Your website is your window on the world – it’s your shop front, your brand on display and a key route to market and perhaps your most essential sales and marketing tool. And as such it critical to your business: and if something bad were t…
Ciphers have been in use since around 3,000B.C., but their importance and relevance for information security has really come to the mainstream with the growth of the Internet and the escalating volumes of data exchanged on line every day.
The history o…
What a summer of sport it has been. We’ve witnessed in our millions the British & Irish Lions rugby team triumphing in the Rugby Union Test series in Australia; Chris Froome winning the 100th edition of the Tour de France; Missy Franklin taki…
There are deep and disturbing sides to the Internet where businesses should fear to tread, if they want to keep themselves safe. So called ‘dark’ search engines, for example, certainly need to be approached with extreme caution.
Take Shodan, a search engine that navigates the Internet’s back channels. It’s akin to a ‘dark’ Google, helping hackers to find out the servers, webcams, printers, routers, systems, networks etc… that are vulnerable to tampering.
Shodan has been designed to help users track down certain types of software and hardware, determine which applications are most popular, identify anonymous FTP servers, or investigate new vulnerabilities and what hosts they could infect. All good stuff and useful to know. But Shodan also serves as a window into millions of unsecured online connections; and you definitely wouldn’t want those connections to be yours. It’s similar to a bank opening up for business in the morning and leaving the safe ajar by the front door – an open invitation to enter the inner workings of your organisation and see what riches are there to be had.
Shodan, it seems, runs non-stop, collecting data from hundreds of millions of connected devices and services each month. Through a simple search, a user can identify a number of systems that either have no security measures in place or generic passwords that can be hacked easily, leaving unwary organisations open to hazardous attacks.
There are accounts of one independent security penetration tester confirming that, amongst a number of unsecured systems he located using Shodan, were: a carwash that could be turned on and off remotely; an ice hockey rink in Denmark that could be defrosted with a click of a mouse; and a traffic control system for an unnamed city that could be put in ‘test mode’ with one command entry. But that is by no means the worst. Cybersecurity researchers are also said to have located command and control systems for nuclear power plants and a particle-accelerating cyclotron, using Shodan. Even allowing for apocryphal stories and a degree of hyperbole, that has to be worrying.
The biggest security flaw, argues Shodan’s creator John Matherly, is that many of these susceptible systems should not even be connected to the web. “Of course, there’s no security on these things. They don’t belong on the Internet in the first place,” he says. Many systems can now be controlled by computer, so IT departments hook them up to a server, instantly making systems and devices available to anyone with an Internet connection. It’s all part of that great unknown sometimes referred to as ‘The Invisible Web’ – the area of the WWW that isn’t indexed by the search engines. And it’s a high-risk place to be, if you don’t have the right protections in force.
Indeed, tightly targeted cyber-espionage attacks, designed to steal intellectual property, are hitting the manufacturing sector and small businesses with ever greater venom, warns Symantec’s latest ‘Webiste Security Threat Report’, with the latter, highly vulnerable, organisations the target of 31% of such attacks – a threefold increase on 2011. Targeted attacks overall have seen a massive 42% surge during 2012, compared to the previous year.
It’s also worth noting that in many cases protecting yourself, your company and your intellectual property online is not difficult, as long as you start with solid foundations such as securing your websites, intranets, extranets etc… with the latest encryption technologies from Symantec.
Using Symantec SSL is a cost-effective security measure for websites; when SSL is deployed site wide in a persistent manner it helps to protect the entire user experience from start to finish, making it safer to search, share and shop online. This encrypts all information shared between the website and a user (including any cookies exchanged), protecting the data from unauthorised viewing, tampering or use. The Online Trust Alliance is one leading organisation calling for websites to adopt the use of persistent SSL on websites (which is also known as ‘Always-On SSL’), with some of the world’s most successful names having successfully implemented it, including Google, Twitter and Facebook.
You might also want to look at Symantec Validation and ID Protection Service when shoring up your defences. This is a powerful cloud-based authentication service that enables enterprises to secure access to networks and applications, while keeping out malicious, unauthorised intruders. A unified solution providing both two-factor and risk-based tokenless authentication, VIP is based on open standards and can integrate readily into your enterprise applications.
With solutions such as these firmly in place, you should have the foundations in place be able to make light of even the Internet’s darkest places but don’t stop there. And as a colleague of mine writes here….”As we near the 2-year anniversary of Stuxnet, it is high time to check where your own organisation stands. While doing so could be relatively quick (particularly using such databases), dealing with the damage would take much longer so we strongly recommend the former course of action. “
There is no time like the present to review what you do and take the appropriate steps to ensure your organisation is protected both now and in the future.
Eräs ystäväni soitti minulle viime viikolla (olen ystäväpiirissäni se IT‑/tietoturvatyyppi). Hän kysyi, mitä pitäisi tehdä, jos on saanut alla olevan ilmoituksen, sillä hän ei ollut nähnyt vastaavaa aikaisemmin. Kuten alla näkyy, ilmoituksessa varoitetaan, ettei kyseinen sivusto ole välttämättä enää turvallinen, koska sen SSL‑varmenne on vanhentunut.
