Author: admini

Visa rolls out new payment application security mandates

Posted on by admini

For many companies, especially large ones using older payment applications, Visa’s mandate could mean “tens of millions of dollars” in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant in Bolingbrook, Ill. The mandates will also “by proxy” force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.

“This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers,” Huguelet said. “Now it has become clear that payment vendors have to make their software support security standards” or risk being cast aside by their customers, he said.

Visa’s mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044159&source=NLT_AM&nlid=1

Read more

Better IT Security Doesn’t Mean Spending More

Posted on by admini

A lot of companies spend too much money on security controls such as firewalls, anti-virus software and other desktop protection tools designed to defend against traditional mass attacks, said John Pescatore, a Gartner analyst. According to Pescatore, over the years such products have become highly commoditized and can be deployed for far less than many companies currently shell out for such protection. Such planning is important at a time when the costs associated with security breaches are going up sharply.

Over the next two years in fact, companies can expect breach-related costs to increase on average by 20 percent each year compared to today, according to Gartner. Increasingly, companies that suffer data breaches are getting sued by victims as well as by other affected parties.

http://www.pcworld.com/businesscenter/article/138494/better_it_security_doesnt_mean_spending_more.html

Read more

Nine out of ten websites have serious vulnerabilities

Posted on by admini

The report statistics were gathered through an outsourced service providing website vulnerability assessments on an ongoing basis.

With more than six hundred sites under management, including many of the Fortune 500, WhiteHat has access to an unparalleled amount of security data, which allows them to accurately identify which issues are the most prevalent.

Since the last report in April 2007, there has been a noticeable increase in several technical vulnerabilities including XSS, Information Leakage, SQL Injection and HTTP Response Splitting, which can be directly attributed to the discovery of new attack techniques and the improvement in vulnerability identification technology.

http://www.net-security.org/secworld.php?id=5539

Read more

F-Secure: User education no security solution

Posted on by admini

Runald said the rising occurrence of “drive-by” downloads is “most worrying”, referring to the situation whereby a Trojan, embedded in a website, surreptitiously downloads itself onto a user’s system when the page is visited. The only solution, the security expert said, is vigilance in ensuring all security software is constantly updated, so that the user can be protected from threats they do not see. “Even if people have been educated on safe surfing, they either forget or don’t care,” Runald said.

Mobile security Runald also noted that the technology is available to cause serious damage on mobile devices. According to the security expert, 99 percent of mobile malware is targeted at the Symbian operating system (OS) because it is the market leader and its source code is open, making it easier to examine the OS for vulnerabilities. Referring to Apple’s iPhone, Runald said: “In theory, by having a closed OS, it should be safer.

Offering an explanation as to why a mobile malware pandemic has not yet occurred, Runald said there has not been a concerted effort by mobile virus coders because they tend to be “kids” who are interested in “a bit of fame and mischief”, rather than being motivated by profit like those who code for PCs.

However, Runald cautioned that this does not rule out the possibility of a mobile malware outbreak.

http://news.zdnet.co.uk/security/0,1000000189,39289980,00.htm?r=1

Read more

Security spending soars

Posted on by admini

The survey, carried out by analysts TNS on behalf of CompTIA, also discovered that for every dollar spent on security about 42 cents goes on technology product purchases, 17 cents for security-related processes, 15 cents for training, 12 cents for assessments, nine cents for certification, and the balance on other costs.

http://www.channelregister.co.uk/2007/10/11/comptia_security_survey/

Read more

Survey: Office workers still the greatest security threat

Posted on by admini

While office-bound employees have consistently topped the list of those thought most likely to compromise network security in past surveys, they have lost some ground to remote and mobile employees, who are considered to be a greater security threat by 31 percent of respondents.

Sophos’ head of technology, Paul Ducklin, said, “This is a representation of how common telecommuting and remote working has become,” to the extent that half of those in the office are also remote workers.

http://news.zdnet.com/2100-1009_22-6213227.html

Read more