posted by Adam Baldwin on October 1st, 2008
October is National Cyber Security Awareness Month. It gives all of us that are security focused the opportunity to spread some information about security and safety to others.
To do our part, DC509 is putting on another community outreach event. This time it’s going to be bigger and better than ever. We have 4 speakers on the agenda this time, speaking on a wide variety of topics. To not put the audience to sleep, each speaker will have 15 minutes to speak and 15 minutes for Q&A. Please join us and show support for helping to secure our community.
Speakers:
- Aaron Howell - Phishing; Don’t take the bait
- Adam Baldwin - Building trust with website visitors
- Lynda True - Information sharing on social networks
- Thomas Feduk, Jr - Basic best practices for staying safe online
You can find out more information about the event by going to ngenuity-is.com/events, or more information about National Cyber Security Awareness Month by going to www.staysafeonline.org.
Tags: Events · Phishing · Uncategorized · Web Application Security · nGenuity News
posted by Adam Baldwin on September 23rd, 2008
This is a fantastic deal that PayPal and eBay should be seriously promoting. PayPal and eBay are both giant phishing targets. They have been offering a two-factor authentication token for a while now. The cost to you: $5. Includes shipping, no other costs, no hidden fees, and it’s easy to use. I highly recommend anybody with a PayPal or eBay account get one immediately.
Find out more here:
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
Side Note:
If you are in the Tri-Cities, WA area and want to learn more about phishing (and other security topics), come to the DC509 National Cyber Security Month event being held in October. Aaron Howell from nGenuity will be presenting on phishing. I will post more information as the event nears.
Tags: Authentication · Phishing
posted by Adam Baldwin on September 20th, 2008
This is the first in a three-part series on responsible disclosure, taking over where the vendor leaves off, and the release of the advisory.
I subscribe to the school of thought that responsible disclosure is the way to handle critical vulnerabilities. The kind of issues that place the privacy, welfare or money of people or businesses at risk need to be handled in such a way that it reduces the risk of all parties involved and everyone wins (before somebody gets owned).
Months back, nGenuity found that a commercial (and really expensive) healthcare application exposed patient information through a forced browsing vulnerability. (There will be a follow-up on this soon about how I found this vuln.) This web application’s purpose and design is to provide doctors access to these records over the web in a secure fashion. We proceeded to write up the vulnerability details and provided them to the vendor, trying to be as responsible as we could. We notified our client, which immediately blocked application access from the Internet. The only one left to play nice was the vendor, but the vendor response was less than adequate.
Now I’m at a crossroads with responsible disclosure. If the vendor does not play ball, fix the vulnerability and notify their customer deployments, then I am left with the burden of contacting those other deployments. Should this really fall on me? Yes, if I’m going to follow through with my pact with responsible disclosure. I don’t have any other option if I want any of my clients to trust that I would do right by them with their confidential information. I’m also sure that somewhere in the fine print of my ISC2 and Certified Ethical Hacker ethics agreements it says I shouldn’t do that.
If you are an organization that makes software (yes this includes all you web developers), please make sure you make it easy for researchers to contact you about security issues in your products. When (not if) an issue is found in your software, coordinate with the finder and address the issue as quickly as possible. I have a rule about developers.
Stay tuned to find out what our experience is notifying all of the medical organizations out there on the Internet running this application.
Tags: Healthcare · Web Application Security
posted by Adam Baldwin on September 1st, 2008
Every so many years the paradigm shifts from internally hosted content and applications to managed services, and eventually finds its way back again. Back in the ’90s application service providers were all the rage and quickly diminished with the dot-com boom. Today that shift is back and is moving towards “cloud computing.”
One popular aspect of cloud computing for consumers is Software as a Service (SaaS). These services are typically subscription-based, running on a pay-per-use or time-based schedule. This is great for businesses that want to adopt a technology quickly and with low overhead. These services are increasingly giving small businesses the opportunity to compete with large corporations where they were not able to in the past. Technology can be a great equalizer, but just below the surface of some services hidden costs and risks can loom.
Consider a credit union that nGenuity recently consulted for. The banking application they use, which allows them to do all critical banking transactions, is a hosted application. This application is accessed over the Internet via a Virtual Private Network (VPN). This is a great solution for them, or at least they thought so up until it stopped working. In the blink of an eye every business transaction at that credit union stopped. Even though there was money in the vault, they couldn’t give it to customers because “the computer system was down.” This does not make for happy customers. The question they forgot to ask, like so many companies, is “what do we do if this doesn’t work?”
Let’s take a look at a few ways you and your business can avoid getting into the same situation.
Critical Business Functions:
Identify the technology and resources your business requires to perform critical functions. This exercise will be a lot easier for smaller businesses than larger ones. In each business, as more technology, staff, roles and functions are added, the more complex the dependency matrix becomes. A third party that knows and understands the risk that technology can bring to businesses can help quickly rank risks and identify ones that may be missed by the inexperienced professional.
Service Level Agreements (SLA):
Whenever you hand control of your information and/or infrastructure to a third party, always have the proper service level agreements in place. 100% uptime (while not impossible) is impractical and hard to achieve most of the time. Realize that the service will fail and be unavailable sometimes. Make the third party responsible for that downtime. This compensation should be proportional to the loss your business will suffer due to the downtime. Consider lost customers, income, and productivity as some of the metrics when calculating this value. You have to motivate that third party to give you stellar service, and the only time to do this is before you buy the service!
Business Continuity Plan (BCP):
Write down the process for doing business when the technology or resources that support those critical business functions fail or are unavailable. Make this process as simple and straightforward as possible. Do not stop there. Train and enable your employees to handle these situations without the aid of management or somebody technically trained. Finally, run mock scenarios (fire drills) to give your business added confidence in being able to handle a disaster.
“If we hear, we forget; if we see, we remember; if we do, we understand.” –Proverb
It all starts with asking the simple question “What happens if this breaks and we can’t do business?”
Tags: Business Continuity
posted by Adam Baldwin on August 21st, 2008
Security is an integral part of deploying and managing a successful website or web application. I was very pleased when Craig Sutton from BrightWeb Marketing asked me to speak at Learn About Web 2008 on web security.
Security is far from the only thing one has to focus on for a successful business online, but it should be a major concern. The Learn About Web conference has something for everyone via three different tracks: Business; Graphics and Design; and Social Media. I will be speaking in the Graphics and Design track on how to build customer trust and loyalty via a properly implemented security program.
Learn About Web 2008 will be held at the Tri-Cities Convention Center on November 7th, 2008. Register today!
Tags: Events · Web Application Security