Debate

For, by Scott Harris, CEO, SecureTrust Corporation

Research performed by SecureTrust Corporation has determined that nearly all phishing today is a result of ignorance or inattentiveness — a green bar is not going to change that.

The true value of the green bar at this point is mainly for marketing purposes. Unless you are a well-known name, such as Amazon or eBay, increasing your online sales is all about building consumer confidence and trust in your company through your website. A green bar goes a long way in building this online trust.

The bar will assure the consumer that the company has met established standards: they are who they say they are.

It was not very long ago that we were teaching our parents and friends to never put in their credit card information unless they saw the yellow padlock. As extended validation certificates become more common in the marketplace, we will encourage our friends and family to only do business with sites that have the green bar.


Against, by Steven Myers, assistant professor, Indiana University

Extended validation certs are unlikely to have much effect on the phishing phenomenon largely because they don't address the underlying security problems that currently lead users to be phished.

Very few phishing attacks succeed because users are fooled into accepting a certificate issued to a fraudulent entity. Rather, users have a poor understanding of the security technologies available in browsers, never mind how they are intended to be used.

The result is that many users will believe a site to be secured with the presence of an official looking padlock displayed on the web page itself, as opposed to the appropriate location on the browser chrome.

Extended validation certs do not solve this problem, nor its larger generalization of user interface spoofing, because the browser can interactively display images to the screen, and it can create user-interfaces that mimic those of varying security technologies, including those that are being suggested to highlight the use of an extended validation cert.


THREAT OF THE MONTH:
Data breaches

What is it?
Any unauthorized access to stored sensitive data through network hacking, lost or stolen laptops or data tapes, or information posted to a website.

How does it work?
Data breaches can be caused by innocent employee error, or can be the result of intentional malicious attacks. Data at risk includes a company's intellectual property and customer/personal data.

The customer information revealed through a data breach is often targeted for use in identity fraud.

Should I be worried?
The financial costs of a data breach include legal fees, possible fines and potential lost revenue. The damage to reputation, brand and consumer confidence cannot be measured, but is extremely costly.

Reports put the total number of records compromised in data breaches since January 2005 at over 100 million.

How can I prevent it?
Protect data from threats both inside and outside the company. Steps to take include encrypting data stored on computers, laptops and removable media; using firewalls to secure against viruses; and monitoring your databases for unusual activity. Most importantly, treat data security as a business issue, not just a security issue.

— Malte Pollmann, vice president, products, Utimaco
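The prevention advice above ends with "monitoring your databases for unusual activity" without saying what that looks like in practice. The following is an added example, not code from the column or from Utimaco, showing a minimal detector run over a constructed database audit log. It assumes a simple whitespace-separated log format (timestamp, database user, client IP, statement type, rows touched) and three hypothetical rules: a single statement touching a bulk number of rows, access outside business hours, and a per-user volume spike measured against that user's other statements. The thresholds, user names, addresses and log lines are all constructed for illustration.

```python
"""Flag unusual database activity in an audit log (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log: timestamp, db user, client IP, statement, rows touched.
# The 02:17 line is the kind of event a breach leaves behind: a service account
# that normally reads a few dozen rows suddenly pulls a quarter of a million at night.
SAMPLE_AUDIT_LOG = """\
2007-03-01T09:12:04 app_svc 10.0.2.15 SELECT 42
2007-03-01T09:15:11 app_svc 10.0.2.15 SELECT 37
2007-03-01T09:40:52 app_svc 10.0.2.15 UPDATE 1
2007-03-01T10:02:19 app_svc 10.0.2.15 SELECT 55
2007-03-01T11:30:44 app_svc 10.0.2.15 SELECT 48
2007-03-01T14:05:31 app_svc 10.0.2.15 SELECT 39
2007-03-01T16:45:02 app_svc 10.0.2.15 SELECT 51
2007-03-02T02:17:33 app_svc 10.0.2.15 SELECT 250000
2007-03-02T02:19:08 dba_jane 192.168.7.9 SELECT 120
2007-03-02T10:11:46 dba_jane 192.168.7.9 SELECT 80
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 (assumed); anything else is off-hours
BULK_ROWS = 10_000             # assumed: one statement touching this many rows is bulk


def parse_audit_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, stmt, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "stmt": stmt,
            "rows": int(rows),
        })
    return events


def find_anomalies(events, min_baseline=5, z=3.0):
    """Return one alert per event that trips at least one rule.

    The volume rule uses a leave-one-out baseline: the event is compared against
    the same user's *other* statements, and only when enough of them exist to
    form a baseline. Mean/stdev is used here for clarity; a production monitor
    would prefer robust statistics (median/MAD) so one outlier cannot mask others.
    """
    alerts = []
    for i, e in enumerate(events):
        reasons = []
        if e["rows"] >= BULK_ROWS:
            reasons.append("bulk")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        others = [o["rows"] for j, o in enumerate(events)
                  if j != i and o["user"] == e["user"]]
        if len(others) >= min_baseline:
            mu, sigma = mean(others), pstdev(others)
            if e["rows"] > mu + z * sigma:
                reasons.append("volume-spike")
        if reasons:
            alerts.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "ip": e["ip"],
                "rows": e["rows"],
                "reasons": reasons,
            })
    return alerts


def scan(text):
    """Convenience wrapper: parse a log text and return its alerts."""
    return find_anomalies(parse_audit_log(text))


if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(f'{alert["ts"]} {alert["user"]}@{alert["ip"]} '
              f'rows={alert["rows"]} reasons={",".join(alert["reasons"])}')
```

On the constructed log this yields two alerts: the service account's 250,000-row night-time read trips all three rules, and the DBA's 02:19 query is reported only as off-hours, since two statements are too few to build a baseline. The point of the leave-one-out baseline is that the outlier does not get to define "normal" for itself; the point of the minimum baseline size is that a newly seen account is reviewed by a human rather than scored by a model with no history.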
