The VeriSign Security Review
September 2007
In This Issue
Layer it on: Security for consumer products and retail
In the “Any Era,” consumers can approach retailers
from virtually any channel, using any device, at any time. Unfortunately,
the Any Era also means threats come from all directions, and target
retailers’ key assets: consumers, brands, Web sites, and internal networks.
Successful attacks not only jeopardize a company’s
financial standing, reputation, and regulatory compliance; they also
undermine consumers’ confidence. As retailers open and extend their
channels to accommodate the demands of this “Any Era,” they need to
consider the security of each of these layers. A single approach to
security cannot be effective in the Any Era.
Layers provide security, with openness
Retailers need a layered, systematic approach to help protect
sensitive data, mitigate threats to digital assets, and address compliance.
Complementary security layers fortify each other to create a solution
that is stronger than the sum of its parts. Using this layered approach,
retailers can extend reach, reduce costs, and increase revenue—while
delivering rich, real-time experiences that enhance sales and increase
customer loyalty.
With the right security infrastructure, Any Era connectivity,
flexibility, and convenience provide multiple benefits to the entire
retail ecosystem—not just consumers. Retailers can use real-time data,
innovative content delivery strategies, and digital transactions to
differentiate brand and build loyalty, extend reach, reduce costs, and
increase revenue. Layered security enables retailers to take advantage
of these opportunities, while a piecemeal approach leaves them exposed
to identity theft, credit card breaches, phishing scams, counterfeit
products sold online, and other security issues.
Protect your online consumers, and they will buy
In one study, 53% of online consumers stated that concerns about
breaches had affected their purchasing behavior. Other studies have
shown that online sales are a net positive for retailing (i.e., they
don’t just cannibalize but increase overall sales), yet more than $2
billion in sales probably did not occur last year because of security
concerns.
As retailers modify their infrastructure to provide
legitimate users with easier, more integrated access to data of all
kinds, they must protect every layer of assets—consumers, brands, Web
sites, and networks. No single product or product suite provides a total
security solution—and no combination is foolproof. Retailers typically
cobble together dozens of point products and services to create a piecemeal
solution that offers only partial security to parts of the overall infrastructure.
These reactive, one-dimensional solutions often increase
complexity, cost, and risk, while decreasing business agility.
Build in the best security
VeriSign approaches asset protection differently. Instead of
point solutions, VeriSign uses a systematic, layered approach to security
that includes end-to-end services and expert assistance in enabling
and protecting networked interactions. “Layered security” acknowledges
that a single foolproof solution is probably not achievable, but that
carefully considered tradeoffs between risk, cost, and user experience
can result in the best security solution to support regulatory compliance
and protect a retailer’s consumers, brand, Web properties, and network.
While this approach leverages the features and functions of multiple
products and services, it focuses on the entire ecosystem of assets
and takes into account the entire user experience—evaluating and addressing
the steps at which consumers can gain or lose confidence in an online
interaction. In addition, VeriSign designs layered security to help
keep sensitive data under the control of the retailer—even VeriSign
personnel are not able to view the data that they protect.
Retailers can’t afford to pass up the opportunities
of mobile and online commerce: not now, with the total number of mobile
commerce transactions per year expected to increase from 498 million
globally in 2006 to 3.6 billion in 2010, and with the average m-commerce
transaction value expected to increase from $7 in 2006 to $13 in 2010.
And they can’t afford not to build the best possible security into
their systems to protect their assets and their consumers. Instead,
now is the time to prepare online security systems to take advantage
of tremendous opportunities for growth—and protect against increased
risks.
VeriSign approved to provide ISO 27002 assessment services
VeriSign is now one of a small handful of companies—and
the only publicly held company—able to provide the ISO 27002 assessment
service to help companies ensure information security.
VeriSign now prepares organizations for the ISO 27002,
a code of practice for information security management that is the most
widely recognized and accepted standard basis for information security
programs worldwide. BSI, the organization that grants the ISO 27002
Certificate of Compliance, officially approved VeriSign’s ISO 27002
assessment service after carefully vetting VeriSign’s Global Security
Consulting practice, methodologies, and expertise around enterprise-level
security assessments.