Vastasin välittömästi, ettei hänen pitäisi missään tapauksessa jatkaa eteenpäin. Jos epäilyttää, voi siirtyä toiselle sivustolle, käydä liikkeessä paikan päällä, yrittää soittaa tai lähettää yritykselle sähköpostia, mutta verkkosivustoa ei kannata käyttää. Ystäväni vastaus oli melko yllättävä: Tiedusteltuaan ongelmasta Twitterissä hän oli saanut kyseisen sivuston edustajalta neuvon, jonka mukaan ”tästä varoituksesta ei ole mitään syytä huolestua”. Pohdittuani asiaa hetken tajusin, että neuvo oli varsin kauhistuttava. Miksi luotettavalta sivustolta annettaisiin noin kummallisia ohjeita?
Syy numero 1: Sivusto ei halua menettää yhtäkään asiakasta.
Syy numero 2: Sivustolla ei ymmärretä edes perusasioita sen suhteen, kuinka kuluttajien luottamus rakentuu, mistä syystä asiakkaille annetaan vääriä neuvoja.
Syy numero 3: Sivustolla ei olla tietoisia, mitkä ovat seuraamukset, jos ihmiset noudattavat tämänkaltaisia huonoja neuvoja.
Oletin, että kysymyksessä oli syy numero kolme, joten soimasin sivuston omistajia. Sitten aloin tutkia tätä nimenomaista ongelmaa ja sivustoa tarkemmin selvittääkseni, mitä oikein oli tapahtunut. Tällä kertaa oli kyse verkkokauppasivuston ylläpitotiimin tarkkaamattomuudesta. Varmenne oli ehtinyt vanhentua huomaamatta, joten he yrittivät paikata tilannetta ja lieventää epähuomiossa sattuneen virheen vaikutuksia. Se, että asiakkaita käsketään ohittamaan varoitus, ei kuitenkaan ole minkään järkeenkäyvän parhaan käytännön mukaista. Antaisivatko he saman neuvon seuraavan kerran kun jotakuta asiakasta pyydetään sähköpostitse paljastamaan luottokorttitietonsa ja kotiosoitteensa? Toivottavasti eivät. Entäpä jos heidän sivustoonsa olisi tarttunut haittaohjelma? Tiettävästi 61 prosenttia haitallisista sivustoista on todellisuudessa aitoja verkkosivustoja, joiden tietoturva on vaarantunut tai joille on tartutettu haitallista koodia. Vuonna 2012 verkkosivustotyypeistä, jotka isännöivät haittaohjelmia, yritys‑, teknologia‑ ja ostossivustot olivat viiden yleisimmän joukossa (lähde: englanninkielinen Symantec ISTR 2013 -raportti). Jos tietokoneeni virustorjuntaohjelma havaitsisi haitallisen sivuston ja estäisi sen, kehotettaisiinko minua ohittamaan sekin varoitus ja jatkamaan vain eteenpäin?
Esimerkit edustavat ehkä ääripäätä, mutta jos käyttäjiä kehotetaan ohittamaan heidän suojakseen tarkoitetut tietoturvavaroitukset, kyseessä on huono käytäntö, eikä verkkokauppiaiden pitäisi missään tapauksessa heikentää asiakkaiden luottamusta tällä tavoin.
Minkä neuvon antaisin siis itse sekä ystävälleni että suurelle yleisölle? Valittakaa! Ja valittakaakin kunnolla. Käyttäkää live chat ‑keskustelutoimintoa, muualla verkossa julkaistua puhelinnumeroa ja sosiaalista mediaa. Laittakaa häpeämään ne ihmiset, jotka käyttävät luottamustanne hyväkseen ja saattavat teidät mahdollisesti vaaraan. Vaatikaa, että sivuston on vakuutettava teidät, jotta voitte käyttää sitä: sivustolla tulee olla näkyvissä Norton Secured Seal ‑tunnus tai muu luotettavuusmerkki, josta käyttäjät tietävät, että sivusto on tarkistettu, eikä sillä ole haittaohjelmia. Tehkää myös selväksi, ettette aio käydä kauppaa kyseisen yrityksen kanssa niin kauan kuin selaimessanne näkyy sivuston turvallisuutta tai tietoturvaa koskevia varoituksia. Kuluttajilla on paljon valtaa, ja jos valitamme ja äänestämme jaloillamme, viestimme tämänkaltaisten sivustojen omistajille pitäisi kyllä mennä perille. Toki monet meistä sulkevat epäilyttävän sivuston heti varoituksen nähtyään, mutta on myös käyttäjiä, jotka eivät vain ole varmoja, kuinka toimia, tai joita vedätetään kylmästi käskemällä ohittamaan asianmukaiset tietoturvavaroitukset tai antamalla muita huonoja neuvoja.
Jos me tällä alalla kehotamme toistuvasti käyttäjiä ohittamaan varoitukset, me saatamme aliarvioida luottamuksen ja verkkoturvallisuuden merkityksen – ja miksipä ottaisimme sen riskin, sillä verkko on täynnä mahdollisuuksia (ks. englanninkielinen blogikirjoitus).
