The Online Trust Alliance (OTA) recently released their “2011 Top 10 Recommendations to Help Businesses Protect Consumers from Being Fooled.” The document lists techniques and procedures that businesses and government agencies can easily implement to protect their customers' and employees' personal and financial data from being compromised. OTA developed the list to address the most common and dangerous threats, based on a review of thousands of fraudulent emails, data breaches, hacking incidents and identity theft cases.
The 2011 Top 10 recommendations address the most frequent exploits including malicious email, phishing and deceptive websites as well as emerging threats impacting online trust and confidence. In addition, OTA encourages businesses to review existing OTA best practices to protect the DNS and users' data and privacy.
Upgrade all employees' browsers to the most current version, which integrates phishing and malware protection and privacy controls, including support for "Do Not Track" mechanisms. Such controls give users control over third-party collection, use and sharing of data about their online browsing activity, while balancing the value of ad-supported online services. Encourage consumers to update their browsers by notifying them when their browser is insecure or outdated. In addition, consider terminating support for end-of-life browsers with known vulnerabilities by preventing logons and providing instructions to upgrade.
Establish and maintain a domain portfolio management program that includes monitoring look-alike or homograph-similar domains and tracking renewals to prevent “drop catching” of expiring domains. Domain locking is recommended to help guard against unintended changes, deletions or domain transfers to third parties. Such programs and practices help protect a company's brand assets and keep consumers from landing on look-alike sites that compromise trademarks and trade names.
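As an added illustration of the look-alike monitoring described above (example code, not from OTA or the original article): a small Python checker that flags newly observed domain names resembling a brand domain. The brand list, the observed names and the confusables table are constructed sample data, not real registrations.

```python
import unicodedata

# Constructed sample data (not real registrations): the domains a company owns,
# and a batch of newly observed names from, e.g., a zone-file or CT-log feed.
BRAND_DOMAINS = ["example.com"]
IDN_PUNY = "exámple.com".encode("idna").decode("ascii")  # punycode form of an accented homograph
OBSERVED = ["exarnple.com", "examp1e.com", IDN_PUNY, "example.co",
            "unrelated.org", "example.com"]

# Letter sequences that look alike in common fonts, mapped to a canonical form
# (a hypothetical, deliberately short table; production tools use Unicode's confusables list).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "5": "s"}


def skeleton(domain):
    """Canonical 'skeleton' of a domain so that confusable spellings compare equal."""
    try:  # decode punycode so IDN homographs are compared by their visible letters
        name = domain.encode("ascii").decode("idna")
    except UnicodeError:
        name = domain  # already a Unicode name (or not valid IDNA): use as-is
    name = unicodedata.normalize("NFKD", name.lower())
    name = "".join(c for c in name if not unicodedata.combining(c))  # drop accents
    for src, dst in CONFUSABLES.items():
        name = name.replace(src, dst)
    return name


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos and TLD swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(brands, observed, max_distance=1):
    """Return (candidate, brand, reason) for every observed name that imitates a brand."""
    hits = []
    for cand in observed:
        for brand in brands:
            if cand.lower() == brand.lower():
                continue  # our own registration, not a look-alike
            if skeleton(cand) == skeleton(brand):
                hits.append((cand, brand, "homograph"))
            elif edit_distance(skeleton(cand), skeleton(brand)) <= max_distance:
                hits.append((cand, brand, "typo"))
    return hits
```

Every hit is a candidate for a takedown request or a defensive registration; the reason column tells the reviewer whether the name relies on confusable glyphs or on a plain typo.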
Adopt email authentication, including both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to help reduce the incidence of spoofed and forged email, helping to prevent identity theft and the distribution of malware from tarnishing your brand reputation. Authenticated email gives ISPs, mailbox providers and corporate networks an added ability to block deceptive email, reduce false positives and protect online brands and sites from deception.
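An added example, not part of the original article, of how a receiving mail server evaluates a sender domain's SPF policy to reach the block/accept decision described above. The TXT records are constructed sample data standing in for DNS lookups, and only the ip4/ip6/include/all mechanisms are handled (DKIM signature verification is not shown).

```python
import ipaddress

# Constructed sample records (not real DNS data): what a receiver would fetch
# with a TXT lookup for the domain in the envelope sender (MAIL FROM).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifiers: the prefix on a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate a simplified SPF policy for the connecting IP and return the SPF result."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms to stop include: loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy; receiver cannot authenticate
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # IPv4 address vs. IPv6 network (or vice versa) simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists etc. are not handled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present
```

A forged message claiming example.com but sent from an address outside the listed ranges evaluates to "fail", which is the signal mailbox providers use to reject or quarantine it; the "-all" versus "~all" choice is what decides how hard that signal is.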
Encrypt all data files containing customer profiles, email addresses and/or personally identifiable information (PII) that are transmitted externally or stored on portable devices or media, including flash and USB drives.
Upgrade to Extended Validation Secure Socket Layer certificates (EV SSL) for all sites requesting sensitive information, including registration, e-commerce, online banking and any page which may request PII or other sensitive information. Use of EV SSL certificates helps to increase consumer confidence in your online brand. When an EV SSL certificate is presented, the address bar turns green, giving the user higher confidence that the site and the company they are visiting is a legitimate business.
Develop and test a proactive breach and data loss incident plan so that you are prepared for data breach and data loss incidents, minimizing the risk and impact to customers and business partners. Such plans help inventory data collection policies, user access and data destruction processes, and lay out how to respond to data loss and breaches.
Require strong passwords and educate users on effective password management to minimize the risk of account takeovers. Consider modernizing password/passphrase requirements. Include security questions with highly variable answers which are not publicly discoverable on social networking sites. Consider: a) requiring strong passwords for employees and restricting customers from using weak passwords, b) forcing a password reset every 30 to 60 days, c) ensuring service accounts are not used by staff and cannot be used through customer-facing applications, d) performing regular entitlement reviews and removing unused or terminated employee accounts immediately, e) limiting the number of access attempts and forcing an account shutdown that requires administrative interaction to lift.
Enable automatic patch management for operating systems and applications, including add-ons and plugins. Proactive patch management hardens your systems against known vulnerabilities. End-of-life applications which are no longer supported should be removed or used only in isolated and secure sessions.
Continuously monitor third-party code, links and advertising on your site to help prevent malicious content and ads being served on your site. Request that third-party content providers and ad networks adopt anti-malvertising guidelines.
Enable encryption on all wireless routers and access points, and either hide your SSID (Service Set Identifier) or name it so that it does not reveal details identifying your business. Change your keys frequently to help prevent key disclosure or unauthorized use. If you provide free wireless service, limit how and when the network can be used, monitor usage and keep it isolated from your business network.
In addition, OTA recommends that private sector as well as government agencies consider the following:
Initiate planning to support DNS Security Extensions (DNSSEC). DNSSEC adds security to the DNS and is designed to help address man-in-the-middle attacks and cache poisoning by authenticating the origin of DNS data and verifying its integrity while it moves across the Internet. DNSSEC is an Internet Engineering Task Force (IETF) set of specifications that secures communication between DNS name servers and clients. With the root zone and the .org, .net and .gov zones signed, and .com recently signed as well, the number of domains using DNSSEC and the number of resolvers performing validation will increase.
Update privacy and data use policies to clearly state what data is being collected, who it is being shared with and how it is being used, in order to increase consumer trust and self-regulation. Consider multilingual policies to support users for whom English is a second language.
Adopt third-party security, privacy and opt-out seal and certification programs.