<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:cc="http://web.resource.org/cc/" xmlns="http://purl.org/rss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
	<channel rdf:about="IncTechnology RSS">
		<title>IncTechnology.com &gt; Internet Security</title>
		<link>http://www.inctechnology.com</link>
		<description />
		<dc:language>en-us</dc:language>
		<dc:creator />
		<dc:date>2009-11-03 22:44:03</dc:date>
		<admin:generatorAgent rdf:resource="Mansueto Ventures" />
		<items>
			<rdf:Seq>
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200911/tech_talk_fishell.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200909/cybercrime.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200903/gorsage.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200903/software.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200902/openID.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200901/email.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200901/signatures.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200812/laptop.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200812/PCI.html?partner=rss-alert" />
				<rdf:li rdf:resource="http://technology.inc.com/security/articles/200812/spam.html?partner=rss-alert" />
			</rdf:Seq>
		</items>
	<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/inctechnology/internet-security" type="application/rss+xml" /><feedburner:browserFriendly>This is an XML content feed. It is intended to be viewed in a newsreader or syndicated to another site.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /></channel>
	<item rdf:about="http://technology.inc.com/security/articles/200911/tech_talk_fishell.html?partner=rss-alert">
		<title>Tech Talk: Publisher Puts Kibosh on Spam</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/i1JjwhTqwj4/tech_talk_fishell.html</link>
		<description>&lt;p class="MsoNormal"&gt;Hay House, a book publisher based in Carlsbad, Calif., was founded 24 years ago and has grown to become one of the largest self-help publishers in the world with 125 employees in the U.S. and locations in four different continents. The publishing house relies on e-mail for internal communication and for communicating with writers, often sending manuscripts back and forth. But employees were being deluged with spam &amp;#8211; the company receives up to 10,000 spam messages per day &amp;#8211; until information technology director Mike Fishell and his staff installed an e-mail security appliance.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Elizabeth Wasserman:&lt;/b&gt; What are the plusses and minuses of using e-mail in your business?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Mike Fishell:&lt;/b&gt; It's much faster for moving information around. Whether it's information for a book, fact-checking, public relations, or passing on quotes to be inserted into our books, we rely on our e-mail. We also have offices located in time zones that don't match up. We have offices in the U.K., Australia, South Africa, and India, in addition to the U.S. So if it's noon in London and someone e-mails us with something that has to be addressed that day, we can get back to them before they go home that night. We also may receive manuscripts via e-mail from our authors. Instead of sending a manuscript via FedEx, they can e-mail it to us directly.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; What are the security risks to a business posed by relying on e-mail? Do you get a lot of spam?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Fishell:&lt;/b&gt; We get in the neighborhood of 10,000 spam messages a day.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; What did you do about that?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Fishell:&lt;/b&gt; We were using software-based spam solutions in the past, but the spam problem was growing faster than our application could deal with it. I looked at appliances and Axway&amp;#8217;s Mailgate was the first one I brought in-house for a trial. It worked so well that we couldn't even think of taking it out of production. The trial unit we were sent was kept in production for three years.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; What does it do? How does it help you?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Fishell:&lt;/b&gt; It helps us with spam by using a context-based algorithm. Some of our books may deal with health and we may have the word Viagra show up in a book, maybe with someone giving medical advice related to it. It's not in the context of someone trying to sell it, because that wouldn't be delivered to the mailbox. Our users receive an e-mail every day at 5 p.m. showing everything that was quarantined by the filter. They have an option to release it to themselves or ignore it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Wasserman:&lt;/b&gt; What have the results been?&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Fishell:&lt;/b&gt; On the inbound side, the time savings is money savings. I do a report once a year for the directors explaining the cost savings associated with it. I have calculated out in the thousands and thousands of dollars in terms of man hours for our people not having to delete spam. The cost savings worked out to about $54,000 a year in terms of man-hours we would have spent deleting spam.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;There are a lot of these e-mails being sent around maybe directing people to a website and it's not enough of an e-mail to be caught as spam or a virus. But it directs them to a website that may have malicious intentions. We're able to plug keywords into our filter and have it blocked in a matter of minutes instead of waiting for the virus companies to have something out there to block one. I don't have to worry about anyone clicking on the link.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;It also allows me to set policies to prevent certain types of sensitive data from being e-mailed outside the office accidentally. Not only viruses, but personal information or confidential information, certain contracts we don't want leaving the building, or proprietary material we don't want leaving the building.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In terms of time management, it's nice having something in the business that doesn't require babysitting. I take a look at the reports once a day. If I skip looking at the reports once a day, I'm not worried. The box gets restarted once or twice a year.&amp;#160; That and software updates a couple times a year and you can pretty much set it and forget it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://ads.pheedo.com/click.phdo?s=8e474de8f08ff255641832ed42f58a1f&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://ads.pheedo.com/img.phdo?s=8e474de8f08ff255641832ed42f58a1f&amp;p=1"/&gt;&lt;/a&gt;
&lt;!-- foo --&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/S4e2hwO8trmoSCXV3aoug5YdpIY/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/S4e2hwO8trmoSCXV3aoug5YdpIY/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/S4e2hwO8trmoSCXV3aoug5YdpIY/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/S4e2hwO8trmoSCXV3aoug5YdpIY/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/i1JjwhTqwj4" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Elizabeth Wasserman</dc:creator>
		<dc:date>2009-10-21T16:54:08-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200911/tech_talk_fishell.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200909/cybercrime.html?partner=rss-alert">
		<title>How to Fight Organized Cybercrime</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/7La-I2ShH7w/cybercrime.html</link>
		<description>&lt;p class="MsoNormal"&gt;Kris Covino, CTO and co-founder of &lt;a href="http://www.date.com/"&gt;Date.com&lt;/a&gt; once received an e-mail that appeared to come from the United Kingdom. The writer explained that he had encountered a lot of fraudulent activity on Date.com, and asked for advice on how to detect fraudulent behavior.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Covino wanted to be helpful. &amp;#8220;I responded with information on some anti-fraud databases, places to check if a photo of a supposed Date.com user had been used in online scams, and an online discussion group about scams,&amp;#8221; he says. &amp;#8220;It was pretty comprehensive and I sent it off&amp;#8230;but something about it bothered me.&amp;#8221; So Covino checked the sender&amp;#8217;s e-mail address against Date.com&amp;#8217;s database of known frauds, and it matched up with a known scammer in Nigeria. &amp;#8220;The scammers had proactively contacted me to find out how they could disguise themselves better!&amp;#8221; Covino says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Not only that, at the same time he was answering the e-mail, the company&amp;#8217;s customer service staff was fielding phone calls in which the caller claimed to be a Date.com user who&amp;#8217;d been banned from the site, and asking for detailed information on how to avoid being banned in the future.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;There&amp;#8217;s no question that in the past few years cybercrime has taken on new dimensions. &amp;#8220;Ten years ago, it was teenagers with pony tails sitting in their garages,&amp;#8221; says Fred Rica, principal at PricewaterhouseCoopers. &amp;#8220;We now see a high level of organization, a high level of sophistication, and a high level of funding. Whether it&amp;#8217;s coming from a nation-state, or organized crime, or somewhere else, they seem to have a lot of resources at their disposal.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;And they operate across international borders. &amp;#8220;We found many crime rings employed multiple teams that focused on different parts of a fraud operation,&amp;#8221; Covino says. &amp;#8220;For example, one team located in the U.S. would register free user accounts, but when it came time to input stolen credit card numbers to create fake pay accounts -- which is illegal here -- that was done from offshore. Then yet another team located predominantly in a few specific regions would use those accounts to perpetrate romance scams within our community.&amp;#8221; Romance scams might include getting to know a Date.com member by e-mail or chat over a period of months, and then asking him or her to cash a check, for example.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Cyber-gangs prey on small companies&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;If you ask a small business about safety, the response is often: &amp;#8216;Who would hack me? I have nothing of value,&amp;#8217;&amp;#8221; reports Dirk Morris, CTO and founder of &lt;a href="http://www.untangle.com/"&gt;Untangle&lt;/a&gt;, an open-source security gateway for small businesses.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;They&amp;#8217;re wrong. Organized cybercriminals are after two things that every company, large and small, has. The first is computers, which, if vulnerable, can be used as part of a botnet, sending out spam or performing other tasks without their users&amp;#8217; knowledge. The second is personally identifiable information, such as credit card or Social Security numbers, but also log-ins and passwords that could give the cybercriminals access to users&amp;#8217; accounts.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In fact, organized cybercrime often targets small companies rather than larger corporations. &amp;#8220;It&amp;#8217;s just too easy to exploit small or medium-sized businesses,&amp;#8221; says Ron Plesco, president and CEO of the &lt;a href="http://www.ncfta.net/"&gt;National Cyber Forensics &amp; Training Alliance&lt;/a&gt;. &amp;#8220;Large corporations have more funds to remediate and mitigate. Small businesses don&amp;#8217;t, and the bad guys know it. They&amp;#8217;re concentrating on small businesses, and have been for the past year.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;How you can avoid being a victim of cybercrime&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;Here are some steps that can help.&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;Get the best security you can afford.&lt;/u&gt; You can&amp;#8217;t match a large company&amp;#8217;s security arsenal, and that&amp;#8217;s okay. All you need is enough to make your company an unappealing target. &amp;#8220;If the door to your house is locked, you have an alarm sign in the window, and a sign that says &amp;#8216;Beware of the dog,&amp;#8217; a thief will probably go on to the next house,&amp;#8221; Rica explains. It works the same with cyber-gangs: if you make it difficult to gain access, they&amp;#8217;ll go bother someone else.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Know your network patterns.&lt;/u&gt; It&amp;#8217;s smart to review logs and usage on a periodic basis. For instance, by examining logs, Covino was able to determine that a user who appeared to be in the United Kingdom was actually in Nigeria when the scammer&amp;#8217;s proxy server stopped working for a few moments, revealing the user&amp;#8217;s actual location.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Know your customers&amp;#8217; patterns.&lt;/u&gt; &amp;#8220;You have to understand your customer base and have some information about how they use the site,&amp;#8221; Covino says. &amp;#8220;It&amp;#8217;s impossible to fight this without some of that information.&amp;#8221;&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="MsoNormal"&gt;Just as important, be aware of what user behaviors should be taken as red flags. For &lt;a href="http://www.moderntribe.com/"&gt;Modern Tribe&lt;/a&gt;, which sells Jewish themed t-shirts and other Judaica, that turned out to be large orders for t-shirts with overnight delivery and a shipping address that didn&amp;#8217;t match the credit card billing address. The first time the company received such an order, it billed the credit card number and sent out the t-shirts for overnight delivery -- and received an irate phone call a few days later from the credit card&amp;#8217;s owner who had not authorized the charge. By then, it was too late to stop or recover the shipment, so Modern Tribe wound up eating the cost of the t-shirts and expedited shipping.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;However, there was a second order in process that also involved a large number of t-shirts, expedited delivery, and a shipping address that didn&amp;#8217;t match the card&amp;#8217;s billing address. &amp;#8220;We immediately suspected that the second order was also fraudulent, so we looked into it, and when it turned out to be false, we were able to stop it,&amp;#8221; says Jennie Rivlin, Modern Tribe&amp;#8217;s founder.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Since then, she says, her firm has received many such orders, but since they know the pattern, they can take extra steps to make sure an order is real before filling it. &amp;#8220;We have had some larger orders where the billing and shipping address didn&amp;#8217;t match, so we contacted the customers and it turned out to be fine,&amp;#8221; Rivlin says. &amp;#8220;But it was well worth taking that extra precaution.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://ads.pheedo.com/click.phdo?s=a920dca26957dbbce7efa27d33296687&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://ads.pheedo.com/img.phdo?s=a920dca26957dbbce7efa27d33296687&amp;p=1"/&gt;&lt;/a&gt;
&lt;!-- foo --&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/6IQ8og6zAZmv-cNEEVecVlt-Svs/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/6IQ8og6zAZmv-cNEEVecVlt-Svs/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/6IQ8og6zAZmv-cNEEVecVlt-Svs/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/6IQ8og6zAZmv-cNEEVecVlt-Svs/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/7La-I2ShH7w" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2009-08-27T16:42:31-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200909/cybercrime.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200903/gorsage.html?partner=rss-alert">
		<title>Protecting Intellectual Property amid Layoffs</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/MNw84L4qwL4/gorsage.html</link>
		<description>&lt;p class="MsoNormal"&gt;Desperate times lead to desperate acts, including theft of valuable intellectual property. Protecting this information is challenging, but not impossible. Companies can prevent losses with the right combination of technology and detailed policies and procedures.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;For companies struggling to weather today&amp;#8217;s economic storm, the operative word is &amp;#8220;downsizing.&amp;#8221; Although layoffs generate cost savings, they also put companies at risk as vital information can walk out the door with frustrated employees. To insulate businesses from potentially massive losses, company officials must work closely with their IT and security resources to implement effective controls and fortify hiring and exiting procedures.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;The costly reality&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Consider some findings from a recent study conducted by computer security firm McAfee, Inc., which surveyed 800 companies worldwide. In the report titled &lt;a href="http://www.mcafee.com/us/about/press/corporate/2009/20090129_063500_j.html"&gt;&lt;i&gt;Unsecured Economies: Protecting Vital Information&lt;/i&gt;&lt;/a&gt;, companies reported average losses of $4.6 million in intellectual property in 2008. What did they cite as the major cause? Their own employees.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;When you combine today&amp;#8217;s layoff-laden climate with the relative ease of transmitting information, the result is a virtual invitation to steal.&amp;#160; Individuals motivated by fear of an uncertain future have easy access to flash drives, e-mail, and other back door avenues that enable them to penetrate vital areas to take, sell, or change intellectual property.&amp;#160;&amp;#160;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Imagine, for example, that a company has employed a mathematician for several years. The employee brought a unique outlook to the firm and made some significant contributions. But when the time comes to let that employee go, he feels resentment and a sense of ownership in the work he has done. He may then decide to &amp;#8220;punish&amp;#8221; the company by taking his work with him, despite the fact that he was paid a fair salary for his contributions.&amp;#160;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Go back to basics&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The first step in remedying situations like these is to return to the beginning -- revisiting your hiring policies. From day one, the rules must be spelled out so employees clearly understand their obligations about protecting intellectual property and the ramifications involved.&amp;#160; Although it may be time-consuming, it is well worth the effort to make sure these policies are in place. An often overlooked option is in a well-formed employment agreement. If you don&amp;#8217;t have one and do not have general counsel to help create one, seek advice from a law firm.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;It is also important to understand each employee&amp;#8217;s roles and responsibilities. Think through what you will allow people to do and set up their security passwords and system rights accordingly. Those rights should be individually based as well as role-based, taking system integrity and support into consideration. Also consider increasing separation of duties of individuals who work on various applications and technologies.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;For example, you may hire a great developer, but that person would not need access to the company&amp;#8217;s financials unless they are specifically working on them. The key is being precise -- the more open the policies, the wider the employee access.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Exit with care&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Just as you developed careful hiring procedures and policies, create a detailed checklist of exit procedures that are unique to your company. When layoffs occur, implement this checklist very quickly, particularly if employees had access to vital information.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;As you refine your exiting policies, consider how your layoff procedures will affect your culture and the level of trust between management and employees. A particularly hard clamp-down before an employee departure may be good business, but it may also be perceived negatively by employees. When trust is compromised, people may react negatively, e-mailing or downloading files well in advance.&amp;#160;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Employ the right tools&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Beyond a physical check of materials carried by departing employees, a variety of technological tools are available to prevent and detect data theft. First, make sure your firewalls are up to speed. Immediately shut off a separated employee&amp;#8217;s passwords and all other access points they have been granted. Also shut off the individual&amp;#8217;s internal connections and company email.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;When checking computers and e-mail, review where the employee sent files in the days preceding and following their departure. Consider how the separation occurred; there is a greater chance of information being transmitted if the employee was given several days warning. Pay special attention to e-mail sent with attachments and utilize tracking software to look for unusual activity, particularly files that have been downloaded to external drives.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Losing employees has never been easy, but it is an increasingly common aspect of daily business. Compared with the cost of losing valuable information, the cost of setting up good policies, procedures and checklists is relatively small. Precise implementation of controls and tools can mean the difference between a sad departure and a serious hit to your bottom line.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;i&gt;Mike Gorsage is a Partner and Technology Practice Leader for &lt;a href="http://www.tatumllc.com/"&gt;&lt;font face="Times New Roman"&gt;Tatum LLC&lt;/font&gt;&lt;/a&gt;. Tatum is the nation&amp;#8217;s largest executive services firm, providing financial and technology leadership nationwide.&lt;/i&gt;&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Mike Gorsage</dc:creator>
		<dc:date>2009-03-18T15:27:06-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200903/gorsage.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200903/software.html?partner=rss-alert">
		<title>Software to Help Catch a Thief</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/yDbnXdledJU/software.html</link>
		<description>&lt;p class="MsoNormal"&gt;Small to mid-sized businesses with e-commerce arms can be duped by fraudsters who type in bogus credit card numbers and complete a transaction. But the credit card verification techniques frequently called upon may not catch the problem.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Specialized credit-card-fraud-detection software can help here.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The average company has seen a 22 percent increase in fraudulent activity since 2005, with information theft -- including stolen credit card use -- up by 27 percent, according to September 2008 report published by &lt;a href="http://www.kroll.com/"&gt;Kroll&lt;/a&gt;, a risk consulting company based in New York. Those increases are largely driven by the credit crunch and the tough economic climate, according to the report, titled the &lt;a href="http://www.kroll.com/about/library/fraud/"&gt;Kroll Global Fraud Report&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Fraud detection software can take a bite out of those numbers and help small to midsize business owners&amp;#8217; bottom line by slashing credit-card chargeback costs, say the makers of such software.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Costs can be high&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But be forewarned, the software doesn&amp;#8217;t come cheap to the small business owner -- running as high as $2,500 per month. So you&amp;#8217;ll have to consider if it&amp;#8217;s for you. If you&amp;#8217;re selling expensive goods via the Internet, weigh software costs against chargeback costs that will affect your bottom line, experts say.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;You can purchase fraud detection software that determines whether the buyer actually holds the credit card with which he or she is using to buy your goods online. Or you can choose hosted software.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Catch the thief before the crime&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The software itself is activated when a customer purchases merchandise or services via the website. It analyzes each transaction to verify authenticity, says Kevin Johnson, chief executive officer at &lt;a href="http://www.ebates.com/"&gt;eBates.com&lt;/a&gt;, which offers what it calls online cash back shopping. Customers who join eBates.com receive discounts when they buy merchandise from several online retailers.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The online retailer had already developed algorithms to spot patterns of fraud in online transactions. The system might flag a returning customer who suddenly makes a much larger purchase than usual.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;But we&amp;#8217;d always spotted it after a transaction,&amp;#8221; Johnson said. &amp;#8220;With fraud technology, we can prevent fraud from happening in the first past and never pass on a fraudulent transaction to our merchant partners.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;In a down economy where more people are tempted and desperate this is more important,&amp;#8221; he adds.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Can&amp;#8217;t corner every suspect&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Consider such software if your company does any type of online commerce in which buyers use credit cards, says Reed Taussig, chief executive officer at &lt;a href="http://www.threatmetrix.com/"&gt;ThreatMetrix&lt;/a&gt; of Los Altos, Calif., which makes the software used by eBates.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Michael Ferranti, chief executive officer at &lt;a href="http://www.endai.com/"&gt;Endai&lt;/a&gt; of New York, which makes stolen credit-card screening software. &amp;#160;admits no foolproof method exists to screen every stolen credit card purchase. The theft may have been so recent the victim doesn&amp;#8217;t even know the card is gone, says Ferranti. Nevertheless, stepped-up algorithms means software can screen out more deceptive purchases than in years past, he says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Today&amp;#8217;s software mostly focuses on a common type of credit-card abuse: purchases made from a hacked computer.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;ThreatMetrix, for example, can determine whether a user&amp;#8217;s IP address has been compromised from abroad. Taking over a computer in this manner -- without the owner&amp;#8217;s knowledge -- is the most common form of credit-card fraud, Taussig says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But expect to pay for this type of protection. Costs for his company&amp;#8217;s software -- offered via the software-as-a-service model -- run $2,500 per month.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Keep loyal customers&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Taussig offers another benefit to the today&amp;#8217;s credit-card fraud-protection software. Because it&amp;#8217;s focused on isolating sales made from compromised computers it doesn&amp;#8217;t flag the longtime, loyal customer who happens to make an out-of-character purchase.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;You get to keep those customers,&amp;#8221; Taussig says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;SIDEBAR: Tips to Prevent Online Fraud&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Don&amp;#8217;t rely on one solution to catch all online fraudsters. Here are some tips to help prevent online fraud.&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;Talk with other merchants. Sounds strange, but the &lt;a href="http://www.ethoca.com/"&gt;Global Fraud-Fighting Community&lt;/a&gt; joins members who securely share order information to increase fraud knowledge while cutting down on fraud losses.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;Know your numbers. Track the amount of fraud you see and your chargeback rate, Ferranti says. Measure these baseline metrics to determine whether newly implemented software is doing its job.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;Aim for a low fraud rate -- less than 0.2 percent, based on chargebacks, say Global Fraud-Fighting community members.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;Use a variety of fraud-prevention tools. In addition to verifying credit card user data, look to address verification services. And manually check around 10 percent of customer orders, members say.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=52528f9e2ab48fbdf83937d6841f9055&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=52528f9e2ab48fbdf83937d6841f9055&amp;p=1"/&gt;&lt;/a&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/1NMTxyPrisR5RXYSckS-B1a3y5c/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/1NMTxyPrisR5RXYSckS-B1a3y5c/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/1NMTxyPrisR5RXYSckS-B1a3y5c/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/1NMTxyPrisR5RXYSckS-B1a3y5c/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/yDbnXdledJU" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Jean Thilmany</dc:creator>
		<dc:date>2009-02-17T13:58:04-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200903/software.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200902/openID.html?partner=rss-alert">
		<title>A Breakout Year for OpenID</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/0uPIvS9y5gE/openID.html</link>
		<description>&lt;p class="MsoNormal"&gt;Nothing turns off shoppers faster than having to go through the sign-in process every time they jump over to a website where they&amp;#8217;re already a customer or subscriber. Once is enough -- and that&amp;#8217;s the whole idea behind &lt;a href="http://openid.net/what/"&gt;OpenID&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;OpenID is a portable digital identity that lets someone type in their user name and password once to log onto any website with the application built into its user registration process.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;OpenID has been around since 2005, initially created so people could leave comments on blog posts without having to sign in again and again as they hopped from one blog to another. It gradually caught on with other types of websites and took off in 2008, when users reached a half billion, the number of websites on it tripled to 30,000 and major players such as &lt;a href="http://www.aol.com/"&gt;AOL&lt;/a&gt;, &lt;a href="http://www.microsoft.com/"&gt;Microsoft&lt;/a&gt;, &lt;a href="http://www.google.com/"&gt;Google&lt;/a&gt; and &lt;a href="http://www.yahoo.com/"&gt;Yahoo&lt;/a&gt; threw their weight behind it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;OpenID taking off&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;OpenID&amp;#8217;s open source is a free open-source protocol is one reason it&amp;#8217;s taking off. Because no one owns it, a company&amp;#8217;s website developer can download the code from websites such as &lt;a href="http://www.vidoop.com/"&gt;Vidoop&lt;/a&gt; or &lt;a href="http://www.janrain.com/"&gt;JanRain&lt;/a&gt; and write it into the registration process at their own site. Then, once an Internet user registers at a participating OpenID website with their name, e-mail address, user name, and password, they can visit any other OpenID website and the second site will ping the first to see if the visitor is who they say they are and if verified, forego the sign-in process.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Even &lt;a href="http://www.facebook/"&gt;Facebook&lt;/a&gt; -- whose 150 million members make it the 800-pound gorilla of social networking -- could be getting on board. Facebook has its own digital registration protocol called &lt;a href="http://developers.facebook.com/connect.php"&gt;Facebook Connect&lt;/a&gt;, but is contemplating joining the OpenID movement, according to Scott Kveton, a Vidoop vice president and current vice chair of &lt;a href="http://www.openid.net/"&gt;OpenID.net&lt;/a&gt;, the non-profit foundation that promotes the standard. Facebook chose a proprietary architecture because at the time it was the only option for adding extra profile data to a digital ID, but now &amp;#8220;they&amp;#8217;d love to be very open with what they&amp;#8217;re doing. I foresee them getting more involved,&amp;#8221; Kveton says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Addressing security concerns&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;While Web developers, open-source programmers and social networking experts are big OpenID fans, they don&amp;#8217;t expect the average Joe to care much about it -- or even know it exists. If companies are doing their jobs right, Internet users will simply realize their identity can follow them anywhere -- and that&amp;#8217;s good enough, Kveton says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But some small business owners worry about security. &amp;#8220;I don&amp;#8217;t think I&amp;#8217;d use it and I know people who freak out about it because they don&amp;#8217;t want all their [passwords] in one place,&amp;#8221; says Clyde Lerner, proprietor of In the Moment Computing, a Sunnyvale, Calif., computer services company. Instead, Lerner uses a password manager called &lt;a href="https://www.roboform.com/"&gt;Roboform&lt;/a&gt; that stores his passwords on his computer&amp;#8217;s hard drive.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;According to Kveton, OpenID is no more or less safe than someone&amp;#8217;s e-mail account. If security is a priority, people can choose to get their OpenID account through a provider that adds extra layers of security onto it, such as Vidoop or JanRain.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;SIDEBAR: OpenID Resources&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Want to learn more? Here are some resources:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;OpenID.net&lt;/b&gt; -- Home of the OpenID Foundation, the non-profit organization promoting the portable digital personal identification.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="https://myvidoop.com/help/what-is-openid"&gt;&lt;b&gt;What is OpenID&lt;/b&gt;&lt;/a&gt; -- A 4-minute video explaining how OpenID works produced by Vidoop, a Portland, Ore., OpenID platform vendor and employer of Kveton, the OpenID foundation backer.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.thesocialweb.tv/blog/2009/01/episode-24-feeds-and-openid.html"&gt;&lt;b&gt;TheSocialWeb.tv Episode 24&lt;/b&gt;&lt;/a&gt; -- The Jan. 20 episode of this weekly Web TV show includes a segment highlighting the OpenID platform&amp;#8217;s accomplishments in 2008.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://wiki.openid.net/Libraries"&gt;&lt;b&gt;OpenID Wiki&lt;/b&gt;&lt;/a&gt; -- A library of links to companies that have written OpenID software code in a variety of programming languages including Java, Perl, PHP, ColdFusion, and more.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;OpenID providers&lt;/b&gt; &amp;#8211; Individuals who don&amp;#8217;t have an OpenID through a blog or other online service can create one at websites such as &lt;a href="http://www.myvidoop.com/"&gt;myVidoop&lt;/a&gt;, Verisign&amp;#8217;s &lt;a href="http://www.verisignlabs.com/"&gt;Verisign Labs&lt;/a&gt;, JanRain&amp;#8217;s&lt;a href="http://www.myopenid.com/"&gt;MyOpenID&lt;/a&gt; and &lt;a href="http://www.claimid.com/"&gt;ClaimID&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=fe2005517490b55facd1cb21e2ad0c5c&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=fe2005517490b55facd1cb21e2ad0c5c&amp;p=1"/&gt;&lt;/a&gt;
&lt;img src="http://www.pheedo.com/feeds/tracker.php?i=fe2005517490b55facd1cb21e2ad0c5c" style="display: none;" border="0" height="1" width="1" alt=""/&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/4o4p_nZ2tMOYCoT64EXBh7JISDM/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/4o4p_nZ2tMOYCoT64EXBh7JISDM/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/4o4p_nZ2tMOYCoT64EXBh7JISDM/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/4o4p_nZ2tMOYCoT64EXBh7JISDM/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/0uPIvS9y5gE" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Michelle V. Rafter</dc:creator>
		<dc:date>2009-01-27T09:42:01-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200902/openID.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200901/email.html?partner=rss-alert">
		<title>Is There Such a Thing as Secure E-mail?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/3D3QElNI31E/email.html</link>
		<description>&lt;p class="MsoNormal"&gt;E-mail just might be the most critical business application your company uses.&amp;#160; Increasingly, businesses rely on e-mail even when it comes to sending sensitive information such as proprietary materials, private employee or customer account numbers, and confidential negotiations.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;You depend on e-mail as a necessary form of communication. But is your e-mail really secure? &amp;#8220;The important thing is for people to realize when they send an e-mail over the Internet, it&amp;#8217;s the same thing as sending a postcard,&amp;#8217;&amp;#8217; warns Bradley Anstis, director of technology strategy for &lt;a href="http://marshal8e6.com/"&gt;Marshal8e6&lt;/a&gt;, an e-mail and Web security firm.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;However, it is possible to shore up the security of your business e-mail communications. Here&amp;#8217;s how to protect your business' e-mail privacy:&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Encrypt e-mail and server connections.&lt;/u&gt; &amp;#160;&lt;/b&gt;If you simply send e-mail without ensuring it&amp;#8217;s encrypted, it can be intercepted and read by hackers. It&amp;#8217;s important to employ e-mail encryption software and to also make sure the connection between servers is encrypted as well, using Transport Layer Security (TLS), says Antsis. If you&amp;#8217;re encrypting business communications, then it&amp;#8217;s up to you to make sure your clients are provided with the software needed to de-crypt it. &amp;#8220;Some of the secure e-mail services will have a website where the person who&amp;#8217;s receiving it can go to the website to unlock the e-mail,&amp;#8217;&amp;#8217; says Matt Sarrel, an information security expert and executive director of the &lt;a href="http://www.sarrelgroup.com/"&gt;Sarrel Group&lt;/a&gt;, an information technology consulting firm. &amp;#160;If expense is an issue, freeware such as &lt;a href="http://www.truecrypt.org/"&gt;TrueCrypt&lt;/a&gt; is an option.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Verify.&lt;/u&gt;&lt;/b&gt; There are two things you need to be able to count on when it comes to business e-mail, says Sarrel. It&amp;#8217;s critical to know that the person who sent the e-mail is indeed the person to whom the e-mail is attributed, and it&amp;#8217;s vital to know the data in the e-mail hasn&amp;#8217;t been altered along the way. Look for software, such as the tools available from &lt;a href="http://www.pgp.com/"&gt;PGP&lt;/a&gt;, that let you digitally sign an encrypted document.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Be wary of Web-based e-mail.&lt;/u&gt;&lt;/b&gt; The experts advise caution when using Web-based e-mail accounts. &amp;#8220;Web-based e-mail accounts are regularly targeted for attacks,&amp;#8217;&amp;#8217; Anstis says. He should know. His personal Yahoo account was hacked and all of his contacts received spam, supposedly sent by Anstis. It was an embarrassing debacle for an e-mail security professional. If you are using a Web-based browser, you need to ensure the connection is encrypted with Secure Sockets Layer (SSL) protection. Check for https in the Web address. Providers such as &lt;a href="http://www.hushmail.com/"&gt;Hushmail&lt;/a&gt; and &lt;a href="http://www.neomailbox.com/"&gt;NeoMailbox&lt;/a&gt; promise secure e-mail.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;&lt;b&gt;Educate employees&lt;/b&gt;.&lt;/u&gt; The best security technology in the world can&amp;#8217;t mitigate one of the primary sources of risk for your business:&amp;#160; human curiosity. It&amp;#8217;s not just a matter of securing outgoing e-mail; your company&amp;#8217;s data can be at risk with incoming mail as well. Not only is there a rise in malicious spam, there&amp;#8217;s an evolution in delivery methods, says Anstis. Ever creative, the bad guys now use botnets, hijacking unsuspecting victims&amp;#8217; computers to unleash barrages of what is known as blended attack spam. &amp;#8220;Forty-two percent of all spam is what we call a blended attack -- an e-mail with a URL in it,&amp;#8217;&amp;#8217; Anstis says. The malware that will compromise your network is not in the e-mail, so the e-mail slips past security gateways. The malware is delivered when the curious recipient clicks on the URL in the e-mail to visit a website. &amp;#8220;Educate your employees about not following unsolicited invitations to click,&amp;#8217;&amp;#8217; advises Anstis. &amp;#8220;We&amp;#8217;re pretty good, but some of these attacks are going to get through.&amp;#8221; It&amp;#8217;s smart to show users examples of what a blended attack looks like. That&amp;#8217;s why Anstis&amp;#8217; company, Marshal8e6, offers a sampling of different attack methods on its website.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Update software.&lt;/u&gt;&lt;/b&gt; Too often, says Sarrel, &amp;#8220;a lot of businesses just set up e-mail and leave it. Stay on top of e-mail server software.&amp;#8221;&amp;#160; Understanding vulnerabilities and religiously installing updates and patches is critical. Make sure you&amp;#8217;re receiving updates from the vendor when it comes to anti-spam protection software, says Anstis.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Scan e-mail for content.&lt;/u&gt;&lt;/b&gt; Anstis advises using a software product that will filter for content such as inappropriate language and images, both incoming to provide a professional work environment and outgoing to protect your company&amp;#8217;s reputation. Content can also be scanned for information you don&amp;#8217;t want sent externally, such as social security numbers and credit card account data.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;b&gt;&lt;u&gt;Vet your vendor.&lt;/u&gt;&lt;/b&gt; Chances are you&amp;#8217;ll turn to a third party for e-mail security. Anstis, whose company competes in this market, offers this blunt assessment: &amp;#8220;Don&amp;#8217;t trust vendor promises. Try all products. Get references from people you know and trust.&amp;#8221;&lt;/li&gt;
&lt;/ol&gt;

&lt;p class="MsoNormal"&gt;For most small businesses, simply taking the time to question and to evaluate e-mail security is a big leap in the right direction, says Sarrel. &amp;#8220;A lot of these systems get rolled out without thinking about security, and people just keep using them. A lot of people don&amp;#8217;t seem to understand that email is almost by nature not secure.&amp;#8221;&lt;/p&gt;

&lt;p class="ListParagraphCxSpFirst"&gt;&amp;#160;&lt;/p&gt;

&lt;p class="ListParagraphCxSpLast"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=54b304893f152236fed5e91958df55d3&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=54b304893f152236fed5e91958df55d3&amp;p=1"/&gt;&lt;/a&gt;
&lt;img src="http://www.pheedo.com/feeds/tracker.php?i=54b304893f152236fed5e91958df55d3" style="display: none;" border="0" height="1" width="1" alt=""/&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/5On_3w2-CAjnOaSDS0DVQG8zkKA/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/5On_3w2-CAjnOaSDS0DVQG8zkKA/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/5On_3w2-CAjnOaSDS0DVQG8zkKA/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/5On_3w2-CAjnOaSDS0DVQG8zkKA/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/3D3QElNI31E" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Kim Boatman</dc:creator>
		<dc:date>2008-12-18T20:06:37-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200901/email.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200901/signatures.html?partner=rss-alert">
		<title>Time to Take a Look at Digital Signatures?</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/Y7D07_9U17Q/signatures.html</link>
		<description>&lt;p class="MsoNormal"&gt;&lt;a href="http://www.auroralifetools.com/"&gt;Aurora Lifetools&lt;/a&gt; helps disabled people win Social Security claims. The firm typically works with clients whose claims have been turned down as too small by law firms that traditionally handle such matters, although Aurora is not a law firm, and its professionals who represent claimants are not attorneys. Since the sums involved aren&amp;#8217;t huge, Aurora&amp;#8217;s success depends on its ability to represent large numbers of claimants. Electronic signatures are a huge help to that effort, according to Drew Hyde, senior partner.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;About 12,000 people apply for Social Security Disability every day -- that tells you how big the market is,&amp;#8221; he says. The company&amp;#8217;s staff of nine, using electronic signatures combined with customer relationship management and database technology can enroll about 200 cases a day in Aurora&amp;#8217;s system, he adds. &amp;#8220;Without electronic signatures, those same nine people could pull in about 35 cases a day -- maybe.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;And, even if the company had a staff of thousands, some clients would be impossible to help without digital signatures, he says. &amp;#8220;In the old days, we couldn&amp;#8217;t take on anyone with less than a week to go before a filing deadline,&amp;#8221; he says. It would simply take too long to get the papers certifying Aurora as the client&amp;#8217;s representative signed and in place in time to submit a claim or appeal. Today, Aurora can complete the process of interviewing and signing up a new client by phone and Internet in about 12 minutes, Hyde says. &amp;#8220;Now, someone can call us at 3 p.m., and we can submit the claim at 3:45 and protect that client&amp;#8217;s rights.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;The time is right to move to digital signatures&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;In 2000, the Electronic Signatures in Global and National Commerce (ESIGN) Act decreed that a properly obtained electronic signature has the same legal standing as a handwritten one. Since then, adoption of electronic signatures has been slow, except in certain industries, such as financial services. But acceptance of digital signatures has been building to a critical mass in the last year or two, perhaps in part because the general public has grown comfortable with the basic concept of a legally binding Internet transaction, such as filing an online tax return or clicking &amp;#8220;Buy It Now&amp;#8221; on eBay.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;At the same time, evolving technology has made digitally signing easier, according to Jason Lemkin, CEO and co-founder of &lt;a href="http://www.echosign.com/"&gt;EchoSign&lt;/a&gt;, an electronic signature service. &amp;#8220;It wouldn&amp;#8217;t have been practical in 2000, because you needed today&amp;#8217;s browsers and Ajax [asynchronous Java Script and XML] to make the experience as easy and elegant as it is today,&amp;#8221; he says. At the same time, as business in general becomes more Web-oriented, using paper contracts seems less and less logical. &amp;#8220;When everyone&amp;#8217;s using Salesforce.com and LinkedIn, it doesn&amp;#8217;t make sense to have to use FedEx or a fax machine in order to close a deal,&amp;#8221; he says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Avoiding revenue loss&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But there&amp;#8217;s another reason to consider electronic signatures today -- one Lemkin says has created an upsurge in EchoSign&amp;#8217;s business in the past few months. &amp;#8220;The most important thing in today&amp;#8217;s economy is revenue assurance,&amp;#8221; he says. Electronic signatures help by allowing companies to close a legally binding deal in minutes, while a customer is still on the phone. &amp;#8220;When you have customers who want to buy, you don&amp;#8217;t want to make them dig up a fax machine or go out to the mailbox -- because they might not do it,&amp;#8221; he says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Revenue assurance is the biggest benefit of using digital signatures for &lt;a href="http://www.hcareers.com/"&gt;Hcareers&lt;/a&gt;, a job board for the hospitality industry. &amp;#8220;With many of our one-time transactions, we would simply work by e-mail confirmation,&amp;#8221; notes Jim Finn, vice president of sales. That made life easy from a logistical point of view, but customers occasionally reneged on their deals. &amp;#8220;We had a certain percentage of write-offs,&amp;#8221; Finn says. &amp;#8220;It wasn&amp;#8217;t a large percentage, but we weren&amp;#8217;t really happy with any.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Today, Hcareers customers must digitally sign using &lt;a href="http://www.agreementexpress.com/"&gt;Agreement Express&lt;/a&gt;, showing their consent to the site's terms and conditions, which include a commitment to pay for services used. The result: &amp;#8220;We&amp;#8217;ve had 80 percent fewer clients being sent to collections in the six months after implementing digital signatures,&amp;#8221; Finn says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Working with digital signatures comes with other advantages as well, he says. &amp;#8220;It&amp;#8217;s far more efficient than a fax machine, and better for the environment. My contracts are all in cyberspace, so I can print them if I need to -- and I don&amp;#8217;t have two file cabinets standing outside my office.&amp;#8221; In fact, he says, &amp;#8220;From an efficiency standpoint, electronic signatures are the only way to go about securing contracts.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br clear="both" style="clear: both;"/&gt;
&lt;br clear="both" style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=4da480757c4d240bfdf027932efc0e1a&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=4da480757c4d240bfdf027932efc0e1a&amp;p=1"/&gt;&lt;/a&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/wN_mV2jLyl5_BPJJIXC8tKHMxNY/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/wN_mV2jLyl5_BPJJIXC8tKHMxNY/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/wN_mV2jLyl5_BPJJIXC8tKHMxNY/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/wN_mV2jLyl5_BPJJIXC8tKHMxNY/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/Y7D07_9U17Q" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2008-12-18T14:14:29-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200901/signatures.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200812/laptop.html?partner=rss-alert">
		<title>Help for Recovering Stolen Laptops</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/KGzI5yS_-OI/laptop.html</link>
		<description>&lt;p class="MsoNormal"&gt;If you&amp;#8217;re one of the millions of Americans who travel with a laptop for business, it&amp;#8217;s critical to make sure you&amp;#8217;re doing enough to properly protect your computer companion.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;According to security vendor &lt;a href="http://www.symantec.com/"&gt;Symantec&lt;/a&gt;, a laptop computer is stolen every 53 seconds in the U.S. -- 97 percent of which are never recovered.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Perhaps it&amp;#8217;s no surprise, then, a variety of software and services available today are designed to help recover a lost or stolen notebook computer. Some of the more popular solutions include &lt;a href="http://www.lojackforlaptops.com/"&gt;LoJack for Laptops&lt;/a&gt; and &lt;a href="http://www.gadgettrak.com/"&gt;GadgetTrak Laptop Security&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Experts speak out&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;But losing the computer itself may be the least of your worries if you consider the valuable data that resides on it: sensitive company information, financial records, passwords, and other private documents. In fact, Symantec and &lt;a href="http://www.ponemon.org/"&gt;the Ponemon Institute&lt;/a&gt; predict the value of an average data breach exceeds $10 million, usually caused by theft or loss of a laptop or storage device.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;It&amp;#8217;s not about how much your laptop costs but rather, how much is your data worth to you,&amp;#8221; says Michael Gartenberg, vice president of mobile strategy for &lt;a href="http://www.jupitermedia.com/"&gt;Jupitermedia&lt;/a&gt; in New York City. &amp;#8220;A device can be left behind, so you must make sure you&amp;#8217;re safeguarding your information and have a back-ups of important files.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Products like LoJack for Laptops, which is a tracking device installed on a laptop that helps pinpoint location when the laptop connects to the Internet, are a &amp;#8220;great way&amp;#8221; to physically recover the laptop, adds Gartenberg. But, he adds, passwords and encryption must also be employed to ensure sensitive company information doesn&amp;#8217;t fall into the wrong hands. &amp;#8220;At the end of the day these services are a good idea, they can be useful indeed, but it&amp;#8217;s all about how secure your data is,&amp;#8221; says Gartenberg. &amp;#8220;In the end, protecting your data and having back-ups is what you need to care about -- not recovering the laptop itself.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Steve Hilton, vice president for&amp;#160;small and mid-sized businesses and enterprise research at the Boston, Mass.-based &lt;a href="http://www.yankeegroup.com/"&gt;Yankee Group&lt;/a&gt;, agrees with Gartenberg on prioritizing your concerns: &amp;#8220;If you have a top-of-the-line laptop a tracking application might be worthwhile, but more likely than not it&amp;#8217;s the data you care about,&amp;#8221; says Hilton. &amp;#8220;So make sure you do regular back-ups of data on a NAS [networked-attached storage] box or through an online back-up service; if you're concerned about PC theft call your insurance agent and see if your business contents' policy covers you.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Track it&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Companies like Computrace, which makes LoJack, and WestinTech, which manufactures GadgetTrak, specialize in helping the authorities track down your laptop if stolen, while a few PC manufacturers also offer this as an additional service.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Available for Windows and Macs, tracking services are usually subscription-based -- so you&amp;#8217;ll have to assess if you can justify the annual costs -- and they typically use GPS signals or silent alarms when the stolen laptop connected to the Net.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Computrace&amp;#8217;s software, for example, is embedded in the firmware of computers, capable of surviving operating system reinstallations as well as hard-drive reformats and replacements. A premium edition of LoJack for Laptops includes a powerful &amp;#8220;data delete&amp;#8221; service that can remotely erase sensitive files, such as banking records and Internet cookies (as well as a service guarantee of up to $1,000 if the computer is not recovered or a data delete service cannot be performed). LoJack for Laptops costs $39.99 for one year or $89.99 for three years. The premium edition costs $59.99 a year or $109.99 for three years.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;On a related note, GadgetTrak sniffs out the whereabouts of the laptop once it detects changes in location and network environments, and sends that info directly to you including IP address, internal network address, host names, and more. A one-year license costs $29.95, while a three-year license is $59.95.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#160;&lt;/p&gt;

&lt;p&gt;&amp;#160;&lt;/p&gt;&lt;br style="clear: both;"/&gt;
&lt;br style="clear: both;"/&gt;
&lt;a href="http://www.pheedo.com/click.phdo?s=67be4fffdabf4c0df410cbe39be167f0&amp;p=1"&gt;&lt;img alt="" style="border: 0;" border="0" src="http://www.pheedo.com/img.phdo?s=67be4fffdabf4c0df410cbe39be167f0&amp;p=1"/&gt;&lt;/a&gt;
&lt;img src="http://www.pheedo.com/feeds/tracker.php?i=67be4fffdabf4c0df410cbe39be167f0" style="display: none;" border="0" height="1" width="1" alt=""/&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~at/9jN88FBHgGTUbzRHk2cJMlIOyq0/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/9jN88FBHgGTUbzRHk2cJMlIOyq0/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~at/9jN88FBHgGTUbzRHk2cJMlIOyq0/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~at/9jN88FBHgGTUbzRHk2cJMlIOyq0/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/inctechnology/internet-security/~4/KGzI5yS_-OI" height="1" width="1"/&gt;</description>
		<dc:subject />
		<dc:creator>Marc Saltzman</dc:creator>
		<dc:date>2008-11-25T13:43:25-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200812/laptop.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200812/PCI.html?partner=rss-alert">
		<title>What New PCI Standards Mean to You</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/E-8Qzgvgl6w/PCI.html</link>
		<description>&lt;p class="MsoNormal"&gt;If your business accepts credit card payments, then the way you handle that data is governed by Payment Card Industry Data Security Storage Standards (PCI DSS), not as a matter of law, but as part of your contract with the credit card companies whose cards you accept. Depending on how much you follow such things, you may or may not know that those rules changed Oct. 1, when the &lt;a href="http://www.pcisecuritystandards.org/"&gt;Payment Card Industry Data Security Standards Council&lt;/a&gt; issued PCI DSS 1.2.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Most of the changes are relatively minor, and intended to clarify points of misunderstanding contained in PCI DSS 1.1, which has been in effect since 2006, according to Bob Russo, the Council&amp;#8217;s general manager. &amp;#8220;People call us every day and ask, &amp;#8216;Do security rules apply to routers?&amp;#8217; or to ask what we mean by &amp;#8216;a regular basis,&amp;#8217;&amp;#8221; he says. The current changes are mostly intended to clarify this kind of confusion and remove redundancies, Russo says, but, he adds, &amp;#8220;We did draw some lines in the sand.&amp;#8221;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Crossing those lines is a bad idea, with consequences including stiff financial penalties and increased transaction fees. Rather than take that risk, it makes sense to learn about the new rules and the changes your company might need to make to comply with them. There&amp;#8217;s no room to list them all here, so to get a complete picture we recommend reviewing both the &lt;a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml"&gt;new standards&lt;/a&gt; and the summary of changes on the Council&amp;#8217;s website. Meantime, here are the items most likely to affect your business.&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;WEP is disallowed.&lt;/u&gt; Wireless networks that carry cardholder data, or that connect to the cardholder data environment, must use strong encryption, and Wired Equivalent Privacy (WEP) is no longer acceptable under Requirement 4.1.1, which points instead to industry best practice such as IEEE 802.11i (WPA2). &amp;#8220;Over the years, WEP has been proven to be not as good as originally thought,&amp;#8221; Russo says, and indeed WEP&amp;#8217;s design (RC4 seeded with a 24-bit initialization vector that inevitably repeats on a busy network) lets an attacker recover the shared key from captured traffic alone, something freely available tools do in minutes. &amp;#8220;In the new standards, we said we don&amp;#8217;t want to see any new WEP implementations after March 31 [2009], and existing implementations to be phased out by June 30, 2010,&amp;#8221; Russo says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;All systems &amp;#8220;commonly affected&amp;#8221; by malware must run anti-malware software.&lt;/u&gt; &amp;#8220;It&amp;#8217;s two changes in one,&amp;#8221; notes Anton Chuvakin, director of PCI compliance solutions for &lt;a href="http://www.qualys.com/"&gt;Qualys&lt;/a&gt;, a software-as-a-service provider of security and compliance software and services. &amp;#8220;The previous requirement was to use anti-virus software; now you have to have anti-spyware as well, and you have to extend it to all systems.&amp;#8221; Those running Linux, for instance, might previously have skipped this step because comparatively little malware targets Linux. The Council won&amp;#8217;t specify exactly which systems are considered &amp;#8220;commonly affected&amp;#8221; by malware, except to say that most mainframes and some Unix-based server operating systems are probably exempt. But, it notes, the world of malware changes quickly, and compliance with Requirement 5.1 means staying vigilant about the possibility of malware threats.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Web applications need a code review or an application firewall.&lt;/u&gt; Requirement 6.6 was a recommended best practice until the Council made it mandatory on June 30 of this year. &amp;#8220;Every Web facing application either has to go through a code review -- which is impractical for most small companies -- or install a Web application firewall,&amp;#8221; Russo says. &amp;#8220;You want to eliminate back doors and those sorts of things.&amp;#8221; [A &amp;#8220;back door&amp;#8221; is a hidden means of access that bypasses authentication and other protections.] The requirement allows the review to be done with automated application vulnerability-assessment tools rather than by hand, and it must be repeated at least annually and after any change; a Web application firewall adds a filtering layer in front of the application but does not fix flaws in the code behind it.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Logs must be saved for a year.&lt;/u&gt; Servers, network devices, and many applications record a log of security-relevant events, such as logins, configuration changes, and access to data. (For more on logs see &lt;a href="http://technology.inc.com/managing/articles/200806/logs.html"&gt;this IncTechnology article&lt;/a&gt;.) Requirement 10.7 now requires companies to retain those logs for at least a year, with the most recent three months immediately available for analysis (online, archived, or restorable from backup). PCI DSS 1.1 instructed companies to retain logs, but did not specify how long, Russo says.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Default and first-time passwords must be changed.&lt;/u&gt; It&amp;#8217;s hard to believe anyone would be foolish enough to leave the factory-installed password on a router, server, or personal computer that processes cardholder information, but apparently, some companies are. Requirement 2.1 makes that a violation of PCI DSS (vendor-supplied defaults must be changed before a system goes on the network), and Requirement 8.5 adds that first-time passwords must be changed at first use and that passwords include both letters and numbers.&lt;/li&gt;
&lt;/ol&gt;
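&lt;p class="MsoNormal"&gt;To make the WEP point in item 1 concrete, here is an added example, written for this article rather than taken from the Council or any vendor named here. It implements RC4 and WEP-style framing in Python and shows the structural flaw that a 24-bit initialization vector creates: two frames encrypted under the same IV share a keystream, so an eavesdropper who can guess one frame&amp;#8217;s contents (ARP and DHCP traffic is highly predictable) decrypts the other without ever learning the key. The key, IV and frame contents are constructed sample values; the CRC-32 integrity value that real WEP appends is omitted because it does not change the result. The full key-recovery attacks that tools automate exploit a different weakness (statistical biases in RC4&amp;#8217;s first keystream bytes) and are not shown here.&lt;/p&gt;

```python
# Added example for this article (not code from the PCI Council or any vendor):
# why WEP's keystream reuse is fatal. Key, IV and frames below are constructed.

def rc4(key, length):
    """Return `length` bytes of RC4 keystream for `key` (plain RC4, no WEP extras)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, wep_key, plaintext):
    """WEP framing: the 24-bit IV is prepended to the shared key to seed RC4,
    and the IV itself travels in the clear alongside the ciphertext."""
    assert len(iv) == 3
    keystream = rc4(iv + wep_key, len(plaintext))
    return iv, xor(plaintext, keystream)


# Constructed sample data (hypothetical): a 104-bit shared key, one IV, two frames.
WEP_KEY = b"secretwepkey!"                    # 13 bytes, WEP-104 style
IV = bytes.fromhex("0a0b0c")                  # only 2**24 possible values exist
FRAME_KNOWN = b"ARP probe: who has 192.0.2.1? tell 192.0.2.7"   # predictable content
FRAME_SECRET = b"POST /login user=alice pass=hunter2"          # shorter than FRAME_KNOWN


def recover_keystream(ciphertext, known_plaintext):
    """An eavesdropper who can guess one frame's plaintext gets the keystream
    for that IV without knowing the key: ciphertext xor plaintext = keystream."""
    return xor(ciphertext, known_plaintext)


def attack_demo():
    """Encrypt two frames under the same IV (as a busy WEP network must, sooner
    or later), then decrypt the second using only the first frame's plaintext."""
    _, c_known = wep_encrypt(IV, WEP_KEY, FRAME_KNOWN)
    _, c_secret = wep_encrypt(IV, WEP_KEY, FRAME_SECRET)   # IV reused
    keystream = recover_keystream(c_known, FRAME_KNOWN)    # shared key never needed
    return xor(c_secret, keystream)


if __name__ == "__main__":
    print(attack_demo())
```

&lt;p class="MsoNormal"&gt;Running the script prints the &amp;#8220;secret&amp;#8221; frame in the clear. WPA2 (802.11i) avoids this class of problem by deriving a fresh per-packet key from a 48-bit counter that never repeats within a session, which is why the standard points to it rather than to any patched-up WEP variant.&lt;/p&gt;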

&lt;p class="MsoNormal"&gt;&lt;b&gt;Things to come&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Before you get too attached to PCI DSS 1.2, keep in mind that yet another, newer version of the requirements will be arriving one day. During a recent conference on the PCI standards, representatives of the Council and of the industry discussed items currently under review for future versions of PCI DSS. &amp;#8220;They plan to work on addressing cardholder data after it&amp;#8217;s been collected but before it gets authorized,&amp;#8221; says Amer Deeba, vice president of product marketing at Qualys. A second area, he says, is the rapid growth of virtualization and the challenges of securing virtual machines. The third is &lt;i&gt;internal&lt;/i&gt; transmission of cardholder data, for instance to employees who have no need to see it.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;There&amp;#8217;s a huge desire in the credit card payment industry to address internal traffic,&amp;#8221; he says. &amp;#8220;PCI DSS 1.2 is still mostly focused on perimeter threats.&amp;#8221;&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2008-11-25T13:37:59-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200812/PCI.html?partner=rss-alert</feedburner:origLink></item>
	<item rdf:about="http://technology.inc.com/security/articles/200812/spam.html?partner=rss-alert">
		<title>New Tactics in the War on Spam</title>
		<link>http://feedproxy.google.com/~r/inctechnology/internet-security/~3/7JK6b7CyjVo/spam.html</link>
		<description>&lt;p class="MsoNormal"&gt;It&amp;#8217;s depressing but true that most of the e-mail directed to your company is e-mail you don&amp;#8217;t want. Overall, about 70 percent of the e-mail most businesses receive is spam, but that percentage can vary widely, depending on how well-known your business is, how available its e-mail addresses are, and how often employees submit their e-mail addresses on other websites. For a visible company with widely available e-mail addresses, the percentage can be much higher -- 95 percent or even more. &amp;#8220;At one company we worked with 99.7 percent of the e-mail received was spam,&amp;#8221; notes Peter Firstbrook, research director at &lt;a href="http://www.gartner.com/"&gt;Gartner&lt;/a&gt;.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Spam overall continues to grow, experts say, driven by a simple economic reality: spamming is a pretty good way to make money. &amp;#8220;The spam industry, if you can call it that, has evolved over time,&amp;#8221; notes Bill Kasje, vice president of development for spam solution &lt;a href="http://www.abaca.com/"&gt;Abaca&lt;/a&gt;. &amp;#8220;There are now development programs for spammers and people and organizations who specialize in different areas of enabling spam. There are people who control botnets and rent time on their botnets to spammers.&amp;#8221; A &amp;#8220;botnet&amp;#8221; is a group of computers that have been taken over by malware, usually without their owners&amp;#8217; knowledge, and can be set to secretly send out spam or perform other tasks.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&amp;#8220;Spam exists because it continues to provide real economic benefit to spammers,&amp;#8221; Kasje says.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Spam-fighting tools have grown more sophisticated as well, with two important weapons now available in the never-ending fight against spam -- these should be components of whatever anti-spam solution you choose:&lt;/p&gt;

&lt;ul type="disc"&gt;
&lt;li class="MsoNormal"&gt;Reputation filter: A reputation filter scores the sending mail server (by IP address or domain) on its past behavior and refuses connections from known spam sources outright, so that a message from such a source is rejected before it is even received, rather than accepted and then scanned;&lt;/li&gt;

&lt;li class="MsoNormal"&gt;Tarpit: A tarpit deliberately slows down the mail conversation with an incoming sender, and its close relative, greylisting, temporarily rejects a first delivery attempt, forcing the sending server to wait and retry after a few minutes. A legitimate mail server will do this, but spam software generally won&amp;#8217;t, since reaching the largest number of addresses in the shortest time is essential to spammers&amp;#8217; success.&lt;/li&gt;
&lt;/ul&gt;
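&lt;p class="MsoNormal"&gt;The two mechanisms above, as an added example: illustrative Python written for this article, not the code of any product mentioned here. It is a decision function for the front end of a mail server that first refuses connections from networks with a bad sending reputation and then greylists senders it has never seen, returning the temporary-failure reply that a well-behaved mail server will retry. The bad-network list and the delivery attempts are constructed sample data; a real deployment would feed the reputation check from a DNS blocklist or vendor feed and would persist the greylist database across restarts.&lt;/p&gt;

```python
# Added example for this article (not a product's code): a minimal SMTP
# admission policy combining an IP-reputation check with greylisting.
# The network list and delivery attempts are constructed sample data.
from ipaddress import ip_address, ip_network

# Hypothetical reputation data: networks recently seen sending spam. A real
# filter would query a DNS blocklist or a vendor feed instead of a static list.
BAD_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.7/32")]

GREYLIST_DELAY = 300   # seconds a never-seen (ip, sender, recipient) triplet must wait


class Greylist:
    """Tracks when each (client IP, MAIL FROM, RCPT TO) triplet was first seen."""

    def __init__(self):
        self.first_seen = {}

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return an SMTP-style reply for one delivery attempt at time `now` (seconds)."""
        ip = ip_address(client_ip)
        if any(ip in net for net in BAD_NETWORKS):
            # Reputation filter: refuse at connection time, before any message
            # data is accepted, so no bandwidth or scanning is spent on it.
            return "554 5.7.1 connection refused: sender reputation"
        key = (str(ip), mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.setdefault(key, now)
        remaining = max(0, GREYLIST_DELAY - (now - first))
        if remaining == 0:
            return "250 2.0.0 OK"
        # Temporary failure: an RFC-compliant mail server queues and retries;
        # bulk spam tools typically give up and move on to the next address.
        return "451 4.7.1 greylisted, try again in %d seconds" % remaining


# Constructed delivery attempts: (seconds since start, client IP, MAIL FROM, RCPT TO)
SAMPLE_ATTEMPTS = [
    (0,   "198.51.100.23", "offers@example.org", "sales@example.com"),  # listed network
    (0,   "192.0.2.10",    "alice@example.net",  "sales@example.com"),  # first attempt
    (120, "192.0.2.10",    "alice@example.net",  "sales@example.com"),  # retried too early
    (420, "192.0.2.10",    "alice@example.net",  "sales@example.com"),  # retry accepted
]


def simulate(attempts):
    """Run attempts through one Greylist and return the three-digit reply codes."""
    g = Greylist()
    return [g.decide(ip, frm, to, t)[:3] for t, ip, frm, to in attempts]


if __name__ == "__main__":
    for attempt, code in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(code, attempt)
```

&lt;p class="MsoNormal"&gt;Two practical caveats. Large mail providers retry from rotating pools of servers, so keying the greylist on the exact IP can delay legitimate mail for hours; production implementations usually key on the sender&amp;#8217;s /24 network or whitelist known providers. And a reputation list that blocks whole networks will also block legitimate senders who share hosting with a spammer, which is why such lists need an expiry and an appeal path.&lt;/p&gt;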

&lt;p class="MsoNormal"&gt;When it comes to fighting spam, there used to be three viable options, Firstbrook says: using a hosted anti-spam service, using a gateway device to block spam, or installing spam-blocking software. Though software solutions such as &lt;a href="http://wiki.apache.org/spamassassin/FrontPage"&gt;SpamAssassin&lt;/a&gt; remain quite popular, the need to constantly maintain the software and update information means software may not be the best approach for a small company, according to Firstbrook. Instead, he recommends either a gateway device that filters all incoming e-mail, or a hosted service, which filters your e-mail at its servers, and passes legitimate messages along.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Gateway device&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The advantage of a gateway is that it may give you better control over spam filtering, and may provide some peace of mind if, for security reasons, you&amp;#8217;re uncomfortable having your mail on someone else&amp;#8217;s servers. On the other hand, you&amp;#8217;re responsible for the hardware, and for providing enough bandwidth to handle ever-growing mail volumes. If you&amp;#8217;re considering a gateway device, here are some questions to ask:&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;How frequently do you update?&lt;/u&gt; Gateway devices generally come with a connection to the maker&amp;#8217;s servers, from which they automatically download new spam definition lists. You should find out how often these new definitions go out. Spammers exploit the window between the launch of a new campaign and the arrival of definitions that catch it, sending as much as they can before the filters catch up.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Real or virtual gateway?&lt;/u&gt; These days, virtualization means never having to buy specific hardware, so it might make sense to consider using virtualization to create a virtual email gateway instead.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;What if I increase bandwidth?&lt;/u&gt; Limited bandwidth can act as a tarpit, discouraging spam because access to your system is too slow. Therefore, it&amp;#8217;s best to make sure spam is under control before increasing that bandwidth. &amp;#8220;I&amp;#8217;ve talked to companies that scaled up their bandwidth to help handle spam volume -- and their spam percentage immediately went up,&amp;#8221; Firstbrook says.&lt;/li&gt;
&lt;/ol&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;Hosted anti-spam service&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;The argument for a hosted anti-spam service is that these services can respond to new spam threats instantly, with no delay while new information downloads to your gateway. They take most of the hassle out of fighting spam because you no longer have to worry about maintaining hardware or increasing bandwidth to handle e-mail. On the negative side, their system may not integrate quite as seamlessly with your e-mail application as a hardware solution would. If you&amp;#8217;re interested in using hosted anti-spam, here are some questions to ask the provider:&lt;/p&gt;

&lt;ol type="1"&gt;
&lt;li class="MsoNormal"&gt;&lt;u&gt;What are your guarantees?&lt;/u&gt; Does the provider offer a service level agreement (SLA) or other form of guarantee? If you can get one, an SLA provides added assurance that the service will work, and keep working.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;Is it customizable?&lt;/u&gt; Some services allow you to separately set filtering levels for messages that contain sexual words compared with, say, messages bearing business propositions from Nigeria. Given the particulars of your business, this might be handy: a medical practice, for instance, might not want to aggressively filter out messages mentioning body parts.&lt;/li&gt;

&lt;li class="MsoNormal"&gt;&lt;u&gt;What if I need other services later?&lt;/u&gt; Many anti-spam services have ancillary products such as archiving of (non-spam) e-mails, backup e-mail systems in case you are unable to use your usual e-mail software and other services. Even if you don&amp;#8217;t need any of these right now, it&amp;#8217;s a good idea to plan for the possibility that you might need them in the future, and negotiate option prices for the possible purchase of ancillary products at the same time as you make your original deal. &amp;#8220;If you wait two years after you sign your contract, they&amp;#8217;ll be less motivated to offer you a good deal,&amp;#8221; Firstbrook says.&lt;/li&gt;
&lt;/ol&gt;

&lt;p class="MsoNormal"&gt;&lt;b&gt;SIDEBAR: Popular Spam-Fighting Products&lt;/b&gt;&lt;/p&gt;

&lt;p class="MsoNormal"&gt;Here are some popular gateway appliances that fight spam:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.ironport.com/"&gt;IronPort&lt;/a&gt;, now part of Cisco, provides gateway appliances for large corporations, but its lower-end boxes are both effective and affordable for small businesses.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.securecomputing.com/"&gt;Secure Computing&lt;/a&gt;, recently acquired by McAfee, uses multi-layered techniques for added safety.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.abaca.com/"&gt;Abaca&lt;/a&gt;&amp;#8217;s gateway security comes with a 99 percent accuracy guarantee.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;There are also some hosted anti-spam services:&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.postini.com/"&gt;Postini&lt;/a&gt;, now owned by Google, offers low-cost and flexible spam solutions for even the smallest of companies, with the ability to scale as your company grows.&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.messagelabs.com/"&gt;MessageLabs&lt;/a&gt;, recently acquired by Symantec, can both block spam and enforce company policy. The site keeps a monthly tally of spam percentage overall (69.7 percent in October).&lt;/p&gt;

&lt;p class="MsoNormal"&gt;&lt;a href="http://www.microsoft.com/online/exchange-hosted-services/filtering.mspx"&gt;Microsoft Exchange Hosted Filtering&lt;/a&gt; (formerly FrontBridge) filters both inbound and outbound mail for spam and also offers disaster recovery.&lt;/p&gt;

</description>
		<dc:subject />
		<dc:creator>Minda Zetlin</dc:creator>
		<dc:date>2008-11-25T13:33:21-05:00</dc:date>
	<feedburner:origLink>http://technology.inc.com/security/articles/200812/spam.html?partner=rss-alert</feedburner:origLink></item>
</rdf:RDF>
