Malware scores 100 against Australian e-Stores
Earlier reports this year from staysafeonline and various media outlets advised that up to 100 Australian online stores running the popular Magento shopping-cart software had been compromised with card- and credential-skimming malware. Malware hunter Willem de Groot published results on Twitter showing that around 4% of Magento sites worldwide were leaking payment and customer data. If you have transacted online recently, particularly in the run-up to the festive season, double-check your card statements for transactions you do not recognise. For site owners, a patch is available that closes the vulnerability the attackers use to get in; note that patching stops new infections but does not remove a skimmer that has already been planted, so a store that was exposed before patching should also be checked for injected code.
Setting IoT standards
A set of standards has now been defined and agreed upon for the baseline security properties of IoT devices. Given their current proliferation and expected continued growth, a baseline set of requirements covering security capabilities, patchability, data encryption and password protection has been created. The set is listed below. While none of it is ground-breaking, it draws a line in the sand for manufacturers of IoT devices going forward.
- Password Management – Device supports local password management
- Authentication – Device supports user authentication
- Access Controls – Device enforces role-based access control
- Patch Management – Device supports automatic and manual installation of patches from an authorized source
- Software Upgrades – Device supports manual installation of software upgrades from an authorized source
- Audit Log – Device supports the gathering of audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection
- Encryption of Data in Transit – Device supports encrypted communications using IPsec, SSH, TLS or DTLS
- Multi-Factor Authentication – Device supports multiple authentication factors
- Remote Deactivation – Device can be remotely deactivated by the EMS
- Secure Boot – Device supports a secure boot process to protect its hardware
- Threat Monitoring – Device supports logging of anomalous or malicious activity based on configured policies and rules
- IoT Device Identity – Device provides an IoT Device Type and a globally unique IoT Device Identity
- Encryption of Data at Rest – Device supports an effective mechanism for encrypting data stored on the device
- Digital Signature Generation and Validation – Device supports generation and validation of digital signatures
- Tamper Evidence – Device has the ability to alert a monitoring system when it is physically opened
- Design-In Features – Device includes features to fail secure, provide boundary security and ensure function isolation
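Several of the items above (patches and upgrades only from an authorized source, secure boot, digital signature generation and validation) come down to one mechanism on the device: verifying a vendor signature over an update before anything in it is trusted. The Go program below is an added example, not code from the original article or from any standards body. It assumes a constructed, hypothetical update format (device type, version, image, Ed25519 signature) and a hypothetical vendor key generated on the spot; the point it demonstrates beyond the list is that the signature must cover the device type and version as well as the image, so that a tampered image, an older signed image (rollback), an image built for a different product, or an image signed with a key other than the one pinned on the device are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical update container (not a real
// vendor format): the image, a monotonically increasing version, the device
// type it targets, and the vendor's Ed25519 signature over all three.
type UpdatePackage struct {
	DeviceType string
	Version    uint32
	Image      []byte
	Signature  []byte
}

// Device is the state the update check needs on the device side: the vendor
// public key pinned at manufacture, the device's own type, and the installed
// version (kept for anti-rollback).
type Device struct {
	VendorKey  ed25519.PublicKey
	DeviceType string
	Installed  uint32
}

var (
	ErrBadSignature = errors.New("signature does not verify against the pinned vendor key")
	ErrWrongDevice  = errors.New("update targets a different device type")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// GenerateVendorKey creates a fresh Ed25519 key pair (hypothetical vendor key);
// the private half would live in the vendor's build pipeline, never on the device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// digest binds device type, version and image into one hash so a signature
// over one image cannot be replayed for another device type or version.
func digest(deviceType string, version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte(deviceType))
	h.Write([]byte{0}) // field separator so "ab"+"c" and "a"+"bc" differ
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// Sign is the vendor-side step: produce a signed package for one device type.
func Sign(priv ed25519.PrivateKey, deviceType string, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		DeviceType: deviceType,
		Version:    version,
		Image:      image,
		Signature:  ed25519.Sign(priv, digest(deviceType, version, image)),
	}
}

// Apply is the device-side step. The signature is checked before any field is
// acted on; only then are the device-type and anti-rollback policies applied,
// and the installed version is advanced on success.
func (d *Device) Apply(pkg UpdatePackage) error {
	if !ed25519.Verify(d.VendorKey, digest(pkg.DeviceType, pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.DeviceType != d.DeviceType {
		return ErrWrongDevice
	}
	if pkg.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = pkg.Version
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, DeviceType: "sensor-x1", Installed: 3}
	fmt.Println("genuine v4:  ", dev.Apply(Sign(priv, "sensor-x1", 4, []byte("firmware v4"))))

	tampered := Sign(priv, "sensor-x1", 5, []byte("firmware v5"))
	tampered.Image = []byte("firmware v5 with backdoor") // modified after signing
	fmt.Println("tampered v5: ", dev.Apply(tampered))
	fmt.Println("rollback v2: ", dev.Apply(Sign(priv, "sensor-x1", 2, []byte("firmware v2"))))
	fmt.Println("wrong device:", dev.Apply(Sign(priv, "camera-y2", 9, []byte("firmware"))))

	_, rogue, _ := GenerateVendorKey() // an attacker's key, not the pinned one
	fmt.Println("rogue key v6:", dev.Apply(Sign(rogue, "sensor-x1", 6, []byte("firmware v6"))))
}
```

The same check, run by the boot ROM or bootloader against the firmware image at power-on rather than against a downloaded package, is what "secure boot" amounts to in practice. The version comparison is the part most often left out: without it an attacker who obtains an older, legitimately signed but vulnerable image can re-flash it and the signature check alone will happily accept it.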
Contact Us today to find out how Thomas Duryea Logicalis can support you with your organisation's security concerns and posture.