• Let’ not Talk About PHI for a Moment, let’s Talk about Intellectual Property

        Aug 30 2014, 3:03 PM

        by Axel Wirth 0

        Why this post?

        Over the past few months we have seen a number of reports on breaches of healthcare organizations and medical device manufacturers where the suspected or documented target was intellectual property data related to medical devices.  Some of these recent cases have received wide press coverage.

        As a result, the FBI has issued a warning to US healthcare companies that they may be the target of further cyberattacks (FBI warns healthcare firms they are targeted by hackers). The document indicated that several companies in the sector had been targeted and intellectual property, rather than personal data or PHI, may be the main target of the attacks.

        "These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data" (FBI)

        It is suspected that nation states and/or well-organized cybercrime organizations are behind these highly sophisticated and well-executed attacks. This is in line with a trend cybersecurity experts have been observing for a number of years – the trend towards politically and financially motivated attacks executed with unprecedented degree of stealth, determination, and precision.

        In other words, cybersecurity is not what it used to be. Not by a long shot.

        What it means for the Healthcare Industry

        The healthcare industry has traditionally underinvested in security, yet at the same time we have seen breaches and attacks increase. Hackers focus on healthcare institutions because they are perceived as the easier target compared to other industries. We have seen focus on patient demographic information (i.e. identities), personal identifiers (social security, insurance, or medical record numbers), and medical data (PHI).

        We have seen data being stolen for the purpose of financial or medical identity theft, insurance fraud, sale of information on the underground marketplace, blackmailing of patients, financial gain, and ransoming of healthcare providers. And now we can add to that list corporate espionage and intellectual property theft.

        The recent attacks and breaches highlight the risk of companies in the medial device, biotech, and pharmaceutical industries, as well as their medical research and clinical trial partners – i.e. the hospitals and clinicians they are cooperating with. This does move the discussion to another, higher and very concerning level.

        The security industry has, for the past years, developed the concept of “Defense in Depth” … meaning that security as a point solution is no longer good enough. Not only do we need security across all layers, those security layers need to be integrated to allow reliable detection, coordinated defense, and efficient response.

        As cyber criminals are getting better, we need to up our game, too. Unfortunately, the bad guys need to be right only once, we need to be right every time. Hence, we have developed concepts of layered security, defense in depth, edge to endpoint, and lastly the importance of selecting the right security partner.

        Symantec can help you to protect your infrastructure and information on all levels through:

        • Endpoint Security: Symantec Endpoint Protection, Mobile Security Solutions, and specific solutions for mission critical systems (e.g. servers hosting clinical research and other intellectual property data) or difficult to protect and patch systems (e.g. COTS-based medical devices).
        • Data Loss Prevention: to understand data location, data access and usage so to allow for the appropriate protection of such data.
        • Encryption: to protect critical information on endpoints, fileshares, in email, or data being transmitted.
        • Altiris IT Infrastructure Management: to discover IT assets, assess IT compliance, identify vulnerable systems, and manage configuration, patching, and upgrades.
        • Validation and ID Protection Services: to enable strong (two factor) authentication and reduce the risk external access channels being exploited.
        • Symantec Web Gateway: Backed by Symantec Global Intelligence Network, it provides multiple layers of malware protection and URL filtering, securing web access and detecting malware related traffic.
        • Symantec Mail Gateway or Hosted Email Services: to block email-based malware or spam and reduce the risk of phishing attacks.
        • Security advisory, implementation, assessment and consultancy services.
        • Security Education: to make sure your employees understands today’s security threats and their obligation to prevent e.g. spear-phishing attacks.
        • Managed Security Services: Defend against today’s sophisticated cyber threats, accelerate detection, and optimize response to relevant security events.

        Large breaches can be costly and result in fines, remediation costs, class action lawsuits, loss of reputation and trust, and can affect your business and market opportunity if intellectual property is affected.

        As a security professional, that makes me wonder if not paying attention to what is happening in cybersecurity today, not understanding the changing threat landscape, and not being prepared for modern threats could be considered 'willful neglect'?


