INTERNET SECURITY
Elizabeth Bowles
President
Overview
Summary:
Identity theft and malware are
increasing problems
Bad actors and ISPs are in a
technological arms race.
Business and consumers are
relatively helpless to address
malware on their own.
Topics:
Spoofing: phishing/pharming
Malware and spyware
Spam
Information Security
Spoofing:
What is it?
Spoofing
• The practice of using a domain
name in email that is not the
sender’s.
Why?
• To pretend the communication
came from a legitimate source.
How?
• By using false statements to trick
users (“social engineering”) and/or
false headers to trick filters.
Most forms of Internet piracy
involve some element of
spoofing – it is a popular way
for spammers and hackers to
hide their true identities.
After all, who would click on
an email if they knew it came
from a garden-variety
spammer, much less a
criminal?
Which Brings us to
PHISHING
A Word About Phishing
Phishing is…
The act of sending an email to a
user falsely claiming to be an
established legitimate enterprise.
It is an attempt to scam the user into
surrendering private information that will
be used for identity theft.
Phishing schemes have two parts:
• An email that looks authentic and
• A fraudulent website to collect and capture the
personal information.
A Word About Phishing
Phishers are expert at
copying websites
precisely, making it
difficult to know which
is the phish. . . .
A Word About Phishing
The average phishing website
is online for 3 days or less
and is usually located in a
foreign country (Anyone
speak Russian?).
This makes it very difficult
for ISPs and law enforcement
to track the bad guys down.
Add to this that most phishing
is now conducted by highly
organized “gangs” of hackers,
and you can understand the
vast scope of the problem.
Phishing
The number of
“phish” attacks
increases at an
average rate of
26% a month.
Phishing
US financial institutions have lost
$2 billion to phishing schemes.
The injury from lost consumer
data is immeasurable.
It takes the average consumer
600 hours to clear his name
following being the victim of a
phish.
Preventing
Phishing
Protecting Your Company’s Domain
Business-side
Phishing is bad for your rep:
If you host your own site, publish
your DNS records. This will allow
your domain server to authenticate
that it is the correct server.
OR
If you host with a third-party, ask them to
publish your records.
AND
If your domain has been phished, be sure
to notify consumers so that you can avoid
bad pub. . . .
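The "publish your DNS records" advice above refers to records a receiving mail server can look up to decide whether a message that claims your domain really came from your mail server. The following is an added example, not Aristotle's code and not part of the deck; it assumes the records in question are SPF-style TXT records of the form `v=spf1 ip4:... -all`. The sample record and the sending addresses are constructed (documentation ranges), and the `include`, `a` and `mx` mechanisms, which need live DNS, are deliberately left out.

```python
"""Evaluate a published sender-authorization (SPF-style) TXT record.

Added illustrative code. Assumption: the record format is SPF
("v=spf1 <mechanisms> <all>"); only ip4/ip6 and the 'all' terminator
are handled here. The record below is a constructed sample for a
hypothetical domain, not a real published record.
"""
import ipaddress

# Constructed sample, as a receiving server would fetch it from the TXT
# record of the domain in the message's From: header.
SAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail' or 'neutral' for the connecting IP.

    Mechanisms are tested left to right; the first match decides, and
    the trailing 'all' catches everything the listed networks did not.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "neutral"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # A bare address is treated as a /32 or /128 network;
                # an address of the other IP version never matches.
                if ip in ipaddress.ip_network(argument, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                continue  # malformed mechanism: skip it
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' terminator


def should_reject(record: str, sender_ip: str) -> bool:
    """A receiving server's simplest policy: drop hard failures only."""
    return evaluate_spf(record, sender_ip) == "fail"


if __name__ == "__main__":
    for candidate in ("203.0.113.45", "198.51.100.7", "192.0.2.1"):
        print(candidate, evaluate_spf(SAMPLE_RECORD, candidate))
```

A `-all` record, as in the sample, tells receivers to reject mail from any server you did not list; `~all` only asks them to treat it with suspicion, which is the usual first step while you confirm that every legitimate sender (including a third-party host) is in the record.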
Avoiding a Phish
How consumers can
protect themselves from the phish:
Never click on an email that purports to
be from a financial institution unless
you are expecting it. If you are unsure,
call your financial institution.
If you find yourself at a site asking for
personal information, such as PIN numbers
or verification codes, DO NOT enter this
information.
Finally, phishing is a form of spam, and the
best protection is a good spam filter.
And
Malware
Is Worse
Definitions
MALWARE
The word “malware” is short
for “malicious software.”
“Malware” is traditionally, if
broadly, defined as any
software that compromises or
does harm to you or your
computer.
Definitions
A number of specific types of
programs are generally
considered to be included
within the definition of
malware.
Definitions
Some of these programs are
clearly malware regardless of
application:
• Trojan horses
• Viruses/worms
• Rootkits
Other types of programs often
included may be malware or not
depending on how they are used:
• Backdoors
• Adware (a form of Trojan horse)
Malware
One goal is to steal your
personal information:
Financial Information
Logins/Passwords
SSNs
Malware
Another goal is to create a
Zombie. . . . . .
Malware
A “zombie” is a computer
that is used to send spam
without the owner’s
knowledge.
Spammers link zombie
computers together to create
“zombie networks.”
There are 1 million
zombies worldwide.
Malware
By sending a smaller amount
of spam from more
computers, spammers can
better hide their tracks.
Zombie networks are also
used to “crash” other servers
in DDOS attacks.
Spyware
Spyware is a specific form of
malware intended to reside
secretly on your computer
and spy on its contents.
Thus the name.
Spyware
Technically speaking,
spyware is a piece of
software that collects and
sends information about
users or, more precisely,
about their computer
activity, typically without
explicit notification.
Spyware
Spyware programs are often
spread like trojan horses – that
is, by residing inside innocent-
looking programs that
download the spyware along
with the rest of the program.
What types of programs should
be included in the definition of
“spyware” is the topic of some
debate.
Spyware
Everyone pretty much
agrees that spyware is
bad, but is “adware”
spyware?
Spyware
Adware (advertising-supported
software)
A piece of software that
automatically loads and displays
advertisements or banners when
the user goes online.
The message may change
depending on which sites the
user visits.
Spyware
Many adware programs track a
user’s personal browsing
information and pass that
information on to a third party
without the user’s knowledge
or consent.
Spyware
These programs often do not
include an uninstall program
and are difficult, if not
impossible, to remove.
This fits the definition of
spyware.
Anti-Spyware
The best way to protect
yourself from spyware is to
download an effective
spyware blocker that can find
and destroy spyware.
Spybot is one such program. It
works well with the spyware
blocker resident in Windows.
Spam
The problem that
started it all.
What is Spam?
According to the Can-Spam
Act, “spam” is any
unsolicited commercial
email.
In common usage, “spam”
refers to any email the
recipient does not want to
receive.
What is Spam?
In reality, consumers consider
unsolicited email that contains
a valuable offer (e.g. a
coupon) not to be spam while
even solicited email is
considered spam if it contains
irrelevant information.
IN OTHER WORDS,
I KNOW IT WHEN
I SEE IT. . .
It’s expensive
and
It’s Scary
Scary Spam Stats
In 2004, spam cost U.S.
businesses $21.58 billion in
lost productivity.
Source: 2004 National Technology Readiness Survey (NTRS)
Filters eliminate over 20
Billion spam messages per
day and this number is
rising.
Source: IronPort Threat Operation Center
Scary Spam Stats
Most global spam is directed
at recipients in the U.S.
Spam is on the increase:
83% of all email in the U.S.
is spam according to
Messagelabs.
Postini puts the number at
over 90% and growing.
A Scary Graph
The Real World
Equivalent of Spam
The Can-Spam Act means
You Can Spam
Spam and Virus
Filtering:
The good, the bad, and
the functional
Anti-Spam Technology
Bad actors change their tactics
constantly, and what works today
won’t work tomorrow.
Inevitable Result:
• Technology controls get tighter
• More control by IT departments
over business functions
• More “false positives” due to
unsophisticated filtering
• Legal issues arise from
unsophisticated filtering
How Good Filtering Works
Catching spammers who code from top to bottom
B U Y N o w a n d
S a v e T w o f o r
t h e P r i c e o f
o n e
Or add invisible text
B U Y N o w a n d
S a v e T w o f o r
t h e P r i c e o f
o n e O u R Ro to ry
W i l l m e e t W e d
How Good Filtering Works
Recognizing an embedded image
Buy Now and Save Two
for the Price of One
Catching misspelled words
ß Ü Y N Ø w a n d
$ a v ë T wo ƒ o r
t h e Þ r 1 c ê o f
w o n
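The three slides above show what a filter has to undo before it can match a phrase: letters spaced out from top to bottom, hidden padding text, a pitch that lives only in an image, and look-alike characters in place of letters. The following added example (not Aristotle's filter and not part of the deck) folds a message the same way it folds its phrase list, so the obfuscation cancels out. The homoglyph table, the phrase list and the sample messages are constructed; the table covers the substitutions on the slide and a few common ones, and a real filter would carry a much larger one. Note that a genuine misspelling such as "won" for "one" still defeats a phrase match, which is why the last phrase is not found in the homoglyph sample.

```python
"""Normalize obfuscated spam text before phrase matching.

Added illustrative code. The HOMOGLYPHS table, SPAM_PHRASES and the
sample messages are constructed for the example.
"""
import re
import unicodedata

# Look-alike characters -> the letter they imitate (assumption: a real
# filter carries a far larger table). Digits 1 and 0 are folded too,
# which is deliberate for matching but would mangle genuine numbers.
HOMOGLYPHS = str.maketrans({
    "ß": "b", "Ü": "u", "Ø": "o", "ë": "e", "ê": "e", "ƒ": "f", "Þ": "p",
    "$": "s", "@": "a", "€": "e", "¢": "c", "1": "i", "0": "o",
})

# Phrases written normally; fold() compresses them exactly as it
# compresses the message, so spacing tricks cannot hide them.
SPAM_PHRASES = ["buy now", "two for the price of one", "save"]

# Elements whose inline style makes their text invisible to the reader.
# (White-on-white text would need colour parsing and is left out here.)
HIDDEN_RE = re.compile(
    r"<(\w+)[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0)"
    r"[^>]*>.*?</\1>",
    re.IGNORECASE | re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed samples reproducing the slide's tricks.
SPACED = "B U Y N o w a n d\nS a v e T w o f o r\nt h e P r i c e o f\no n e"
HIDDEN = SPACED + '<span style="display:none">O u R Ro to ry W i l l m e e t W e d</span>'
HOMOGLYPH_SAMPLE = "ß Ü Y N Ø w a n d\n$ a v ë T wo ƒ o r\nt h e Þ r 1 c ê o f\nw o n"
IMAGE_ONLY = '<html><body><img src="offer.gif" alt=""></body></html>'


def fold(text: str) -> str:
    """Map look-alikes, strip accents, lower-case, and drop everything that
    is not a letter or digit. Dropping whitespace is what turns
    'B U Y N o w' into 'buynow'."""
    text = text.translate(HOMOGLYPHS)
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return "".join(ch for ch in text.lower() if ch.isalnum())


def visible_text(message: str) -> str:
    """Keep only the text a recipient would actually see."""
    without_hidden = HIDDEN_RE.sub(" ", message)
    return TAG_RE.sub(" ", without_hidden)


def spam_hits(message: str) -> list[str]:
    """List the indicators found in a message body (HTML or plain text)."""
    folded = fold(visible_text(message))
    hits = [phrase for phrase in SPAM_PHRASES if fold(phrase) in folded]
    # The "embedded image" trick: the pitch is in the picture and there is
    # almost no text. Without OCR the filter can only flag the shape.
    if len(folded) < 20 and re.search(r"<img\b", message, re.IGNORECASE):
        hits.append("image-only body")
    return hits


if __name__ == "__main__":
    for sample in (SPACED, HIDDEN, HOMOGLYPH_SAMPLE, IMAGE_ONLY):
        print(spam_hits(sample))
```

Folding both sides to the same compressed form is the whole trick: the filter never has to guess where the word boundaries were. The cost is false positives on legitimate mail that happens to contain the compressed string, so a scoring filter would weight these hits rather than block on any one of them.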
Spam Solution?
Bill Gates said that spam would
be irrelevant by the year 2005.
His timing was a little off. ☺
However, he was right that the
solution – for good or ill – is in the
hands of the ISPs.
For example: Aristotle eliminates
99.9% of all spam and viruses
with almost no false positives.
Spam Solution?
So far as Aristotle customers
are concerned, there is no
spam problem – but this is
an illusion created by
technology.
ISPs and businesses must
constantly update in order to
keep up with the bad guys.
BUT, e-newsletters
are still effective!!
Given that filters often kick out
the good with the bad, how do
you get your message through?
Best Practices
Best Practices
Ask clients to agree in advance
to e-mail communication.
Include an opt-out in each and
every e-newsletter and honor
opt-out requests. (10 days)
Ensure that header, subject, and
from line information is accurate,
whether sent by you or a third party.
Consider double opt-in.
Best Practices
Centralize Lists
Distribution - Who can
distribute?
• Individual Employees
• Marketing Department
• Both?
Opt-Out List
• How do the opt-outs, opt-ins,
etc. get tied to e-mail lists,
databases, CRM software?
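The best practices above (prior agreement, an opt-out honored within 10 days, double opt-in, and one central list that every sender consults) come down to a single suppression list that sits between whatever distributes the mail and the address book. The following added example (not Aristotle's code and not part of the deck) models that list and the audit that answers the "how do opt-outs get tied to the CRM" question; the addresses and dates are constructed.

```python
"""A central opt-in / opt-out list with the 10-day honoring window.

Added illustrative code. Addresses and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

OPT_OUT_DEADLINE = timedelta(days=10)  # the slide's honoring window


@dataclass
class SuppressionList:
    """One shared record of who may be mailed, consulted by every sender
    (marketing department or individual employee) just before a send."""
    pending: set[str] = field(default_factory=set)       # asked to join, unconfirmed
    confirmed: set[str] = field(default_factory=set)     # double opt-in completed
    opted_out: dict[str, date] = field(default_factory=dict)  # address -> request date

    @staticmethod
    def key(email: str) -> str:
        # Addresses are matched case-insensitively so a CRM export with
        # mixed case cannot slip past the list.
        return email.strip().lower()

    def request_opt_in(self, email: str) -> None:
        self.pending.add(self.key(email))

    def confirm_opt_in(self, email: str) -> bool:
        """Second step of double opt-in; only a pending address can confirm."""
        k = self.key(email)
        if k not in self.pending:
            return False
        self.pending.discard(k)
        self.confirmed.add(k)
        self.opted_out.pop(k, None)  # a fresh confirmed request re-subscribes
        return True

    def record_opt_out(self, email: str, when: date) -> None:
        k = self.key(email)
        self.opted_out[k] = when
        self.confirmed.discard(k)

    def recipients(self, candidates: list[str]) -> list[str]:
        """Filter a send list: only confirmed, not-opted-out addresses survive.
        Opt-outs are applied immediately; 10 days is the outer limit."""
        return [e for e in candidates
                if self.key(e) in self.confirmed and self.key(e) not in self.opted_out]

    def overdue_opt_outs(self, exported_list: list[str], today: date) -> list[str]:
        """Addresses still present in another system's export (CRM, a
        department spreadsheet) whose opt-out is older than the deadline."""
        return [e for e in exported_list
                if self.key(e) in self.opted_out
                and today - self.opted_out[self.key(e)] > OPT_OUT_DEADLINE]


# Constructed sample data used by the demonstration below.
OPTED_OUT_ON = date(2024, 1, 1)
EARLY_AUDIT_DAY = date(2024, 1, 5)    # within the window
LATE_AUDIT_DAY = date(2024, 1, 20)    # past the window


def build_sample() -> SuppressionList:
    """Alice confirmed, Bob never confirmed, Carol confirmed then opted out."""
    s = SuppressionList()
    s.request_opt_in("Alice@Example.com")
    s.confirm_opt_in("alice@example.com")
    s.request_opt_in("bob@example.com")
    s.request_opt_in("carol@example.com")
    s.confirm_opt_in("carol@example.com")
    s.record_opt_out("carol@example.com", OPTED_OUT_ON)
    return s


if __name__ == "__main__":
    sample = build_sample()
    print(sample.recipients(["alice@example.com", "bob@example.com", "carol@example.com"]))
    print(sample.overdue_opt_outs(["carol@example.com"], LATE_AUDIT_DAY))
```

The point of `overdue_opt_outs` is that the suppression list is only as good as the systems that feed the sends: if the marketing database or CRM keeps its own copy of the addresses, an audit run against each export is what turns the 10-day promise into something you can actually check.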
Additional Considerations
Clean your lists!
Don’t be afraid to lose old
names
Is your subscriber more than
one year old?
Watch open and click rates closely …
Email Delivery Stats
Open rates are falling:
• Outlook 2003 “No images”
Older subscriber = lower
chance of open/click
7-8 impressions before
subscriber takes action
Exacttarget.com
Email Delivery TIPS!
Never use images for
important content like
headlines, links and any calls
to action.
Use alt text for all images for
a better experience in Gmail
Add a text-based link to a
web version of your design at
the top of your email.
Email Delivery TIPS!
Most compelling content
should be at top left
Test your design in a preview
pane, full screen and with
images turned on and off
before you send it.
Email Delivery TIPS!
Use welcome message
effectively
• Offer content
• Offer a gift after opened
message
• Coupons!!
Ask your subscriber to add
your from address to their
address book at every
opportunity.
Information
Security:
Protecting Online Orders
and
Reservation Information
Information Security
ALL online orders and other
personal information
collected should be encrypted
using a Secure Sockets Layer
(“SSL”) connection.
Information Security
If done correctly, the following
will be visible to the user:
The URL will begin with
https:// rather than http://.
The “s” stands for “secure.”
A small padlock will appear in
the status bar of the browser
or in the lower right corner.
Information Security
Each encrypted page should
display the VeriSign logo or
similar logo from the
encryption company.
If the user clicks on the logo,
the secure certificate should
display.
If the certificate is valid, the
expiration date will not have
passed.
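The checks the slides describe (the page is served over https, the certificate is presented for the name the visitor typed, and its expiration date has not passed) can be done by a script as well as by a visitor looking at the padlock. The following added example (not Aristotle's code and not part of the deck) performs them on a certificate in the dictionary shape that Python's `ssl` module returns; the sample certificate, host names and dates are constructed, and the optional `fetch_live_cert` helper is the only part that touches the network.

```python
"""Check an order page's URL scheme and its certificate's validity.

Added illustrative code. SAMPLE_CERT mimics the dict returned by
ssl.SSLSocket.getpeercert() and is constructed, as are the dates.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Constructed certificate for a hypothetical shop, in getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Two constructed "current time" values, expressed in the same format so
# the comparison uses the stdlib's own parser.
NOW_VALID = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
NOW_LATE = ssl.cert_time_to_seconds("Jun  1 00:00:00 2026 GMT")


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate was issued for hostname (SAN first, then CN).
    A wildcard covers exactly one label, as browsers require."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def certificate_problems(cert: dict, hostname: str, now: float) -> list[str]:
    """Return the reasons a visitor's browser would complain, if any."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


def check_order_page(url: str, cert: dict, now: float) -> list[str]:
    """The slide's checklist: https first, then the certificate itself."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return ["not using https"]
    return certificate_problems(cert, parts.hostname or "", now)


def fetch_live_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Optional: fetch a real server's certificate (network access needed).
    create_default_context() already verifies the chain and the hostname;
    the functions above let you report expiry separately."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(check_order_page("https://www.example.com/order", SAMPLE_CERT, NOW_VALID))
    print(check_order_page("https://www.example.com/order", SAMPLE_CERT, NOW_LATE))
```

Run against a live site, the `fetch_live_cert` step already fails on an untrusted chain or wrong name before `certificate_problems` is reached; the separate expiry check is still useful for a monitoring job that should warn before the date the slide tells visitors to look for actually arrives.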
Information Security
Every site that collects any
form of personal information
(including email addresses)
should have a privacy policy
that is
• Clear
• Easy to understand
• Easy to locate from each page
of the site
Information Security
So long as your privacy
policy is clear and complete,
you can do what you want to
with the information you
collect.
If you act contrary to what is
in your privacy policy, you
open yourself up to legal
liability.
Information Security
EXAMPLES
Information Security
It is very important to make
visitors feel that it is safe to
place a reservation with you.
The key to this is proper
security and a clear privacy
policy that is easy to locate
on the site.
Information Security
Be sure your privacy policy
explains:
• That the information is secure
• What they should look for to
determine that the site is safe
• What you will do with the
information they enter
• Email them special offers?
• Sell to others?
• Maintain a record of purchases?
• Keep all information confidential?
Contact Information
Elizabeth Bowles
President
Aristotle Inc.
401 West Capitol, Suite 700
Little Rock, AR 72201
Phone: (501) 374-4638
Fax: (501) 376-1377