Tietoturva‑alan toimijat tekevät parhaansa luodakseen varoituksia ja kehittääkseen suojausmenetelmiä työkaluihin, joiden avulla verkossa harjoitetaan liiketoimintaa. Kenenkään tällä alalla työskentelevän ei pitäisi ikinä neuvoa ketään ohittamaan varoituksia. Verkkokauppasivusto, joka antaa asiakkaalle huonoja neuvoja, ansaitseekin menettää kyseisen asiakkaan, sillä kun luottamus on kerran menetetty, sitä on lähes mahdoton voittaa takaisin. Ja siinä vaiheessa tappio on meidän kaikkien yhteinen.
The public sector has a somewhat mixed record when it comes to staving off security breaches within its walls. In the UK, for example, the hugely embarrassing data losses at HMRC (Inland Revenue/Taxation services) – when the personal details of 25 million people were heavily compromised, due to what were described as “serious institutional deficiencies” – still linger in the mind a few years down the line.
On the plus side, the UK government has been heavily engaged in getting its own house in order, identifying information security as a key priority for 2013 and beyond. In recent months, new initiatives to address growing cyber security threats have been announced, with a cyber security ‘fusion cell’ established for cross-sector threat information sharing. The intention is to put government, industry and information security analysts side-by-side for the first time. The analysts will be joined by members of intelligence agencies, law enforcement and government IT, as they exchange information and techniques, and monitor cyber attacks in real time.
However, many of today’s businesses work across international boundaries, so preventing breaches and loss of data has become a world-wide challenge. According to a report from Ernst & Young, ‘Data loss prevention: Keeping your sensitive data out of the public domain’, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world.
“A wide range of high-profile data loss incidents have cost organisations millions of dollars in direct and indirect costs, and have resulted in tremendous damage to brands and reputations,” it states. “Many different types of incidents have occurred, including the sale of customer account details to external parties and the loss of many laptops, USB sticks, backup tapes and mobile devices, to name just a few. The vast majority of these incidents resulted from the actions of internal users and trusted third parties, and most have been unintentional.
“As data is likely one of your organisation’s most valuable assets, protecting it and keeping it out of the public domain is of paramount importance. In order to accomplish this, a number of DLP [Data Loss Prevention] controls must be implemented, combining strategic, operational and tactical measures.”
In the face of such global threats, governments are responding. The European Commission, for example, has introduced a computer emergency response team in each member country to promote reporting of online attacks and breaches. The recently published draft EU Cybersecurity Directive makes it compulsory for all ‘market operators’, including utilities, transport and financial services businesses, as well as public authorities who use ‘network and information systems’ within their businesses, to implement technical and organisational measures to manage cyber risks.
These organisations will be subject to independent regulation, have to disclose security breaches to the regulators, submit to compulsory regulatory audits and be sanctioned, if they fail to comply with the law.
All good news, then… But the simple reality is that any public sector department or body intent on ensuring its own security could readily put in place measures to stop such data breaches and losses, such as, for example, secure File Transfer Protocols and Data Guardians (a secure database application with up to 448-bits of Blowfish encryption), enabling the locking down of data.
Public sector organisations are often, by their nature, large and complex, making it relatively easy for a rogue employee to access a sub-set of highly sensitive data; or simply to move on to another job, with the organisation unaware that a certificate relating to that employee is about to expire, all due to a lack of adequate central management. So they need such solutions.
Take Symantec’s Managed PKI for SSL service, for example, which enables organisations to manage and deploy SSL certificates from a single centrally managed platform, while also tailoring the deployment to meet their individual requirements (such as, if your organisation needs to issue multiple SSL certificates to different internal organisations or business units. Managed PKI for SSL allows for both centralised control and delegated administration). This cloud-based approach dramatically lowers the cost and complexity of managing multiple SSL certificates by eliminating the time it takes to authenticate multiple different business units, individual purchasing, personnel, training, and maintenance expenses and complexity associated with deploying multiple SSL certificates.
What SSL does is to protect applications that demand the highest level of security – enabling the secure transmission of sensitive data, Web services-based business process automation, digital form signing, enterprise instant messaging and electronic commerce. It also protects firewalls, virtual private networks (VPNs), directories and enterprise applications. Trust lies in knowing that the people, networks and devices accessing, modifying or sharing information within a community are verified.
There can be a tendency to imagine things are worse in our own backyard, but the security issues we face in the UK are, by and large, no different from those in other countries or indeed in other industries. One manufacturer in Europe, for instance, saw its production line go down when a certificate suddenly expired. Eventually, the problem was traced to an expired SSL certificate. Symantec’s solution, through a complete audit of the company’s architecture, using a product called Certificate Intelligence Center, would have identified any certificates that were about to expire and immediately notified the business – and (if a Symantec SSL certificate) automatically have renewed the offending certificate. Instead, the outcome was estimated to be in the millions of Euros, in terms of lost production, damage to their brand, corporate reputation and a workforce standing idle.