With the holiday shopping season unofficially kicking off on Friday, additional security steps should be taken by end-users and website owners.
According to Symantec's annual internet security threat report, shopping outlets are among the top websites infected with malware. In addition, 61 percent of malicious sites are legitimate ones that have been compromised – a troubling finding for consumers scouring the internet for bargains.
Deena Thomchick, director for Symantec's website security solutions team, on Wednesday shared with SCMagazine.com ways website owners can shore up their business sites during busier times. Tactics include using separate test-signing and release-signing infrastructures when using code-signing services, as well as storing private keys in tamper-proof, cryptographic hardware devices to protect digital certificates.
“With the growth of applications, there is a tremendous amount of development going [on],” Thomchick said. “Code-signing services authenticate the developer and can confirm that the application hasn't been tampered with in any way. If you download a piece of software that is not signed, your browser will give you a warning message. Companies should use different infrastructure for this signing activity.”
While “security conscious” companies normally go the route of securely storing private keys, Thomchick said this has been an issue for some businesses, particularly small-to- medium sized organizations.
Other steps like implementing Secure Sockets Layer (SSL) for all web pages, getting digital certificates from a trusted source, and frequently monitoring company networks, servers and sites for malicious activity, can significantly improve an organization's chances of catching threats before they become costly, Thomchick added.
Those on the end-user side should be wary of email deals that sound too good to be true, a Symantec guide for staying secure online advised. Shoppers should also look for signs that the sites they visit are not phishing sites -- for instance, green text in the browser bar indicates a website has an extended-validation certificate.
Users also must keep their machines updated with the latest software fixes, especially considering the rise in exploit kits, which allow cyber crooks to easily foist attacks from seemingly legitimate sites.
A report from security firm Qualys, where data from more than one million end-user computers and installed browsers were analyzed, showed that more than half of the machines were not fully patched. The security issues could allow attackers to remotely control victims' machines, monitor keystrokes and and steal sensitive information like login credentials or bank account details.
Qualys found that Java, which was installed on 82 percent of all tested machines, rated as the worst plug-in security wise, with more than one-third of all installations being vulnerable. Out-of-date Adobe Flash installations left 24 percent of its users vulnerable.
In addition to using buggy or outmoded software, users should also be on the lookout for spam in their inboxes and on social networking sites. Opportunists already begun their holiday cons by luring victims with e-card and shopping deal scams to redirect them to fake offer sites.
Users should also make sure their passwords for online banking, email and social networking accounts are complex enough that they would be difficult to crack.