Savid Technologies

How to Stay Safe While Shopping Online

January 8, 2012 | General

As we all know, online shopping is nothing new, but as its popularity continues to grow, so do the malicious threats that can occur during your shopping experience. That is why we want to provide you with some reminders and tips on how to make your online shopping a safer experience. We also encourage you to share these tips with your family members who may make online purchases too.

There are a few simple precautions you can take to further secure yourself before you make your online purchases. First, make sure you have a web filter in place that will warn you of suspicious websites. Keep your web browsers up to date too. Oftentimes the site you are shopping on is legitimate, but if your computer is infected with keyloggers or other malware, you run the risk of your credit card data being stolen.

It is always best to shop at familiar websites, but if you are looking at products or services from an unfamiliar site, do a little research before you begin; find out what other consumers have to say about the store or seller. Epinions.com and BizRate.com give customer evaluations that may help you determine the legitimacy of the company. It is also a good idea to review the website for the BBB and/or TRUSTe approval icons. Be sure to click those icons to ensure that they take you to those accredited sites and that you can find the company's name within their listings. Oftentimes harmful sites will display the graphic with no link, so be aware.

Remember, before entering your personal data and credit card information, check that the website's connection is encrypted. The URL will start with https (not http), and you should also look for the padlock icon in the address bar or in the corner of the window. Be aware of any warnings that your computer gives you regarding the security certificate of the site; when in doubt, find somewhere else to shop.

Keep in mind when choosing a payment method that it is always best to use PayPal if it is an option; that way your credit card and bank account information will not be shared with the merchants and sellers. PayPal will also protect you against fraudulent charges and if there are problems with your purchases. Once your purchases are made, it's always a good idea to check your bank accounts and credit card statements to ensure the proper amount was charged; if the charges are wrong, contact the website where your purchases were made immediately, and also call your credit card company to inquire about a chargeback.

We hope that by keeping these tips in mind you will continue to enjoy shopping online and will be more secure in doing so.

Cloud Encryption – How To Securely Use The Cloud

January 8, 2012 | IT Security

Gartner, the largest IT research firm in the world, is predicting that 2012 will be the year that more than 50% of Global 1,000 companies store customer data in a public cloud, a 30% increase from 2011. Of course, these firms have compliance and regulatory concerns, which should make you ask: how are they putting potentially sensitive data into a public cloud? Sadly, the answer isn't some amazing new technology; it's actually technology that was developed in Egypt circa 1900 BC: encryption.

Encryption as a Service (EaaS), or "cloud encryption" as it is commonly called, is being used by more and more global firms to enable them to leverage large public cloud vendors such as SalesForce, Amazon, and even DropBox. Cloud encryption isn't really new; it hit the security industry scene in 2008, but more vendors, lower prices, and simpler implementation capabilities have put it on the list of "technology to learn about" for most CIOs and CSOs. Let's discuss how these cloud encryption services work.

First, there are multiple types of cloud encryption. Some vendors offer encryption for virtual machines that run at cloud providers such as Amazon's EC2 or Rackspace. Other cloud encryption vendors provide application-level encryption by acting as an API proxy. For example, with services such as SalesForce and Google Apps, instead of storing a credit card number in plaintext in a field at SalesForce.com, the encryption proxy at your company's data center encrypts it first, and SalesForce.com stores the encrypted value instead of the plaintext. Lastly, some cloud encryption vendors provide file-based encryption, where individual files are encrypted and their names are encrypted as well, instead of encrypting the underlying storage.

Regardless of the cloud encryption approach, you might notice a trend. Cloud encryption technologies are really just "cloud" versions of the same technologies that have been in use at data centers worldwide, such as full-disk encryption, database encryption, and file encryption. The difference is that these cloud encryption vendors solve one problem that plagues organizations: staying up to date with the data sources and destinations the encryption technology works with. No more having to rewrite an application because SalesForce changed their API; the cloud encryption vendor does that for you.

The majority of failed encryption deployments we analyze fail because of key management. This problem still exists in cloud encryption and may even be worse depending on how many cloud vendors your organization uses; however, most cloud encryption solutions allow you to use your own keys, and most allow you to use your own key management system.
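The API-proxy pattern described above, as an added example that is not Savid's or any vendor's code: a field-level encrypt/decrypt pair in Go using AES-GCM from the standard library. It assumes the proxy in your own data center holds the key (obtained from your own key manager, which is the key-management point just made) and that only the returned ciphertext is handed to the SaaS application; the function names and the field name used as associated data are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// NewFieldCipher builds the AES-GCM cipher the proxy uses. The key comes from the
// company's own key manager and never leaves the data center; only ciphertext
// is handed to the SaaS API.
func NewFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField is applied to a sensitive field (e.g. a card number) on its way to
// the cloud. It returns base64(nonce || ciphertext || tag). The field name is bound
// as associated data, so a ciphertext copied into a different field will not decrypt.
func EncryptField(aead cipher.AEAD, field, value string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(value), []byte(field))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptField reverses EncryptField when the record is read back from the cloud.
// It fails on a wrong key, a tampered value, or a value moved to another field.
func DecryptField(aead cipher.AEAD, field, stored string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(stored)
	ns := aead.NonceSize()
	if err != nil || len(ct) < ns {
		return "", errors.New(field + ": malformed ciphertext")
	}
	pt, err := aead.Open(nil, ct[:ns], ct[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Because the nonce is random per call, the same card number stored twice yields two different values in the cloud, so the stored column cannot be used to correlate customers.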

So what's stopping you from moving to the cloud if you can simply encrypt any sensitive data that will go in and out of the public cloud? Our research from over 500 security professionals within the US shows that while cloud encryption greatly decreases the risk of using cloud services, it does not change the fact that most organizations don't know what data needs to be encrypted, or even where that sensitive data is! While not a requirement, those firms that implement data-centric security find it much easier to move their data to the cloud, so perhaps you can use that cloud project as a reason to move to data-centric security.

Confirmation Bias – Why Your Security Metrics Suck

November 16, 2011 | IT Security

Risk management is essential to a proper security program, yet many organizations struggle with implementing it. Savid advises companies around the world and is frequently asked what risks really matter. Should we be worried about a zero-day attack? What about all these mobile devices? Many CISOs get caught up in the risk management process, and when push comes to shove they end up making a decision based on their gut instinct, using the data to rationalize that decision.

This phenomenon actually has a psychological name: confirmation bias. Confirmation bias is the tendency for people to favor information that confirms their preconceptions. Confirmation bias is the reason why managers and executives will spend 30% of their budget on a project that no one else seems to think is important, but which gets pushed through anyway.

At Savid, we have been researching confirmation bias for over two years now and have identified a few key areas that most CISOs can tweak to reduce the chance of making gut decisions that more often than not don’t succeed. Let’s discuss the biggest one: Bad Metrics.

Most security organizations manage risk using metrics that don't matter. The percentage of machines with high-risk vulnerabilities, patch latency, or anti-virus metrics are important, don't get us wrong, but they don't help the CSO make decisions, because most metrics simply provide data. Properly built metrics provide the data and, in addition, answer a question. Let's use an example to explain.

If we have 122 machines with more than 5 high-risk vulnerabilities per machine, what does that mean to the organization? The answer: who knows? There are many other questions that must be answered first before we can use this data to make a decision, such as: were the 122 machines the entire environment, or was I only able to scan 122 out of 3,244? Are the 5 high-risk vulnerabilities all unique (meaning I have 610 separate risks), or are they the same problem appearing 122 times? While these questions are important, the ultimate question that is usually never answered is this: is having 122 machines with more than 5 high-risk vulnerabilities above my organization's tolerance for risk?

And that is where confirmation bias jumps in. CISOs, executives, and decision makers might look at the data and start running around concerned that the 122 machines are a massive threat to the organization that must be fixed immediately, or they might ignore it; which reaction they have depends on the risk tolerance and the risk aversion of the person responsible for making decisions.

So how do you address bad metrics? First, never use a metric that does not have the following properly defined: name, category, how to measure, purpose (the decision to be made from the metric), baselines, target audience, and reporting frequency/period. If you went through all the data your team collects today, how many metrics would you keep if you actually assigned a decision/purpose to each one? Our research shows that you will end up with fewer than 15, but you will keep some others around for when a deep dive is needed.

Each metric must have a baseline defined, and not just a single baseline but ranges. For example, if we take our example above, we should have a defined baseline for the minimum number of machines that must be scanned, the threshold at which this metric indicates an acceptable amount of risk (Green), such as less than 1 high-risk vulnerability per machine, when it is a moderate risk (Yellow), such as more than 2 but less than 5 per machine, and when it is an immediate risk (Red), such as greater than 5 per machine.

While this isn't a perfect example that you can use in your environment today, it should illustrate the picture we want you to see: metrics without thresholds are not metrics, they are measurements, and you cannot manage risk without decisions being linked to each metric.

Once you define and implement metrics appropriately, the chance of confirmation bias causing a problem is greatly reduced, because the decision parameters are already laid out and decided within the metric itself: the CISO won't have to make a gut decision on whether to address the problem or not, since the organization has already defined when the problem will be addressed based on the status of the metric.
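The metric definition and baselines from the vulnerability example above, as an added example in Python that is not Savid's own tooling: the definition carries the attributes the article requires, the evaluator checks scan coverage first (the "122 out of 3,244" question), reports unique versus repeated findings (the "610 separate risks" question), and only then maps the measurement onto the Green/Yellow/Red bands. The bands are the article's thresholds exactly as written, so values of 1 to 2 or exactly 5 per host fall in no band and come back as UNDEFINED, which is the gap a real baseline must close before the metric can drive a decision. Field names, the scan input format and the sample numbers are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class MetricDefinition:
    """The attributes the article says every metric must define (assumed field names)."""
    name: str
    category: str
    how_to_measure: str
    purpose: str              # the decision the metric exists to drive
    audience: str
    frequency: str
    min_coverage: float       # fraction of hosts that must be scanned for the number to count
    bands: dict = field(default_factory=dict)  # status -> (low, high), exclusive bounds

@dataclass
class MetricResult:
    status: str               # GREEN / YELLOW / RED / INSUFFICIENT_DATA / UNDEFINED
    coverage: float
    avg_high_per_host: float
    unique_findings: int      # 122 copies of one issue vs. 610 separate risks
    total_findings: int

def evaluate(defn: MetricDefinition, total_hosts: int, scans: dict) -> MetricResult:
    """scans maps host -> list of high-risk finding IDs from the latest scan (constructed input)."""
    coverage = len(scans) / total_hosts if total_hosts else 0.0
    counts = [len(v) for v in scans.values()]
    total = sum(counts)
    avg = total / len(counts) if counts else 0.0
    unique = len({f for v in scans.values() for f in v})
    if coverage < defn.min_coverage:        # first baseline: enough of the estate measured?
        return MetricResult("INSUFFICIENT_DATA", coverage, avg, unique, total)
    for status, (low, high) in defn.bands.items():
        if low < avg < high:
            return MetricResult(status, coverage, avg, unique, total)
    # No band claims this value: the baseline is incomplete and the metric cannot
    # deliver a decision, so say so instead of letting a gut call fill the gap.
    return MetricResult("UNDEFINED", coverage, avg, unique, total)

# The bands are the article's thresholds as written; 1 to 2 and exactly 5 per host fall in no band.
HIGH_RISK_PER_HOST = MetricDefinition(
    name="High-risk vulnerabilities per scanned host",
    category="Vulnerability management",
    how_to_measure="mean high-risk findings per host in the latest scan",
    purpose="decide whether remediation is within tolerance or must be escalated",
    audience="CISO, infrastructure owners",
    frequency="weekly",
    min_coverage=0.9,
    bands={"GREEN": (float("-inf"), 1), "YELLOW": (2, 5), "RED": (5, float("inf"))},
)
```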

The 2011 Holiday Tech Gift Guide!

November 16, 2011 | General

Well, who better to ask about tech gifts or gadgets than the tech guys themselves? Here at Savid we are always interested in finding the coolest and latest tech gadgets out there. So to help you out this holiday season, we have put together our 2011 holiday tech gift guide to help you with your shopping.

Get ready, this will be a quick shopping trip and you will never have to leave your comfy office chair! Our engineers have these items on their shopping lists this year, and we are sure they will make someone happy on yours.

  • The new Kindle Fire at a great price, just $199! There's much to do: view movies, TV shows, magazines, songs, and books. Thousands of apps right at your fingertips; view it all on this full-color 7-inch multi-touch display. It's ultra-fast, and you even get free cloud storage for your Amazon content. What a great buy; it's sure to be on someone's holiday list.
  • Trent IMP500 iFuel Spare Battery Charger. This little gadget is a must-have. Tired of your battery always losing charge? Well, this device can give you the added life your gadget needs: 38 hours of movie time on your iPhone or iPod Touch. It also works on Motorola Droid, HTC Android EVO phones, Kindle DX, Blackberry, and Samsung Galaxy, not to mention Sony PSP, Amazon Kindle, Nintendo DS Lite, DSi and Gameboy with optional adapters. Great price, around $40.
  • The Kinect. Do you want to get someone active this holiday season? Well then, the Kinect is the right gift for giving. This brings gaming to a new level; no controllers needed, it works by your body movement and the sound of your voice. It's fun for the whole family and is online for $159.
  • Boxee TV. This device finds your favorite TV shows and movies and puts them on your TV. But Boxee also allows you to use apps and get social, all while sitting on your sofa watching TV. There are two ways to get a Boxee: buy one or make one. You can purchase a Boxee from the store or make one with their free software using your laptop. Now they even have Boxee for iPad. The Boxee device is priced around $180.
  • Altec Lansing M812 Octiv Air Wireless Speaker System with iPod docking station. This would make a great gift for any music lover. Simply place your iPod in the docking station, kick back, and listen as the system delivers 80 watts of powerful high-fidelity sound. Better yet, it's clutter-free, portable, easy to use, and even comes with a remote. It's priced around $180 online.
  • Sony Internet TV Blu-ray Disc Player. This device allows you to play Blu-ray discs, DVDs and CDs. You can also connect to the internet and download Android apps, as the device has built-in Wi-Fi. The player comes with a remote that has a full QWERTY keyboard. Priced online at $200.
  • KeyFolio™ Pro Universal BT Keyboard Case for 10" Tablets. This keyboard was designed for 10" Android-based tablets. The keyboard and viewing angles were designed to be ergonomic. The tablet fits securely in the elastic bands, and the corners secure your tablet in place. This gift is great for those who prefer to type on an actual keyboard versus a touch screen. You can pick the KeyFolio™ up for around $90.

Risk Management and Asset Allocation – What you can learn

November 16, 2011 | IT Security

We have all seen the graphs, three pies marked aggressive, moderate, and conservative. Usually associated with 401K or IRA accounts, these graphs show an allocation of various assets in order to meet a specific return level given a certain amount of acceptable risk. You pick one, and the company handles the reallocation and dirty work of making sure you never have more risk than you want.

Is your risk management program structured the same way? It should be.

Most risk management programs involve committee meetings, an Excel file with many risks identified as high, medium, or low, and the committee arguing over which one should be addressed. Besides the confirmation bias problems we discuss in our other article, most risk management programs don't have goals. Think about those 401K accounts: you pick the conservative model because the goal you want is a return of 4% with very low risk. If you had a higher risk tolerance, you could have selected the aggressive model, which gives an 8% return with a much higher risk.

Your risk management program should be structured in a similar way. All of the risks in that Excel file are there to help the organization understand its current risk exposure and how it compares to the risk tolerance for the organization. If there is a gap between the current risk exposure and the risk tolerance of the organization, that is an opportunity to introduce additional risk for additional gain. The problem is that most organizations haven't defined their risk tolerance and haven't defined metrics to determine whether they are above or below that risk tolerance.

How do you implement this approach to risk management? It's actually rather simple. Instead of looking at metrics and the individual risks to make decisions, take a step back. First, categorize the metrics into the projects they apply to; if you can map these projects to business goals, even better. Next, for each project, have the owner of the project create a success state and a failure state for the project. For example, if our critical apps are available 98% or more of the time, the project is a success. Lastly, have them review their metrics and answer a simple question: on a scale of 1 to 5, where 1 is unlikely and 5 is very likely, what is the likelihood that the project will meet the success state?

Using qualitative, instead of quantitative, metrics on the likelihood of success is similar to what a mutual fund manager does. If a stock in the conservative portfolio you selected becomes much riskier and the likelihood of meeting the 4% return goes down, they will adjust the portfolio to meet the goal.

Risk management isn't about eliminating risk; it is about managing risk to an acceptable level so that the business can innovate and grow. Our guess is that if you start adjusting your audit items based on the likelihood of meeting project outcomes instead of just their risk level, you will have more items addressed, fewer meetings about why things need to be done, and you will be able to start identifying opportunities where you can take additional risk because the organization is managing its current risk appropriately.