the wild, users of the affected software will continue to be compromised until a software patch is available or some form of mitigation is taken by the user. "File format vulnerabilities" continue to be the first choice for attackers to conduct zero-day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player and Microsoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available "fuzzing" frameworks make it easier to find these flaws. The vulnerabilities are often found in third-party add-ons to these popular and widespread software suites, making the patching process more complex and increasing their potential value to attackers. The notable zero-day vulnerabilities during the past 6 months were:
• Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
• Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
• Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
• Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
• Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
• Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)
The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the number of people world-wide having the skills to discover vulnerabilities. This is evidenced by the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple sources. For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted a remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches to auditing for and finding the same vulnerability. The implication of increasing duplicate discoveries is fairly alarming, in that the main mitigation for vulnerabilities of this type is patching, which is an invalid strategy for protecting against zero-day exploits. There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit. Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that TippingPoint is aware of a number of vulnerabilities that were reported to vendors two years ago and are still awaiting a patch.
Proposed Research Work on IT Security
RE: Trends in Security
I am writing a proposal for reconsidering hardware controls over software controls, when such controls can be made practical and usable. We need to return to the discussions of the early 1980's, because we are now seeing so many targeted viruses in environments that cannot keep track of all changes to their code. We need to ask operating systems vendors to harden and stabilize their code, with a goal of eventually having parts that will never need to change again. We need hardware manufacturers to synchronize with the operating systems vendors, to make sure that a common set of device drivers can be permanent, and that new features will be added that are segregated from the unchanging base. We need software that maintains its layer integrity and reliably fixes itself to its own work area. We need a temporary work area and data area strategy that can be applied across platforms, but keeps software and data separate and verifiable as secure. We need to be able to reinstall software from scratch easily, so as to eliminate unaccountable invading malware apart from a base of accountable software. And then, we need to use the EPROM to PROM strategy to fix a stable base of software as a solid unchangeable base. This last part is what I am proposing as the new solution to keep viruses from invading online systems. Software, as long as it is changeable, is subject to viruses, but once it can be fixed in place, then progress in anti-virus strategies can again go forward. With some AV packages catching only 18% of the malware, strategies from the 1980's should again be considered.
Data Leak Prevention:
Data leak prevention (DLP) is a suite of technologies aimed at stemming the loss of sensitive information that occurs in enterprises across the globe.
By focusing on the location, classification and monitoring of information at rest, in use and in motion, this solution can go far in helping an enterprise get a handle on what information it has, and in stopping the numerous leaks of information that occur each day. DLP is not a plug-and-play solution. The successful implementation of this technology requires significant preparation and diligent ongoing maintenance. Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can greatly reduce risk to the organization. Those implementing the solution must take a strategic approach that addresses risks, impacts and mitigation steps, along with appropriate governance and assurance measures.
WAYS TO TACKLE SOME OF THE MOST RECENT IT SECURITY ISSUES
1. Session Replication
Load balancing is a must-have for applications with a large user base. While serving static content in this way is relatively easy, challenges start to arise when your application maintains state information across multiple requests. There are many ways to tackle session replication; here are some of the most common:
• Allow the client to maintain state so that servers don’t have to
• Persist state data in the database rather than in server memory
• Use the application server’s built-in session replication technology
• Use third-party products, such as Terracotta
• Tie each session to a particular server by modifying the session cookie
Out of these, maintaining state on the client is often the easiest to implement. Unfortunately, this single decision is often one of the most serious you can make for the security of any client-server application. The reason is that clients can modify any data that they send to you. Inevitably, some of the state data shouldn’t be modifiable by an end user, such as the price of a product, user permissions, etc. Without sufficient safeguards, client-side state can leave your application open to parameter manipulation at every transaction. Luckily, some frameworks provide protection in the form of client-side state encryption; however, as we’ve seen with the recent padding oracle attacks, this method isn’t always foolproof and can leave you with a false sense of security. Another technique involves hashing and signing read-only state data (i.e. the parameters that the client shouldn’t modify); however, trying to decide which parameters should be modifiable and which ones shouldn’t can be particularly time consuming, often to the point that developers just ignore it altogether when deadlines become pressing. If you have the choice, elect to maintain state on the server and use one of the many techniques at your disposal to handle session replication.
2. Authorization Context
Many senior developers and architects we’ve spoken to understand that authorization is a challenging topic. Enterprise applications often perform a basic level of authorization: ensuring that the user has sufficient access rights to view a certain page. The problem is that authorization is a multi-layer, domain-specific problem that you can’t easily delegate to the application server or access management tools. For example, an accounting application user has access to the “accounts payable” module, but there’s no server-side check to see which accounts the user should be able to issue payments for. Often the code that has sufficient context to see a list of available accounts is so deep in the call stack that it doesn’t have any information about the end user. The workarounds are often ugly: for example, tightly coupling presentation and business logic such that the application checks the list of accounts in a view page where it does have context information about the end user. A more elegant solution is to anticipate the need for authorization far into the call stack and design appropriately. In some cases this means explicitly passing user context several layers deeper than you normally would; other approaches include having some type of session- or thread-specific lookup mechanism that allows any code to access session-related data. The key is to think about this problem upfront so that you don’t waste unnecessary time down the road trying to hack together a solution. See our pattern-level security analysis of Application Controller for more details on this idea.
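Items 1 and 2 above fit together in one design: keep state on the server, give the client only an unforgeable reference to it, and make the loaded session reachable from anywhere in the call stack. The following Python sketch is an added example and is not code from the post's authors. It hands the browser an HMAC-signed, opaque session id (so the cookie itself carries no prices or permissions to tamper with), verifies the signature with a constant-time compare before trusting the id, and then binds the server-held session to a request-scoped `contextvars` variable so that an accounts-payable function deep in the business layer can authorize a payment without being passed a request object. The server key, account identifiers and session layout are assumptions made for the demonstration.

```python
import base64
import contextvars
import hashlib
import hmac
import secrets

# Assumption for the demo: in a real deployment this key comes from a secret store and is rotated.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Server-side session store: session id -> state the client must never be able to edit.
SESSIONS = {}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def create_session(user, allowed_accounts):
    """Store the user's state server-side and return the cookie value: '<id>.<hmac(id)>'."""
    sid = secrets.token_bytes(16)
    sid_text = b64(sid)
    SESSIONS[sid_text] = {"user": user, "allowed_accounts": set(allowed_accounts)}
    return f"{sid_text}.{b64(sign(sid))}"


def load_session(cookie):
    """Verify the MAC before looking anything up; a malformed, forged or edited cookie yields None."""
    try:
        sid_text, mac_text = cookie.split(".", 1)
        sid, mac = unb64(sid_text), unb64(mac_text)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sign(sid), mac):   # constant-time comparison
        return None
    return SESSIONS.get(sid_text)


# Request-scoped user context, readable from any depth of the call stack.
current_user = contextvars.ContextVar("current_user")


class AuthorizationError(Exception):
    pass


def issue_payment(account_id, amount):
    """Deep business-logic function: no request object, yet it can still authorize."""
    ctx = current_user.get(None)
    if ctx is None or account_id not in ctx["allowed_accounts"]:
        who = ctx["user"] if ctx else None
        raise AuthorizationError(f"user {who} may not issue payments from {account_id}")
    return {"account": account_id, "amount": amount, "by": ctx["user"]}


def handle_payment_request(cookie, account_id, amount):
    """Web-layer entry point: load the session, bind it to this request's context, call down."""
    session = load_session(cookie)
    if session is None:
        raise AuthorizationError("no valid session")

    def run():
        current_user.set(session)
        return issue_payment(account_id, amount)

    # Each request gets its own context copy, so concurrent requests never see each other's user.
    return contextvars.copy_context().run(run)


if __name__ == "__main__":
    cookie = create_session("alice", ["AP-100"])
    print(handle_payment_request(cookie, "AP-100", 250))
    try:
        handle_payment_request(cookie, "AP-200", 250)
    except AuthorizationError as e:
        print("denied:", e)
```

Because the allowed-account list lives in `SESSIONS` and never leaves the server, there is no need to decide per parameter what the client may edit, which is the triage the post warns developers tend to skip under deadline pressure. In a load-balanced deployment the `SESSIONS` dictionary would be replaced by the shared store chosen for session replication; the cookie format and the authorization path do not change.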
3. Tags vs. Code in Views
Over the years, most web application development frameworks have made it practical to code entire views/server-pages completely with tags. Dot Net’s ASPX or Java’s JSF pages are examples of this. Building exclusively with tags can sometimes be frustrating when you need to quickly add functionality inside of a view and you don’t have a ready-made tag for that function at your disposal. Some architects and lead developers impose a strict decision that all views must be composed entirely of tags; other architects and lead developers are more liberal in their approach. Inevitably, the applications that allow developers to write in-line code (e.g. PHP, classic ASP, or scriptlets in Java) have an incredibly tough time eradicating Cross Site Scripting. Rather than augmenting tags with output encoding, developers need to manually escape every form of output in every view. A single decision can lead to tedious, error-prone work for years to come. If you do elect to offer the flexibility of one-off coding, make sure you use static analysis tools to find potential exposures as early as possible.
4. Choice of Development Framework
Call us biased, but we really believe that the framework you choose will dramatically affect the speed at which you can prevent and remediate security vulnerabilities. Building anti-CSRF controls in Django is a matter of adding “@csrf_protect” to your view method. In most Java frameworks you need to build your own solution or use a third-party library such as OWASP’s CSRFGuard. Generally speaking, the more security features built into the framework, the less time you have to spend adding these features into your own code or trying to integrate third-party components. Choosing a development framework that takes security seriously will lead to savings down the road. The Secure Web Application Framework Manifesto is an OWASP project designed to help you make that decision.
5. Logging and Monitoring Approach
Most web applications implement some level of diagnostic logging. From a design perspective, however, it is important to leverage logging as a measure of self-defense rather than purely from a debugging standpoint. The ability to detect failures and retrace steps can go a long way towards first spotting and then diagnosing a breach. We’ve found that security-specific application logging is not standardized and, as a result, any security-relevant application logging tends to be done inconsistently. When designing your logging strategy, we highly recommend differentiating security events from debugging or standard error events to expedite the investigative process in the event of compromise. We also recommend using standard error codes for security events in order to facilitate monitoring. OWASP’s ESAPI logging allows for event types to distinguish security events from regular logging events. The AppSensor project allows you to implement intrusion detection and automated responses into your application.
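The logging recommendation in item 5 has two halves: a dedicated security channel with stable event codes, and a consumer that can react to those codes. The following Python code is an added example (it is not the post's code and does not use OWASP's ESAPI or AppSensor libraries): it routes tagged security events to their own logger with a filter that rejects untagged records, and attaches an AppSensor-style handler that counts events per source and blocks a source once a threshold is reached. The event codes, users and addresses are constructed for the demonstration.

```python
import logging
from collections import Counter

# Dedicated channel, kept apart from the application's debug/error logging.
SECURITY = logging.getLogger("app.security")

# Constructed, stable event codes so monitoring can key on a code instead of free text.
EVENT_CODES = {
    "AUTH_FAILURE": "SEC-1001",
    "AUTHZ_DENIED": "SEC-2001",
    "INPUT_VALIDATION": "SEC-3001",
    "SESSION_TAMPER": "SEC-4001",
}


class SecurityEventFilter(logging.Filter):
    """Only records carrying a security event code pass; plain debug/error records are dropped."""

    def filter(self, record):
        return getattr(record, "sec_code", None) is not None


def log_security_event(event, user, src_ip, detail=""):
    """Emit one security event with its fixed code plus structured fields for the handlers."""
    code = EVENT_CODES[event]
    SECURITY.warning(
        "%s %s user=%s src=%s %s", code, event, user, src_ip, detail,
        extra={"sec_code": code, "sec_user": user, "sec_src": src_ip},
    )


class AppSensorLite:
    """Minimal AppSensor-style detector: count events per (code, source) and respond on a threshold."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.counts = Counter()
        self.blocked = set()

    def observe(self, record):
        key = (record.sec_code, record.sec_src)
        self.counts[key] += 1
        if self.counts[key] >= self.threshold:
            self.blocked.add(record.sec_src)   # automated response: block the source

    def is_blocked(self, src_ip):
        return src_ip in self.blocked


class DetectorHandler(logging.Handler):
    """Logging handler that feeds every accepted record to the detector."""

    def __init__(self, detector):
        super().__init__()
        self.detector = detector

    def emit(self, record):
        self.detector.observe(record)


def build_security_pipeline(threshold=3):
    """Wire the filter and detector onto the security logger; returns the detector for inspection."""
    detector = AppSensorLite(threshold)
    handler = DetectorHandler(detector)
    handler.addFilter(SecurityEventFilter())
    SECURITY.handlers.clear()          # idempotent: rebuilding never stacks duplicate handlers
    SECURITY.addHandler(handler)
    SECURITY.setLevel(logging.INFO)
    SECURITY.propagate = False         # keep security events out of the general log stream
    return detector


def simulate(threshold=3):
    """Replay a constructed sequence: three failures from one source, one from another."""
    detector = build_security_pipeline(threshold)
    for _ in range(3):
        log_security_event("AUTH_FAILURE", "bob", "203.0.113.9", "bad password")
    log_security_event("AUTH_FAILURE", "alice", "198.51.100.5", "bad password")
    SECURITY.warning("untagged message that the filter must drop")
    return detector


if __name__ == "__main__":
    d = simulate()
    print("blocked:", sorted(d.blocked))   # only 203.0.113.9
```

In production the `DetectorHandler` would sit beside a normal file or syslog handler on the same logger, so the events that trigger the automated response are the same ones an investigator later greps by code.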
Few latest trends in IT security:
Web 2.0: What isn't Web will become Web
I was consulting for a customer a few weeks ago, and the company's developers asked me to perform a security review of a new database application. I found the normal SDL (security design lifecycle) bugs, but I was more concerned that the team was using a traditional programming language for the code -- with absolutely no Web interface. I brought up this point along with my normal review findings. The programmers' answer was that the Web wasn't right for all applications, and performance-wise, their software outperformed Web apps by a factor of 3 to 1. I agreed with the latter point but strongly disagreed with the former. Yes, the Web isn't the best choice for all applications in a world where we can design programs in a stand-alone box or without consideration for the rest of the infrastructure -- but we can't. The whole world is going Web 2.0. Nearly every app is going Web 2.0. What isn't Webified today will be tomorrow. The future consumer will expect to be able to access your app through a Web browser or as a Web service, no matter what type of computer they're using -- PC, smartphone, tablet, and so on. Separate interfaces and VPNs won't cut the mustard. If your app isn't easily available on the Web, it won't be used or will eventually be phased out or recoded. The writing is on the wall. Programmers, take note. I don't mean that the app should simply be available on the Web -- you can't merely offer it as a Web-based app, especially if the app itself isn't Web-based. That will work for the short and midterm, but not in the long run. Today's traditional virtualization technologies, non-Web VPNs, and application gateways are short-term shims. In the future, for the app to survive, it must be Webified to its core. I may agree with you that the app is faster and performs better when not accessed using a Web interface, but it doesn't matter. 
Virtualization & private cloud Security:
EMC is a leader and visionary in how companies today - and in the future - migrate from physical to virtual services, and how the cloud will change the fundamental premise and business model for information services. In cryptography, RSA (which stands for Rivest, Shamir and Adleman, who first publicly described it) is an algorithm for public-key cryptography.[1] It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography.
The inherent value of virtualization in today's IT infrastructure, combined with economic pressures and the resulting impact on resources and budget, is accelerating many companies' plans to virtualize their environments.
We can help companies accelerate the benefits of virtualization and their journey to the private cloud by identifying new benefits while mitigating the security concerns that arise from virtualization technologies. The RSA Security Practice of EMC Consulting, leveraging RSA's security expertise and EMC's leadership in virtualization and cloud, offers broad-based security assessments for virtualized environments and new services to secure Virtual Desktop Infrastructures, drawing on RSA best practices and established safeguards to help build secure virtualized and private cloud environments through technology, policy and program development.
Our security consulting services for Virtualization and Private Cloud Security include:
• Security Assessment for Virtualized Environments: We help customers understand the security posture of their virtualized infrastructure and establish optimum plans to achieve policy or compliance objectives - without compromising the value of virtualization technology. These services establish virtualization security policies, management and technology plans that support both virtualization and security objectives.
• Securing Virtual Desktop Infrastructure: Our clients are beginning to exploit the advantages of virtualization at the end point, realizing significant capital expense reductions, improved operational cost advantages, and - equally important - increasing the security of critical data at the desktop. Too often, the lack of endpoint security controls results in information risk. We help our clients apply Virtual Desktop technology in a secure fashion to mitigate this risk while accelerating the overall value of virtualization to the enterprise. RSA Professional Services apply a range of authentication, data protection, and security event management solutions in virtualized environments to accelerate the return on investment of this technology while maintaining the appropriate security controls and posture. Our services span every aspect of design, implementation, optimization and lifecycle use of RSA solutions such as SecurID, DLP Suite and enVision, in conjunction with our knowledge of virtualization technologies, to ensure our clients benefit from their investment.
Token protection: The Web and all the cloud iterations -- private, public, b-to-b, hybrid, and more -- will require that you bring single sign-on to everything computing, even though it has never functioned 100 percent reliably within a private network. Users will want full-range access through one logon name and password/logon token. As such, you will be asked to make that happen, even between systems you don't control. You'll do this by using Web-based federation standards, cloud gateways, and claims-based identity metasystems. Instead of being worried about authentication protocols and password hashes, you'll be protecting XML-based SAML (Security Assertion Markup Language) tokens. If you're not sure what all this is, visit identityblog.com for intro material.
Code obfuscation: Software is also said to be tamper-resistant when it contains measures to make reverse engineering harder, or to prevent a user from modifying it against the manufacturer's wishes (removing a restriction on how it can be used, for example). One commonly used method is code obfuscation. However, effective tamper resistance in software is much harder than in hardware, as the software environment can be manipulated to a near-arbitrary extent by the use of emulation. If implemented, trusted computing would make software tampering of protected programs at least as difficult as hardware tampering, as the user would have to hack the trust chip to give false certifications in order to bypass remote attestation and sealed storage. However, the current specification makes it clear that the chip is not expected to be tamper-proof against any reasonably sophisticated physical attack; that is, it is not intended to be as secure as a tamper-resistant device. A side effect of this is that software maintenance gets more complex, because software updates need to be validated and errors in the upgrade process may lead to a false-positive triggering of the protection mechanism.
Introduction to E-commerce threats:
In spite of a weak economy, one business segment, eCommerce, has continued to experience significant growth. In 2009, eCommerce sales grew by 5.5%, to $205 billion. According to Javelin Strategy & Research, online retail sales are expected to increase by another 13% in 2010. Although eCommerce fraud rates have stabilized in recent years, due in part to retailers' increased vigilance, in 2009 merchants still lost $3.3 billion to online fraud. The sustained growth of eCommerce continues to attract criminals who continuously develop new schemes to defraud merchants and their customers. These cyberthieves persist in devising increasingly sophisticated ways to steal personal account information from merchants, and to accumulate goods, services and quasi-cash through unauthorized use of that information at merchant Web sites. According to the mobile marketing experts Mobi Thinking, there are 5.3 billion mobile subscribers, 77 percent of the world's population. As mobile phone applications are further developed and used across multiple forms of commerce, criminals will continue to enter this space. Security is a particularly acute issue in an era of rapid growth in electronic commerce and Internet trade involving many organizations. Computer crimes committed by criminals who penetrate the systems and networks of credit institutions and banks are a serious threat to the normal functioning of the economy, and the same applies to e-commerce. The security problems of business information in electronic business are so numerous, and the methods and technologies so varied, that they could fill the programme of a specialized conference. Information technology is one of the most important influences on the formation of modern society.
Security Levels:
The security of e-commerce depends on the development of appropriate legislation and other normative and technical documents. The evaluation of commercial security in the IT sector occupies a special place: standardization makes it possible to compare and assess security measures. Security measures for effective protection of commerce on the Internet should be implemented at four levels:
- the legislative level,
- the administrative level,
- the procedural level,
- the software and hardware level.
A national regulatory framework has to be consistent with international practice at the present stage of economic development. National standards and certification standards have to be brought into line with the international level of development of information technology, and with effective evaluation criteria, to ensure e-commerce security.
E-commerce security developments:
- Internet Identity (IID): Internet Identity, currently referred to as IID, is a privately held Internet security company based in Tacoma, Washington. It primarily provides anti-phishing, malware and domain control security services to financial service firms, e-commerce, social networking and Internet Service Provider (ISP) companies. Microsoft uses IID as a data feed for its anti-phishing software as well as a partner in its Domain Defense Program. Other publicly mentioned customers include BECU (Boeing Employees' Credit Union), Monster.com and Yakima Valley Credit Union.
- IBM WebSphere Commerce: IBM WebSphere Commerce is a software platform framework for e-commerce, including marketing, sales, customer and order processing functionality in a tailorable, integrated package. It is a single, unified platform which offers the ability to do business directly with consumers (B2C), with businesses (B2B), indirectly through channel partners (indirect business models), or all of these simultaneously. WebSphere Commerce is a customizable, scalable and high-availability solution built on the Java EE platform using open standards such as XML and Web services.
- Bitcoin: Bitcoin is a digital currency created in 2009, based mainly on a self-published paper by Satoshi Nakamoto. Bitcoin enables rapid payments (and micropayments) at very low cost, and avoids the need for central authorities and issuers. Digitally signed transactions, in which one node signs over some amount of the currency to another node, are broadcast to all nodes in a peer-to-peer network. A proof-of-work system serves both as the countermeasure against double-spending and as the initial currency distribution mechanism.
- GEMs (Guaranteed Electronic Markets): For e-commerce to thrive, new methods and new businesses are required in addition to security. One new method is described by Wingham Rowan in his BBC report: GEMs (Guaranteed Electronic Markets), one centralized, secure shop for everything, which controls product cost and quality, reduces the business cost of e-marketing and aims for the highest customer satisfaction. The operator could be a private player or a government agency, acting in agreement with a standards authority and financial agencies. The standards authority would be responsible for approving the cost and quality of a product or service before it is allowed to be sold at the GEM.
The customer has to be a registered user of the GEM; to protect customer data, GEMs can provide kiosks or tie up with ISPs to control access to the GEM. More e-commerce revenue can be generated by providing better and new services. Here in India, I can call the grocery shop and ask for the items to be delivered at home; the vegetable shop owner keeps a mobile phone, and fresh vegetables are delivered on call. An online grocery shop (with pickup or home delivery options) could free up time for a garden walk, the gym, a movie or more time at work without worrying about household chores. Can IPv6 fill the fridge or buy detergent? The consumer wants instant service, and it is faster to pick up an article from the nearby store, so how about placing an order just before leaving the office or going to a club, and picking up the bag on the way or having it delivered at home? Payment is made online when the order is placed, so the customer must trust the provider. This also creates employment: home delivery staff, store employees to take the online orders and fill the bag, and e-education for consumers and employees.
- Payment Card Industry Data Security Standard: One of an eCommerce business's primary responsibilities related to data security and fraud management is the requirement to comply with the Payment Card Industry Data Security Standard (PCI DSS), a set of obligations mandated by the card networks to help protect consumers' payment card data. The PCI requirements govern how cardholder data is stored, processed, transmitted and accessed by a business. Organizations that store account information are required to certify that they comply with the PCI standards. This certification process, which must be repeated periodically, can be expensive and time-consuming. Large numbers of small and medium-sized merchants are somewhat bewildered by PCI compliance, according to a July 2009 survey conducted by ControlScan, the National Retail Federation and the PCI Knowledge Base. "The standard is meant to keep their customers' data safer but understanding it has proven difficult for small merchants," asserts the group's research report. Fortunately, there are services and solutions available to help eCommerce merchants both avoid data breaches and achieve cost-effective PCI compliance. These services assess the overall cardholder data environment, recommend ways to minimize compliance costs, protect transmitted data, and conduct annual audits to maintain compliance. Data security and PCI compliance services are often available from payment processors, and these services can be well worth the investment. Large payment processing companies handle enormous amounts of personal data, and they must maintain the highest standards of compliance to stay in business. Outsourcing data security to organizations equipped to manage it can reduce the cost and burden of maintaining PCI compliance certification; the most effective way to shrink the scope of an assessment is to keep card numbers out of the merchant's own systems altogether, for example by having the processor tokenize them. PCI DSS compliance is one important step toward maintaining secure eCommerce operations. According to a recent study, retailers that experienced a data breach were 50 percent less likely to be PCI compliant than the overall merchant population. However, it is important to note that PCI DSS is focused on keeping the cardholder data a merchant holds from being compromised. Complying with PCI DSS does not prevent identity thieves from using data already compromised from another source. While providing a more secure transaction environment and helping to reduce the overall quantity of stolen card data in circulation, compliance with PCI DSS does not protect the merchant from accepting potentially fraudulent transactions at checkout.
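The two mechanisms named in the Bitcoin entry of the list above, signed transfers of an output and proof-of-work, as an added toy example that is not Bitcoin's code and not part of the original report: a block is "mined" by searching for a nonce whose double-SHA-256 hash has a required number of leading zero bits, anyone can verify that work with a single hash, and a small unspent-output ledger refuses the second spend of the same coin. Real Bitcoin proves ownership with an ECDSA signature over the transaction; here ownership is checked by owner name only, a deliberate simplification. The coin, the parties and the difficulty are constructed values.

```python
"""Toy proof-of-work and double-spend rejection (added example, not Bitcoin's code)."""
import hashlib
import json


def sha256d(data):
    """Bitcoin-style double SHA-256, returned as hex."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def meets_target(digest_hex, difficulty_bits):
    """True when the top difficulty_bits bits of the digest are all zero."""
    return int(digest_hex, 16) >> (256 - difficulty_bits) == 0


def block_bytes(prev_hash, txs):
    """Canonical serialization of the block body that the nonce is appended to."""
    return json.dumps({"prev": prev_hash, "txs": txs}, sort_keys=True).encode()


def mine(prev_hash, txs, difficulty_bits, max_nonce=1 << 32):
    """Search for a nonce that makes the block hash meet the target."""
    body = block_bytes(prev_hash, txs)
    for nonce in range(max_nonce):
        digest = sha256d(body + nonce.to_bytes(8, "big"))
        if meets_target(digest, difficulty_bits):
            return {"prev": prev_hash, "txs": txs, "nonce": nonce, "hash": digest}
    raise RuntimeError("no nonce found within max_nonce")


def verify_block(block, difficulty_bits):
    """Checking the work costs one hash; forging it costs the whole search."""
    digest = sha256d(block_bytes(block["prev"], block["txs"]) + block["nonce"].to_bytes(8, "big"))
    return digest == block["hash"] and meets_target(digest, difficulty_bits)


class Ledger:
    """Unspent-output set. Ownership is checked by name only (simplification:
    real Bitcoin verifies an ECDSA signature over the transaction)."""
    def __init__(self, initial_outputs):
        self.unspent = dict(initial_outputs)   # output id -> (owner, amount)

    def apply(self, tx):
        out = self.unspent.get(tx["spend"])
        if out is None:
            return "rejected: output unknown or already spent"
        owner, amount = out
        if owner != tx["by"]:
            return "rejected: spender does not own the output"
        del self.unspent[tx["spend"]]                 # the output can never be spent again
        self.unspent[tx["id"]] = (tx["to"], amount)   # ... and a new one belongs to the payee
        return "accepted"


def demo(difficulty_bits=12):
    """Alice tries to pay both Bob and Carol with the same coin (constructed)."""
    pay_bob = {"id": "tx1", "spend": "coin1", "by": "alice", "to": "bob"}
    pay_carol = {"id": "tx2", "spend": "coin1", "by": "alice", "to": "carol"}
    ledger = Ledger({"coin1": ("alice", 5)})
    first, second = ledger.apply(pay_bob), ledger.apply(pay_carol)
    block = mine("00" * 32, [pay_bob], difficulty_bits)
    return first, second, block, verify_block(block, difficulty_bits)


if __name__ == "__main__":
    first, second, block, ok = demo()
    print(first, "|", second, "| nonce", block["nonce"], "| verified", ok)
```

Twelve difficulty bits means roughly 4096 hashes per block, so the demo runs in well under a second; every extra bit doubles the expected work, which is how the network makes rewriting history expensive.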
Tools for Detecting and Preventing Fraud Transactions
Because of the risk inherent in a card-not-present (CNP) transaction environment, where the merchant can examine neither the card nor the cardholder, many merchants have attempted to develop comprehensive strategies for detecting and preventing fraud. With the right tools and technologies, merchants can apply these strategies to conduct business online safely without simply accepting fraud as a "cost of doing business." Until recently, many of the best risk assessment and fraud management solutions were designed for and targeted only at larger merchants, even though merchants of all sizes are vulnerable. In fact, merchants with smaller sales volumes can be at even greater risk because of relative inexperience in fraud detection and a lack of dedicated fraud management resources. Fortunately, powerful tools and technologies for fraud management are now available, and affordable, for merchants of all sizes.
With these technologies, eCommerce merchants have the opportunity to implement fraud management programs using any or all of the following key functions:
1. Automated transactional risk scoring: Specific logic and settings help to distinguish normal purchase behavior from risky transactions. Fraud risk is calculated from multiple data factors and each transaction is assigned a numerical score. The scores, which serve as relative risk indicators, determine the "next steps" for that transaction according to the merchant's preferred operating procedures.
2. Real-time categorizing and resolution: Transactions whose risk scores exceed thresholds set by either the merchant or the fraud solution provider can be automatically placed into different categories for further action. Generally, a transaction is either immediately accepted or rejected, but it can also be flagged for manual review if it falls between those two thresholds. Depending on the fraud solution provider, this categorization may require manual effort to synchronize with the authorization, settlement and fulfillment procedures. Fortunately, some providers allow the fraud service to operate "in-line" with the payment authorization flow, requiring minimal intervention by the merchant and streamlining business processes.
3. Post-purchase transaction management: A good fraud service should also include an interface for reviewing transactions that fall between the "accept" and "reject" thresholds, so that the merchant's staff can decide the appropriate action on a transaction from a single dashboard. The dashboard can include tools and features to assist merchants not only with the initial resolution of a transaction, but also with follow-up activities such as reporting and performance analysis.
It is important to note that the life cycle of fraud management does not begin and end with the purchase attempt. In order to keep handling fraud attempts proactively (as well as to resolve chargebacks and disputes efficiently), merchants need a database that maintains detailed records and can be used to understand transaction trends over an extended period of time.
Re-presenting and resolving fraudulent chargebacks can be a complex and time-consuming effort. Dashboards like the ones mentioned above make it easy to extract the details of a transaction needed to win a re-presentment. Some fraud solution providers will take on transaction review and chargeback re-presentment for an extra cost. Merchants need to decide how much risk management they can administer internally and how much to outsource, depending on budget, staff and other available resources.
4. Adjusting fraud rules and parameters: One common pitfall to avoid is the "one and done" mentality: too often, merchants dedicate a resource to configuring fraud parameters once, but not to ensuring that the parameters are still relevant weeks, months or years later. Fraud trends evolve rapidly, and detection tools need an equally quick response to remain effective. Regardless of which tools merchants use to prevent fraud, those tools should be checked against reports and analytics on a regular basis. Merchant staff should also be trained to react to immediate critical occurrences, such as a sudden attack from a fraud ring in a particular geographical location; these may require significant but temporary changes to the existing fraud settings.
With these fraud management capabilities, online retailers of all sizes can:
- efficiently determine what levels of risk are acceptable for various products, order profiles, shopping behaviors and other combinations of factors;
- adjust rules and logic as needed, based on evolving fraud patterns;
- easily categorize all orders, ideally with a resolution procedure that flows "in-line" with the payment process;
- streamline administrative processes during the entire life cycle of a transaction.
Keeping up with the Latest Threats
Cybercriminals don't stand still, and neither should the security measures of online retailers. That is why successfully managing eCommerce Web site fraud needs to be an ongoing process, not a one-time fix. Payment processors and other service providers can help new and growing merchants keep up with the constantly changing security landscape. They typically observe fraud trends closely and update their services promptly to protect against emerging fraud methods and techniques. For example, some of the more sophisticated fraud management tools now employ device fingerprinting, which records specific characteristics of the computer or smartphone a shopper uses to place orders. By checking whether the buyer's device has ever been associated with fraud (along with other device-specific risk factors), this technique can curtail fraudulent purchases; it is one signal among several rather than proof of identity, since a determined fraudster can alter or rotate the characteristics a fingerprint is built from. Shared databases of individual factors associated with fraud (e-mail address, card number, IP address and more) are another opportunity merchants can take advantage of. Multiple merchants contributing millions of data points over time help fraud systems evolve and adapt across the board, and collectively help keep merchants a step ahead of the fraudsters.
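The four functions listed under "Tools for Detecting and Preventing Fraud Transactions" and the device fingerprinting and shared negative lists described in this section, as one added example that is not part of the original report and not any vendor's product: each order gets a score from weighted rules (address mismatch, order value, disposable e-mail domain, order velocity per device fingerprint, and hits on a negative list of e-mail addresses, IPs, devices and card hashes); thresholds route it to accept, review or reject; and a confirmed chargeback feeds the negative list so the next order from the same device or card is rejected. The weights, thresholds, fingerprint recipe, orders and list entries are all constructed assumptions.

```python
"""Rule-based risk scoring with accept/review/reject routing, device velocity,
and a shared negative list fed by post-purchase outcomes (added example)."""
import hashlib
from collections import defaultdict

ACCEPT_BELOW = 30        # score below this: accept automatically (assumed thresholds)
REJECT_AT = 70           # score at or above this: reject; in between: manual review
VELOCITY_WINDOW = 3600   # seconds
VELOCITY_LIMIT = 3       # prior orders from one device inside the window
DISPOSABLE_DOMAINS = {"mailinator.test", "tempmail.test"}   # constructed list


def card_hash(pan):
    """Fraud systems key on a hash of the card number, never the PAN itself."""
    return hashlib.sha256(pan.encode()).hexdigest()


def device_fingerprint(user_agent, screen, timezone):
    """Simplistic fingerprint; real products combine many more browser signals."""
    return hashlib.sha256(f"{user_agent}|{screen}|{timezone}".encode()).hexdigest()[:16]


class FraudScorer:
    def __init__(self):
        # Shared negative list: attributes seen on confirmed fraud, including
        # entries contributed by other merchants.
        self.negative = {"email": set(), "ip": set(), "device": set(), "card": set()}
        self.history = defaultdict(list)   # device fingerprint -> order timestamps

    def score(self, order):
        """Return (score, decision, reasons) for one order."""
        points, reasons = 0, []

        def hit(weight, reason):
            nonlocal points
            points += weight
            reasons.append(reason)

        if order["bill_country"] != order["ship_country"]:
            hit(25, "billing/shipping country mismatch")
        if order["amount"] >= 500:
            hit(20, "high order value")
        if order["email"].rsplit("@", 1)[-1] in DISPOSABLE_DOMAINS:
            hit(10, "disposable e-mail domain")
        recent = [t for t in self.history[order["device"]]
                  if order["time"] - t <= VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_LIMIT:
            hit(35, "velocity: %d prior orders from this device" % len(recent))
        self.history[order["device"]].append(order["time"])
        if order["email"] in self.negative["email"]:
            hit(60, "e-mail on negative list")
        if order["ip"] in self.negative["ip"]:
            hit(40, "IP on negative list")
        if order["device"] in self.negative["device"]:
            hit(60, "device on negative list")
        if card_hash(order["pan"]) in self.negative["card"]:
            hit(80, "card on negative list")

        if points < ACCEPT_BELOW:
            decision = "accept"
        elif points >= REJECT_AT:
            decision = "reject"
        else:
            decision = "review"          # goes to the manual-review dashboard
        return points, decision, reasons

    def mark_fraud(self, order):
        """Post-purchase feedback, e.g. a chargeback: feed the negative list."""
        self.negative["email"].add(order["email"])
        self.negative["ip"].add(order["ip"])
        self.negative["device"].add(order["device"])
        self.negative["card"].add(card_hash(order["pan"]))


def make_order(oid, t, amount, email, ip, device, pan, bill="US", ship="US"):
    return {"id": oid, "time": t, "amount": amount, "email": email, "ip": ip,
            "device": device, "pan": pan, "bill_country": bill, "ship_country": ship}


def run_sample():
    """Constructed orders; returns a list of (order id, score, decision)."""
    fp_a = device_fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "1920x1080", "UTC")
    fp_b = device_fingerprint("Mozilla/5.0 (Windows NT 6.1)", "1366x768", "Europe/Bucharest")
    fp_c = device_fingerprint("Mozilla/5.0 (iPhone)", "320x480", "America/New_York")
    scorer = FraudScorer()
    scorer.negative["email"].add("refund.me@mailinator.test")   # shared by another merchant
    orders = [
        make_order("o1", 0, 80, "alice@example.com", "198.51.100.4", fp_a, "4111111111111111"),
        make_order("o2", 10, 650, "bob@example.com", "203.0.113.9", fp_b, "5555555555554444", ship="RO"),
        make_order("o3", 20, 50, "refund.me@mailinator.test", "198.51.100.7", fp_a, "4012888888881881"),
    ] + [make_order("o%d" % i, 100 * i, 120, "carl@example.com", "192.0.2.8", fp_c, "378282246310005")
         for i in range(4, 8)]                      # four quick orders from one phone
    results = [(o["id"],) + scorer.score(o)[:2] for o in orders]
    # o2 passed manual review and shipped, then came back as a chargeback.
    scorer.mark_fraud(orders[1])
    o8 = make_order("o8", 900, 60, "eve@example.com", "198.51.100.9", fp_b, "5555555555554444")
    results.append((o8["id"],) + scorer.score(o8)[:2])
    return results


if __name__ == "__main__":
    for oid, points, decision in run_sample():
        print(oid, points, decision)
```

Order o8 shows the post-purchase loop: a new e-mail address and IP are not enough once the device and card are on the list. Tuning the weights against real outcomes is the "adjusting rules and parameters" step; the thresholds here are only a starting point.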
Summary:
Today it is a well-established fact that the world has become dependent on information technology like never before. IT has empowered the world in the true sense, but as the well-known adage goes, "with great power comes great responsibility", and this holds good in IT as well. Here we have tried to understand the ways in which security assessments are done, previewed the latest security issues, and looked at potential ways to counter and prevent them. A better understanding of these issues helps current and future managers to be well equipped for real-life scenarios in the business world and to ensure the smooth running of the business. Whether a retailer's online revenues are $50,000 or $500 million, protection from cybercrime needs constant attention. Even without putting a fraud expert on the payroll, an eCommerce operation can take steps to minimize the risk of transaction fraud at checkout. Advanced fraud management services are fast, flexible and affordable. Even small online retailers can use sophisticated, real-time risk assessment as an integral part of the checkout process, and lay a foundation of security best practices on which their business can grow. Online retailers should consider implementing these best practices:
- Deploy a combination of end-to-end encryption and tokenization to simplify PCI compliance and protect customers' payment card data from being stolen and used fraudulently.
- Make sure all employees understand the risks of card-not-present transactions. Compensate for the lack of in-store controls with real-time screening using both payment information and anti-fraud intelligence from other sources.
- Enable proactive security measures. Don't accept fraud as "just another cost of doing business." Every eCommerce merchant can detect and stop most attempts to make fraudulent online purchases.
Configuring the right kind of fraud logic in the early stages of your business can help you avoid problems later. Use as many tools as are available to you through your payment provider and other resources. Experiment with automated order screening early on, when transaction volume is low and suspicious anomalies in behavior are more easily recognized. Constantly re-evaluate the risk settings and resolution rules so that they catch most fraud attempts without requiring many transactions to be reviewed or denied.
Participate in forums, webinars and other shared experiences with fellow merchants; in many ways, collaboration is the greatest advantage merchants have against fraud. Additionally, for support and guidance on the nuances of fraud management, eCommerce merchants should talk to their payment processor. Ask how to use both payment and non-payment information to detect fraud and gain visibility into shopper behavior. Get recommendations on how to define rules that effectively assess order risk and determine the appropriate resolution of each order.
Find out what level of support to expect in implementing industry best practices for reporting, scoring, scoring parameters and order resolution. Find out whether the payment processor's solution has a user-friendly workflow for resolving transactions and managing chargebacks and reversals.
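The tokenization recommended in the best practices above, and the PCI DSS scope reduction it buys, as an added example that is not part of the original report and not any processor's product: a vault (standing in for the payment processor) swaps a card number for a random token, the merchant's own record keeps only the token and the last four digits, and repeat use of the same card maps to the same token so order history still links up. The vault key, the token format and the card numbers (standard test numbers) are constructed for the example.

```python
"""Card tokenization: the merchant keeps a random token, the vault keeps the PAN
(added example; the vault stands in for a payment processor's service)."""
import hashlib
import hmac
import secrets


def luhn_ok(pan):
    """Luhn check-digit test; rejects typos before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                        # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to PANs. Only this component stores card numbers; the
    merchant application never sees the table."""
    def __init__(self, lookup_key):
        self._key = lookup_key          # secret used only to recognise repeat cards
        self._pan_by_token = {}
        self._token_by_mac = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Keyed hash, so the index cannot be brute-forced from card-number structure
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if mac in self._token_by_mac:               # same card -> same token
            return self._token_by_mac[mac]
        token = "tok_" + secrets.token_hex(12)      # random; nothing about the PAN in it
        self._pan_by_token[token] = pan
        self._token_by_mac[mac] = token
        return token

    def detokenize(self, token):
        """Only the processor, when it needs to charge the card, calls this."""
        return self._pan_by_token[token]


def merchant_record(vault, pan):
    """What the merchant's own database stores about a card: no PAN."""
    token = vault.tokenize(pan)
    clean = pan.replace(" ", "").replace("-", "")
    return {"token": token, "last4": clean[-4:], "display": "**** **** **** " + clean[-4:]}


if __name__ == "__main__":
    vault = TokenVault(b"example-vault-key")          # assumed secret
    rec = merchant_record(vault, "4111 1111 1111 1111")  # standard test number
    print(rec)
    print("repeat card maps to same token:", vault.tokenize("4111111111111111") == rec["token"])
```

Because the token is random rather than an encryption of the PAN, a dump of the merchant database gives an attacker nothing to decrypt; the end-to-end encryption in the same best practice protects the PAN on its way to the vault, which is the one hop where the merchant still touches it.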
REFERENCES:
- www.securitycompass.com
- http://www.isaca.org/KNOWLEDGE-CENTER/RESEARCH/ISSUES/Pages/default.aspx
- http://www.zerodayinitiative.com/advisories/upcoming/
- http://www.isaca.org/riskit
- http://www.firstdata.com/ : "Strategies for Reducing the Risk of eCommerce Fraud"