Malwarebytes Enterprise Edition debuts with features designed for the SMB

Malwarebytes has enjoyed a strong following with its consumer software for detecting and removing malware. Now, the company is launching a new version designed for small and midsize businesses.

Released Monday, Malwarebytes Enterprise Edition (MEE) features a management console that allows IT teams to handle large deployments. Previously, if a company's IT technicians wanted to install the product on office machines, they had to write their own script around the consumer version and push it out manually, according to Marcus Chung, Malwarebytes executive vice president and chief operating officer. MEE eliminates this step.

Malwarebytes Anti-Malware is used by over 150 million people worldwide to block or remove over five billion pieces of malware. Company executives said the behavior-based software is designed to work in concert with antivirus software. The company, which is based in San Jose, Calif., began making a marketing push last summer.

New features in the company's enterprise version include the management console and an integrated virtual deployment simulator that tests policies before they are implemented. One of the features of the console is a listing of comprehensive reports so users can see current malware trends. MEE allows administrators to customize security policies for the entire company, or for individuals or groups within the enterprise.

MEE also includes features from the consumer version, such as Chameleon technologies that ensure malware protection can work even when an infection has taken root.

"Malwarebytes Enterprise Edition doesn't depend on typical definitions and uses heuristics to stop these intelligently architected attacks before they can execute on endpoints, providing an extra layer of defense today's corporations can well use," Jon Oltsik, senior principal analyst at Milford, Mass.-based Enterprise Strategy Group, said in a prepared statement.

Pricing for 100-seat licenses of MEE begins at $1,315, with special pricing available for government, education and non-profit organizations. MEE is compatible with Windows Server 2003, 2008 and 2008 R2 and supports the XP, Vista, Windows 7 and Windows 8 client operating systems.

Malwarebytes was founded in 2008 after Malwarebytes CEO Marcin Kleczynski's computer was infected with malware that was not caught by his antivirus. The company has offices in Europe and employs a global team of researchers and experts. Malwarebytes MEE is available beginning today.




New zero-day vulnerability targets Internet Explorer users

Security researchers are warning of a new zero-day vulnerability affecting Internet Explorer. The flaw has already been exploited in the wild.

The flaw, which affects Internet Explorer 7, 8 and 9 on Windows XP, Vista and Windows 7, was discovered over the weekend by researcher Eric Romang. In a blog post, Romang wrote that the Nitro gang -- the same group that apparently used the recent Java zero-day in targeted attacks -- could be connected to the IE vulnerability.

According to researchers at Boston-based Rapid7, users' computers can become infected simply by visiting a malicious website. In a blog post, they wrote that attackers have already been using the exploit in the wild.

Rapid7 advised users to switch to another browser such as Chrome or Firefox until Microsoft releases a security update.

A zero-day exploit module has been added to the Metasploit penetration testing toolkit to give security pros a way to test their systems to see if they are vulnerable, the Rapid7 researchers said.




Yelp Lets Local Businesses Offer Gift Certificates

Small businesses now have the option to sell gift certificates directly from their business profile page on Yelp. The local reviews site, which also gives businesses the opportunity to offer daily deal promotions, tested the gift certificate feature earlier this year and has just announced that it is now available to all businesses using the site.

Unlike its daily deal promotions, the gift certificates are not discounted at all. It's just a simple way for businesses to reach out to customers. For local business owners, a feature like this can make a lot of sense, not only for gaining new customers but also for turning existing customers into loyal advocates.

For instance, some consumers might be less likely to purchase a discounted promotion for a local business if they're giving it as a gift, since it might be considered tacky. In addition, some of the deals offered on the site were too low to cover an entire product or service, so the customer was still left making up the difference. With the new option, businesses can offer gift certificates in different denominations of their choice, so customers can buy as much or as little as they want.

Yelp, which has about 78 million monthly users, will take a 10% cut of gift certificates sold on the site. But the certificate is full-value for the customer, so if someone wants to buy a $100 gift certificate for their friend's favorite restaurant, they pay $100 and get exactly that much to spend.

Deals still remain available for local businesses. So between the two options, businesses can reach out to new and existing customers in different ways. Since Yelp is so recognized and widely used by locals in many cities throughout the country, tying in this type of option can make patronizing local businesses even more convenient. And thus, businesses that are already on Yelp could really benefit from offering gift certificates on the site.




Why focus on SIEM integration, coverage maximizes anomaly detection

This lesson is part of SearchSecurity.com's Integration of Networking and Security School lesson, Using SIM for threat monitoring. For more on this topic, visit the lesson page; for additional learning resources, visit SearchSecurity.com's Security School Course Catalog.

Recognizing the benefit of SIEM technology, and making the decision to implement a SIEM system, are important initial steps for an enterprise that takes security and threat management seriously. SIEM systems can be invaluable for anomaly detection, but the challenge lies in how best to approach SIEM, and how to ensure the implementation supports the best possible coverage, insight and response.

As the security "nerve center" of an organization, a security information and event management (SIEM) implementation, when done well, gives an enterprise a holistic view of the security events that originate from a whole multitude of devices, applications and activities across the enterprise. The advantage of such a view is that correlation of events can be conducted and patterns can be identified in ways not possible without such a consolidation of security information.

By having a unified view of security-related activity on network devices, firewalls, servers, desktops and even applications such as antivirus or transactional systems, a vigorous SIEM integration effort provides security operations teams with a much richer and more accurate knowledge base from which to observe, interpret and react to possible threats to the organization.

The architecture of a SIEM system typically consists of a central processing engine, which is fed by agents or collectors that are distributed throughout the managed environment. A database or storage repository generally holds events, and a console for managing and visualizing event activity is presented. A wide range of SIEM implementations and products is available, but these general characteristics are commonly found in most products.

It should be clear that a SIEM's maximum benefit is derived by including as comprehensive a set of security information feeds as possible. Candidates for inclusion should range broadly from infrastructure devices, to application systems, as well as environmental feeds.

At an infrastructure level, SIEM agents can be placed on servers or desktops, firewalls or IDS/IPS devices to propagate security events from these sources to the SIEM database and processing engine. In some instances syslog events are incorporated by the SIEM, and this is one of the most direct and easy ways of integrating system information. 

At an application level, integration options depend on how accessible and map-able application originating events are. With many enterprise applications, especially those custom built in-house, it can be quite tricky to obtain a feed of security-related events that could be integrated into a SIEM for monitoring, analysis or response. More customized activity may be required to include security-related activities from a transactional system or business-specific application than from, for example, antivirus software deployed on a workstation or server. The latter type of software can be helpful in providing an evolving view of how (and where) virus detection is proceeding across an organization. In many instances, antivirus software does ship with its own console and management system that in and of itself provides sufficient reporting, but incorporating antivirus events into the SIEM can add a valuable dimension to the "view" of organizational security, especially when correlated and analyzed with other types of events.

From an environmental perspective, a SIEM can be enriched by having other types of information made available to it. In a process-control environment, this could include temperature, pressure or valve status information. In a building or facilities management scenario, this could include door access events or other traps relating to activities occurring in the environment (position of elevators, air conditioners or fire systems). One of the big areas of development for SIEM is that of cyber-physical systems, and the type of environmental feeds indicated can bridge the IT infrastructure world of an organization with its production systems as well.

With the integration options indicated, it is important for an enterprise to first consider which feeds will be prioritized. Most organizations should consider starting with the "pillars" of the IT infrastructure, and also the most mission-critical servers and systems. This would include primary servers, key networking and communications devices (firewalls, routers and the like), key security defenses (intrusion prevention systems) and then looking further to desktops and their applications. Prioritization should be, in a sense, threat driven: the areas where an attack could cause greatest damage should be identified first.

An effective approach can be to work in phases, with an initial round of integration for feeds where off-the-shelf connectors can be used, as opposed to custom-built connectivity for in-house applications. If the SIEM software already ships a connector for a particular system (a mechanism to import that system's events), those feeds are easier to bring in than sources with complex event formats that may require customisation of the connectors. A later phase then covers the feeds where connectivity and event-format mapping require more customisation and time.

Once the feeds are incorporated and the best possible coverage has been achieved, security operations teams must spend time understanding the event patterns and getting a "feel" for normal activity vs. unusual activity. The beauty of using a SIEM system is that different views and visualizations are generally provided, and combinations of event streams can be overlaid to offer further insight into activity patterns that may seem suspicious. In this way SIEM operators can "zoom in" and get detailed insight into the managed environment.

Naturally, initial analysis will quickly dictate the need for tuning, which often includes narrowing or broadening the focus. Voluminous event feeds such as antivirus may actually need to be filtered out if they are not providing useful information. SIEMs support pre-processing at the nodes and/or collection servers so that only certain, most relevant event types are propagated to the engine. A related approach is to integrate the antivirus management system as a consolidated feed into the SIEM: for example, taking SNMP messages (traps) from the antivirus management system itself, which carry aggregated and/or interpreted information, may be easier than drawing in raw antivirus data from every endpoint. This sort of tactic reduces the volume that can overwhelm a SIEM (and make it difficult to "find" the relevant activity that is crucial to any anomaly detection effort). The danger of filtering out too much too soon is that it dilutes the insight and effectiveness that can be achieved: an event dropped at the collector can never be correlated at the engine.
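The three stages described above (collecting syslog from infrastructure devices, normalising and pre-filtering noisy feeds such as antivirus at the collector, and correlating across feeds at the engine) as an added example; this is not code from the original article or from any SIEM product. The sample syslog lines, host names, IP addresses, the three message formats and the rule thresholds are all constructed for illustration. The last call shows the over-filtering trap from the paragraph above: dropping the antivirus detections at the collector silences the correlation rule that needed them.

```python
"""Added example: syslog ingestion, pre-filtering and cross-feed correlation.
Sample lines, hosts, IPs, feed formats and rule thresholds are constructed for
illustration; nothing here is taken from a real SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style syslog from a firewall (fw01), an SSH server (dc01)
# and an antivirus management console (avmgr01). All values are made up.
SAMPLE_SYSLOG = """\
Sep 18 10:00:01 fw01 kernel: DENY TCP 10.1.1.20:51312 -> 203.0.113.5:4444
Sep 18 10:00:02 fw01 kernel: DENY TCP 10.1.1.20:51313 -> 203.0.113.5:4444
Sep 18 10:00:03 fw01 kernel: DENY TCP 10.1.1.20:51314 -> 203.0.113.5:4444
Sep 18 10:00:05 dc01 sshd[2211]: Failed password for admin from 10.1.1.20 port 40122 ssh2
Sep 18 10:00:07 dc01 sshd[2211]: Failed password for admin from 10.1.1.20 port 40123 ssh2
Sep 18 10:00:09 avmgr01 avconsole: INFO host=ws-020 ip=10.1.1.20 msg="definitions updated"
Sep 18 10:00:10 avmgr01 avconsole: ALERT host=ws-020 ip=10.1.1.20 msg="Trojan.Generic detected"
Sep 18 10:00:11 avmgr01 avconsole: INFO host=ws-031 ip=10.1.1.31 msg="scheduled scan complete"
Sep 18 10:00:12 fw01 kernel: ACCEPT TCP 10.1.1.31:50001 -> 198.51.100.9:443
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
FW_RE = re.compile(r"^(?P<action>DENY|ACCEPT) \w+ (?P<src>[\d.]+):\d+ -> [\d.]+:\d+$")
SSH_FAIL_RE = re.compile(r"^Failed password for \S+ from (?P<src>[\d.]+) port \d+")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Correlation rules: event-type counts required from one source IP inside a
# sliding window. Thresholds are illustrative, not recommended values.
RULES = [
    {"name": "possible_compromised_host", "window": timedelta(seconds=60),
     "requires": {"fw_deny": 3, "auth_fail": 1, "av_detect": 1}},
    {"name": "brute_force_source", "window": timedelta(seconds=300),
     "requires": {"auth_fail": 5}},
]


def parse_syslog(text, year=2012):
    """Collector stage. Syslog lines carry no year, so one is assumed here."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue  # unparseable; a real collector would count these for tuning
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "app": m["app"].split("[")[0], "msg": m["msg"]})
    return events


def normalize(ev):
    """Connector stage: map each feed's own format onto one schema (type, src_ip, severity)."""
    base = {"ts": ev["ts"], "reporter": ev["host"]}
    if ev["app"] == "kernel" and (m := FW_RE.match(ev["msg"])):
        deny = m["action"] == "DENY"
        return {**base, "type": "fw_deny" if deny else "fw_accept", "src_ip": m["src"],
                "severity": "medium" if deny else "info"}
    if ev["app"] == "sshd" and (m := SSH_FAIL_RE.match(ev["msg"])):
        return {**base, "type": "auth_fail", "src_ip": m["src"], "severity": "medium"}
    if ev["app"] == "avconsole":
        level, _, rest = ev["msg"].partition(" ")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if level == "ALERT":
            return {**base, "type": "av_detect", "src_ip": kv.get("ip"), "severity": "high"}
        return {**base, "type": "av_info", "src_ip": kv.get("ip"), "severity": "info"}
    return {**base, "type": "unknown", "src_ip": None, "severity": "info"}


def prefilter(events, drop_severities=("info",)):
    """Pre-processing at the collector; the dropped count keeps the tuning decision visible."""
    kept = [e for e in events if e["severity"] not in drop_severities]
    return kept, len(events) - len(kept)


def correlate(events, rules=RULES):
    """Engine stage: overlay feeds per source IP and fire a rule when every required type hits its threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for rule in rules:
            for i, start in enumerate(evs):
                counts = defaultdict(int)
                for e in evs[i:]:
                    if e["ts"] - start["ts"] <= rule["window"]:
                        counts[e["type"]] += 1
                if all(counts[t] >= n for t, n in rule["requires"].items()):
                    alerts.append({"rule": rule["name"], "src_ip": ip, "first_seen": start["ts"],
                                   "evidence": {t: counts[t] for t in rule["requires"]}})
                    break  # one alert per rule and source; later windows would repeat it
    return alerts


def run_pipeline(text=SAMPLE_SYSLOG, drop_severities=("info",)):
    """Collect, normalize, pre-filter, correlate. Returns counts and alerts."""
    raw = parse_syslog(text)
    kept, dropped = prefilter([normalize(e) for e in raw], drop_severities)
    return {"parsed": len(raw), "dropped": dropped, "alerts": correlate(kept)}


print(run_pipeline())                                    # one alert for 10.1.1.20
print(run_pipeline(drop_severities=("info", "high")))    # AV detection dropped: no alert
```

With the default filter, the informational antivirus and firewall ACCEPT lines are dropped at the collector and the engine still sees the three denies, two failed logins and one detection from the same source address, so the compromise rule fires. Extending the filter to "high" severity removes the detection before correlation and the same host produces nothing, which is the dilution the text warns about.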

The final question relating to using SIEM for anomaly detection is how to ensure appropriate and necessary response. The intent of the SIEM is that security operations teams can become more proactive and equipped to detect and respond to security threats. Once the SIEM has been implemented and "tuned" to the environment, response and intervention plans should be tested and assessed so that, if necessary, technical or personnel originating actions can be performed quickly and exactly to mitigate a perceived threat. In the best case, early warning and detection of attacks should be possible, but after-the-fact review and analysis can also be highly valuable to understand what may have happened and to implement rules or pattern profiles to ensure such activities (or combinations thereof) do not become a threat to an organization again.

More powerful techniques of anomaly detection and big data-type processing hold the promise of ever more effective SIEM deployments in the future. But by following the SIEM coverage, integration and response recommendations outlined here, organizations become poised to benefit from these new and helpful analysis techniques as they are embraced by SIEM software and service providers.

About the author:
Andrew Hutchison is an information security specialist with T-Systems International in South Africa. An information security practitioner with 20 years of technical and business experience, his technical security work has included secure system development, security protocol design and analysis, and intrusion detection and network security solutions. He has held executive responsibility for information security in a large enterprise, establishing its chief security officer role and initiating an ISO27001 security certification program. As business sponsor for large SIEM rollouts, he has experience in deploying and operating SIEM systems in a managed service provider environment. He is an adjunct professor of computer science at the University of Cape Town in South Africa.

This was first published in September 2012



BSIMM study expands scope, identifies new software security activities

Software security consulting firm Cigital issued the fourth version of its Building Security In Maturity Model (BSIMM) on Tuesday, marking an expansion of the project, which assessed 51 firms to get an accurate snapshot of their software security activities.

BSIMM4 is a measuring stick that gauges the differences in product security between the participating firms.  It helps anyone responsible for creating and executing a software security initiative to understand the commonalities and differences in the software security activities among the firms studied.

BSIMM4 includes two new activities identified by the BSIMM assessment team: Malicious Code Detection, which is used to identify dangerous code written by malicious in-house developers or outsource providers, and Software Security Crisis Simulation activities, which evaluate how the incident response team and product groups can effectively respond to incidents.

The study assesses the firms against 95 distinct measurements, said Gary McGraw, chief technology officer of Dulles, Va.-based Cigital. The study found that of the firms studied, two people are doing software security full time for every 100 developers, McGraw said. Of more than 3,000 people identified as performing software-security-related activities in their firms, nearly 975 were identified as directly working in their software security group every day, full time, according to McGraw.

"If you use software on any given day, it's very likely you'll use software that BSIMM had directly impacted," McGraw said. "If your firm is not doing software security, you are behind and are getting further behind every day."

McGraw said BSIMM is being used to justify expenditures on software security by savvy executives because it can show how a particular firm compares to its peers. The study is big enough that it now enables software security pros to compare their firms' performance against their industry peers, according to McGraw. For example, 19 financial services firms can be assessed against each other.

"When people can compare what they are doing to their peer group, it is powerful and helpful to the field," McGraw said.

Intel undergoes software simulation drills


Jeffrey Cohen, head of product security assurance at Santa Clara, Calif.-based Intel Corp., indicated that Intel is one of several firms that experienced the newly identified activity: software simulation drills. As the lead of Intel's product security incident response team (PSIRT), Cohen said he organizes table-top exercises with the company's product groups, walking through different hypothetical scenarios to see how teams respond.

"These simulations help build awareness of what some of the risks might be.  It makes it more concrete when you're looking at an actual scenario," Cohen said. "You learn things about how teams might respond to a real issue and how they might respond better.  That helps improve response plans."

Intel was first assessed by the BSIMM in early 2010, several years after having established its formal company-wide product security initiative. "The two-day BSIMM assessment was rigorous," Cohen said. "More than a dozen people were interviewed as part of the assessment, getting a sampling of individuals that support software security activities at the company."

Cohen said the BSIMM helped Intel to assess and advance its capabilities.

"The BSIMM assessment seemed to be a reasonable assessment of how we stacked up against the different measurements in the model and really helped accelerate our understanding of our peers," Cohen said. "One of the things that makes Intel different is that we address hardware and software as part of our security program. The BSIMM itself and its different measurements work quite well, whether you're talking about anything from a Web app to a driver to a piece of hardware. The same kinds of principles apply."

Cohen also participates in a mailing list and an annual conference of BSIMM participants, where software security experts share ongoing activities, new initiatives and some of the challenges they are encountering. "In my opinion, prior to the BSIMM study, communication between security-conscious software experts in the industry was more 'hit-or-miss,'" Cohen said. The BSIMM community has created a forum of like-minded people to get together and share their experiences, he said.

Participants in the BSIMM are finding that if 30 to 40 other companies are doing an activity, a firm can weigh whether it, too, would benefit from implementing that activity. It helps guide an organization's focus and gives supporting data to the managers who control budgets and can invest in new initiatives.

Fidelity adds malicious code detection team

Fidelity created a malicious code detection team to be proactive about monitoring in-house developers and outsource providers who work for the financial giant, said David Smith, vice president of the application security group at Fidelity. The code review uses automated tools to look for insider threats versus external hacker threats.

"I think it's important that our developers know this team exists and we're looking for this code written for malicious intent," Smith said. 

Fidelity continues to invest in new software security activities because executive management values it and has created a security-aware culture, Smith said. Executive support and creating an environment where security can thrive is difficult for firms getting a program started, he said.

Smith said he was able to strengthen his group's architectural design and security testing processes, following a BSIMM assessment. The program improvements reduced security vulnerabilities by half, he said. The company uses the BSIMM results to identify areas for improvement in its program and as evidence that an independent third party has assessed its program compared to the industry's best, he said.

"BSIMM gave me the ammo to show why certain areas were important," Smith said. "Armed with BSIMM data, we proposed some programs, and it's proved very fruitful."




Ileane Smith Argues That Content Isn't King

If you're like me, you're getting tired of hearing “content is king” everywhere you go. Ileane Smith, founder of Basic Blog Tips, goes as far as saying that content, in fact, isn't king:

“For me, what's more important are the connections and the relationships you can build through your blog. Those connections will lead to collaborations and eventually help you build the skill set, along with the confidence you need to succeed.”

So while having a blog is becoming increasingly important, Smith (@ileane) says it's more about having the right strategy for how a business will use a blog to market itself. She founded Basic Blog Tips to provide actionable advice on how to use blogs and social media as marketing tools. Her tutorials and forums provide tips to all levels of bloggers and social media users, and cover everything from creating a successful WordPress site to the benefits of sites like StumbleUpon.

Born Out of Necessity

When Smith began blogging in 2009 (at her daughter's urging), she was frustrated to find so few genuinely useful resources to help her make the most of her blogging efforts. So, like any smart entrepreneur, she decided to fill the gap herself by starting Basic Blog Tips. Smith provides most of the content on the site, but does have guest contributors pitch in as well.

And while the primary focus of the community was initially blogging, as social media rose in popularity, Smith began offering more tutorials and blog posts to help small business owners navigate the worlds of Facebook, Twitter, LinkedIn, Google+ and more. Smith practices what she preaches about social media, with active profiles on all the major sites. She recognizes the importance of maintaining profiles on multiple social sites, though she does have her favorites:

“Twitter will always be my first love when it comes to social media because it's fast and easy to master, but I'll admit I spend way more time on Facebook these days than I care to admit. And I'm seeing a nice increase in traffic and engagement from Facebook that goes a lot deeper than what I can achieve on Twitter.”

Simply Being There Isn't Enough

In addition to participating as a Media Partner in the 2012 Small Business Influencer Awards, Smith received an Honorable Mention in the 2012 Small Business Awards, and Basic Blog Tips was chosen as a Community Choice Honoree. It's clear she practices what she preaches: that simply being online isn't enough. You have to get involved in the community.

Through Basic Blog Tips, Smith works to help businesses align their marketing goals and strategies when using social media and blogs. Because, after all, some businesses expect overnight success with these tools, and that's simply not how they work.

“I started Basic Blog Tips two years ago to help people build better blogs and learn to use social media the right way. Entrepreneurs are starting to realize that having a blog and an online presence is an important component to the success of their business and my blog provides tips and strategies that help put them on the right path.”

Editor's Note: This article is one of a series of interviews of key players in the Small Business Influencer Awards.




Unencrypted laptop that contained sensitive information on children stolen from Edinburgh City Council consultant

Edinburgh City Council is conducting an investigation after a laptop, containing sensitive details on vulnerable children, was stolen from a member of a fostering and adoption panel.

According to the Scotsman, the laptop was stolen from the home of an independent consultant who conducts reviews of foster and adoptive parents in Edinburgh. The data included files and minutes from dozens of reviews. The laptop has not yet been recovered and the council said it was not encrypted.

Council officials are particularly concerned because some of the information on the laptop may relate to children who were removed from their parents by social services.

A council spokeswoman said: “The police advice is that it's unlikely the information was targeted and that the laptop was probably wiped for resale. However, we won't take any chances even when there is a low risk of individuals being identified. We have contacted the majority of those involved and have apologised. We're working with our external advisers to stress the importance of information security.”

A spokeswoman for Lothian and Borders Police said: “We are following a positive line of inquiry following a house-breaking at an address in the south-east of Edinburgh.”

Chris McIntosh, CEO of Viasat UK, said: “Nobody expects organisations to keep every single piece of IT equipment safe at all times: the world is simply too unpredictable. However, the same doesn't hold true for data: there is no reason that Edinburgh City Council couldn't have, at the very least, made sure that all sensitive information on children and other members of the population was encrypted.

“At the same time, all those charged with carrying and using that data should have been fully aware of security best practice.

“No doubt the council will learn lessons from this event, both from the theft itself and any likely actions from the Information Commissioner's Office. However, wisdom with the benefit of hindsight is simple. Organisations still need to realise that data loss or theft can happen to anyone, at any time, for any reason. Failure to anticipate this could once be explained as a sad accident. As time goes on it will look more and more like negligence.”



US National Cyber Security Hall of Fame announces first inductees

The first inductees to the US National Cyber Security Hall of Fame have been announced.

The 11 men and women will be inducted on Wednesday 17th October at a gala banquet at the Four Seasons Hotel in Baltimore, Maryland. In its debut year, the first inductees were nominated by qualified organisations engaged in cyber security and were ranked and reviewed by the board using established criteria in five categories: technology; policy; public awareness; education; and business.

The 11 inductees are:

  • Professor Dorothy Denning at the Department of Defense Analysis, Naval Postgraduate School
  • Carl Landwehr, Editor-in-Chief of IEEE Security and Privacy Magazine
  • Peter Neumann, Ph.D., Principal Scientist at SRI International
  • Roger Schell, President of ÆSec
  • Whitfield Diffie, Martin Hellman and Ralph Merkle, inventors of public key cryptography
  • Ron Rivest, Adi Shamir and Leonard Adleman, inventors of the RSA algorithm
  • F. Lynn McNulty, Federal Information Systems Security Pioneer, was named to the 2012 class posthumously.

Mike Jacobs, chairman of the National Cyber Security Hall of Fame and the first Information Assurance Director for the National Security Agency (NSA), said: “Working in areas of technology, public policy, business, education and public awareness, the honorees represent the innovators and visionaries who defined an industry and established the standards in information assurance. These pioneers paved the way for people everywhere to have the ability to securely utilise digital technologies for work, banking, recreation and communication.”



Small Business Satisfaction Partially Rebounds, Says Gallup

A recent Gallup poll shows small business satisfaction levels have gone up.  However, it's a case of good news / bad news.  It's good news to see an uptick of any kind.  But that good news is tempered by the fact that satisfaction has barely gotten back to the 2008 level, and small business owners are still 12 points under the high point of satisfaction from 2006.

Be careful not to misinterpret this poll. Small business owners may feel satisfaction and a degree of success, but don't necessarily see conditions getting much better. This particular poll is more about pride in self-reliance, versus a measurement of how well things are going.

The poll was conducted in mid-July, 2012. [Chart: Gallup poll results]

The poll is part of a quarterly survey using a random sample of 600 small business owners.

In the poll, 55% of small business owners expressed satisfaction with their role as a business owner. That rate hasn't been seen since July 2008 during the recession.

Self-reported success among small business owners has also increased. Thirty-nine percent (39%) said they feel very successful, and 51% said they feel somewhat successful as a small business owner.  Success wasn't defined in the survey.

My take on it is that business owners' feelings of satisfaction and success come from intrinsic values such as the satisfaction of being able to employ people and continue to serve customers even in a tough economic environment.  It comes from the confidence of knowing your self-reliance helped you beat back adversity.  That's what this is measuring.

It's not about measuring the business owners' actual financial situation. If you look at business owners' outlook and expectations for the next 12 months based on how their businesses are doing financially (pulling data from the very same Gallup survey), the picture looks less positive.  Their overall sense of optimism about their future financial picture isn't as positive.

In other words, as a business owner you can feel a degree of satisfaction and success because your business survived or you haven't had to lay off employees or because you managed to keep most of your customers, even if economic conditions swirling around you are negative.  You feel satisfied and successful inside because of what you did manage to accomplish in the face of adversity.




Small Businesses Can Do BIG Things With Technology

Last week I was in Phoenix getting some training in my role as Regional Development Manager NY/NJ at Infusionsoft. At that event I met up with Travis Campbell and he whipped out his iPhone and used SoundCloud to record a quick podcast (audio interview) with me. Brent Leary, Co-Founder and Partner of CRM Essentials LLC, uses SoundCloud as well in his “Technology for Business Sake” radio show (on which I'm honored to do the “Rappin' With Ramon” segment every other week).

My point is that very small businesses can do VERY big things using low cost (and often free technology).

I did this video from the Phoenix Airport on my tablet and used my wireless connection to upload it to YouTube. Check it out:

Why is content so important?  People (prospects, journalists, competitors, everyone) are looking for information or entertainment or something. Although not everyone is looking for what you have, someone surely is.

If you have content, online, that aligns with what you do, it's going to be SEEN by the many people looking for this great content.



Malwarebytes launches first enterprise protection product

Malwarebytes has launched its first enterprise product which is designed to protect against zero-day exploits and rootkits which defeat traditional enterprise anti-virus solutions.

According to the company, Malwarebytes Enterprise Edition (MEE) will work alongside a company's existing anti-virus solution to provide a new layer of defence against targeted threats which use attack vectors including email, social networks and instant messenger.

It includes advanced protection via an automated detection engine which uses a combination of heuristic, behavioural and signature analysis. The company said that this approach can identify and block entire families of malware and even predict future mutations.

It also uses highly effective removal technologies to remove all registry traces of malware, as well as purpose-built Chameleon technology which counteracts illicit attempts to remove security software.

Marcin Kleczynski, CEO of Malwarebytes, said: “Modern malware is able to bypass many of the anti-virus technologies currently deployed in today's enterprise, posing a serious risk to corporate data. Built from the ground up, we developed a new approach to secure, control and remediate endpoints that has already been broadly adopted in the consumer marketplace.

“MEE's heuristic and behaviour-based analysis engine adds a powerful second layer of defence to today's corporate systems that more effectively safeguards sensitive corporate assets from the organized crime rings behind much of today's malware.”



PCI council issues best practice guidance for mobile apps

The Payment Card Industry Security Standards Council (PCI SSC) has released best practice guidance for mobile app developers and device manufacturers.

It said that the main focus of the guidelines is to provide direction on securing mobile device payment processes and the payment environment itself by educating developers in the emerging mobile app market.

Bob Russo, the general manager of the PCI SSC, told SC Magazine US that the new guidelines are particularly relevant today.

“I tell people that convenience trumps security all the time, and people are running quickly to use these new devices and technology, without even thinking about security,” Russo said.

“This guidance is actually for the developers of those devices. We are purposely being cautious. It's such a changing market; you'll put something out today and tomorrow people are using it.”

Key recommendations of the report include isolating sensitive functions and data in trusted environments, implementing secure coding best practices, and eliminating unnecessary third-party access and privilege escalation. Developing ways to remotely disable payment functions, in addition to creating tools for mobile apps to monitor and report suspicious activity, were also among the recommendations.

The guidelines focus on ways to prevent account data from being intercepted while sent or received on mobile devices or from being compromised while being processed or stored on them.

Troy Leach, the chief technology officer of the council, said that the most recent guidelines reinforce the council's standard payment security goals, while applying them to a mobile space.

“We have a brand new group of developers that aren't aware of their responsibility,” Leach said.

“They are designing good code, but don't know all it's being used for.”



Microsoft to patch Flash flaw in IE10

Microsoft has said that it will patch a Flash flaw in Internet Explorer ahead of the launch of Windows 8.

Originally, the company said that it would not patch the exploit in the forthcoming Internet Explorer 10 (IE 10) browser until after Windows 8 ships on October 26th.

In a statement sent to ZDNet, Yunsun Wee, director of Microsoft Trustworthy Computing, said: “In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers. This update will be available shortly.

“Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible.”

Originally Microsoft said that fixes issued for Flash in August were available for installation on Internet Explorer 9 and earlier versions in Windows 7, Windows Vista, and Windows XP SP3, but as IE10 incorporates its own version of Flash, this cannot be removed and can only be updated by Microsoft. Therefore the fixes would not be available for IE10 until Windows 8 is launched.



Yahoo! CEO Takes Personal Charge of Hiring

As she marked her first 60 days at Yahoo! last week, CEO Marissa Mayer made it clear that people will be the main focus of her efforts to turn one of the Web's most iconic brands around. No matter what kind of business you operate or how small it may be, people will always be at the heart of your success. Bringing in the right employees and building an effective team are important jobs for any business owner. Here are some thoughts on meeting the challenge.

A League of Their Own

Marissa takes charge. In an unusual move that industry insiders say has slowed down the process but is probably a necessary step, Mayer has reportedly taken charge of hiring at Yahoo! in recent weeks, and is now personally reading the resume of every serious contender to see that they meet her exacting standards. The idea, sources say, is to avoid under-performers in the ranks. BGR

More than a feeling. Since her arrival at Yahoo! in July, Mayer has sent clear signals that people, not technology, are the most important asset Yahoo! possesses. Signs of this commitment and a focus on placing the right people into the right positions has led to some high profile changes in the company's upper management, and new work requirements, offset by new perks for all employees. Silicon Republic

Battling burnout. The most important part of managing the perfect team, once assembled, is to keep members working and motivated so they don't burn out and jump ship. To do this, Mayer has developed a technique focused on helping employees, not by reducing their work loads, but by helping them find their rhythm instead. Business Insider

Now It's Your Turn

This is how we do it. Small business owners may believe they can't compete with huge companies like Yahoo! for the best talent. Not true, says one business coach, who insists that high salaries and prestige aren't all that attract great employees. Instead, perhaps you should think about hiring employees for their attitude instead of their skill level. You can train the team you need. Bernd Geropp

So happy together. Once you have a team together, the key is to keep members happy and working while building your company. As it turns out, there are a variety of ways to motivate your team, and big raises and bonuses aren't the only options open to you. Here are 11 other tips for keeping your employees motivated and moving your business forward. Business News Daily

Balancing act. One of the things employees most often list as important for job satisfaction is a good work/life balance. Depending on the kind of business you operate, providing an environment that allows your employees this kind of balance could go a long way toward creating loyalty and satisfaction in your team. The question is what work/life balance really means to them, and whether you, as an employer, can make it possible. B2B Bliss

House rules. Another way to improve employee satisfaction is by allowing workers more flexibility, for example, the ability to work remotely from time to time. Of course, working from home isn't always all it's cracked up to be. Here are some tips from one work-at-home dad that will make the experience more productive and beneficial for everyone. Productive Superdad



Let the Self Employed Deduct Health Insurance Premiums from Payroll Taxes

Suppose Congress passed a law exempting Americans from a tax on health insurance premiums as long as they worked for someone else, but required them to pay $1,800 if they were self-employed. Would you think it was fair?

Probably not, but that's in essence what happened when Congress failed to renew the Small Business Jobs and Credit Act of 2010. That law permitted the self-employed to deduct their health insurance premiums before figuring their Medicare and social security taxes in tax year 2010.

That was a one-time change from how the Internal Revenue Code of 1986 treats the deductibility of health insurance premiums. Under the code's special rules for the health insurance costs of self-employed individuals, the deduction of health insurance premiums is “not allowed for self-employment tax purposes.”

Given the average tax rates and health insurance premiums paid by self-employed individuals, the inability to deduct health insurance premiums from payroll taxes results in an additional $1,800 in taxes that the average self-employed person pays, the National Association for the Self-Employed argues.

That additional $1,800 in taxes violates the principle of fairness that most of us think is important in the tax code. Few people think that a house painter, for instance, should pay more for health insurance if he decides to paint houses on his own than if he paints the same houses as someone else's employee.

Representative Jim Gerlach, Republican from Pennsylvania, and Ronald Kind, Democrat from Wisconsin, have introduced a bill into Congress to fix this inequity. Their bill, American's Small Business Tax Relief Act of 2012 (H.R. 6102), would make permanent the deduction of health insurance premiums from payroll taxes. Unfortunately, Govtrack.us assesses it as having only a 3 percent chance of passage.

Between now and election day, every member of the House of Representatives will be actively campaigning for reelection. Many of them will sing the praises of small business and claim to be its biggest supporter on Capitol Hill. Perhaps 51 percent of them could take some time away from all that talking to get American's Small Business Tax Relief Act of 2012 through committee, onto the House floor, and voted in.

This may come as a surprise to those in Washington, but many self-employed Americans would prefer if their representatives in Congress passed laws to help them rather than try to outshout their opponents with their praise for small business.





How Mobile Marketing Trumps the Web

Deltina Hay, the author of The Bootstrapper's Guide to the Mobile Web and The Social Media Survival Guide and also a web developer, publisher, and entrepreneur, recently wrote an intriguing post for us, here at smallbiztechnology.com, titled “If you are not Mobile, You're Not Going Anywhere”.

If nothing else, that post is a sure “knock on the head” wake-up call for all businesses regardless of size, market, and geographic presence.

Why mobile? What's the big deal anyway?

Today, there isn't anything as ubiquitous as the mobile phone, all over the world. From an interesting infographic from Deltina's Bootstrapper's Guide itself, it's clear that there will be as many mobile devices as people in the entire world by 2015. Over 8 trillion SMS messages were sent in the year 2011. At least 48 million people who don't have electricity do have mobile phones, and the world now records in excess of 5.5 billion mobile device subscriptions.

How does this mean anything for marketing my business?

Brace yourself for the numbers: more than 788 million mobile-only Internet users are expected to surface by 2015. It's predicted that the estimated mobile ad revenue is at least $20.6 billion. Mobile users, much to the delight of any business, will spend $119 billion by the same year.  Further, mobile browsing (for the web) is going to surpass desktop browsing by 2015.  Clearly, there's a fundamental shift in an average Internet user's browsing habits and choice of devices.

It's time to develop a mobile-centric marketing strategy, don't you think?

Mobile websites and Apps: Taking engagement several notches higher

Mobile-based websites and mobile applications will take user engagement for businesses to a whole new level. While the number of mobile devices with enhanced mobile-based browsers will top 1.82 billion, about 40% of these users are addicted to mobile applications. 90% of all searches originating from a smartphone result in an action. More than 95% of smartphone users searched for local information. 88% of these users take immediate action, 79% of users depend on smartphones for shopping, and at least 77% of them contact businesses (either by calling, emailing, or visiting in person).

In a previous post on whether retailers should build their own apps, we pointed to research from mobithinking.com showing that more than 225,000 applications are being added to the marketplace, and each application is downloaded more than 20,000 times. Deltina's infographic reveals much more information about mobile apps: there were more than 31 billion mobile app downloads in 2011 (this number will shoot up to 66 billion by 2016). At least 2 thousand new apps are added to the marketplace every day.

Mobile marketing matures

Mobile marketing isn't just about mobile websites and apps, though. Plenty of other mobile-centric technologies are already being used by many businesses, such as SMS, QR codes, location-based marketing, NFC (Near Field Communication), and augmented reality. Mobile advertisements are already huge, with spectacular results that would pound traditional marketing to death: 82% of users notice and react to ads on mobile, while 71% of users search because of ads, and 74% of these users make a purchase.

For a business, “going mobile” is not a choice; it's a do-it-or-die proposition. What's your call going to be?
