April Fool's Day is almost here. This annual celebration of silliness has endured largely because of trust - we all know who's playing the jokes on us and that those jokes will be harmless.
Unfortunately, this holiday also presents cyber criminals -- phishers, Web site spoofers and other scammers -- with a lure and smokescreen for their malicious attacks. These felons deliberately misrepresent themselves as legitimate organizations to gain unauthorized access to confidential or proprietary data. Their attacks are anything but playful and painless - rather, they can do incredible harm to industry, government and the citizens they serve.
To better protect the online community, the Online Trust Alliance (OTA) today released its 2011 Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled. OTA's recommendations provide a good cheat sheet of quick, effective IT security techniques and procedures that help maintain customer trust and confidence. Several recommendations in particular focus on authentication - steps to ensure that online users can trust that they are actually dealing with the organizations they seek, not a crafty impersonator out for their data.
These recommendations are:
- Use Extended Validation Secure Sockets Layer Certificates (EV SSL) for all sites requesting sensitive personal or financial information, such as online registration, commerce and banking. EV SSL turns part of the browser address bar green, showing that the Web site (and, by extension, the organization behind it) is legitimate. This visual cue provides immediate verification and increases consumer confidence.
- Implement email authentication, including both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). These technologies provide the capability to block deceptive emails and reduce false positives by anti-malware software.
OTA endorsed some other best practices for authentication that weren't part of the Top 10 list:
- Support DNS Security Extensions (DNSSEC). DNSSEC authenticates the origin and integrity of Domain Name System (DNS) data as it traverses the Internet. The technology helps thwart man-in-the-middle attacks and DNS cache poisoning (corrupting stored DNS data to direct Web site visitors to fraudulent sites).
- Adopt third-party security, privacy and opt-out seal and certification programs. Symantec's VeriSign Trust Seal is one of many options available.
OTA made other excellent recommendations grounded in IT security best practices, including:
- Update Web browsers to the latest versions
- Encrypt all confidential, personal and/or proprietary data everywhere it goes (in use, in transit, and in storage - especially on mobile devices)
- Encrypt all wireless access points and routers and frequently change encryption keys and Service Set Identifier Names (SSIDs)
- Enable automatic patch management
- Develop and test a proactive data breach/data loss incident plan
We support OTA's recommendations and urge all users to strongly consider implementing them if they haven't already. Doing so will boost IT security for everyone and make April Fool's Day - and every day - safer and more enjoyable for everyone.