Cloud security is a hot topic throughout the industry and the discussion is not complete without mentioning how the Cloud Security Alliance (CSA) has been influential in ensuring major security issues are addressed and averted. Cloud Security Alliance (CSA), a non-profit organization formed to promote security in cloud computing and education on the uses of Cloud Computing to help secure all environments.

“FireHost’s deep experience in virtualized and secure hosting is a welcome expertise for The Cloud Security Alliance,” said Jim Reavis, executive director of the Cloud Security Alliance. “We’re confident FireHost will be an asset in helping the CSA continue to innovate in developing best practices for securing providers in the cloud.”

Joining the CSA is further confirmation of our devotion to security and compliance for our customers. This is another step towards building on a foundation of security, governance and compliance, including PCI DSS, HIPAA compliance, SAS 70 Type II & other compliance mandates.

For more information and details, view the following press release announcing our partnership with CSA – http://www.firehost.com/company/newsroom/firehost-joins-cloud-security-alliance.

Consumers may not know the term SSL certificate, but they do increasingly recognize “secured by”, “protected by” and “verified by” badges on the eCommerce websites they visit.

Unfortunately, each web browser has the ability to determine where and how SSL certificates display, and some of the most popular web browsers suppress SSL badge visibility by decreasing the opacity or moving them to an inconspicuous location on the web page.

Extended Validation (EV) certificates (aka “The Green Bar” to consumers) combat browser suppression because they’re displayed front and center on every page where the SSL certificate has been installed correctly.

Compared to basic SSL certificates, EV certificates take longer to obtain because they include physical and legal validation of your business. EV certs provide the same level of encryption as regular SSL methods, and they tend to be a little more expensive to maintain, but they are the most trusted and recognizable way to reassure shoppers.

SSL badges offer more than just “feel good” reassurance to shoppers. The encryption provides real protection for PII transmitted thru an eCommerce site, and SSL certificates purchased from a reputable and accredited, business-grade provider come with insurance ($250,000 for a single site EV for example) that provides financial backing for your business and consumers should the encryption fail.

With all the risks facing eCommerce websites, SSL certificates are an affordable “must-have” costing approximately $40/month for entry level protection.

SSL encryption and validation is a wonderful and necessary technology, however it comes with a few “special considerations” that could have negative repercussions if they’re not handled in a professional way. For example, SSL products are useless if they’re installed incorrectly, and the encryption / decryption process can slow down your application’s server.

For eCommerce websites requiring high availability, we provide expert installation and a process called SSL Acceleration to prevent these caveats from negating the SSL product’s wonderful benefits.

Expert SSL Installation involves knowing where to install an SSL certificate, not just how to technically enter the code on the page. Every page with user input should be accompanied by https:// protection. “My Profile”, “Your Account”, “Checkout Here” and “Login” pages accurately described by those handles should always be protected by SSL encryption.

It’s not as simple as that however. eCommerce websites in particular have a unique set of SSL certificate installation requirements. For example, the shopping cart should be protected, but not necessarily product pages. An SSL certificate must be installed in such a way that it’s encryption resides within the page not the user’s session. If these intricacies are left unattended, your SSL has a higher chance to fail and/or make your site load improperly and with errors.

SSL Acceleration is a Cadillac solution for high traffic eCommerce websites that want to maximize SSL capabilities. In simple terms, acceleration means offloading SSL validation to a load balancer instead of using the web application server’s valuable resources to deliver the SSL encryption/decryption process.

For eCommerce websites, SSL acceleration helps ensure optimal load times during peak traffic days (and weeks), but acceleration should not be considered a seasonal “nice to have”. On calmer shopping days, SSL acceleration allows eCommerce site administrators to protect more page content (perhaps even proprietary non-public facing page content) and use SSL technology in the way it was intended – to protect all (or as much of) the content located online from being intercepted and misused by malicious cyber criminals.

A lack of threat awareness is not the problem. The study shows that almost all businesses in this category have installed anti-virus programs and kept security systems up to date, but a large number of SMBs still become victims of cyber crimes. When disaster strikes, viruses (41%) followed by spyware (26%) are most often the cause.

In a conversation with SC Magazine, Luis Corrons, PandaLabs technical director suggested, “these companies often lack the in-house staff and resources to fight off increasingly sophisticated and exponentially more targeted Internet attacks.”

The study’s results support Mr. Corrons claim that SMBs are not or able (or willing) to allocate the appropriate resources to close vulnerabilities and properly secure their environment.

• 52% of survey respondents have no web filtering solution
• 39% are untrained/unaware of IT threats
• 29% have no anti-spam solution
• 22% are without anti-spyware technology
• 16% do not have a firewall

So what should small and medium size business owners do?

Network vulnerability scans provide extremely high value. A thorough scan of your website(s), database(s), and application(s) can identify disasters waiting to happen. With a starting pricepoint around $100 each, vulnerability scans provide SMBs an affordable way to identify open ports, SQL injections, cross-site scripting (XSS) attempts, holes in JavaScript and web forms, and much more.

Steve Hawkins, Raytheon’s VP of Information Security Solutions, told FoxNews.com that there are more than 30 different job descriptions available, and applicants must pass the most stringent security clearances. Qualified individuals must understand computer systems and have a handle on the interaction between hardware and software down to the nitty-gritty. Additionally, applicants should know how the adversary [ cybercriminals ] thinks and adopt their perspective, but in an ethical way.

Raytheon isn’t alone in the movement to beef up the US cyber army. The Center for Strategic and International Studies recently kicked off a nationwide talent search for high school and college students to encourage cybersecurity as a career path.

Aptly named, the US Cyber Challenge has set out to find 10,000 young Americans interested in becoming cyber guardians and cyber warriors. The program will nurture and develop participants’ skills and provide access to advanced education.

“We’re glad to see online security become a public concern. These competitions and recruitment activities reinforce our core belief that everyone is entitled to maintain an identity online without the threat of being hacked or defaced. Having more qualified individuals working to make the internet safer is only going to make our secure hosting services more effective,” states FireHost CEO, Chris Drake.

The Nine-Ball attack is deployed when a user visits a legitimate website that has been infected with the malicious code. From the legitimate website, unsuspecting users are redirected behind the scenes through a series of different sites owned by the Nine-Ball’s hackers.

The diagram below depicts a typical url progression that happens behind the scenes during a Nine-Ball deployment.

Nine-Ball Progresstion

When an infected site is visited for the first time, the user is directed to the ninetoraq.in exploit payload site where the visitor’s IP address is recorded and the trojan download is installed.

If a user on the same IP visits the legitimate website again, he or she is directed to the benign site of ask.com. Security experts speculate that the Nine-Ball hackers are using a benign destination url to throw cyber security investigators and cyber crime analysts off track.

The scary part is that most antivirus applications will not detect Nine-Ball’s malicious code. Websense experts report, that “the exploit is detected by only three of the 41 most commonly used AV programs.”