ISO 27002 is particularly relevant now, as risk of
unauthorized access to organizational information continues to grow,
placing increased emphasis on organizations’ data security and privacy
management practices. With security breaches on the rise, regulators,
consumers, and business partners are requiring and demanding the protection
of information. Organizations must enable the business and manage
risk by implementing an effective data security strategy and framework.
Defining ISO 27002
The ISO 27002 Information Technology – Security Techniques –
Code of Practice for Information Security Management is a complex and
detailed international information security standard that recently superseded
the more familiar ISO 17799 and ISO 17799:2005 Codes of Practice.
The ISO 27002 Certificate of Compliance is the gold standard for demonstrating
a commitment to information security and helps companies to create brand
trust and consumer confidence. Compliance enables companies to
demonstrate to their business partners and customers that they have
met and maintain a high standard of security. The requirements,
which are programmatic in nature, cover eleven core areas:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Compliance
The VeriSign service
In an ISO 27002 assessment, the VeriSign Global Security Consulting
(GSC) team performs a focused risk assessment of a client’s information
security program based on the objectives and controls within ISO 27002.
VeriSign may also help fix control gaps identified by the assessment.
VeriSign can now help organizations implement today’s
most complete and comprehensive data security strategy—and, just as
important, it helps them prove it. Certification enables an organization
to demonstrate to its partners, customers, and regulators that it can
be trusted with high-value data—without having to go through extensive
new scrutiny by each of these constituents. As a result, organizations
with ISO 27002 certification should find it easier to win new business,
keep customers, and thrive despite the challenges of today’s business
environment.
Cybercrime: the Russian threat, on your territory
Russia is the single greatest source of malicious
cyber activity and cybercrime, with the possible exception of the US.
Whether or not you do business in Russia or with Russian companies,
you need to know what’s going on there, and how it might affect you.
The “perfect storm” for cybercrime
Russia’s geography and socio-economic conditions come together
with the country’s difficult recent history and an often draconian political
order to create “perfect storm” conditions in which criminality, including
cybercrime, flourishes. Excellent schools produce tens of thousands
of exceptional technical minds who enter a job market with prospects
almost universally below their abilities. A culture of criminality and
acceptance of corruption leads many into the criminal underground. There
they find easy prestige and money in improperly secured western companies
and gullible individuals.
The Russian cyber crime underground has evolved into
a sophisticated, if loose-knit community with its own periodical literature
and cultural mores. Russia has a large population of talented hackers
who are under less pressure from the law than their counterparts elsewhere.
Western firms must be able to secure themselves from the relentless
challenges of Russian cyberspace—and those working in Russia must prepare
for other challenges, too.
Russian police are largely apathetic towards cybercrime,
which is not considered a worthwhile use of officers’ time, especially
when cyber criminals’ main victims are foreign entities. However, when
a cyber criminal acts upon important domestic companies or government
assets, the invasive powers of the Russian police are often brought
to bear swiftly and forcefully. With fewer legal checks on their investigative
strategies, Russian police can often get fast results.
Local turmoil, global threat
The most sophisticated attack tools and techniques of 2006 all
emerged from Russian groups: WebAttacker, MetaFisher, Snatch, and now
Rock Phish, not to mention thousands of Trojans. For Russia as a whole,
2006 was a momentous year. Political violence increased, the economy
surged ahead, the criminal underground grew larger and more sophisticated,
and the police scored a few notable but ultimately token victories.
Carders and bot herders in particular grew more advanced, generating
the most sophisticated tools ever for commanding bot armies and stealing
the personal financial information of (mostly Western) consumers.
There is no end in sight. Western companies doing
business in Russia face a number of challenges, including corrupt officials
at all levels of power. They will experience repeated, attempted attacks
on their information systems. Companies not physically doing business
in Russia will also face challenges from the Russian underground. The
next year, and the several after that, will see Russian hackers and
their successors develop more intricate and effective tools as they
group together in synergistic ways to extract money from the global
information networks. Companies need to inform themselves about the
nature of this growing threat in order to protect themselves from it.
