All is not lost in the wake of the recent spate of hacking. If you have assets of importance or if anything about your site puts you in the public spotlight then your web security will be tested. I hope that the information provided here will prevent you and your company from being embarrassed – or worse:
1. Should businesses spend money on employing security consultants?
Businesses should absolutely set aside funding in their budgets for security consultants. Unless there is an expert on staff, and there usually is not, it needs to be outsourced. What happens with smaller businesses is that they give in to the misconception that their site is secure because the system administrator deployed standard security products — firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. But those things can be exploited.
They need a security expert — not just an expert at installing security software. They also need to have someone monitor security. Most people assume that once security software is installed, they’re protected. This isn’t the case. It’s critical that companies be proactive in thinking about security on a long-term basis.
2. What is social engineering?
Social engineering is when an attacker does thorough research on the company, using various simple investigative techniques to hack a company based on human error. They attempt to identify the business relationships that a company has, such as what customers, suppliers, and vendors they do business with. This is especially successful with large companies who have call centers. An attacker would call to ask a simple question; once they get that information, they make another phone call using the previous information provided. Each employee who answers the next call believes the attacker to be a genuine customer or client based on the information they have acquired from the previous phone calls.
After a string of inquires, enough information has been obtained to hack the system. The hacker will go after the weakest link and if he can get one person in the business to make a bad decision, none of the security precautions taken will matter.
3. How can a company protect itself against social engineering?
Businesses can protect themselves through proper training and education.Proper training demonstrates how hackers are able to manipulate the system through human error. One way to do this is through inoculation — planning a fake attack. When you plant attacks on the employees to test them, they are able to learn from their mistakes and will be less likely to make the same ones in the future.
4. How can e-commerce web sites protect themselves from credit card fraud?
To have transactions made on your web site via credit card, you must be PCI compliant. Businesses make the mistake of thinking that because you passed the requirements and are PCI certified, you are immune to attacks.
Just because you meet certain requirements doesn’t mean you’re secure. According to one study, 83% of successful hacking-related data breaches are as a result of compromised customers cards. Having someone look over your system and code is extremely important if you are processing credit transactions on your server.
5. How often should you review and update your site’s security?
It’s important to note that information security policies cannot be written in stone. As a business needs change, new security technologies become available, and security vulnerabilities evolve, the policies need to be modified or supplemented. You should review security at least on an annual basis, but if you’re a bigger company, on a quarterly basis.
6. What is the hardest form of security breaching to prevent?
Threats within the company’s own networks. This happens a lot with ex-employees, who leave the company with detailed inside information. One of the things to do is set up booby traps. If an unauthorized employee, such as a mail man, attempts to access something like the payroll, it sets off an alarm. One way to do this is through DLP software, which protects data breaches. When data is invaded, it advises the administrator of the intrusion.
7. If credit card information or other data is stolen, can one figure out exactly what has been taken?
It depends. In some cases, one can go into the system and see the logs of exactly what information was viewed, taken, and when it was retrieved. If the hacker deletes those logs, they are irretrievable; they won’t be seen.
1. Should businesses spend money on employing security consultants?
Businesses should absolutely set aside funding in their budgets for security consultants. Unless there is an expert on staff, and there usually is not, it needs to be outsourced. What happens with smaller businesses is that they give in to the misconception that their site is secure because the system administrator deployed standard security products — firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. But those things can be exploited.
They need a security expert — not just an expert at installing security software. They also need to have someone monitor security. Most people assume that once security software is installed, they’re protected. This isn’t the case. It’s critical that companies be proactive in thinking about security on a long-term basis.
2. What is social engineering?
Social engineering is when an attacker does thorough research on the company, using various simple investigative techniques to hack a company based on human error. They attempt to identify the business relationships that a company has, such as what customers, suppliers, and vendors they do business with. This is especially successful with large companies who have call centers. An attacker would call to ask a simple question; once they get that information, they make another phone call using the previous information provided. Each employee who answers the next call believes the attacker to be a genuine customer or client based on the information they have acquired from the previous phone calls.
After a string of inquires, enough information has been obtained to hack the system. The hacker will go after the weakest link and if he can get one person in the business to make a bad decision, none of the security precautions taken will matter.
3. How can a company protect itself against social engineering?
Businesses can protect themselves through proper training and education.Proper training demonstrates how hackers are able to manipulate the system through human error. One way to do this is through inoculation — planning a fake attack. When you plant attacks on the employees to test them, they are able to learn from their mistakes and will be less likely to make the same ones in the future.
4. How can e-commerce web sites protect themselves from credit card fraud?
To have transactions made on your web site via credit card, you must be PCI compliant. Businesses make the mistake of thinking that because you passed the requirements and are PCI certified, you are immune to attacks.
Just because you meet certain requirements doesn’t mean you’re secure. According to one study, 83% of successful hacking-related data breaches are as a result of compromised customers cards. Having someone look over your system and code is extremely important if you are processing credit transactions on your server.
5. How often should you review and update your site’s security?
It’s important to note that information security policies cannot be written in stone. As a business needs change, new security technologies become available, and security vulnerabilities evolve, the policies need to be modified or supplemented. You should review security at least on an annual basis, but if you’re a bigger company, on a quarterly basis.
6. What is the hardest form of security breaching to prevent?
Threats within the company’s own networks. This happens a lot with ex-employees, who leave the company with detailed inside information. One of the things to do is set up booby traps. If an unauthorized employee, such as a mail man, attempts to access something like the payroll, it sets off an alarm. One way to do this is through DLP software, which protects data breaches. When data is invaded, it advises the administrator of the intrusion.
7. If credit card information or other data is stolen, can one figure out exactly what has been taken?
It depends. In some cases, one can go into the system and see the logs of exactly what information was viewed, taken, and when it was retrieved. If the hacker deletes those logs, they are irretrievable; they won’t be seen.
