PCI DSS or short for Payment Card Industry Data Security Standard, is designed as a security protocol that has been agreed upon by industry for applications in Credit card payment systems. Due to ever increasing problems and losses incurred by firms due to credit card fraud they have agreed to implement a data security protocol that encrypts data in transit to the various local card centers. The standard calls for a unified set of rules or parameters to be used in card centers to prevent and maintain security at all levels from the retail store where the data is collected, in-transit as it travels through the internet and as it is processed and stored in the data centers.
IBM has introduced the first PCI-DSS End to End system for implementation on the HughesNet Broadband Network Service. At a time when compliance is at a mere 50% these types of data security become imperative to prevent more losses and other problems associated with fraud and other criminal activities. The standard also applies and recognizes the needs of wireless networks through which a set of analytic and diagnostic processes are required. The PCI Standards Security Council who formulated the said standards are in constant process of reviewing and revising the said set standards as needed due to the ever-changing status of the internet and the business that goes through it.
Around 90% or more of most credit card transactions go through a public network in one stage or another as it makes its way to the central data center which makes it vulnerable to attack. The adoption of cheaper high-speed internet has companies turning to the public net opposed to the previously expensive dedicated T1 lines usually used by businesses. It also allows transaction data to be transferred through one single phone line thus lowering overhead costs making it the better choice for businesses.
It Security – Interpol
The threat of IT security has reached such a level that even Interpol has gotten involved in the action. Many crime syndicates operate beyond the normal bounds of borders and business organizations that the Policing Agency has information for all concerned regarding the security and intrusion prevention of computer systems.
The said Interpol IT Security document aimed for investigators of crimes related to IT security, highlights the need for an established set of rules that should be enforced for all people in business or other locations such as the home and elsewhere. In the said document, there is an extensive article that deals with information interception which is now becoming the most prevalent form of attack on networked computers. Firewalls are also not that effective if not configured properly and the addition of an internal and other security is needed to increase the level of protection that is needed. File deletion as may of us in the IT community knows deletes only the directory entry of the said file and not the file itself. It can be compared to deletion of a filing cabinet label without actual removal of the folder that contains the document itself. Utilities like Wiperaser Ultra for clearing deleted data are available on the market which routinely scans all tagged free-space on a hard drive and erases all the data contained within. There are also utilities available for the recovery of deleted files like software from Handy Recovery, a data recovery software which can prove valuable in security breach investigations checking for unauthorized files in an employee’s workstation. There are even recovery companies who specialize in recovery of data from tragically destroyed hardware such as those that have suffered fire damage and many more such as SalvageData whose specialty is to recover information from damaged hardware.
The Security problems of Torrents
Ever since it was introduced, torrents have flourished into one of the world’s most widespread file sharing protocols in use today. It was introduced as a method of sharing huge files without the worries of heaving one source or having to consider the varying bandwidth’s people are linked to the internet through all the world’s providers ( different providers offer different bandwidths and speeds and they vary from country to country). The system is a no-fuss file transfer protocol that does not rely much on bandwidth. Another advantage is that there is no spy-ware or pop-up advertising on bit-torrents.
The system has a server that hosts the bit-torrent file sharing system and all the users have a client side program that connects to that said server facility. When a user conducts a search, the server provided the user with the most likely source of the said file and allows the user to get the said file from those sources that are mirrored or specified in the server’s database. The future of bit-torrents is to eliminate the need for centralized servers running the host applications and to get both server-side and user or client side programs installed onto a pc without a need for the remote server.
Now for the dark side, the said ongoing improvement of eliminating the server side of the system is to eliminate the need for toughened security at the server end where one can get the history and IP addresses a user has gone through. There is also growing concern for the said file sharing technology has now being used as a propagation grounds for pornographic materials over the internet. Do a quick search on torrents sites and you’ll se what I mean. Also, being a straight-forward file sharing system, as the data travels through the internet anyone intercepting the said file can easily get any information they want for the simplified processing and file transfer is accomplished by taking away most of the security features other systems employ. The elimination of security makes transactions (file transfers) faster but less safer and vulnerable to attack.
