15 May 2015

Monitoring

Posts relating to the category tag "monitoring" are listed below.

15 May 2015

The Bad and the Good of Ecommerce Fraud Detection

Vendor ThreatMetrix has published a short document about how online fraud detection systems often mistreat customers like they are criminals, leading to increased costs and decreased income.

Photograph of customers in a high street shop paying for their purchases at checkouts

Problems with common systems of customer authentication are discussed in "Are You Treating Your Customers Like Criminals?", including failure to recognise existing customers, time-consuming or awkward re-authentication and the poor user experience of payment verification processes like 3DSecure (e.g. Verified By Visa, MasterCard SecureCode, American Express SafeKey).

These lead to basket abandonment, payment failures and brand damage. The document describes other problems created such as making it difficult to enter new markets, increasing the customer support overhead, wasting marketing spend, and rising fraud levels during peak trading periods when barriers are lowered, leading to elevated chargeback rates.

It is suggested that retailers need to simplify authentication, improve the identification of real customers, and mitigate the business impact of fraudulent activity. Recommendations for activities to undertake in real time are provided. These measures can be implemented directly in code, as well as using vendor products and services. See also the March post, User Interface Modifications to Combat Buyer Fraud.

The document can be downloaded free of charge after providing contact details including a valid email address. ThreatMetrix also publishes a quarterly cybercrime attack report.

Posted on: 15 May 2015 at 11:20 hrs


06 May 2015

Android Security 2014

Google announced early last month the release of a report analysing security in the Android ecosystem.

One of the charts from Google's report 'Android Security 2014 Year in Review'

Android Security 2014 Year in Review describes various measures of security, including the occurrence of potentially harmful mobile applications, platform API abuse and network-level abuse.

Information is provided on Google's 4-tier severity rating system for vulnerabilities.

Security enhancements during 2014 are also discussed, together with newer changes such as the enhanced Google Play review process to help protect users.

Posted on: 06 May 2015 at 11:27 hrs


24 April 2015

AppSensor CISO Briefing

Following the release of the Introduction for Developers in February, the OWASP AppSensor team has now created and published a new document aimed at Chief Information Security Officers (CISOs) and others with similar responsibilities.

Cover of the 'AppSensor CISO Briefing'

The CISO Briefing is a high-level overview, with pointers to the more detailed resources for specifiers, architects, developers and operators.

The document's content was partially taken from the introductory sections of the AppSensor Guide and the AppSensor Microsite. This was then edited and changed by myself, John Melton and Louis Nadeau.

I incorporated several quotations from industry analysts, reports and standards to help set the context in the current security environment. The quotations are all publicly available but are mostly not OWASP AppSensor specific — instead they illustrate current trends and concerns about attack visibility, real-time detection, the need for automation, runtime application self-protection (RASP), and active defences.

The 12 pages comprise the following:

  • Defending Software Applications
  • Detect and Respond to Attacks From Within the Application
  • Benefits For Organizations and Users
    • Lower information security risk
    • Improved compliance
    • Reduced impact of attacks and breaches
    • Increased system survivability
  • Enterprise Ready
    • Extremely low false positives
    • Intelligence driven security
    • Low system resource overhead
    • Machine-speed response
  • Next Steps
  • Additional AppSensor Resources
  • About OWASP.

The CISO Briefing can be downloaded free of charge as a PDF, or purchased at cost in hardcopy from Lulu.com. There will also be some copies available during the CISO track at the AppSec EU conference in May.

Posted on: 24 April 2015 at 08:54 hrs


16 April 2015

PCI DSS v3.1 for Ecommerce Payments

Lots happening this week. The Payment Card Industry Security Standards Council (PCI SSC) has announced the release of an update to the PCI Data Security Standard (PCI DSS).

Partial view of the title sheet from the Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.1, April 2015

PCI DSS v3.1 (15 April 2015) includes several changes to reflect changing threats and recently discovered vulnerabilities, as well as some clarifications and additional guidance.

The most important aspects changed for ecommerce channels relate to the following PCI DSS requirements:

  • 2.2.3 and 4.1 - Removed SSL as an example of a secure technology. Added note that SSL and early TLS are no longer considered to be strong cryptography and cannot be used as a security control after June 30, 2016. Additional guidance provided in Guidance column. Also impacts Requirements 2.3 and 4.1.
  • 2.3 and 4.1.1 - Removed SSL as an example of a secure technology and added a note to the requirement.
  • 3.4 - Clarified in requirement note that additional controls are required if hashed and truncated versions of the same PAN are present in an environment.
  • 6.6 - Added clarification to testing procedure and Guidance column that if an automated technical solution is configured to alert (rather than block) web-based attacks, there must also be a process to ensure timely response.
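A small audit check for the requirement 2.2.3/4.1 change above, written for this post rather than taken from PCI SSC or any web server project: it parses an nginx-style `ssl_protocols` directive and reports whether SSL or early TLS (TLS 1.0 here) is still enabled, distinguishing the period before and after the 30 June 2016 cut-off. Treating TLS 1.1 and 1.2 as acceptable for v3.1 is an assumption of this example.

```python
from datetime import date
from typing import Dict, List

# Constructed example, not a PCI SSC tool. PCI DSS v3.1 (reqs 2.2.3 / 4.1): SSL and
# early TLS are not strong cryptography and cannot be used as a security control
# after 30 June 2016. TLS 1.1/1.2 are assumed acceptable here (TLS 1.2 preferred).
SUNSET = date(2016, 6, 30)
NOT_STRONG = {"SSLv2", "SSLv3", "TLSv1"}   # SSL and early TLS (TLS 1.0)
STRONG = {"TLSv1.1", "TLSv1.2"}            # assumption: acceptable under v3.1


def parse_ssl_protocols(directive: str) -> List[str]:
    """Turn e.g. 'ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;' into its protocol tokens."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] != "ssl_protocols":
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    return tokens[1:]


def audit_ssl_protocols(directive: str, today: date) -> Dict[str, object]:
    """Classify the directive as PASS, MIGRATE (weak protocol still allowed, plan needed) or FAIL."""
    protocols = parse_ssl_protocols(directive)
    weak = sorted(p for p in protocols if p in NOT_STRONG)
    unknown = sorted(p for p in protocols if p not in NOT_STRONG | STRONG)
    if weak and today > SUNSET:
        status = "FAIL"        # SSL / early TLS no longer counts as a security control
    elif weak:
        status = "MIGRATE"     # still tolerated by v3.1, but must be gone by the sunset date
    else:
        status = "PASS"
    return {"status": status, "weak": weak, "unknown": unknown}


if __name__ == "__main__":
    legacy = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"   # weak setting (constructed)
    hardened = "ssl_protocols TLSv1.1 TLSv1.2;"             # corrected setting (constructed)
    for d in (legacy, hardened):
        print(d, "->", audit_ssl_protocols(d, date(2016, 7, 1)))
```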

The PCI SSC has provided an on-demand webinar to assist with understanding all the changes. Version 3.1 is effective immediately and PCI DSS Version 3.0 will be retired on 30 June 2015.

Posted on: 16 April 2015 at 11:38 hrs


20 March 2015

The Hard Problem of Securing Enterprise Applications

This paper about securing enterprise applications has been sitting in my email since November. I eventually got round to reading it and apologise for not highlighting it sooner.

Vendor recommended security controls and compliance requirements leave huge gaps in application security. ... Most have no understanding of how the application platforms work, where security events should be collected, nor how to analyze application specific information.

Securing Enterprise Applications describes the problems modern enterprises have with application security: security use cases, security gaps and recommendations. These are my favourite selective snippets. This:

The biggest gap and most pressing need is that most monitoring systems do not understand enterprise applications. To continuously monitor enterprise applications you need to collect the appropriate data and then make sense of it.

And:

Traditional application security vendors who claim "deep packet inspection" for enterprise application security skirt understanding how the application actually works.

And:

Continuous monitoring of enterprise application activity, with full understanding of how that application works, is the most common gap in enterprise security strategies.

And:

This means that you can block activity, not just monitor. Properly configured with white/black listing, they help prevent exploitation of 0-day attacks and filter out other unwanted behavior. They work at the application layer so they are typically deployed one of three ways: as an agent on the application platform, as a reverse proxy for the application, or embedded into the application itself.

Read and implement AppSensor. It's free.

Posted on: 20 March 2015 at 08:16 hrs


17 February 2015

AppSensor Now A Flagship OWASP Project

I was extremely pleased at the release of the v2 AppSensor reference implementation in January. Now I am excited that the Open Web Application Security Project (OWASP) has elevated the project's status.

Photograph of a green pendant flag flying against a blue sky

The completely voluntary OWASP project task force, led by Johanna Curiel, has been working through a backlog of project reviews. Over the last couple of years the OWASP AppSensor Project has delivered significant steps in the coverage, quality, and depth of its outputs. In fact, it is also the only OWASP project that is both a documentation project and a code project.

OWASP has promoted the project to the highest level - Flagship status. As co-leader with John Melton and Dennis Groves, and project founder Michael Coates, I am thrilled with this recognition.

OWASP's project inventory includes nine other Flagship projects and defines flagship status as:

The goal of OWASP Flagship projects is to identify, highlight, and support mainstream OWASP projects that make up a complete application security product of high quality and value to the software security industry. These projects are selected for their strategic value to OWASP and application security as a whole.

OWASP Flagship projects represent projects that are not only mature, but are also projects that OWASP as an organization provides direct support to maintaining. The core mission of OWASP is to make application security visible and so as an organization, OWASP has a vested interest in the success of its Flagship projects. Since Flagship projects have such high visibility, these projects are expected to uphold the most stringent requirements of all OWASP Projects.

It is important to remember all the people who have volunteered their time and effort to reach this stage. So many good and generous people.

Mark Miller has just interviewed John Melton about the OWASP AppSensor Project as part of the OWASP 24/7 podcast series. He provides an overview of application-specific attack detection and response, discusses what is new in version 2.0.0, explains the architectural options, describes the process flow, and mentions what else is on the roadmap.

AppSensor will be participating in this year's AppSec EU application security conference in Amsterdam, from 19th to 22nd May 2015. I hope you can make it.

Posted on: 17 February 2015 at 07:55 hrs


29 January 2015

Anti-Automation Monitoring and Prevention

It seems London's Heathrow Airport has very little in the way of anti-automation monitoring or prevention in place.

Headline from the London Evening Standard which reads 'Heathrow noise complaints sent by automated software'

According to the London Evening Standard newspaper on Tuesday, a five-fold increase in complaints was in large part due to automated email submission.

It appears to have been luck that led to the discovery that the emails were computer-generated: after the clocks changed from summer time, complaints were received an hour ahead of the flight schedule.

Oops, let's hope that's not a metric used by the airport itself or a regulator.

Not that the airport would reasonably believe it to be the target of any activists! Surely not.

Posted on: 29 January 2015 at 16:04 hrs


17 December 2014

Business Failure at the Speed of Software

This week we saw two events where the automated nature of processes led to major business failures.

Partial extract from the RepricerExpress showing some of the liability clauses in its terms and conditions of service published at http://www.repricerexpress.com/terms-and-conditions/

On Friday, a number of Amazon retailers were affected by a pricing problem. Those that had chosen to subscribe to the third-party RepricerExpress service, which automatically adjusts prices to match or better competitors, found their products were being sold for as little as 1 pence. Those organisations that despatched their own goods were able to spot the problem themselves, but those that used Amazon to stock and ship product were affected more seriously because Amazon simply carried on regardless for some time.

The cause of the hour-long issue has been fixed. RepricerExpress's clients are outraged, and of course for some of them this could put them out of business. I am sure RepricerExpress will be reminding its clients what they agreed to in the RepricerExpress end user licence agreement (partial screenshot in the image above). Including for example that the maximum liability "shall be limited to a sum equal to the total Licence Fees paid to the Licensor in the period of 12 months considered retrospectively from the date the cause of action arose". So, how much would you pay for something that can reduce your product prices by almost 100%? £20-70 per month apparently seems to be the answer.

Express indeed.

Then on Monday, taxi-like company Uber, which had another PR disaster last month, managed to incense everyone by rapidly escalating its prices in Sydney as "demand increased" i.e. people attempted to leave the city during the dreadful cafe hostage event. Later reacting to pressure, Uber cancelled the change and offered some free services instead and a refund to those affected by its pricing.

These have a common factor of automated software making unmoderated changes to pricing that would clearly be perceived as unreasonable to a human. And doing it fast.

Superfast fail.

Automation is good — but enumerate all the possibilities, and implement limits, checks and alerts. And monitor these. And more importantly, check your contracts and who is liable for what. Then do a risk assessment and make sure someone senior reviews this and makes some decision about the risks. Can you survive the unexpected?
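The limits, checks and alerts this post calls for, as an added example (not RepricerExpress's or Amazon's code): a guard that sits between an automated repricer and the live price, refusing any proposal below a cost-based floor or beyond a per-run step, alerting on large moves, and halting when the day's accumulated drift exceeds a cap that per-run checks alone would miss. All names and threshold values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Limits:
    floor_ratio: float = 0.5      # never sell below 50% of the seller's cost price
    max_step_ratio: float = 0.20  # at most a 20% change in a single repricing run
    alert_ratio: float = 0.10     # alert a human when one run moves the price by more than 10%


@dataclass
class RepriceResult:
    price: float                  # price in force after the check
    applied: bool                 # whether the proposal was accepted
    alerts: List[str] = field(default_factory=list)


def guarded_reprice(current: float, proposed: float, cost: float,
                    limits: Optional[Limits] = None) -> RepriceResult:
    """Accept an automated price proposal only inside hard limits; reject and escalate otherwise."""
    limits = limits or Limits()
    if current <= 0 or proposed <= 0 or cost <= 0:
        return RepriceResult(current, False, ["rejected: non-positive price or cost input"])
    floor = cost * limits.floor_ratio
    if proposed < floor:
        # The "1 pence" failure mode: refuse and escalate rather than silently clamping.
        return RepriceResult(current, False,
                             ["rejected: proposed %.2f below floor %.2f" % (proposed, floor)])
    change = abs(proposed - current) / current
    if change > limits.max_step_ratio:
        return RepriceResult(current, False,
                             ["rejected: step %.0f%% exceeds limit" % (change * 100)])
    alerts = ["alert: price moved %.0f%% in one run" % (change * 100)] if change > limits.alert_ratio else []
    return RepriceResult(proposed, True, alerts)


def reprice_sequence(open_price: float, proposals: List[float], cost: float,
                     limits: Optional[Limits] = None, max_daily_ratio: float = 0.30) -> Tuple[float, List[str]]:
    """Run a day's proposals through the guard and halt when total drift from the opening price is too large."""
    price, log = open_price, []
    for proposed in proposals:
        result = guarded_reprice(price, proposed, cost, limits)
        log.extend(result.alerts)
        if result.applied and abs(result.price - open_price) / open_price > max_daily_ratio:
            log.append("halted: daily drift beyond %.0f%%; manual review required" % (max_daily_ratio * 100))
            break                 # keep the last accepted price; a person decides what happens next
        price = result.price
    return price, log
```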

Posted on: 17 December 2014 at 17:23 hrs


20 November 2014

TRUSTe Privacy Deception and Misrepresentation

US regulator Federal Trade Commission (FTC) has taken to task self-appointed privacy certifier TRUSTe (True Ultimate Standards Everywhere, Inc.) which labels itself as "powering trust and compliance".

Partial screen capture of a page from the TRUSTe web site showing some of its web privacy certification products

In a press release issued this week, the FTC states that TRUSTe has agreed to settle charges that it "deceived consumers about its recertification program for company's privacy practices, as well as perpetuated its misrepresentation as a non-profit entity".

Apart from a $200,000 fine, the proposed extensive settlement requires that "TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program. In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language."

TRUSTe CEO Chris Babel's comment about the settlement can be found on the TRUSTe blog.

The United Kingdom TRUSTe web site is http://www.truste.co.uk/ which lists many UK clients. Sadly, a Google search indicates many of their clients haven't realised what's been going on and are still promoting the label.

Posted on: 20 November 2014 at 14:15 hrs


25 July 2014

Creative Content UK Alert Programme

An industry-led initiative will replace plans for the UK government's Digital Economy Act (DEA) copyright regime.

BT, Sky, Virgin and TalkTalk have committed to sending out up to four warning letters a year to each customer whose account has been identified as being used to breach copyright laws.

The plans, announced just over a week ago, primarily relate to P2P file sharing of music, TV and movies, but may be of use to other content producers. Read Virgin Media's blog post and the press release from trade body BPI.

There is an in-depth write-up on the Out-Law.com legal news site, and further comment here and also here.

Posted on: 25 July 2014 at 14:00 hrs


Monitoring : Application Security and Privacy
https://www.clerkendweller.uk/monitoring
© 2008-2015 clerkendweller.uk