Healthcare and life sciences security: it’s about more than money
For companies in the healthcare and life sciences
areas, security is about so much more than protecting money. VeriSign’s
deep experience with such organizations has led to its unique layered
security approach for these industries.
Life sciences: enabling secure collaboration
For pharmaceutical, biotechnology, and medical device companies,
security is essentially about the ability to enable greater collaboration
across their ecosystems. To get more new products out of their research
and development pipeline and maximize the value of the products they
already offer, these companies are increasingly opening their internal
networks to entities outside the organization. However, as they open
and extend their networks, they must also protect key business assets
including internal networks, brands, Web sites, and consumers, patients,
and other constituents. Attacks on these assets jeopardize revenue,
reputation, and regulatory compliance. They also undermine trust, and
can even jeopardize patient health.
An average of 55.3 million people per month, or 31%
of U.S. Internet users, visited a Web site in the health information
category in the first quarter of 2007.1 Consumers also turn to the Internet
for access to discount pharmaceuticals. Counterfeiting, product tampering,
theft or exposure of intellectual property, negative sentiment, consumer
activism, and other forms of brand abuse can destroy hard-earned credibility,
decrease shareholder value, drain revenue, and harm consumers. To protect
brands, life sciences companies must have early warning systems to detect
and thwart fraud attempts. They must also be able to manage, monitor,
and respond quickly to counterfeiting, reputation damage, affiliate
noncompliance, and other threats.
When developing and implementing a layered defense
for a life sciences company, VeriSign consultants work with the company’s
existing infrastructure and third-party technology and service providers
to provide the best solution for the company’s unique assets. VeriSign
considers not only the company’s security needs and the end-to-end user
experience, but also its overall business: solutions are designed to
comply with industry architecture standards (e.g., those of the
Clinical Data Interchange Standards Consortium (CDISC) and the Pharmaceutical
Research and Manufacturers of America (PhRMA)). By layering multiple
integrated technologies, VeriSign provides a cumulative effect that
offers as secure a solution as practical when risk, user experience,
and cost are weighed.
Healthcare: a prescription for digital security
Today’s patients shop around for the best and most affordable
care, and demand greater transparency of healthcare records. The Internet
is contributing to this shift toward value-driven healthcare. People
can research health issues and communicate from virtually anywhere,
and they increasingly expect healthcare networks, insurance companies,
and other providers to provide access to services and information anytime,
from any device. However, as healthcare organizations open and extend
their networks to accommodate the demands of this “Any Era,” they must
also protect their key digital assets.
Healthcare companies must maintain a delicate balance
between openness and security. Many constituents have a valid need to
access certain kinds of confidential data. Patients want online access
to appointment scheduling, health records, lab results, insurance plans,
payment information, and prescription renewals. Physicians, pharmacies,
payers and employers all need certain types of confidential information.
But healthcare organizations must protect against
medical identity theft, credit card data breaches, phishing scams, counterfeit
products, and other security issues. Such concerns overshadow the user
experience and dampen adoption of online services and products. Unless
they trust healthcare organizations to protect sensitive data, constituents
of the healthcare system will not fully embrace value-driven healthcare
or participate in connected healthcare communities.
VeriSign’s layered solutions for healthcare organizations
help organizations to grow and increase their effectiveness, while protecting
constituents, reputation, Web sites, and networks. This end-to-end security
is necessary not only to preserve trust and encourage online usage,
but also to avoid financial losses and regulatory penalties associated
with the Health Insurance Portability and Accountability Act (HIPAA),
data breach reporting laws, and other regulations.
In the News
8/6/07
VeriSign Positioned in the Leaders Quadrant for 1H07 North America Managed Security Service Provider Magic Quadrant
7/26/07
VeriSign Reports Second Quarter 2007 Results In Line with Guidance
7/10/07
VeriSign Powers Online Video Service for World's Largest Broadcaster
Date Book
Forrester Security Forum
Sept. 5-6, 2007
Atlanta, GA
INTA Trademark Administrators Conference
October 1 – 3
Long Beach, CA
DTCC Security Expo
Sept. 25, 2007
New York, NY