Monthly Archives: March 2012

Online payments: PCI DSS

March 31, 2012

The days when making a payment represented the end of a transaction could be well and truly over, according to the acting managing director of PayPal Australia.

Speaking earlier this month about the country's changing retail space, Elena Wise asserted that retailers – particularly those who take payments online – are perfectly positioned to use these transactions to begin an ongoing relationship with their customers.

She said: "Payments no longer signal the end of a transaction, and if retailers use their data intelligently, they can connect with customers in new ways to drive demand and build loyalty."

Wise added that this process can be approached in a number of different ways – either by presenting online customers with relevant product information while they are browsing a retail site, or by utilising knowledge of a customer's purchase history to their advantage.

All retailers – regardless of size, are required to comply with PCI DSS standards. These international requirements can vary depending on the size of your company – and may be particularly relevant to Australians who shop online with overseas merchants.

PayPal figures from January indicate that with the Australian dollar at a historic high against the British pound, UK retailers such as TopShop, ASOS and Book Depository are particularly popular among an Aussie clientele.

PayPal advises Australian customers shopping online from international retailers to also take matters into their own hands when it comes to protecting their digital footprint – ensuring their personal data remains secure.

Good Business with Ethical Hacking

March 30, 2012

It is universally recognised that a brand that keeps good security measures in place is able to enjoy a better share of market confidence than one that publicly fails to manage the data it holds effectively.

While this may be an obvious marketing benefit of being seen to be conscientious in managing digital security, the financial effects can also be substantial.

Some firms may baulk at the prospect of ethical hacking – having a team of specialists delve into a system from the outside could seem counter-intuitive.

However, the benefits of this sort of activity are also quite weighty, as the trained professionals can uncover blind spots and security gaps before they are ever made public.

This helps to demonstrate a level of corporate responsibility that goes above and beyond legislative requirements, with a proactive stance that improves public perception and client morale.

On top of this, an ethical breach audit helps to serve as an investment in security – allowing the firm to make improvements to their defences and practices before a potentially expensive situation occurs.

In this way, good online security helps to act as a sort of digital insurance that protects against future events – a practice that is always good for business.

Covering your client’s assets with PCI DSS

March 28, 2012

Following in the wake of the news that a major card processor had been breached by hackers in the US, it is understandable that customers and clients are more wary when considering parting with their payment details online.

While Australian consumers are often protected from credit fraud by law – they are not liable to pay for the purchases and transactions they do not make – this does little to ease the disquiet of consumers who have had to cancel their cards in the past.

This is because the act of purchasing a good or service – whether it be in person or online – implies a level of trust that both parties are going to honour their end of the transaction.

On the customer side, the patron is placing their faith in the vendor to have the systems in place that protect their personal details – and by extension their financial assets.

Being able to demonstrate commitment in this area can be difficult without a visible certification from a leading authority – and for most businesses this is the payment card industry data security standard.

With an evolving set of guidelines that are laid out by leading industry providers, the PCI qualification means that a firm has the systems in place that actively protect their client's details, removing the opportunity for malicious parties to gain access to privileged information.

Secure Audits for Third-Party Providers

When firms sign up to a cloud service provider, the decision is usually in terms of utility versus cost – as external providers can usually supply better software and applications than are available to a firm using their own in-house assets, but without the initial purchase cost.

Of course, these transactions are only entered into with the understanding that the external partner will do their best to ensure the safety and security of their client's data.

However, the concentrated nature of the details stored by specialist service providers often make them a prime target for malicious parties, with the proprietary nature of the data making it highly valuable.

While the provider may assert that they are on top of their game in terms of online protection, due diligence demands that responsible firms have a clear picture of the measures currently in place.

A professional security audit from an external provider can deliver a clear report into the depth and breadth of a firm's digital capacities – providing an unbiased review of the promises made during the primary sales contact.

Everything from encryption standards, storage methods and transmission protocols can be covered – providing managers with peace of mind that their partnership is secure before they sign on the dotted line.

Vulnerability management plans for employee flash drives

March 27, 2012

As the price of memory used in USB flash drives plummets, the capacities of the devices seems to grow at an equal rate, improving their usefulness across a range of applications.

In turn this makes the ubiquitous 'memory stick' something of a baseline commodity that is used in almost every industry to transfer data and documents from one machine to another without using wireless connection, content management systems or other digital options.

However, this same level of familiarity makes USB drives something of a target for malicious activities, both as a source of valuable details and as a point of injection for future attacks.

A common practice is to pick up a device, check it for information, and then return it with a hidden installer that activates when it is plugged into a victim's machine.

In response, many firms issue blanket bans on the use of such devices across their in-house facilities – the reasoning being that if no information is stored or received on flash memory sticks, there is no chance of them falling into the wrong hands.

