Author: Lauren Papagalos Page 20 of 26

Security at the Source: Static Application Security Testing

Cybercrime is often little more than a battle of wits, and much of that battle comes down to the bad guys finding and exploiting vulnerabilities in a web application that the good guys missed. Poorly or hastily written code leaves weak points for hackers to exploit, often to great effect. A developer’s goal is usually to build a great app, and security sometimes takes a back seat to style and function. Even the best and most security-conscious developers still miss things, which is why being able to automate a review of the source code of every app on your website is invaluable.

The Devil is in the Details

The security landscape is littered with massive security exploits that were traced back to simple mistakes in coding. Even the recent Heartbleed flaw, which undermined the security of a large part of the internet, came down to a single missing bounds check, committed to the open source OpenSSL project by one of its volunteer contributors more than two years before it was found.

Even more troubling: some reports claimed that attackers had known about the mistake and were quietly exploiting it for much of that time. Those claims were never confirmed, but nobody can say for sure how much damage was done before the fix shipped.

That’s why protecting your code from exploits is so critical. Most websites are really just a collection of different apps and plugins developed by third parties, and the security of your website depends on how careful and skilled those third parties are.

Identifying Your Vulnerabilities

To tackle this problem and shut down yet another point of attack, SiteLock recently added something called TrueCode to its arsenal. TrueCode uses Static Application Security Testing, or SAST. SAST tools analyse the source code of the applications you use on your website without executing it, looking for dangerous patterns such as untrusted input reaching a database query or a shell command, and then map what they find. Those results are then delivered to you in a simple report that outlines the severity of each finding and what you can do about it.

It’s a powerful and important way to see how your applications are currently working, what other applications they interact with, and what vulnerabilities they could be creating. And it can even identify critical vulnerabilities and mistakes before you even launch the app, denying hackers the opportunity to exploit it.
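A miniature static checker in the same spirit, written as an added example for this article and not part of TrueCode or any SiteLock product. It parses Python source with the standard `ast` module, flags three kinds of injection sink that are fed with strings assembled at run time, and ranks the findings by severity, much as a scanner's summary report does. The code it scans is a constructed sample, and the rule names and severities are the author's own choices.

```python
"""Toy static analyser in the SAST mould: it reads source text and reports
risky call patterns without ever executing the program under review."""
import ast
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    severity: str
    detail: str


def _qualname(func: ast.AST) -> str:
    """Turn the callee of a Call (e.g. `subprocess.run`) into a dotted name."""
    parts: List[str] = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _is_dynamic(node: ast.AST) -> bool:
    """True unless the argument is a literal: anything assembled at run time
    (concatenation, %-formatting, .format(), f-strings, variables) may carry user data."""
    return not isinstance(node, ast.Constant)


class SinkChecker(ast.NodeVisitor):
    """Walk the AST and flag dangerous sinks fed with non-literal strings."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def _report(self, node: ast.AST, rule: str, severity: str, detail: str) -> None:
        self.findings.append(Finding(node.lineno, rule, severity, detail))

    def visit_Call(self, node: ast.Call) -> None:
        name = _qualname(node.func)
        first = node.args[0] if node.args else None
        keywords: Dict[str, ast.AST] = {k.arg: k.value for k in node.keywords if k.arg}
        shell = keywords.get("shell")
        uses_shell = isinstance(shell, ast.Constant) and shell.value is True

        if first is not None and _is_dynamic(first):
            if name in ("eval", "exec"):
                self._report(node, "CODE-INJECTION", "critical", f"{name}() on a run-time string")
            elif name in ("os.system", "os.popen") or (name.startswith("subprocess.") and uses_shell):
                self._report(node, "COMMAND-INJECTION", "critical", f"{name}() builds a shell command at run time")
            elif name.endswith(".execute"):
                self._report(node, "SQL-INJECTION", "high", "query text assembled at run time; pass parameters instead")
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse and check one file's worth of source; findings come back ordered by severity, then line."""
    checker = SinkChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: (SEVERITY_RANK[f.severity], f.line))


def render_report(findings: List[Finding]) -> str:
    """One line per finding, in the style of a scanner's summary report."""
    return "\n".join(f"line {f.line:>3}  {f.severity:<8} {f.rule:<18} {f.detail}" for f in findings)


# Constructed sample under review (not real application code).
SAMPLE = '''
import os, subprocess

def lookup(conn, user_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    return cur.fetchone()

def lookup_safe(conn, user_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    return cur.fetchone()

def ping(host):
    os.system("ping -c 1 " + host)
    subprocess.run(["ping", "-c", "1", host])

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    print(render_report(scan_source(SAMPLE)))
```

Run against the sample it reports the concatenated SQL query, the `os.system` call and the `eval`, and stays quiet about the parameterised query and the argv-list `subprocess.run`. Real SAST engines add what this toy lacks: tracking where a value came from, so a string built from a constant is not flagged and one built from a request parameter is.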

As SiteLock put it “TrueCode is like having a hacker proofread your code.” And that’s a fundamental pillar of all security. Most vulnerabilities are small, isolated, and hidden from the untrained eye. But when you have experts go through that code, line by line, from the perspective of a hacker, you have a much better chance of finding and fixing that tiny error that could blow a massive hole through your security. And your business.

And it’s not as if TrueCode has to interrupt your business or website to complete this detailed probe. TrueCode actually takes a copy of the application code and does all the testing in its own cloud-based lab. Exactly how security should be – an enabler and not a disrupter or inconvenience. Your customers and your website will never notice the difference, but they will definitely appreciate it.

There are many simple rules to security – it should always consist of multiple layers, it should never stand still, and we should always try to look at website security from the perspective of the hackers. TrueCode hits on all counts. Contact SiteLock today and learn how to integrate TrueCode into your web development workflow.

Update: SiteLock has been recognized by Gartner as part of its Magic Quadrant for Application Security Testing. Get the full report and learn what makes TrueCode so noteworthy.

Author: Neal O’Farrell

10 Takeaways From The 2014 Verizon Breach Report

Every year about this time, Verizon publishes its Data Breach Investigations Report, an annual review of the results of its investigations into thousands of data breaches and security incidents from around the world.

The report can be very data heavy and even a little depressing, but we can learn great things from it. Here are just ten:

Five Dos and Six Don’ts for Responding to a Data Breach

We hope that your business is never the victim of a security or data breach. But, with some studies suggesting [updated for 2017] that data breaches are not only increasingly common but increasingly expensive as well, it’s important to prepare. And part of that preparation includes knowing what to say — and what not to say.

Here are some Dos and Don’ts that might help guide your response:

Data Privacy and the Cybercrime Economy

Speaking in a recent interview on CBS’ 60 Minutes, Tim Sparapani, a former privacy lawyer for the American Civil Liberties Union, commented “Most retailers are finding out that they have a secondary source of income, which is that the data about their customers is probably just about as valuable, maybe even more so, than the actual product or service that they’re selling to the individual.”

It was a chilling admission that the world has changed in ways most of us never expected, and that there may be more value in private data about people than in selling goods and services to those people. Or stealing from them.

11 Things You Should Know About the Heartbleed Bug

It won’t actually make your heart bleed and you can’t catch it. But it has caused a lot of heartburn since it was announced and probably caused lots of websites to bleed valuable data. Here is a list of eleven things you should know about the Heartbleed bug.

  1. It’s a bug in OpenSSL, the cryptographic library many web servers use to provide TLS/SSL, the protection for a user’s communications with a website (the s in https). Around half a million secure web servers were estimated to have been affected.
  2. “Open” means it’s open source and free for anyone to use. It also means all the code is freely available, and has been since OpenSSL was first released more than 15 years ago.
  3. It’s a very big deal. According to Bloomberg, “Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites.”
  4. It was found independently by a Google security researcher and the Finnish firm Codenomicon and disclosed in April 2014, but the faulty code had been in released versions of OpenSSL for about two years. Some reports claimed the criminal community knew of it and quietly exploited it during that time; that was never confirmed.
  5. Heartbleed is not a virus, malware or a hack but simply a mistake in software coding, made, probably innocently, by one of the many contributors to the OpenSSL project: the code that answers a TLS “heartbeat” message trusts the payload length the sender claims and never checks it against the data actually received.
  6. Each malformed heartbeat can leak up to 64 KB of whatever happens to be in the server’s memory: user passwords, session cookies, credit card numbers and even the server’s private key, exactly the things SSL is meant to protect.
  7. Some of the biggest sites on the web were reported as affected, from Gmail and Yahoo to Facebook, Instagram, Pinterest, Google, Amazon, Netflix, and YouTube. However, it’s unlikely your bank’s website was affected because few banks actually use OpenSSL.
  8. A number of news outlets say that criminals weren’t the only ones who knew about Heartbleed and were quietly exploiting it. Some accused the NSA of knowing about Heartbleed for nearly two years and using the flaw as a spying tool; the agency denied it.
  9. If in doubt, change passwords for all your important websites, but only after each site has patched, because a password entered on a still-vulnerable site can leak just like the old one. Some websites are slow to fix the flaw, so it may be safer to change passwords more than once.
  10. If you want to check whether or not a website is still unpatched and vulnerable to Heartbleed, there are plenty of places to do so. Try https://filippo.io/Heartbleed/.
  11. If you host a website, make sure you apply the security update (OpenSSL 1.0.1g or later), then replace the server’s certificate and private key, since the old key may already have been exposed. You can get more information at http://www.openssl.org/.
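To make item 5 concrete, here is a model of the faulty heartbeat handling and of the fix, written as an added example for this article rather than taken from OpenSSL. It follows the message layout from RFC 6520 (a type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and the length check that OpenSSL 1.0.1g added. The “server memory”, the secret placed beside the record and all the function names are constructed for the demonstration; nothing here talks to a network.

```python
"""Model of the TLS heartbeat handling behind Heartbleed, with the fix beside it.
The 'server memory' below is a constructed byte string, not a real process."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING = 16               # RFC 6520 requires at least 16 bytes of padding
HEADER = 1 + 2             # one type byte, two length bytes


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. A dishonest client can claim a payload length
    far larger than what it actually sends (the field allows up to 65535)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING


def respond_vulnerable(memory: bytes, offset: int, record_length: int) -> bytes:
    """OpenSSL 1.0.1 through 1.0.1f: trust the client's length field and copy that
    many bytes starting at the payload. record_length, the size the TLS record layer
    actually received, is never consulted, so the copy runs off the end of the
    record into whatever lies beyond it in memory."""
    _type, payload_len = struct.unpack_from("!BH", memory, offset)
    start = offset + HEADER
    return memory[start:start + payload_len]


def respond_fixed(memory: bytes, offset: int, record_length: int) -> Optional[bytes]:
    """The 1.0.1g fix: refuse any heartbeat whose claimed payload plus padding does
    not fit inside the record that was really received."""
    if HEADER + PADDING > record_length:          # no room even for an empty payload
        return None
    _type, payload_len = struct.unpack_from("!BH", memory, offset)
    if HEADER + payload_len + PADDING > record_length:
        return None                               # silently discard, as the patch does
    start = offset + HEADER
    return memory[start:start + payload_len]


# Constructed stand-in for data that happened to sit next to the record in memory.
SECRET = b"session=9f1c2a7b; -----BEGIN RSA PRIVATE KEY-----"


def server_memory(record: bytes) -> bytes:
    """Lay the received record down followed by unrelated heap contents (constructed)."""
    return record + SECRET + bytes(256)


if __name__ == "__main__":
    honest = build_heartbeat(b"hello")
    lying = build_heartbeat(b"hello", claimed_length=200)
    print(respond_vulnerable(server_memory(honest), 0, len(honest)))   # b'hello'
    leaked = respond_vulnerable(server_memory(lying), 0, len(lying))
    print(len(leaked), SECRET in leaked)                               # 200 True
    print(respond_fixed(server_memory(lying), 0, len(lying)))          # None
```

The honest request gets the same five-byte echo from both versions. The lying request, which sends five bytes but claims 200, pulls 200 bytes out of the vulnerable responder, including the secret that was never part of the message, while the fixed responder drops it. The whole difference is one comparison against the length the record layer already knew.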

To help keep your website protected, all SiteLock plans SecureSpeed and higher include daily vulnerability scanning that detects Heartbleed and similar issues. To learn more call 855-378-6200.

7 Things You Need To Know About PCI

What is PCI compliance and how can it impact your business? We break down the 7 most important things you need to know about PCI compliance.

  1. It’s there for a reason. As the Target and many other data breaches have shown, there’s a huge underground market for stolen credit and debit card numbers. Crooks will go to great lengths to get these numbers, and the resulting breaches can be very costly. Even more important, credit card processors worry that more security and data breaches will hurt consumer confidence in using their credit and debit cards, and that’s bad for everyone.
  2. PCI is like a guard dog that’s not afraid to turn on its master. It’s ultimately designed to protect you, and in the case of smaller firms, without much effort. But if you ignore PCI, it’s not afraid to bite. Failure to comply can mean penalties, fines, and even the inability to accept credit and debit cards.
  3. If you accept credit or debit cards, you can’t avoid it. One of the most common misconceptions is that PCI is only for bigger firms, only applies to businesses that process a minimum number of credit card transactions monthly, or that smaller firms are exempt. None of the above are true. If you accept credit cards, even one transaction, then you have to be PCI compliant.
  4. The world’s major card brands (Visa, MasterCard, American Express, Discover and JCB), whose networks carry the majority of card transactions each day, founded the PCI Security Standards Council and publish the standard as a free roadmap to help you protect against card breaches. And PCI is not just about protecting credit cards. It’s ultimately about protecting your business, your reputation, customer trust, and your future. Not a bad freebie when you think about it.
  5. It’s not a security guarantee. The more credit card transactions you process each year, the more complicated PCI can get. The higher the number of transactions, the more rules you have to follow and the more it will cost you. Yet in spite of all the rules, being PCI compliant is no guarantee that you’ll be secure. PCI should be seen as a baseline and a minimum standard, meant to be combined with other layers of protection.
  6. With so many breaches, and so much in-depth coverage of them, it’s become apparent that even major organizations with huge investments in security and compliance have still fallen victim to security breaches. That’s led to calls to make PCI even tougher. You can expect that to happen in the next few years.
  7. Becoming PCI compliant is easy – remarkably easy for a small merchant. For most smaller businesses, compliance is based around a self-assessment questionnaire (SAQ): you answer a set of questions and conduct the assessment yourself, while only the largest merchants need an on-site assessment by a qualified assessor. A major focus of compliance is making sure that if you accept payments through your website, your website is secure, and for many online merchants the questionnaire also calls for a quarterly external vulnerability scan by an approved scanning vendor. Luckily that’s also easy. Firms like SiteLock can manage that process seamlessly and affordably.

Becoming PCI compliant is necessary for all businesses that accept credit cards online. If you need help getting started, SiteLock is available 24/7/365. Give our security experts a call at 855.378.6200.

7 Website Security Myths Hackers Want You To Believe

Learn the top 7 website security myths hackers are hoping you believe…

Myth #1: You’re too small to be of interest to them.

Let’s face it, it’s the most common excuse made by business owners. It seems preposterous to them that of the tens of millions of businesses around the world, many of them very lucrative, busy hackers would have time for them. What they don’t realize is that cybercrime has become automated and the hackers have sophisticated tools that will scour the internet looking for unprotected websites and poorly protected or unpatched computers and networks.

Myth #2: You have nothing worth stealing.

“I don’t take credit cards,” or “It’s all handled by a third-party processor” are common responses, and based on the belief that hackers are only after credit cards. All data, any data, is of value. That can include names, addresses, phone numbers, email addresses, buying habits, purchasing history, employee records, Social Security Numbers, intellectual property, passwords. And often the hackers don’t want to take, they want to give. Like using your unprotected websites to hide malware that will be spread to visitors to your site.

Myth #3: If there is a breach, it won’t be a big deal.

In reality, the smallest security breach can be a really big deal. There have been many cases of smaller firms being wiped out by a single piece of malware accidentally downloaded by an employee. And if the hackers don’t get you, the lawyers might. There is now an army of lawyers whose only focus is to sue businesses on behalf of customers whose data was exposed in data or security breaches. And of course there are all the regulators and the fines they can impose, not to mention the long-lasting damage to your brand and reputation if your customers think they can’t trust you.

Myth #4: Antivirus software and a firewall are all you need to be safe.

Don’t get me wrong, they’re essential, but there’s so much more to security. Businesses that have relied on just the basics have found out the hard way that hackers are way too determined to be deterred by the basics.

Myth #5: A website is really just a flashy billboard to advertise your business.

Your website is so much more. It’s often the only way customers can find your business, so if it’s compromised, blacklisted, or otherwise not available, your customers are going elsewhere and probably not returning.

Myth #6: Your employees pose no risk.

No one would ever accuse Irene in accounts of being a hacker’s best friend, right? But many security and data breaches start with hackers exploiting simple mistakes by employees. If your employees are not trained to be sentries, they’ll quickly be turned into vulnerabilities.

Myth #7: Your password is perfectly fine.

How often do you think about your own passwords, let alone those of every other employee in your business? One weak password is all it takes, and in reality most passwords are weak and exploitable. If that weak password guards FTP access, a complete stranger may end up owning your website.

Don’t be fooled by these myths. To learn how you can protect your website and keep hackers out, give the SiteLock security experts a call at 855.378.6200. We are available 24/7/365 to help.

10 Business Cybersecurity Tips

Budget should never be a reason for ignoring security. Neither should worries that you’re technically challenged. Here is a list of ten things you can do to help defend against cyber risks.

  1. Look in the window. Most business owners look at their websites and security risks from the inside out, and never see what they look like from a hacker’s perspective. Even a cursory inspection, and better still a basic website scan, can help you spot vulnerabilities quickly.
  2. Understand what the risks are. After all, you can’t fix them if you don’t know what they are. A little light reading on common business and website risks could tell you all you need to know. Focus on technical and procedural risks – from exploits of unpatched vulnerabilities to common errors by employees.
  3. Focus on passwords, especially the one for your FTP account. Passwords can be the keys to the kingdom, and even the biggest security breaches at the biggest businesses have been traced to the smallest password mistakes. Plain FTP also sends that password across the network unencrypted, so use SFTP or FTPS wherever your host offers it.
  4. If your business has a lot of sensitive information to protect, consider having your website developers use a dedicated computer to access the website. This can significantly reduce the risks of things like keyloggers, which can steal website passwords and give hackers access. By using a dedicated computer that’s not used for anything else, you eliminate the risk of downloading a keylogger or other malware through drive-by downloads, email attachments, or infected files.
  5. Create a list of your Top 10 security rules that everyone has to follow, and make sure everyone knows what those rules are. Ten is a good number. You could easily have a hundred, but too many could cause more harm than good. Focus on the biggest risks and vulnerabilities and pursue them relentlessly.
  6. If you accept credit cards, make sure you’re PCI compliant. Achieving PCI compliance is not difficult or expensive, especially for smaller businesses. Not only is PCI a great place to start on security, you don’t have an option. Failure could mean big fines and the inability to accept credit card payments.
  7. Don’t forget to get physical. Not all attacks or exploits have to be digital or virtual. Hackers can walk into an unprotected business or rummage through a dumpster. And many of the information-rich laptops and tablets stolen in burglaries end up in the hands of cybercrooks.
  8. Control who you give access to. That can range from access to buildings and rooms to access to computers, networks, and websites, to access to specific files and privileges. It’s not about people getting access to sensitive data, it’s about the wrong people getting access.
  9. Choose your web hosting provider carefully. There are thousands to choose from so pick yours thoughtfully and focus on what they say about security. If they don’t talk about it at all, that could be a warning sign. If they do mention security, present them with your list of top security worries and risks and see what their response is.
  10. Review your security regularly, with a comprehensive top-down review at least a couple of times annually. Nothing stands still, and new vulnerabilities are being discovered or created daily.

8 Malware Threats To Watch Out For

Malware threatsSo many malware threats, so little time. We’ve rounded up the eight most dangerous malware threats every business needs to be aware of.

1. Banking Trojans

From Citadel to Zeus, banking Trojans have proven to be some of the most potent and profitable malware tools. This malware focuses on stealing bank account logins, which in turn can be used to steal whatever is in those accounts. It is believed that Zeus alone has been used to steal more than $120 million from compromised accounts.

2. Backdoor Trojans

Backdoor Trojans are designed to give hackers the very same access and rights to a computer or network as the administrator in charge of managing them. Which means hackers can do a lot of damage over an extended period – from stealing information and deleting files to changing passwords and modifying security settings.

3. Keyloggers

Keyloggers have once again become a favored tool of cybercrooks. They’re designed to steal anything that’s typed on a keyboard and even on a touch screen. In recent tests, only one of 44 of the most popular antivirus software products in current use was able to detect even the simplest keylogger.

4. Ransomware

Ransomware like CryptoLocker is also on the rise, and researchers claim that the malware has been so successful in making money for its creators that it’s likely to spawn lots of copycats. Ransomware makes money by encrypting the data on an infected computer and then charging a fee or ransom to release that data back to its owners. One small cyber gang is believed to have made more than $27 million using CryptoLocker.

5. Exploit Kits

Exploit kits are the road crew of the malware industry. Their job is not so much to commit the crimes as to set them up. An exploit kit is hosted on a malicious or compromised web server; when a victim’s browser lands on it, the kit probes for unpatched software such as the browser itself or its Java and Flash plugins, fires a matching exploit, and then runs a Trojan downloader or dropper that fetches whatever malware the criminals choose. In 2013, the Blackhole Exploit Kit was most commonly used to deliver the Zeus banking Trojan.

6. Bots

Bots are tiny pieces of malware, at least compared to their malware cousins described above. And unlike their cousins, they’re not specifically designed to attack the host computers they infect. Instead, bots take control of the infected computers, sometimes millions of infected computers at a time, to assist in other crimes. Those crimes could be to share or hide stolen information, distribute child pornography, or attack other computers.

7. Drive-by Downloads

Drive-by downloads, like APTs, are not really malware but attacks designed to help malware. They don’t necessarily break into the bank, just cut the hole in the roof for others to climb through. Vulnerable websites are infected with code that’s not designed to attack the website itself but to spread malware to that site’s visitors, usually by silently sending their browsers to an exploit kit. One recent report found that crooks now prefer to spread malware through websites rather than email by a ratio of 5 to 1, because it’s much more effective.

8. Advanced Persistent Threats

Advanced Persistent Threats, or APTs, may not really be a type of malware either but a type of attack that usually involves malware. And usually the most sophisticated kind. APTs have been growing in popularity because they work, and get their name because the attackers will often pick very specific targets and attack them relentlessly over a long period and using some very sophisticated attack tools. Some companies and even individuals targeted by APTs have been attacked as often as thirty times in thirty days.

Constant vigilance and layers of security are your best defense against malware. It’s much more cost-effective to put security in place proactively rather than react after an attack. SiteLock’s website security solutions can find and even automatically remove malware, as well as block malicious traffic from accessing your website in the first place. Call our security experts today at 877.563.6200. We are available 24/7 to help.

Don’t Let Your Employees Become The Enemy

Of all the threats that could be stalking your business daily, it is most unpleasant to think about the fact that the biggest threat could already be inside your walls, maybe even on your payroll. Unfortunately there’s plenty of evidence to suggest that the biggest source and cause of security incidents is the humble employee.

The good news is that few of these incidents are deliberate attacks or frauds by your most trusted insiders. Instead they tend to be innocent mistakes which could easily be avoided but which are quickly taken advantage of by hackers.
