
Web Application Security Newsletter - May 2007
A MESSAGE FROM THE EDITOR
Rising consumer awareness of data breaches, identity theft, and online fraud
seems to coincide with calls at the state and federal levels for stricter laws
and penalties, aimed at both the institutions that hold data and the criminals
who steal it. The Bush administration recently released the Identity Theft Task
Force Plan, which calls for the private sector to better safeguard personal data
and to establish breach notification standards. If your organization should
experience a data breach (one source counted 268 of them in 2006), are you
prepared? Do you have a contingency plan in place, and would you be able to move
quickly? In this month's issue, read some tips on how to develop and execute a
plan should the unfortunate need arise. Another PCI (Payment Card Industry) DSS
compliance deadline looms at the end of the year, and apparently more than sixty
percent of merchants still fail to comply. Read why one CISO recommends
lowering, not raising, the compliance bar. We also feature an article on
JavaScript attacks that fingerprint the victim's browser before choosing an
exploit, with some tips on defending against them.
1. Data breach? Here's what to do, when and how
Plan in advance and act quickly
The Privacy Rights Clearinghouse reported 268 data breaches in 2006. If it
happened to your organization, what would you do? Do you have a plan in place
that spells out roles, actions, and timelines? Approximately 33 state laws
govern when and how you must notify people whose sensitive information has
been compromised, and for financial institutions specific federal laws apply as
well. Once a breach occurs, the situation is complex and is best navigated with
a written contingency plan already in place. Read about how to develop such a
plan and what to include.
2. Another vendor joins Open Web Application Security Project
Cenzic recently joined the Open Web Application Security Project (OWASP), a
not-for-profit foundation, as a Vendor Organization member and will sponsor
projects focused on application security. "Cyber crimes against applications
are rising at an alarming pace, and the efforts of organizations like OWASP are
crucial in helping to raise awareness and reduce vulnerabilities in Web
applications," stated John Weinschenk, President and CEO of Cenzic. The company
will support projects including Site Generator, the Corporate Application
Security Guide, and Security across the Software Development Lifecycle (SDLC).
3. Protecting Data Online Is a Top Priority for Consumers
Twenty-six million adults have been victims of identity theft or fraud at some
point in their lives, according to a recent study by Javelin Strategy and
Research. The crimes range from misuse of credit or debit cards and of bank and
utility accounts to outright theft of personal information. According to the
study, forty-one percent of respondents would use online banking less, or would
switch institutions, if their institution suffered a data breach. The study
captures consumer attitudes following a slew of high-profile data security
breaches.
4. A New Fight Against ID Theft
The recommendations in President Bush's recently released Identity Theft Task
Force Plan call for the private sector to better safeguard personal data and to
establish breach notification standards for data theft that poses a risk of
identity theft. The plan would add a mandatory two-year prison sentence for
identity thieves under the existing aggravated identity-theft statute. It drew
mixed reviews from some groups involved in battling identity theft, who cited
the need for strong federal consumer privacy legislation and for enforcement of
the federal Privacy Act by the current administration.
5. First Data security chief calls for PCI DSS changes
Credit card processing giant First Data Corp. is in a constant struggle to lock
down its systems against attackers seeking access to the stream of card data it
handles. The company's CISO, Phil Mellinger, calls it an uphill battle as
attacks grow in sophistication. He recently addressed merchants at a PCI DSS
conference. Mellinger developed the precursor to the current PCI DSS rules and
is now calling for an overhaul that would ease some requirements in order to
get more merchants on board. Although deadlines have been set for merchant
compliance by year end, more than sixty percent of merchants fail to meet the
current standard.
6. Researcher: JavaScript Attacks Get Slicker
Malicious JavaScript is now capable of fingerprinting a victim's Web browser
and its installed components, then delivering an exploit tailored to what it
finds. According to senior security engineer Dr. Jose Nazario, a new malware
tool called NeoSploit carries at least seven exploits and chooses among them
based on the vulnerabilities present on the specific system. He stressed that
researchers are increasingly finding sophisticated exploit code that security
products may not detect. Read about some ways to counter these JavaScript
malware exploits.
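The selection logic described above, as an added example written for this newsletter (it is not NeoSploit's code or any real kit's): read the browser, operating system and plug-in versions that `navigator` exposes, then pick the catalog entries whose version predicates match. The catalog names (`placeholder-ie-legacy` and so on) and the version thresholds are invented placeholders, not real vulnerabilities, and the `navigator`-like objects are constructed inline so the file runs under Node.js with no browser.

```javascript
// Added example: the fingerprint-then-select pattern of a browser exploit kit.
// Not NeoSploit or any real kit's code. Catalog entries are placeholders with
// invented thresholds; navigator objects are constructed samples.

function parseVersion(text) {
  // "Shockwave Flash 9.0 r28" -> [9, 0]; null when no dotted number is present
  const m = /(\d+)\.(\d+)/.exec(text || "");
  return m ? [Number(m[1]), Number(m[2])] : null;
}

function parseUserAgent(ua) {
  // Coarse browser/OS classification from the User-Agent string
  const profile = { browser: "unknown", version: null, os: "unknown" };
  let m;
  if ((m = /MSIE (\d+\.\d+)/.exec(ua))) {
    profile.browser = "msie";
    profile.version = parseVersion(m[1]);
  } else if ((m = /Firefox\/(\d+\.\d+)/.exec(ua))) {
    profile.browser = "firefox";
    profile.version = parseVersion(m[1]);
  }
  if (/Windows NT 5\.1/.test(ua)) profile.os = "winxp";
  else if (/Windows NT 6\.0/.test(ua)) profile.os = "winvista";
  else if (/Macintosh/.test(ua)) profile.os = "macos";
  else if (/Linux/.test(ua)) profile.os = "linux";
  return profile;
}

function fingerprint(nav) {
  // nav mimics window.navigator: { userAgent, plugins: [{ name, description }] }
  const profile = parseUserAgent(nav.userAgent);
  profile.plugins = {};
  for (const p of nav.plugins || []) {
    profile.plugins[p.name] = parseVersion(p.description);
  }
  return profile;
}

function olderThan(a, b) {
  // true when version a (or null = unknown -> false) is strictly older than b
  if (!a) return false;
  return a[0] < b[0] || (a[0] === b[0] && a[1] < b[1]);
}

// Hypothetical catalog: names and thresholds are placeholders for this example.
const HYPOTHETICAL_CATALOG = [
  { name: "placeholder-ie-legacy",
    applies: p => p.browser === "msie" && olderThan(p.version, [7, 0]) },
  { name: "placeholder-firefox-legacy",
    applies: p => p.browser === "firefox" && olderThan(p.version, [2, 0]) },
  { name: "placeholder-flash-legacy",
    applies: p => olderThan(p.plugins["Shockwave Flash"], [9, 0]) },
];

function selectApplicable(profile, catalog) {
  // Only entries whose predicate matches the fingerprint are ever delivered
  return catalog.filter(e => e.applies(profile)).map(e => e.name);
}

function triage(nav) {
  const profile = fingerprint(nav);
  return { profile, selected: selectApplicable(profile, HYPOTHETICAL_CATALOG) };
}

// Constructed navigator objects resembling 2007-era browsers (sample input)
const SAMPLE_NAVIGATORS = {
  ie6xp: {
    userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    plugins: [{ name: "Shockwave Flash", description: "Shockwave Flash 8.0 r24" }],
  },
  ff2xp: {
    userAgent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) " +
               "Gecko/20070309 Firefox/2.0.0.3",
    plugins: [{ name: "Shockwave Flash", description: "Shockwave Flash 9.0 r28" }],
  },
};

for (const [label, nav] of Object.entries(SAMPLE_NAVIGATORS)) {
  const r = triage(nav);
  console.log(label, JSON.stringify(r.profile), "->", r.selected.join(", ") || "(nothing)");
}
```

Run it with Node.js. The IE 6 / Flash 8 sample matches two catalog rows, the Firefox 2 / Flash 9 sample matches none, which is the point of the technique: a kit exposes a given exploit only to browsers it expects to succeed against, so a crawler or sandbox with a different fingerprint sees nothing. For a defender the same predicate table is read the other way round: feed it your standard desktop build and anything it matches is a patch to apply.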