Handhelds : Still the Biggest threat to Corporate Security
Employee’s love them, Network Administrators hate them, the advent of more function packed handheld devices have sparked a re-evaluation of the threat these small devices pose. Traditionally, networks were quite safe for to gain access to it you needed to be hooked up to the network, physically with a LAN cable. Now that the shift to wireless has become the network engineer’s best friend the network has surely been simplified and companies are switching to the new technology. Thy no longer needed wires and all existing computers are either replaced with ones that support Wi-Fi or bought individual dongles that allowed connection within the office. That was still an easy security agenda for they usually had a range of a couple of hundred feet.
Then came wireless internet hotspots which commercial developers started to put up to get more workers out of the office into their shops allowing them to work while, say having coffee. That’s where the problems began for the more office correspondence left the walls of the office, the more harder was it to secure. VPN’s were implemented that allowed a secure channel within existing networks making it a bit better. But that was still quite vulnerable to attack and security experts needed a better way of securing corporate data where-ever the user might be. Projections by business and security analysts estimate volume to increase to 100 million email transactions to and from outside the office locations that is still causing nightmares as the next step is found in the drive to secure this network without physical bounds.
[tags]Handheld Computing, Mobile Computing[/tags]
Another Bug hiding in the Thick – Exploits
The evolution of the internet has given us the Web 2.0 which is a more open form of the previous internet. The traditional internet had people and companies make their own web sites on their own computers or servers, with anybody else just logging in and getting (actually it’s more of reading) the stuff that you need and leave without getting a chance to tell the site’s owner if the information was either very helpful or a complete waste of time. Net 2.0 has allowed the opening up of borders between the said linked computers allowing people to become more interactive in their use of the web. You search for an article on the web through a search engine and find yourself in a blogging site. The information you find is very much useless so you leave a comment telling the owner such. He then reads the post and makes the information on the blog more informative thus giving him feedback on the contents of the site. This was totally unheard of in the old internet days when, what you see was what you got (literally).
The social Net 2.0 has allowed users to influence the way the internet is setup along with the information it contains. Companies get instant feedback from users thus allowing them to improve customer services. The problem, exploits or another form of malicious code that is up to no good. Imagine a social web site like MySpace where you have a page that you share over the net with your pal’s. A hacker finds a hole in the security net and leaves a few short lines of code in the form of a hidden program. It then takes all information you send and receive or use, such as purchase information from internet-based companies. This exploit, turns your page or rather the information gathered from it into his personal atm machine, using the information he has leeched and goes on a shopping spree online. Sounds crazy? You figure it out. Google found almost half a million of such exploited sites out of only 4.5 million surveyed sites (which is only a fraction of the total computers linked on the internet).
You do the math….
Corporate Internal Security – The Continuing Battle
The last post tackled the damage an internal threat might do to a person on the outside of a business organization. This post deals more with the threat from within from the viewpoint of the targeted organization itself. The problem with an internally planted backdoor or some other form of malware is that it is integrated with the programs themselves that are supposed to provide security to the system. The system that is affected can most of the time be freed of these stated threats by re-installing the said application with a version that is free of the problem code.
Just imagine the amount of information that has to be moved, re-processed and re-stored just to make up for a few lines of code that has been very well placed, hidden from view. Firewalls were supposed to prevent intrusion to links of the organization from the outside and inside but if the firewall was not to know the workings of the said code, it would recognize it as a legitimate process and allow the transfer of data without taking a second look. Corporate espionage has rival companies trying to get at the other’s secrets in hopes of getting ahead of other competitors. In the US, the FBI and other Internal security forces continuously monitor such activities such as the problem when stocks were manipulated within the Stock Exchange itself to boost the value of a particular stock to favor investors.
The risks the information we entrust to companies who serve us is great and sure they do take all necessary preventive measures as much as they could, but a threat from within is truly an adversary to be dealt with.