Cyber Monday: How Secure Companies Are Keeping Their Websites Safe
10:00 AM EST Mon. Nov. 26, 2012
The holiday season is now officially underway. Everywhere you look, people are heading to the stores to buy presents for loved ones. Meanwhile, many others are trolling the Internet, trying to do the same thing. Are your retail clients ready to keep their customers safe while doing so? Symantec has issued a list of best practices designed to help your clients bring happy holidays to their customers. Here's a look at what's on the list.
The secure sockets layer, while falling short of being a complete security solution, does make a measurable difference to the security of websites. Retailers should make sure that each of their pages bears the familiar HTTPS designation at the beginning of the URL. This designates that the sensitive traffic necessary to complete the transaction is encrypted in transit. Failure to engage the secure sockets layer means that credit card numbers and similar data are not encrypted and are thus much more susceptible to theft.
Extended validation certificates denote adherence to a specified set of identity verification criteria. This goes a long way towards further assuring that the identity is not being spoofed. While the cryptography associated with the certificates is not demonstrably better than the alternative, certificates issued under these guidelines are marked so that browsers can signal that a higher level of identity proof was performed. Extended validation certificates are visible to the customer by way of a green bar over the URL. A growing number of customers are beginning to watch for those and recognize them as a security differentiator.
Technologies designed to monitor traffic are more important than ever before. Security companies have accordingly been building extensive lists of hosts used by hackers and other cyber criminals for the theft of data and the penetration of networks. These nefarious activities are usually kicked into high gear during the holiday season because of the high volume of consumer transactions. Channel partners and IT administrators are advised to be on extra alert.
While physical security has always been distinct from information security, the enhanced technology associated with physical security is starting to blur the borders. Thus, many channel partners are beginning to get more involved in the physical security realm, or are forging alliances with physical security practitioners in order to deliver a more complete solution. This offers a stronger value proposition for the partners and more unified security for customers.
According to Symantec, it is advisable to set up a parallel code-signing infrastructure using test certificates generated by an internal test root certificate authority. The objective is to ensure that the business-critical private keys and certificates used to sign officially released software are never stored on the less secure systems used for routine software development tasks. Taking this extra step reduces the likelihood that the business-critical keys will be compromised.
Not all certificate authorities are created equal. Proper protection of certificates depends on a comprehensive mix of physical security, digital security and policy controls, combined to ensure that access to the certificate keys remains limited to the appropriate parties. At least one certificate authority was forced out of business due to issues in this regard, thereby raising the stakes for all companies functioning in this role. Channel partners are advised to help their customers research and choose the certificate authority that best meets their needs.
Although scanning has gotten something of a black eye for its inability to scale to the ever-increasing number of threats, it is still a useful tool in keeping websites and networks safe. Therefore, it is highly advisable to maintain strict policies around scanning frequency and to ensure that scans are actually carried out as those policies require. While scans do not catch every threat, they still catch enough of them to be useful.
Proper monitoring goes far beyond watching the traffic between hosts and servers. As every channel partner knows, it is critical to keep an eye out for improper access, the spread of particular applications across the network and generally suspicious traffic flows. Given that these attacks tend to increase in volume during the holidays, technologies that assist in these areas of security are more important than ever.
Protecting certificate private keys is not merely the domain of certificate authorities. Clients, as well as the partners who serve those clients, need to ensure that the keys are kept safe at the customer premises, or wherever they might be stored. High-security cryptographic hardware (such as a hardware security module) is a very worthwhile investment, given the importance of these keys and the fact that they are often highly targeted by the criminal element.
Not all of your clients' customers are sophisticated in computer security. Therefore, adding vendor-issued trust seals attesting to the security of the website can go a long way towards alleviating any concerns they might have about entering their credit card data and clicking the button to complete their purchases. Even if you know that the site is secure, it is critical that they have that same level of confidence.