
AntiPhishing

May 14

Anti-Phishing: I am writing my second article about phishing. After getting a good response to my last phishing article, I thought to start again. I know I have been away from blogging since last week; it was a tiring week at the office, though. Deadlines and deadlines..

So, let's start with Anti-Phishing..

What is Anti-Phishing?

As you read in my previous article about social engineering and hacking your account, a hacker would steal your confidential personal and financial information.

Nowadays we are hearing more about social networking sites' security flaws, like what we heard about Facebook and Yelp this week. Please read the following URL:

http://techcrunch.com/2010/05/11/another-security-hole-found-on-yelp-facebook-data-once-again-put-at-risk/

Flaws like that help hackers and phishing attackers get access to your personal data.

Here are a couple of anti-phishing software tools that would help you against phishing attacks:

Netcraft Anti-Phishing Toolbar:

http://toolbar.netcraft.com/

Google Safe Browsing for Firefox and Chrome:

http://www.google.com/tools/firefox/safebrowsing/

BitDefender Anti-Phishing Toolbar:

http://www.bitdefender.com/PRODUCT-2237-en–BitDefender-Antiphishing-Toolbar-2009-(without-ask.com).html

PhishTank:

http://www.phishtank.com/

Earthlink:

http://www.earthlink.net/software/domore.faces?tab=toolbar

McAfee SiteAdvisor:

http://www.siteadvisor.com/

GeoTrust TrustWatch:

http://geotrust.com/?dmn=trustwatch.com

There are a couple of tools available at the server level as well to protect your network from phishing:

Untangle Anti-Phishing toolkit:

http://www3.untangle.com/Pricing/Value-Packages

All of the software above would help you prevent phishing attacks. Also make sure that your antivirus and anti-spyware software protects you against phishing attacks.

Author: Gaurav Maniar – MCITP – Windows Server Specialist
Window Hosting Security, Exchange Messaging System, Server Security Audit, Domain (ADS) Infrastructure


Accomplish PCI Data Security Standards

May 02


Tips to accomplish the PCI Data Security Standards.

Primarily, you must hire technology-certified people who have strong experience in security. You know that we all learn when our fingers get burnt, so why let your business suffer from that again? I strongly recommend hiring certified people to keep your business safe and secure for the long term. In case you hire third-party services, you must check the profile and knowledge standards of the people you want to be your guards. Most companies promise the best services and standards, but you must verify before you believe their words.

A. Build and Maintain a Secure Network

It is not easy to build a secure network, and it is even tougher to maintain the established secure network, because hackers are smarter than you guess. Hackers always use a bunch of technologies to hack and crack your business security.

1. Install and maintain a firewall configuration to protect cardholder data

A firewall is a piece of software or hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. If you are a home user or small-business user, using a firewall is the most effective and important first step you can take to help protect your computer. It is important to turn on your firewall and antivirus software before you connect to the Internet.

A hardware firewall is a type of appliance: a server box installed with firewall security programs. The firewall box is a secure and trusted machine that sits between a private network and a public network. It is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused. In some large organizations you may even find a firewall located inside the corporate network to segregate sensitive areas of the organization from other employees. Many cases of computer crime originate from within an organization, not just from outside.

Figure: PCI Compliance Data Security Firewall

Firewalls can be constructed in quite a variety of ways. The most sophisticated arrangement involves a number of separate machines and is known as a perimeter network. Two machines act as “filters” called chokes to allow only certain types of network traffic to pass, and between these chokes reside network servers such as a mail gateway or a World Wide Web proxy server. This configuration can be very safe and easily allows a great range of control over who can connect, both from the inside to the outside and from the outside to the inside. This sort of configuration might be used by large organizations.
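As an added example (not from the original post), here is a small Python model of the perimeter layout just described: first-match rules with default deny, two chokes around a DMZ holding the mail gateway and web proxy, and an internal firewall that segregates the cardholder-data segment. All addresses, ports, zone names and rules are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port; 0 means any port


# Constructed address plan (assumption, not from the post): a chain of four zones.
ANY, DMZ, OFFICE, CDE = "0.0.0.0/0", "192.0.2.0/24", "10.10.0.0/16", "10.20.0.0/24"
PAYMENT_APP = "10.10.5.10/32"   # the one office host allowed into the cardholder segment
ZONES = [("outside", ANY), ("dmz", DMZ), ("office", OFFICE), ("cde", CDE)]

# CHOKES[i] is the filter sitting between ZONES[i] and ZONES[i+1].
CHOKES = [
    # outer choke: the Internet may reach only the DMZ services (mail, web proxy)
    [Rule("allow", ANY, DMZ, 25), Rule("allow", ANY, DMZ, 443),
     Rule("allow", DMZ, ANY, 25), Rule("allow", DMZ, ANY, 443)],
    # inner choke: DMZ delivers mail inward, office reaches the proxy outward
    [Rule("allow", DMZ, OFFICE, 25), Rule("allow", OFFICE, DMZ, 3128)],
    # internal firewall: only the payment application reaches cardholder data
    [Rule("allow", PAYMENT_APP, CDE, 5432)],
]


def zone_index(addr):
    """Most specific zone wins; anything outside the private zones is 'outside'."""
    a = ip_address(addr)
    for i in range(len(ZONES) - 1, 0, -1):
        if a in ip_network(ZONES[i][1]):
            return i
    return 0


def evaluate(rules, src, dst, port):
    """First matching rule decides; with no match the choke refuses (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (0, port):
            return r.action
    return "deny"


def path_allowed(src, dst, port):
    """Traffic passes only if every choke between the two zones allows it.
    Hosts in the same zone cross no choke, so the result is True."""
    a, b = sorted((zone_index(src), zone_index(dst)))
    return all(evaluate(c, src, dst, port) == "allow" for c in CHOKES[a:b])
```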

2. Do not use vendor-supplied defaults for system passwords and other security parameters

You already know the importance of password privacy and what happens if others have your password. Here I shed light on PC, server, router and application software password security. Most security hardware and programs are built and supplied with a common user name and password, and both are public knowledge. That is why vendors warn you to change the password during device setup. Use of default credentials is high risk, as anyone can easily attack your servers and networks. Always use a strong password combining upper case, lower case, numbers and symbol characters. Changing passwords at regular intervals is strongly recommended.

Soon I'll let you know detailed information about PCI standards. Till then, you may directly ask me for server security tips.

Author: Gaurav Maniar – MCITP – Windows Server Specialist

Window Hosting Security, Exchange Messaging System, Server Security Audit, Domain (ADS) Infrastructure


PCI Data Security Standards

May 02


What is the PCI DSS (PCI Data Security Standards)?

The Payment Card Industry Data Security Standard (PCI DSS) was introduced worldwide by the Payment Card Industry Security Standards Council. The standard was created to help organizations that process card payments (instant checkout) prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require sign-off by a QSA for submission.

The current version of the standard specifies 12 requirements for compliance, organized into six logically related groups, which are called “control objectives.”

Here is the set of control objectives and the PCI DSS requirements under each.

A. Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

B. Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

C. Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

D. Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

E. Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

F. Maintain an Information Security Policy

12. Maintain a policy that addresses information security

PCI DSS history and update release information.

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company’s intentions were roughly similar: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was formed, and on 15 December 2004, these companies aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0. Version 1.2 was released on October 1, 2008.[3] Version 1.1 “sunsetted” on December 31, 2008.[4] v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats. In August 2009 the PCI SSC announced the move from version 1.2 to version 1.2.1 for the purpose of making minor corrections designed to create more clarity and consistency among the standards and supporting documents.

Author: Gaurav Maniar – MCITP – Windows Server Specialist
Window Hosting Security, Exchange Messaging System, Server Security Audit, Domain (ADS) Infrastructure
