Don't be Fooled on April Fool's Day
Top 10 ways to avoid the malware boogie man on April Fool's Day.
"The vast majority of cybersecurity and identity theft threats can be prevented with simple but effective actions. These recommended steps can be implemented quickly to help U.S. businesses and government agencies protect their data and, just as importantly, their customers' privacy and identities," said Craig Spiezle, executive director and president of the OTA, in a statement. "As stewards of data and consumer trust, the public and private sectors now have the opportunity to enhance online trust and confidence while promoting innovation, growth, and vitality of online services."
What follows are the OTA's 2011 recommendations to address the most frequent exploits, including malicious email, phishing, deceptive websites and deceptive business practices:
- Protect site visitors by notifying them of insecure and outdated browsers that do not have integrated anti-phishing, malware protection and online tracking privacy controls. This is particularly important given the increase in social media targeted exploits and use of cloud services.
- Establish and maintain domain portfolio monitoring, which includes monitoring look-a-like domains and tracking renewals to prevent "drop catching" of expiring domains and domain locking to help guard against unintended changes, deletions or domain transfers.
- Implement email authentication to reduce the incidence of spoofed and forged email, helping to prevent identity theft and the distribution of malware from tarnishing your brand reputation. Authenticated email gives ISPs, mailbox providers and corporate networks an added ability to block deceptive email and protect online brands and sites from deception.
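The recommendation above describes the receiving side of email authentication: a mailbox provider checks whether the connecting IP is one the sending domain has published as authorised. The following is an added example, not code from the OTA or from this article, of a minimal SPF evaluator in Python. The SPF records, domain names and IP addresses are constructed for illustration and stand in for live DNS TXT lookups; only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented, and mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) and the `redirect=` modifier return `permerror` rather than being guessed.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (assumption: an offline table replaces DNS).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a matching mechanism -> SPF result (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Return the domain's SPF record, or None when it publishes no 'v=spf1' TXT record."""
    txt = records.get(domain)
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF policy of `domain` for a message arriving from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-consuming terms at 10
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:     # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if "=" in name:                  # modifier (exp=, redirect=) rather than a mechanism
            if name.startswith("exp="):
                continue                 # explanation text only; no effect on the result
            return "permerror"           # redirect= would need to be followed; not implemented

        matched = False
        if name in ("ip4", "ip6"):
            try:
                # ip_network.__contains__ returns False across IP versions, so an
                # IPv4 sender never matches an ip6: term and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix in the record
        elif name == "include":
            sub = check_spf(sender_ip, arg, records, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain must publish a valid record
            matched = sub == "pass"      # only a 'pass' from the included policy counts
        elif name == "all":
            matched = True
        else:
            return "permerror"           # a, mx, ptr, exists need live DNS; not implemented here

        if matched:
            return QUALIFIER_RESULT[qualifier]

    return "neutral"                     # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "mail.example.net")]:
        print(f"{ip:>15} as {dom:<17} -> {check_spf(ip, dom)}")
```

A receiver acting on these results would reject a `fail`, typically quarantine or score a `softfail`, and treat `none` as unauthenticated; the `-all` versus `~all` choice in the published record is therefore what decides how much protection the domain owner actually gets against spoofing.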
- Upgrade to extended validation SSL certificates (EV SSL) for any banking and ecommerce sites which collect personal or financial information. Use of EV SSL certificates helps to increase consumer confidence in online brands by turning the address bar green.
- Continuously monitor third party code, links and advertising on your site to help prevent malicious content and ads. Request third-party content providers and ad networks to adopt anti-malvertising guidelines.
- Develop and test a proactive breach and data loss incident plan to be prepared for data breach and data loss incidents, minimizing the risk and impact to customers and business partners. Such plans help to inventory data collection policies, user access and destruction processes while developing a plan to respond to data loss and breaches.
- Require strong passwords and educate users on effective password management to minimize the risk of account takeovers. Include security questions with highly variable answers which are not publicly discoverable on social networking sites. Require a) strong passwords for employees and restrict customers from using weak passwords; b) force password reset every 30 to 60 days; c) ensure service accounts are not used by staff or able to be used through customer-facing applications; d) perform regular entitlement reviews and remove unused or terminated employee accounts immediately; e) limit the number of access attempts and force account shutdown requiring administrative interaction.
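Sub-items a), b), c) and e) of the password recommendation are all enforceable in the authentication code itself. The following is an added example in Python, not code from the OTA or from this article, that models one account store applying those four controls: weak passwords are rejected at creation, a password older than the upper bound of the 30 to 60 day window forces a reset, service accounts cannot be used for interactive logins, and a fixed number of failed attempts locks the account until an administrator unlocks it. The threshold values, the usernames and the passwords are constructed for illustration, and the password storage uses PBKDF2 from the standard library as an assumption about how such a store would hash credentials.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Policy parameters (constructed values; the text only fixes the 30-60 day reset window).
MIN_LENGTH = 12
MAX_ATTEMPTS = 5
MAX_AGE_DAYS = 60          # upper bound of the recommended reset window
PBKDF2_ROUNDS = 200_000


def password_is_strong(pw):
    """Reject short passwords and those drawing on fewer than three character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, password, set_on, is_service=False):
        if not password_is_strong(password):          # item a): weak passwords never stored
            raise ValueError("weak password rejected")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.set_on = date.fromisoformat(set_on)      # ISO date string, e.g. "2011-03-01"
        self.is_service = is_service                  # item c): machine-to-machine only
        self.failures = 0
        self.locked = False

    def password_expired(self, today):
        """Item b): a password older than MAX_AGE_DAYS must be reset before use."""
        return (date.fromisoformat(today) - self.set_on) > timedelta(days=MAX_AGE_DAYS)

    def login(self, password, today, interactive=True):
        """Return 'ok', 'expired', 'bad password', 'locked' or 'denied: service account'."""
        if self.is_service and interactive:           # item c): no staff or customer-app use
            return "denied: service account"
        if self.locked:                                # item e): stays locked until admin_unlock
            return "locked"
        _, digest = hash_password(password, self.salt)
        if hmac.compare_digest(digest, self.digest):   # constant-time comparison
            self.failures = 0
            return "expired" if self.password_expired(today) else "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:              # item e): attempt limit reached
            self.locked = True
            return "locked"
        return "bad password"

    def admin_unlock(self):
        """Only an administrative action clears the lock and the failure counter."""
        self.locked = False
        self.failures = 0


if __name__ == "__main__":
    acct = Account("alice", "Correct-Horse-42", "2011-03-01")
    for _ in range(MAX_ATTEMPTS):
        print(acct.login("wrong", "2011-03-02"))      # ... bad password, then locked
    acct.admin_unlock()
    print(acct.login("Correct-Horse-42", "2011-03-02"))  # ok
    print(acct.login("Correct-Horse-42", "2011-06-01"))  # expired
```

The lockout counter here is per account and only resets on a successful login or an administrative unlock, which is what makes the limit effective against repeated guessing; a design that silently re-enabled the account after a timeout would weaken item e) of the recommendation.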
- Enable automatic patch management for operating systems and applications, including add-ons and plug-ins. Proactive patch management can harden your systems against known vulnerabilities. End-of-life applications which are no longer supported should be removed or used only in isolated and secure sessions.
- Enable encryption on all wireless routers and access points and hide your SSID (service set identifier names), or name it to help ensure that SSID does not provide details that identify your business. Change your keys frequently to help prevent key disclosure or unauthorized use. If you are providing free wireless services, limit how and when your network can be used, monitor usage and keep the network isolated from your business network.
- Initiate planning to support DNS Security Extensions (DNSSEC). DNSSEC adds security to the DNS and is designed to help address man-in-the-middle attacks and cache poisoning by authenticating the origin of DNS data and verifying its integrity while moving across the Internet. DNSSEC is an Internet Engineering Task Force (IETF) set of specifications that secures communication between DNS name servers and clients. With the root zone and the .org, .net, .gov and, most recently, .com zones now signed, the number of domains using DNSSEC and the number of resolvers conducting validation will increase.
- Update privacy and data use policies to clearly state what data is being collected, who it is being shared with and how it is being used, to increase consumer trust and self-regulation. Consider multilingual policies to support users for whom English is a second language.
- Adopt third-party security, privacy and opt-out seal and certification programs.
The 2011 list of 10 also includes steps regarding protection of internal infrastructure to safeguard customer data and business uptime. The list comes on the heels of the OTA's 2011 Data Breach & Loss Incident Planning Guide, which identifies key questions and recommendations to help businesses with breach prevention and incident management.
The guide highlighted that in 2010 over 26 million consumer records were compromised, costing businesses over $5.3 billion. Based on OTA analysis, and confirmed by the 2010 Data Breach report by Verizon and the U.S. Secret Service, over 90% of breaches are avoidable through simple or intermediate controls such as those outlined in the OTA's recommendations.