Security audit for commercial sites

A recent online security report notes that malicious programmers have begun targeting specific social websites as hosts for drive-by infections.

Where scammers once set up their own pages and tried to drive traffic to them in order to take control of a victim's machine or network, recent years have seen a shift towards compromising legitimate URLs.

According to the Malicious Code Trends section of Symantec's Internet Security Threat Report 2011, published in April 2012, approximately 61 per cent of all sites listed as hosting malicious programs are "actually regular web sites that have been compromised and infected with malicious code".

The top five categories of compromised legitimate sites were blogs, personal hosting sites, business or economics pages, online shopping venues and educational references.

It may be that the largest of these categories, blogs and personal communications at 19.8 per cent, is the least well defended because such sites tend to be used by their owners as a communications platform or journal rather than as a money-making enterprise.

This theory appears to be supported by the second-largest category, personal hosting services at 15.6 per cent, which fits the same pattern.

The activities a site is meant to support may therefore have a direct effect on the amount of effort put into keeping it safe for visitors.

Those in charge of commercial sites and online shopping channels, at ten per cent and seven per cent respectively, tend to be more experienced in controlling access to their back end and defending against malicious activity.

While it is in everyone's interest to protect repeat visitors to online venues, commercial operations simply have more to lose if their customers and clients suffer because of an inadequate vulnerability management schedule.

That being said, 17 per cent of the legitimate sites found to be infected with malware belong to enterprises that either trade goods and services or supply economic and financial information to their customers.

This means that every infection has the potential to disrupt their income, whether it comes from advertising revenue or customer transactions.

DSD finalises Apple iOS 5 security audit

After months of negotiations and security audits, Apple's latest mobile operating system has finally been given the green light for use by government agencies.

The Defence Signals Directorate (DSD) has approved iOS 5 for use at the Protected classification level, meaning that the iPod Touch, iPhone and iPad are all cleared for documents classified as Protected as long as they are configured according to the approved framework.

As part of its approval process, the DSD has issued a guide through the Department of Defence Intelligence and Security that details the steps required before a particular device can be used to store classified information.

While not cleared for storing or viewing information rated Confidential or above, devices running iOS 5 and set up in the configuration described in the document can be used to handle data classified as Protected.

The DSD also noted that the instructions in the guide are quite technical and recommended that they be carried out only by qualified, experienced professionals.

“Some instructions in this guide are complex, and if implemented incorrectly could cause serious effects to the device, the network and the agency’s security posture,” explained the directorate.

Secure Audits for Third-Party Providers

When firms sign up with a cloud service provider, the decision is usually framed as utility versus cost: external providers can usually supply better software and applications than a firm could run on its own in-house assets, and without the initial purchase cost.

Of course, such agreements are entered into on the understanding that the external partner will do its best to keep the client's data safe and secure.

However, the concentration of data held by specialist service providers often makes them a prime target for malicious parties, and the proprietary nature of that data makes it highly valuable.

While a provider may assert that its online protection is first-rate, due diligence demands that responsible firms have a clear picture of the measures actually in place.

A professional security audit from an independent assessor can deliver a clear report on the depth and breadth of the provider's security controls, offering an unbiased check on the promises made during the initial sales contact.

Everything from encryption standards and storage methods to transmission protocols can be covered, giving managers confidence that the partnership is secure before they sign on the dotted line.