Myths Revealed
An essential guide from Thawte
Contents:
Introduction
Myth #1: Hacking? It won't happen to me!
Myth #3: Looking after security practices? That's the CISO's job
Myth #6: All types of certificates issued by a CA are the same, aren't they?
Myth #7: Only shady-looking websites are really dangerous. Mine's safe and secure
Myth #9: I have great anti-virus software on my network, so my systems are safe
Myth #3: Looking after security practices? That's the CISO's job
Its true that the Chief Information Security Officer (CISO) should be the senior-level executive within an organisation
responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets
and technologies are adequately protected. But should it be his or her sole responsibility to define and enforce security
practices?
Unloading this responsibility onto one person is not a good idea. Instead, a company should build an information security
strategy and process around the specific needs of the business, and that means involving a multitude of people
and departments across the organisation.
In the early days of large-scale corporate use of the Internet, many basic technical precautions were not being taken
and the sheer scale of the work to be undertaken in IT seemed to require that Information Security specialisations
existed solely within IT.
However, Information Security is no longer solely a technical problem, but encompasses management of people, process, legal affairs, risk management, public relations, physical security, organisational change and many other areas,
alongside technical management of the threat.
It is also now clear that, with such a complex threat landscape, a risk-managed approach to Information Security is critical. The assessment of such risk requires the involvement of many stakeholders right across the business and, critically,
an individual to manage this process, who might well be the CISO.
Myth #5: I don't store credit card data, so I don't need SSL
So your business doesn't store credit card data. That of itself is a good thing, bearing in mind the levels of credit card
fraud that now take place and how often this is linked to identity theft. However, that doesn't automatically make you or
your customers safe. Not storing sensitive financial information might make you feel as though you are better protected
from cyber-attacks, but that is only one aspect of what keeps you secure online.
There are many other ways that cyber attackers can wreak damage on your organisation and its reputation, other than
by stealing financial data, and you need to have the highest levels of protection in place to keep them firmly at bay.
That means having safe and trusted areas for your customers where they know they are out of harm's way, as well
as operating the highest levels of security for log-ins and passwords.
Secure areas: these are interactive and personalised portals on a website that provide customers with online
access to sensitive information in a secure and confidential environment. Moreover, this can be restricted to users
Log-ins/Passwords: anyone logging in to your site should be using passwords that are at least 10 characters long
and contain multiple character types, including lowercase, uppercase, numbers and special characters. The harder
a password is to guess or crack with a brute force attack, the safer those customers will be. Login information,
including passwords, should always be unique and never reused across multiple web sites; once such details have
been compromised on one site, other accounts may also be hit and that could be the slippery path to financial loss.
Personal details: such as names, email addresses, contact numbers and mailing addresses. If you collect enough
personal data, identity theft may become a plausible threat to your customers. Take the necessary precautions;
otherwise it can be devastating to your customer and the reputation of your business. More and more customers
are educated online shoppers nowadays and won't buy from you if you don't have an SSL certificate installed on
your website.
Remember: even if you don't sell online, your customers will appreciate the care you take to protect their personal
data, especially where you operate a secure access area on your site.
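The log-in rules above (at least 10 characters, all of lowercase, uppercase, digits and special characters, no reuse of credentials already compromised elsewhere) as a server-side check; this is an added example, not Thawte's code. It reads "multiple character types" as requiring all four classes, and the list of compromised password digests is a constructed stand-in for a real breach feed.

```python
import hashlib
import math
import string

# Policy taken from the guide: minimum length 10, every character class present.
MIN_LENGTH = 10
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed sample: SHA-256 digests of passwords "seen in a breach", standing in
# for a real compromised-credential feed. Only digests are stored, never plaintext.
KNOWN_COMPROMISED = {
    hashlib.sha256(p.encode()).hexdigest() for p in ("Password123!", "Welcome2014!")
}


def check_password(password, compromised=KNOWN_COMPROMISED):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    missing = [name for name, members in CLASSES.items() if not chars & members]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # "Never reused": reject anything already known from a breach dump.
    if hashlib.sha256(password.encode()).hexdigest() in compromised:
        problems.append("already present in a known breach")
    return problems


def brute_force_bits(password):
    """Estimate the keyspace an attacker must search, in bits, assuming they know
    which character classes were used: log2(pool_size ** length)."""
    chars = set(password)
    pool = sum(len(members) for members in CLASSES.values() if chars & members)
    return len(password) * math.log2(pool) if pool else 0.0
```

A 13-character password drawn from all four classes sits at roughly 85 bits of keyspace, while a lowercase-only one of the same length is below 62, which is the quantitative version of the guide's "harder to brute force" point.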
Myth #6: All types of certificates issued by a CA are the same, aren't they?
No, they are not. There are several types of certificate on offer and not all can be trusted to the same degree.
Here are the main ones:
Domain Validated (DV): the lowest-cost means of securing a website; this does not provide authentication or
validation of the business behind the website.
Organisation Validation (OV): these certificates include full business and company validation from a certificate
authority using currently established and accepted manual vetting processes, but are still not validated to the highest
standards set by the CA/B Forum*.
Extended Validation (EV): EV certificates are fully validated to the meticulous guiding principles set by the CA/B
Forum, providing the highest levels of security and trust to end users.
Always opt for an SSL (Secure Sockets Layer) certificate with EV from a globally recognised certificate authority, such as
Thawte. The entire address bar will turn green (for safe), if you are on a site using EV certification. These certificates
guarantee the business is legitimate, whereas many other types are only validated with respect to the domain, but not
the owners and operators of the domain.
With EV, you will know you've made a safe, secure connection to a website when the beginning of the URL changes
from HTTP to HTTPS (with the S standing for Secure). Also, a padlock will be displayed to the left of the address bar
(which will have turned green), showing your customers that the page is using an EV SSL certificate to encrypt all
communications between them and your website.
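How the three validation levels can be told apart from a certificate's subject, as an added example that is not part of the Thawte guide: DV certificates carry no organisation fields, OV certificates name the organisation, and the CA/B Forum EV Guidelines additionally require businessCategory, jurisdiction and serialNumber attributes. The classifier works on the dict shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificates are constructed, the attribute names assume OpenSSL's long names, and a definitive EV verdict would also need the certificate policy OID checked against a browser's EV root list.

```python
import socket
import ssl

# Subject attributes the CA/B Forum EV Guidelines require in an EV certificate.
EV_REQUIRED = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_attributes(cert):
    """Flatten getpeercert()'s nested-tuple 'subject' into a plain dict."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs[name] = value
    return attrs


def validation_level(cert):
    """Heuristic DV / OV / EV classification from subject fields only.
    Assumption: EV is only confirmed in practice when the policy OID also matches
    the browser's EV list; this function does not check policy OIDs."""
    attrs = subject_attributes(cert)
    if "organizationName" not in attrs:
        return "DV"          # domain-only: nobody vetted the business behind it
    if EV_REQUIRED.issubset(attrs):
        return "EV"          # organisation plus the EV-mandated identity fields
    return "OV"              # organisation vetted, but not to EV standards


def fetch_peer_cert(host, port=443):
    """Live lookup returning the same dict shape as the constructed samples below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (hypothetical host shop.example) in getpeercert() layout.
DV_CERT = {"subject": ((("commonName", "shop.example"),),),
           "subjectAltName": (("DNS", "shop.example"),)}
OV_CERT = {"subject": ((("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "GB"),), (("serialNumber", "01234567"),),
                       (("countryName", "GB"),), (("organizationName", "Example Ltd"),),
                       (("commonName", "shop.example"),))}
```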
Trust marks/seals are another important means of reassuring customers that it is safe to shop on your site, by
demonstrating that it has passed various security and privacy tests. The Thawte Trusted Site Seal, for example, gives
your web site instant credibility in the online world by visually reassuring customers that your site's identity has been
verified and that it is secured with SSL.
* CA/B Forum, an independent standards body that requires in-depth verification of the legality and probity of a company before it is issued with a certificate
Myth #7: Only shady-looking websites are really dangerous. Mine's safe and secure
It's a given that, however much money, time and technology you have, your website will never be 100% secure.
Don't imagine that what looks okay is okay. It's all about what lies beneath. Hackers are constantly seeking out and
discovering security flaws in systems that were once thought all but impregnable. The window between such a discovery
and the release and installation of the required patch leaves you highly susceptible to a full-on assault. One thing you
need to be aware of is that hackers have already probed your systems, checked out your software and are ready to take
advantage of any zero-day vulnerabilities that might open you up.
Even the simplest websites rely on software - and software is inherently flawed and contains errors or bugs. You should
know the components your website relies on to operate and keep tabs on the known issues, and releases of updates
and patches.
It's common practice to harden, or lock down, access to only the resources that need to be accessed. This should
include the operating system, web server and web application itself. And use strong passwords!
Even though total website security is a myth, the goal should always be to make yours as secure as possible. Attackers
are opportunists, seeking out the path of least resistance, and the harder you make it for them, the more likely they will
move on and find a site that is not as robust as yours is.
Myth #9: I have great anti-virus software on my network, so my systems are safe.
Your anti-virus software may well be excellent in itself, but that isn't enough on its own. Anyone who thinks AV is still all
they need is, quite bluntly, living in the past. The world has changed and attackers (and malware threats) have moved
on apace, with far too many variants now flying around for traditional signature-based anti-virus products to cope.
As always, while security vendors, IT administrators and end users adapt new measures to block security threats,
attackers are constantly creating new, sophisticated ways to get through their defences. However good your AV might
be, they will target a weakness in the system, network or indeed end users themselves in their mission to break
through.
With brute force threats designed to target different weaknesses on different systems, never using the same technique
twice, it's no surprise that AV products, used as the sole or main means of defence, are increasingly failing, causing
costly downtime, clean-up efforts and data loss.
A successful attack can now be the passport to significant revenue streams, and the resources and skills employed to
undermine security defences are formidable, so you can be certain that the tenacity and guile of the cybercriminals will
only increase, too.
For all of these reasons, AV-only is not enough. Companies need comprehensive attack prevention that integrates the
full range of security technologies.
More Information
Via phone (France): +33 1 57 32 42 68
Via email: sales@thawte.com
Protect your business and translate trust to your customers with high-assurance digital certificates from Thawte, the world's first international
specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support,
Thawte is the international partner of choice for businesses worldwide.
© 2014 Thawte, Inc. All rights reserved. Thawte, the Thawte logo, and other trademarks, service marks, and designs are registered or
unregistered trademarks of Thawte, Inc. and its subsidiaries and affiliates in the United States and in foreign countries. All other trademarks
are property of their respective owners.