April Fool's Day is one of those days I wanted to avoid when going to the office. My former co-workers were pranksters who liked pulling April Fool's jokes, knowing there'd be someone who would fall for the spoof.
For cyber crooks, every day is April 1: they are always hoping to fool someone into opening a path to corporate data and personal information. The Online Trust Alliance (OTA) wants to help people avoid falling for fake websites and phishing emails, so, in honor of April Fool's Day, it released its Top 10 Recommendations to Help Businesses Protect Consumers From Being Fooled. According to Craig Spiezle, executive director and president of the OTA, the point of the list is to show that cyber security and identity theft threats can be prevented with simple but effective actions. He said in a release:
These recommended steps can be implemented quickly to help U.S. businesses and government agencies protect their data and, just as importantly, their customers' privacy and identities. As stewards of data and consumer trust, the public and private sectors now have the opportunity to enhance online trust and confidence while promoting innovation, growth, and vitality of online services.
The OTA's 10 recommendations are:
- Upgrade all employees to the most current browser version, which will include integrated phishing and malware protection and privacy controls, among them support for "Do Not Track" mechanisms. Such controls give users control over third-party collection, use and sharing of data about their browsing, while preserving the value of ad-supported online services ("Do Not Track" is a request header that a site may honour or ignore; it enforces nothing on its own). Encourage consumers to update by notifying them when their browser is insecure or outdated, and consider ending support for end-of-life browsers with known vulnerabilities by blocking logons from them and providing upgrade instructions.
- Establish and maintain a domain portfolio management programme that monitors look-alike and homograph (confusable-character) domains and tracks renewals to prevent "drop catching" of expiring domains. Registrar domain locking is recommended to guard against unintended changes, deletions or transfers to third parties. Such practices protect a company's brand assets and keep consumers from landing on look-alike sites that abuse its trademarks and trade names.
- Adopt email authentication with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to reduce spoofed and forged email, helping to prevent identity theft and malware distribution from tarnishing your brand. Authenticated email gives ISPs, mailbox providers and corporate networks an additional basis for blocking deceptive mail, reducing false positives and protecting online brands and sites from impersonation. The two are complementary: SPF lists the hosts authorized to send for the envelope-sender domain, while DKIM cryptographically signs the message itself; an SPF record is only useful if it ends with a restrictive "-all" (or at least "~all") rather than "+all".
- Encrypt all data files containing customer profiles, email addresses and/or PII that are transmitted externally or stored on portable devices or media, including flash and USB drives. Use standard, vetted encryption (full-disk encryption for laptops and removable media, TLS or an encrypted container for transfers) rather than home-grown schemes, and keep the keys separate from the data.
- Upgrade to Extended Validation Secure Sockets Layer certificates (EV SSL) for all sites requesting sensitive information, including registration, e-commerce, online banking and any page that may collect PII. EV certificates help to increase consumer confidence in your online brand. When an EV certificate is presented, the address bar turns green (in browsers of that era; the major browsers have since removed the distinct EV indicator), giving the user higher confidence that the site and company they are visiting is a legitimate business. Note that an EV certificate does not make the TLS connection itself any stronger; the added assurance lies in the identity check performed at issuance.
- Develop and test a proactive breach and data-loss incident plan so that you are prepared for such incidents and can minimize the risk and impact to customers and business partners. Building the plan also forces an inventory of data collection policies, user access and data destruction processes, alongside the response procedure itself.
- Require strong passwords and educate users on effective password management to minimize the risk of account takeover. Consider modernizing password/passphrase requirements. Where security questions are used, require answers that are highly variable and not discoverable on social networking sites. Consider (a) requiring strong passwords for employees and rejecting weak passwords from customers; (b) forcing a password reset every 30 to 60 days (current NIST SP 800-63B guidance discourages periodic rotation absent evidence of compromise, favouring length and breached-password screening instead); (c) ensuring service accounts cannot be used by staff or through customer-facing applications; (d) performing regular entitlement reviews and removing unused or terminated employee accounts immediately; and (e) limiting the number of access attempts and locking the account until an administrator intervenes (a permanent lockout can be turned into a denial of service against legitimate users, so pair it with throttling or a time-based unlock).
- Enable automatic patch management for operating systems and applications, including add-ons and plug-ins. Proactive patching hardens systems against known vulnerabilities. End-of-life applications that are no longer supported should be removed or confined to isolated, secured sessions.
- Continuously monitor third-party code, links and advertising on your site to prevent malicious content and ads from being served through it. Ask third-party content providers and ad networks to adopt anti-malvertising guidelines.
- Enable encryption on all wireless routers and access points (WPA2 with a long passphrase; WEP is broken and WPA/TKIP is deprecated) and hide your SSID (Service Set Identifier), or at least name it so that it does not reveal which business it belongs to (hiding the SSID is a minor obstacle only: clients still transmit it in probe and association frames). Change your keys regularly to limit the damage from key disclosure or unauthorized use. If you provide free wireless service, limit how and when the network can be used, monitor usage and keep it isolated from your business network.
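The domain-portfolio recommendation above calls for monitoring look-alike and homograph domains. The following is an added example, not OTA code or any registrar's tooling: it enumerates the typosquat and IDN-homograph candidates for a brand domain and checks them against a constructed list of "observed registrations". The confusable tables are hand-picked and small (real monitoring uses the full Unicode confusables data), and the observed list stands in for a zone-file, passive-DNS or certificate-transparency feed.

```python
# Added example (not OTA code): enumerate look-alike and homograph candidates for a
# brand domain and match them against observed registrations.
import codecs

# Small hand-picked tables; production tooling uses the full Unicode confusables data.
ASCII_CONFUSABLES = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}
CYRILLIC_HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440"}
ALT_TLDS = ("com", "net", "org", "co", "info")


def canonical(name):
    """Registry form of a name: lower-case, non-ASCII labels punycode-encoded (xn--)."""
    parts = []
    for label in name.lower().split("."):
        if label.isascii():
            parts.append(label)
        else:
            parts.append("xn--" + codecs.encode(label, "punycode").decode("ascii"))
    return ".".join(parts)


def lookalikes(domain):
    """Return the set of look-alike domains for `domain` (e.g. 'example.com')."""
    label, _, tld = domain.lower().partition(".")
    out = set()
    for idx, ch in enumerate(label):
        # confusable ASCII substitution (examp1e, exarnple)
        for sub in ASCII_CONFUSABLES.get(ch, []):
            out.add(f"{label[:idx]}{sub}{label[idx + 1:]}.{tld}")
        # single-character omission (exmple) and doubling (exxample)
        out.add(f"{label[:idx]}{label[idx + 1:]}.{tld}")
        out.add(f"{label[:idx]}{ch}{ch}{label[idx:]}.{tld}")
        # IDN homograph: swap one Latin letter for its Cyrillic twin and store the
        # label the way the registry does, as punycode with the xn-- prefix
        if ch in CYRILLIC_HOMOGLYPHS:
            uni = f"{label[:idx]}{CYRILLIC_HOMOGLYPHS[ch]}{label[idx + 1:]}"
            out.add(canonical(f"{uni}.{tld}"))
    for idx in range(1, len(label)):
        # adjacent transposition (exmaple) and hyphenation (ex-ample)
        out.add(f"{label[:idx - 1]}{label[idx]}{label[idx - 1]}{label[idx + 1:]}.{tld}")
        out.add(f"{label[:idx]}-{label[idx:]}.{tld}")
    for alt in ALT_TLDS:            # same label under a neighbouring TLD
        out.add(f"{label}.{alt}")
    out.discard(domain.lower())
    return out


def find_registered(domain, observed):
    """Sorted list of observed names (in registry form) that are look-alikes of `domain`."""
    return sorted({canonical(d) for d in observed} & lookalikes(domain))


# Constructed sample of "observed registrations" for the demonstration; the fifth
# entry is 'example' with a Cyrillic 'а' (U+0430) in place of the Latin 'a'.
OBSERVED = ["examp1e.com", "exarnple.com", "example.net", "exmaple.com",
            "ex\u0430mple.com", "unrelated.example", "example.com"]

if __name__ == "__main__":
    for hit in find_registered("example.com", OBSERVED):
        print("look-alike registered:", hit)
```

Each hit is a candidate for a takedown request or, at minimum, a defensive registration; the same candidate set can be fed to a renewal tracker so the names you do own are not dropped and caught by someone else.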
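To make the email-authentication recommendation concrete, here is an added example, not OTA code nor any mail provider's implementation: a minimal SPF (RFC 7208) evaluator run against a constructed in-memory DNS table instead of live lookups. It covers the common mechanisms (ip4, ip6, a, mx, include, all), the redirect modifier and the ten-lookup limit that turns include loops into a permanent error; macros and CIDR suffixes on a/mx are deliberately left out. The domain names and addresses in the table are made up for the demonstration.

```python
# Added example (not OTA code): a small SPF evaluator over a constructed DNS table.
import ipaddress

# Constructed records; real code would query these names over DNS.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.10"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/25 ~all"],
    ("legacy.example", "TXT"): ["v=spf1 redirect=example.com"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms


def _addresses(dns, name):
    """A records of `name`, parsed into address objects."""
    return [ipaddress.ip_address(a) for a in dns.get((name, "A"), [])]


def check_spf(sender_ip, domain, dns=DNS, budget=None):
    """Evaluate sender_ip against domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    ip = ipaddress.ip_address(sender_ip)
    if budget is None:
        budget = [MAX_LOOKUPS]      # shared across recursive include/redirect calls
    records = [r for r in dns.get((domain, "TXT"), [])
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is invalid
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term.split(":", 1)[0]:          # modifier, e.g. redirect=other.example
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:                                  # a bare address means /32 or /128
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                # lookup limit exceeded (e.g. include loops)
            target = arg or domain
            if mech == "a":
                matched = ip in _addresses(dns, target)
            elif mech == "mx":
                matched = any(ip in _addresses(dns, host)
                              for host in dns.get((target, "MX"), []))
            else:                                 # include: only an inner "pass" matches
                inner = check_spf(sender_ip, target, dns, budget)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"
        else:
            return "permerror"                    # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        result = check_spf(sender_ip, redirect, dns, budget)
        return "permerror" if result == "none" else result
    return "neutral"                              # nothing matched and no redirect


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.10", "203.0.113.7", "203.0.113.200"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The receiving side acts on the result: a "fail" from a "-all" record is a strong signal to reject or quarantine, "softfail" from "~all" is a hint for scoring, and a "permerror" (as from the looping record above) means the domain's policy is unusable, which is worth catching in your own record before you publish it.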
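The password recommendation lists several controls (strength checks, keeping service accounts out of interactive logins, entitlement reviews, attempt limits with administrative unlock). The following is an added example that is not OTA code: a small account store that enforces those controls together, storing only salted PBKDF2 hashes. The usernames, passwords and the common-password list are constructed for the demonstration; a real deployment would screen against a breached-password corpus.

```python
# Added example (not OTA code): password policy, hashed storage and lockout in one place.
import hashlib
import hmac
import os

MIN_LENGTH = 12
MAX_FAILURES = 5
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "welcome12345"}


def password_problems(candidate, username=""):
    """Return the list of policy violations for `candidate` (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    return problems


def _derive(password, salt):
    """Slow salted hash so that offline guessing of a stolen table is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self._accounts = {}   # username -> {salt, digest, failures, locked, service}

    def create(self, username, password, service=False):
        problems = password_problems(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "digest": _derive(password, salt),
                                    "failures": 0, "locked": False, "service": service}

    def login(self, username, password, interactive=True):
        """Returns 'ok', 'fail', 'locked' or 'denied'."""
        acct = self._accounts.get(username)
        if acct is None:
            _derive(password, b"\x00" * 16)   # same cost as a real check: timing must not reveal valid usernames
            return "fail"
        if acct["service"] and interactive:
            return "denied"                    # service accounts never log in interactively
        if acct["locked"]:
            return "locked"
        if hmac.compare_digest(acct["digest"], _derive(password, acct["salt"])):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True              # stays locked until an administrator unlocks it
            return "locked"
        return "fail"

    def admin_unlock(self, username):
        acct = self._accounts[username]
        acct["locked"], acct["failures"] = False, 0

    def is_locked(self, username):
        return self._accounts[username]["locked"]

    def remove(self, username):
        """Entitlement review: drop the account of departed staff immediately."""
        self._accounts.pop(username, None)

    def exists(self, username):
        return username in self._accounts
```

The lockout here is the permanent, admin-unlocked kind the recommendation describes; in practice you would usually combine it with per-IP throttling so that an attacker cannot lock out a known user on purpose.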
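Monitoring third-party code and ads on your own pages, as recommended above, starts with knowing which origins your pages actually load active content from. Here is an added example, not OTA code: it parses a page, collects every script, frame, stylesheet and plug-in reference, and flags any host that is not on an allow-list, as well as inline code smuggled in through data: or javascript: URLs. The HTML and the allow-list are constructed for the demonstration; in practice you would crawl your own site on a schedule and alert on any host that appears for the first time.

```python
# Added example (not OTA code): find active content loaded from non-allow-listed hosts.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of origins this site expects to load code from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com", "cdn.trusted-ads.example"}

# Constructed page: two expected scripts, one rogue script, one inline data: script,
# a stylesheet, an icon link, an unexpected ad frame and an ordinary outbound link.
SAMPLE_HTML = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script src="//cdn.trusted-ads.example/ads.js"></script>
<script src="http://evil.example/miner.js"></script>
<script src="data:text/javascript,alert(1)"></script>
<link rel="stylesheet" href="https://static.example.com/site.css">
<link rel="icon" href="https://icons.other.example/favicon.ico">
</head><body>
<iframe src="https://ads.unknown.example/frame"></iframe>
<img src="/img/logo.png">
<a href="https://partner.example/deal">Partner</a>
</body></html>"""

# Tag -> attribute that pulls in content which executes or renders inside the page.
ACTIVE_CONTENT = {"script": "src", "iframe": "src", "frame": "src",
                  "object": "data", "embed": "src", "link": "href"}


class ActiveContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []     # (tag, url) for every active-content reference seen

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_CONTENT.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() not in ("stylesheet", "preload", "import"):
            return            # icon, canonical and similar links do not execute
        if a.get(attr):
            self.sources.append((tag, a[attr]))


def unexpected_hosts(html, allowed):
    """Sorted (tag, host) pairs for active content from outside the allow-list.
    Absolute and scheme-relative URLs are judged by host; relative URLs are same-origin."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    findings = set()
    for tag, url in scanner.sources:
        parsed = urlparse(url)
        if parsed.scheme in ("data", "javascript", "blob"):
            findings.add((tag, f"{parsed.scheme}: URL"))   # code with no host to vet
        elif parsed.hostname and parsed.hostname.lower() not in allowed:
            findings.add((tag, parsed.hostname.lower()))
    return sorted(findings)


if __name__ == "__main__":
    for tag, host in unexpected_hosts(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"unexpected {tag} from {host}")
```

Plain links (`<a href>`) and images are deliberately not flagged: they do not run code in the page's origin, and including them would bury the findings that matter. Ad networks that rotate creatives will show up as new hosts constantly, which is exactly the traffic the anti-malvertising guidelines the OTA mentions are meant to discipline.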