Posts Tagged ‘Web Security’
cPanel CSRF Security
Thursday, March 11, 2010 17:02 No Comments
Late last year it was announced by a couple of security researchers that cPanel was vulnerable to cross-site request forgery attacks (CSRF). If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website. This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks. Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service. In a cPanel attack, once you are logged in, you must be lured by the attacker to visit a malicious website that the attacker runs or has compromised. Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.
Is It Time To Change Web Browsers?
Thursday, March 4, 2010 11:00 No Comments
Just last month I wrote an article on “Choosing a Secure Web Browser” after a recent attack using vulnerabilities in the Internet Explorer 6 (IE) web browser. In that article, I stated that security researchers and some governments were recommending that people change to a different web browser or at least upgrade to IE8 (you can read the full article using the above link). Just this weekend, a couple of other security researchers announced another vulnerability involving IE web browsers including IE8. This vulnerability was confirmed on Monday by Microsoft. The question now is whether to wait for a patch from Microsoft or to change web browsers. Let’s look at the highlights of the vulnerability to determine the right answer for you and your business.
Choosing a Secure Web Browser
Wednesday, February 3, 2010 19:00 No Comments
If you have not already heard, in mid-January Internet Explorer was under attack by the same attack method that was used by the Chinese to break into Google’s network. Since then, a number of security researchers, security companies, and even some governments have recommended that computer users switch to other web browsers such as Firefox, Chrome, Opera and Safari. Currently, it appears the attack code is mainly geared towards IE (Internet Explorer) 6 and possibly IE 7, so businesses that are still using IE 6 should change to another web browser or at least upgrade to IE 8.
New Twist in Phishing Scam
Wednesday, October 7, 2009 11:00 No Comments
If you have not read my two articles on phishing, I would recommend that you do that before reading this article.
A new twist on this scam has come out recently, and I wanted to make sure everyone was aware of it. RSA Security, a security firm that provides businesses with a variety of consulting services and products, has discovered what they call a “chat-in-the-middle” attack. Like most phishing scams, the attacker uses a fake web page which is set up to look like a banking website. They get people to go to the site by sending out e-mails which contain a link to the fake website. The difference in this attack is that the website has live chat support so the attackers can interact with their victims.
File Sharing Software and Information Security
Thursday, August 6, 2009 23:11 No Comments
Data Leakage
An article just came out about the Secret Service’s safe house plans for the president and his family as well as the president’s motorcade routes having been found on a file-sharing network. Also in the recent past, details of nuclear facilities in the country as well as details regarding the president’s helicopter have been found to have been leaked through file-sharing or P2P networks. This may sound like government incompetency, but in this case it can happen to private business as well as government. Listings of company acquisitions, patients’ health records as well as a variety of other sensitive business data have been found on file-sharing networks.
Clampi Malware Protection
Wednesday, August 5, 2009 23:47 No Comments
It is usually not the purpose of this blog to write about every type of virus or malware that is discovered–there are plenty of websites out there that do a good job of that. Sometimes, however, I do like to make note of malware that I feel can affect your business in a broad way. I wrote about the Conficker worm back in May of this year for similar reasons. Some of the security measures that I mention in both articles will help protect your business from a variety of malware, not just the ones noted in these two articles.
Flaws In SSL Encryption?
Monday, August 3, 2009 7:00 No Comments
Secure Sockets Layer (SSL) is used on the internet to encrypt connections to such sites as e-commerce and banking sites. Most everyone has used and seen these sites. They have the “https” at the beginning of the website URL along with a little padlock symbol that is usually found on the lower right hand side of your web browser. If you click on the padlock icon, it will open up and give you information regarding the encryption method and the encryption certificate. The purpose of SSL is to keep your information confidential while it is being transmitted over the internet from your browser to the website.
Understanding Web Application Firewalls – Part Two!
Friday, June 26, 2009 0:37 No Comments
Web Application Firewalls
Web Application Firewalls are a market that is still hard to define, meaning what one vendor says is a web application firewall may not be what another defines as such. For right now, many products fall under the web application firewall term. For a business such as yours, this makes it hard to evaluate and compare products. To overcome this confusion, first look at what your security needs are, the structure of your network, and the applications that you are using. Then, look at what is available that fits your criteria. Just by doing this first, you will narrow your search down from many to probably a few products that you are interested in researching and maybe testing further. A few requirements for a web application firewall include:
A CyberCrime Resource Guide
Saturday, June 20, 2009 0:51 No Comments
Kaspersky Lab, an anti-virus/malware company, recently published a “Stop Cybercrime Guide” which I have read, and I think is an excellent overview of many of the computer security threats a business, home office or individual users may face. Information covered in this short, 10-page document includes:
- Types of malicious programs and how to protect yourself against them. Some of these protections you may have heard of before, such as installing security software, updating your software, backing up your data, and not using the administrator account except when needed, which I discussed in a previous article.
Phishing Update
Wednesday, June 10, 2009 13:27 No Comments
Websites and Phishers
I had just got done writing about recent website attacks on a variety of small business websites when I came across updated statistics from the Anti-Phishing Working Group that show even more of a need to protect your website. The statistics indicate that the majority of criminals are actually using legitimate business websites when carrying out phishing scams. The information shows that the fake or forged websites are only used by these con artists in 13 percent of the phishing attacks. With a total of 30,454 domain names used by phishers in the last half of 2008, only 5591 of these domains were ones the phisher had set up themselves. The remaining phishing attacks were using legitimate business domains. This contradicts some of the information in my phishing article and is all the more reason to protect your business website and brand.

