Security Experts Weigh in on Zappos Hack

Wednesday, January 18th, 2012

In the wake of 24 million customer records, passwords included, being stolen in the Zappos.com hack, the IT security world is warning enterprises not to be lax about breaches of any kind. It is a black eye for the Amazon-owned property, and it may signal a new round of attacks.

So far, Zappos has been tight-lipped about the root cause of the attack. It has not disclosed whether the breach came from inside, through a backdoor left open by an IT employee or through malware installed, intentionally or not, by an employee. Nor has it hinted whether the breach exploited a known but unpatched application vulnerability or a zero-day vulnerability.

For all that is not known about the Zappos hack, what is known is that Zappos is PCI compliant, and that all transactions are authenticated and encrypted using SSL. Ron Meyran, director of security at Radware, said PCI compliance is a minimum requirement.


Beyond PCI Compliance

“Invest in education to minimize the internal threat: Regularly educate employees about data breach risks and be aware not to install any unauthorized software which may be disguised as malware,” Meyran said. He suggested deploying intrusion prevention and behavioral analysis tools that can alert on abnormal user or application behavior, as well as a security information and event management (SIEM) system that collects event logs from all security tools so that evidence is preserved for forensics.

As Meyran sees it, the wide use of SSL to secure transactions between users and applications may be creating a false sense of security. Attackers have grown sophisticated and deliver their attacks over SSL-encrypted channels: they can scan an application for vulnerabilities through the SSL connection and launch a Web application attack over it, because SSL encrypts the request but does nothing to validate it. Such attacks may leave no trace, since most network security tools cannot inspect SSL-encrypted traffic unless the encryption is terminated in front of them.
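As an added example (not code from the article, from Zappos or from Radware), here is a small Python detector that works at the one place where SSL-encrypted traffic is no longer opaque: the access log written by the web server or the TLS-terminating reverse proxy. It parses combined-format log lines (the sample lines are constructed, with addresses from the documentation ranges), URL-decodes each request path, and flags a client that sends injection or traversal probes, announces a known scanner User-Agent, or produces a burst of 404 responses, which is the kind of scanning over SSL that Meyran describes. The signature list, scanner names and the 404 threshold are illustrative assumptions rather than a production ruleset; the point is that logic like this, fed into the event-collection system Meyran recommends, sees the plaintext request that a network device never does.

```python
"""Application-layer detection of web-app probing over decrypted access logs.

Added example, not from the article or from Radware. A network IDS/IPS
sees only ciphertext on HTTPS; the web server or TLS-terminating proxy log
records the decrypted request and can be shipped to a SIEM.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical, minimal request signatures matched against the decoded path.
SIGNATURES = [
    ("sql_injection", re.compile(r"('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*drop\s)", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\|/etc/passwd)", re.I)),
    ("xss_probe", re.compile(r"(<script|javascript:|onerror\s*=)", re.I)),
]
# Hypothetical list of scanner User-Agent fragments.
SCANNER_UA = re.compile(r"(sqlmap|nikto|nessus|acunetix|masscan|zgrab)", re.I)
# Assumed threshold: this many 404s from one client in a window looks like
# directory brute-forcing rather than a mistyped URL.
NOT_FOUND_THRESHOLD = 3

# Constructed sample log: one ordinary user, one scanner, one more user,
# and a malformed line to exercise the parser's failure path.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2012:10:00:02 +0000] "GET /product/42 HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2012:10:00:02 +0000] "GET /prodcut/42 HTTP/1.1" 404 201 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2012:10:00:03 +0000] "GET /product/42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "sqlmap/1.0"
198.51.100.9 - - [18/Jan/2012:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 201 "-" "sqlmap/1.0"
198.51.100.9 - - [18/Jan/2012:10:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 201 "-" "sqlmap/1.0"
198.51.100.9 - - [18/Jan/2012:10:00:04 +0000] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 400 150 "-" "sqlmap/1.0"
198.51.100.9 - - [18/Jan/2012:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 201 "-" "sqlmap/1.0"
192.0.2.33 - - [18/Jan/2012:10:00:06 +0000] "GET /product/43 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
this line is not an access log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does
    not match (unparsable lines are counted, not silently dropped)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %xx escapes so an encoded quote or "../" cannot bypass the
    # signatures; decode twice to catch double encoding such as %252e.
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec


def analyze(log_text):
    """Return ({client_ip: [(finding, detail), ...]}, unparsed_line_count).

    A client is reported if a request matches a signature, its User-Agent
    names a known scanner, or it caused NOT_FOUND_THRESHOLD or more 404s.
    """
    findings = defaultdict(list)
    not_found = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        ip = rec["ip"]
        for name, pattern in SIGNATURES:
            if pattern.search(rec["decoded_path"]):
                findings[ip].append((name, rec["path"]))
        if SCANNER_UA.search(rec["ua"]):
            tag = ("scanner_user_agent", rec["ua"])
            if tag not in findings[ip]:
                findings[ip].append(tag)
        if rec["status"] == 404:
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings[ip].append(("404_burst", f"{n} not-found responses"))
    return dict(findings), unparsed


if __name__ == "__main__":
    hits, bad = analyze(SAMPLE_LOG)
    for ip, items in hits.items():
        for name, detail in items:
            print(f"{ip}\t{name}\t{detail}")
    print(f"unparsed lines: {bad}")
```

Run as a script it prints one line per finding; only the scanner address is reported, the ordinary user with a single 404 is not, and the malformed line shows up in the unparsed count rather than vanishing. Decoding the path before matching is the detail that matters most in practice: a rule that matches the raw, still-encoded path misses exactly the requests a scanner sends.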

“The bottom line: PCI-DSS compliance is only the first…

View full post on NewsFactor Network