While this approach may have its merits, it still pays to have vulnerability management plans in place should the potential for a security breach arise.

<br /

Vulnerability management for social media

March 26, 2012

The explosive growth experienced in the realm of social media makes it an obvious channel for malicious parties to probe for vulnerabilities in commercial organisations.

Because it is such a new medium for many users, they may not be aware of the security steps needed to ensure the safety of the firm's digital assets.

However, this does not mean that a blanket ban on social pages is the most appropriate response to the threats they pose to a firm.

This is because, when properly applied, the reach available to a company through these channels is quite significant and can deliver efficiencies of scale previously unattainable.

To this end, a hybrid approach may be beneficial, with a modern plan to vulnerability management ensuring that systems are in place to handle threats should a situation arise, as well as providing ongoing training for staff members in the appropriate use of social channels.

In essence, this will allow employees to continue to make use of online media to interact with target audiences and colleagues in value-adding activities while keeping the necessary systems in place to protect a firm from malicious activities.

ACMA website helps users perform DNSChanger security audit

A recent release from the Australian Communications and Media Authority (ACMA) has alerted individuals and businesses about an online threat that could affect thousands of unsuspecting victims.

Known as the DNSChanger, the malware interrupts the usual lookup activities performed by the computer when searching for an IP address associated with a particular URL.

As the ACMA explains it: "DNSChanger is a class of malicious software (malware) that changes a user's Domain Name System settings, enabling criminals to direct unsuspecting internet users to fraudulent websites and otherwise interfere with their web browsing."

The FBI has announced its plans to pull the plug on a set of DNS servers that where initially set up to redirect a user's infected browser to a site of the controller's choosing – setting the date of July 9.

When the servers are taken offline, the affected computers will be unable to access the service that converts URLs into actual websites – meaning that users would be forced to enter IP addresses manually.

In conjunction with the Australian government's Computer Emergency Response Team (CERT), the ACMA has launched the DNSChanger Diagnostic website – – to allow users to perform a quick security audit of their system.

If it is found to be infected, the site provides advice, documentation and online tools to assist the user in removing the malware.

Security audit helps workers get on with their duties

March 24, 2012

In organisations around the world, it is often the case that there are two definitions of how work is supposed to 'get done'.

On one side there are the managers and policy-setters who set up frameworks and regulations in order to make the best use of the business' resources, while at the same time trying to protect it from outside threats.

However, if these restrictions cause slowdowns in workflow – and many do – then employees will be tempted to explore options outside the required framework in order to complete their tasks.

The problem is that while most third-party professional applications are benign, they still create opportunities for malicious parties to exploit a breach in the organisation's defences.

On top of this, the potential improvements rendered by external services can be quite valuable to the entire firm – as long as it passes a security audit.

Trusting this process to the individuals who use the system is not always a wise idea, as their familiarity and appreciation for its services may cloud their judgement.

A more diligent approach is to have a work system reviewed by an impartial team of security experts who are trained in the techniques used by malicious parties to gain access to privileged information through external services.

Ethical hacking specialists to assess online defenses

March 22, 2012

When malicious parties attempt to access the digital assets of a firm, it may not always be to try and gain control over financial information.

The contact details stored by a business can be just as valuable to third parties as bank accounts and credit card numbers, simply because of the opportunities they represent.

While many companies are quite diligent in storing their sensitive information away from prying eyes, it can be tough for those on the inside to know exactly how much information is available during a committed attack.

To get a clear view of the digital features that are the most easily accessible – but without the dangers of actually losing data – an ethical hacking team can be organised to examine the defences.

Reporting their findings directly back to the company, an online security team can perform penetration testing to all areas of a firm – or limit their activities to specific areas that are of concern to the business.

This allows managers in charge of the protection of digital assets to know which parts of their framework represent the biggest threat, allowing them to act before an actual attack occurs.

Why social information systems require extra vulnerability management efforts

March 21, 2012

As firms move away from a 'knowledge management' mindset – where the information available to employees is strictly controlled – there are a number of important considerations that need to be addressed.

While the free exchange of ideas available through transparent data exchanges such as internal wikis and open archive servers can be of great value to a firm, they can also open doors for malicious parties to gain access to privileged information.

Being able to access details can enable staff members to make informed decisions faster, but the trusting nature of such a build means that a company needs to be extra vigilant in terms of vulnerability management.

This is because once an intruder has access to a system, they may be able to freely access a range of material that would otherwise be segregated according to the firm's hierarchy.

It also means that social engineering attempts and online lures can be more dangerous to a company than other, more direct efforts of penetration – as all a party needs is a set of employee credentials in order to be able to gain access to privileged details and valuable digital assets.