Posts Tagged ‘Business’
Bad Business Reputation
Last Updated on Sunday, 15 April 2012 11:16 Written by Celframe Security Team Saturday, 8 September 2012 02:08
One of the major business risks is a bad business reputation which can have devastating consequences on the business profits or even the viability of the business as consumers might not want to do business with a company which has a bad image due to integrity issues and other reasons. Customer loyalty takes time to build and all it takes for it to disappear is bad word of mouth and negative business publicity. As mentioned, bad business publicity might be due to lack of business integrity or other factors such as mass unorganized and unmanaged layoff, employee mistreatment, lack of investment in communities where the company does business, lawsuits, hiring employees with criminal background, etc. However, one of the major contributors to the negative business image is the publicized theft of customer private information for curiosity or fraud purposes.
Often when businesses lose their customer information or detect fraud, they offer identity monitoring services to their customers which is cost free to customers but not headache free. Businesses offer the identity monitoring services to their customers primarily for two reasons. First, because it is sometimes the law and second because it is a good business practice to minimize fraud losses and contain brand damage. However, there is also a third reason why companies offer identity monitoring services which is to dump the responsibility for their negligence on customers while they try to save their company image after damage is done. Actions taken after identity theft and fraud occur are less productive than actions taken to prevent theft and fraud. Even when consumers follow the company instructions to sign up for identity monitoring services, they still have to follow up with suspicious activities to make sure they are authorized or fraud cases to clean up the mess. Therefore, the loss of customer information by businesses and more importantly the occurrence of identity fraud can be devastating to business reputation especially if they are highly publicized. A bad business reputation due to loss of private information which consumers have shared with the company when they were asked to share can take time to reverse course and gain the customer trust again. Identity theft and fraud can be prevented with proper risk assessments, documented and communicated policies and procedures, employee training, monitoring of account activities and management oversight. We all understand the increased sophistication and impact of identity fraud cases as time goes by, however, there are many less sophisticated fraud cases which can be prevented if companies are willing to take this crime seriously and take the necessary actions to prevent identity theft and fraud. Financial losses from unjustified risk acceptance and bad business practices may be written off, however, lost customer loyalty and trust as well as bad business reputation can not be written-off or reversed overnight which can ruin a company.
In conclusion, it is very important for businesses to implement an effective identity theft and fraud prevention program to comply with the identity theft regulations and reduce their risk of bad business reputation. If businesses successfully implement practices which prevent identity theft and stop fraud, they can save their business reputation and money spent for fraud write-off, recovery and identity monitoring. And more importantly they can keep their customers and maintain competitive advantage within their respective industries.
To prevent bad business reputation due to identity theft and fraud, visit Identity Management Institute for solutions.
Dear Verizon Business: I Have Some Questions About Your PCI-Compliant Cloud…
Last Updated on Monday, 12 March 2012 01:20 Written by Celframe Security Team Monday, 23 July 2012 06:35
You’ll forgive my impertinence, but the last time I saw a similar claim of a PCI compliant Cloud offering, it turned out rather anti-climatically for RackSpace/Mosso, so I just want to make sure I understand what is really being said. I may be mixing things up in asking my questions, so hopefully someone can shed some light.
This press release announces that:
“…Verizon’s On-Demand Cloud Computing Solution First to Achieve PCI Compliance” and the company’s cloud computing solution called Computing as a Service (CaaS) which is “…delivered from Verizon cloud centers in the U.S. and Europe, is the first cloud-based solution to successfully complete the Payment Card Industry Data Security Standard (PCI DSS) audit for storing, processing and transmitting credit card information.”
It’s unclear to me (at least) what’s considered in scope and what level/type of PCI certification we’re talking about here since it doesn’t appear that the underlying offering itself is merchant or transactional in nature, but rather Verizon is operating as a service provider that stores, processes, and transmits cardholder data on behalf of another entity.
Here’s what the article says about what Verizon undertook for DSS validation:
To become PCI DSS-validated, Verizon CaaS underwent a comprehensive third-party examination of its policies, procedures and technical systems, as well as an on-site assessment and systemwide vulnerability scan.
I’m interested in the underlying mechanicals of the CaaS offering. Specifically, it would appear that the platform – compute, network, and storage — are virtualized. What is unclear is if the [physical] resources allocated to a customer are dedicated or shared (multi-tenant,) regardless of virtualization.
According to this article in The Register (dated 2009,) the infrastructure is composed like this:
The CaaS offering from Verizon takes x64 server from Hewlett-Packard and slaps VMware’s ESX Server hypervisor and Red Hat Enterprise Linux instances atop it, allowing customers to set up and manage virtualized RHEL partitions and their applications. Based on the customer portal screen shots, the CaaS service also supports Microsoft’s Windows Server 2003 operating system.
Some details emerge from the Verizon website that describes the environment more:
Every virtual farm comes securely bundled with a virtual load balancer, a virtual firewall, and defined network space. Once the farm is designed, built, and named – all in a matter of minutes through the CaaS Customer Management Portal – you can then choose whether you want to manage the servers in-house or have us manage them for you.
If the customer chooses to manage the “servers…in-house (sic)” is the customer’s network, staff and practices now in-scope as part of Verizon’s CaaS validation? Where does the line start/stop?
I’m very interested in the virtual load balancer (Zeus ZXTM perhaps?) and the virtual firewall (vShield? Altor? Reflex? VMsafe-API enabled Virtual Appliance?) What about other controls (preventitive or detective such as IDS, IPS, AV, etc.)
The reason for my interest is how, if these resources are indeed shared, they are partitioned/configured and kept isolated especially in light of the fact that:
Customers have the flexibility to connect to their CaaS environment through our global IP backbone or by leveraging the Verizon Private IP network (our Layer 3 MPLS VPN) for secure communication with mission critical and back office systems.
It’s clear that Verizon has no dominion over what’s contained in the VM’s atop the hypervisor, but what about the network to which these virtualized compute resources are connected?
So for me, all this all comes down to scope. I’m trying to figure out what is actually included in this certification, what components in the stack were audited and how. It’s not clear I’m going to get answers, but I thought I’d ask any way.
Oh, by the way, transparency and auditability would be swell for an environment such as this. How about CloudAudit? We even have a PCI DSS CompliancePack
Question for my QSA peeps: Are service providers required to also adhere to sections like 6.6 (WAF/Binary analysis) of their offerings even if they are not acting as a merchant?
Related articles by Zemanta
Client work: Inside the Business of Malware
Last Updated on Sunday, 18 March 2012 02:23 Written by Celframe Web Team Sunday, 6 May 2012 01:41
Hi, I see that you are new here. The WallStats.com blog explores information with original visualizations and ideas. You may want to subscribe to my RSS feed. Thanks for visiting and don’t forget to comment!
This one is cool. It takes a look at underground malware and trojan market, exposing prices, scams, and financial motivations. I worked with some cool people on this one in some sensitive security areas.
It’s pretty large so will have to click through to see/read the whole thing.
To support my work please digg, retweet or other wise spread the word!
Tags: client work, flow chart, infographic, malware, security