Sunday, July 26, 2009

This Time Its Network Solutions Reporting a Data Breach

For a long time, various well known companies have been the target of hackers. This has resulted in huge data losses for the company as well as the client's that are associated with the company. Many companies have faced several financial charges by the government or by business partners to satisfy penalty fees.

Network Solutions, which specializes in the domain name registration industry, has recently reported an incident of a breach of data. The breach occurred during March 12 to June 8 2009 and was detected in a check carried out by the company. Though this breach was detected in June, the company took around a month's time to decipher the code that was used in hacking the domain. By that time the hackers had hacked their e-commerce services and had already diverted the transaction details of more than 500,000 registered companies. This shows that industries are still lacking in security measures to prevent the loss of important data.

Network Solutions company issued a statement saying that till now no incidence reporting misuse of information has been reported by any merchant company. The company is now enlisting all those merchant clients' who had made any transaction in between that period. These clients will in turn notify their customers who will then inform their banks to block the credit cards to avoid any misuse.

Network Solutions has offered to bear all the expenses that the customers have suffered. But isn't it more correct to take a few precautionary measures beforehand than facing such incidents? Data loss prevention and a network security assessment are the best tools available for the security assessment of any website and it also helps in avoiding such incidents.

There have been many such companies reporting breaches in the past that have resulted in the bad reputation of those companies. Heartland Payment Systems and RBS WorldPay are a few examples of such breaches. Both these companies had been removed from the Payment Card Industry Data Security Standard (PCI Audit) services' list. The loss of clients and market value was an additional issue.

These incidents indicate that various other similar companies are exposed to such risks. But if they take certain measures to keep their network system in check, they can surely avoid experiencing these kinds of losses. This also ensures the goodwill of the company in the market thereby attracting more clients.

An expert with knowledge of Information Security Risk Assessment has written this article.

Gary Bahadur
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Tuesday, July 21, 2009

Web Security Testing has come of age

Website security is the one of the most dangerous places for a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server based technologies. Next we have the network security layers, network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured, the network protection place, what is left is the only wany an attacker can possible get into a secure environment.

The website is the open frontdor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on Linkedin, I asked the quesion of what are the Web security tools that are favored by the security community ( These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.

1) Foundstone
2) Acunetix WVS
3) Scrawlr
4) N-Stalker
5) Nikto
6) Scarab
7) WebInspect
Fiddler -
9) Samurai Web Testing Framework –
10) FireCAT -
11) W3af
12) CORE Impact
13) Appscan

Having listed these and of course there a re a number of other tools. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, i am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls

Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.

Gary Bahadur

Monday, July 20, 2009

HIPAA Assessments are the next wave

In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable. CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.

The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.

There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.

For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.

Gary Bahadur
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Data Breaches are misunderstood

The Ponemon Institute and Ounce Labs ( released a study on the view CEOs have regarding data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view on how secure their organization is with their executives. 92 percent of respondents said they were attacks. Who has the more realistic view of data security? Could it also be the fault of the executives who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.

The study also found that 33 percent of C-level executives replied that attacks happened "hourly or more often," while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, its the CEO who has to appear on television to explain what happened and answer to their customers.

How do you apply metrics to report appropriately to the CEO? That magic "Dashboard" is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software ( Its worth a look.

The category of technology CEO's need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.

Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.

Gary Bahadur
CEO KRAA Security,
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test