        Traditionally, lost or stolen equipment (laptops, thumb drives, backup tapes) were the biggest breach risk in healthcare, and looking at some of the breach statistics, we are still struggling to prevent. Yet, in reality, the bad guys are stepping up their game rapidly and healthcare is now in the crosshair, leading to a growing gap between threats and the industry's security capabilities.

        The paradigm is shifting and we need to be ready to deal with these new risks now, not at some point in the future. In a recent interview, John Halamka, CIO Beth Israel Deaconess Medical Center, stated that: “to guard against hackers, health care CIOs are investing in security like never before.”

        We have to - the gap is getting bigger as I am writing this.

        For a further discussion on healthcare breaches, see also Kevin Haley's blog post here: Responding to Data Breaches in the Healthcare Industry

        • Drive Encryption Powered by PGP Technology
        • Gateway Email Encryption
        • Desktop Email Encryption
        • Endpoint Encryption
        • HIPAA
        • 12.x
        • Control Compliance Suite
        • Critical System Protection
        • Endpoint Encryption - Removable Storage Edition
        • DeepSight™ Technical Intelligence
        • File Share Encryption
        • Symantec Enterprise Security
        • Thought Leadership
        • Mobile Email Encryption
        • Data Center Security
        • Email
        • Endpoint Encryption - Device Control
        • intellectual property
        • Identity and Authentication Services
        • Digital IDs for Secure Email
        • Data Loss Prevention
        • PHI
        • Messaging Gateway
        • Web
        • Encryption Management Server Powered by PGP Technology
        • breaches
        • Managed PKI for SSL
        • Key Management Server (Key Management)
        • Endpoint Encryption Management Server
        • Symantec Protection Suites (SPS)
        • Healthcare Online User Group
        • Managed Security Services
        • Web Gateway
        • Products
        • PGP Command Line
        • ECA Certificates
        • Enterprise Security Manager
        • Healthcare
        • Endpoint Encryption - Full Disk Edition
        • Device Certificate Service
        • VIP (Validation ID Protection)
        • Endpoint Protection
      • Better Website Security and Google Search Rankings for SMB’s with Always On SSL.

        Aug 26 2014, 7:53 PM

        by Charla Bunton-Johnson 0

        Websites using https boosted in google rankings

        Often considered the backbone of global business, SMBs are a unique mix of entrepreneurial drive, daring ingenuity and highly customer-centric practices.

        SMBs need to compete in the virtual marketplace with players of all sizes, where square footage doesn’t matter; they are forever seeking ways to stay competitive. One arena where they have a greater chance to level the playing field is in the virtual marketplace.  They have more opportunities to take advantage of a variety of digital platforms, from Web-based businesses and social media outlets to SEO to mobile devices, all for a faster time to market. The Internet allows SMBs to use their limited budgets in ways that they can impress customers and help their brand become more relevant and recognized—even amidst enterprises with extensive budgets and brand

        What can SMBs do to stay competitive and maneuver quickly in the digital world, without compromising data security or breaking their wallet?  The answer is “Always On SSL” from Symantec, also known as HTTPS everywhere. It’s ideal for SMBs working online, and supported by major digital players like Google, PayPal, Facebook, Twitter and Microsoft. Keep reading to learn how this powerful form of SSL will completely secure your data in transit and help improve search result rankings.

        Download the Infographics today!


        Imagine locking the front door to your home but leaving the back door wide open. That is essentially what happens when websites use common HTTP SSL, otherwise known as “Intermittent SSL”, to protect only certain pages, like logins and transactions. Some companies think they are protected against data theft and hacking by only applying "Intermittent SSL” to one or two areas of their site but they are really leaving the rest of their site completely exposed and vulnerable to attacks such as Sidejacking.

        How can you protect every page of your website, and keep your customers safe? With Always On SSL from Symantec.


        As a member of the Online Trust Alliance and CAB Forum, Symantec has always advocated Always On SSL, which means that each and every page on a website has an HTTPS:// (i.e. SSL certificate), and not just the login and transaction pages. Moving from an "http” site to a fully “https” secure site is the only way to 100% ensure that every interaction with every page of your website is completely encrypted—from the moment a visitor arrives to the moment they leave. Protecting login and transaction areas alone doesn’t prevent hackers from stealing the cookies that store a user’s session. If those cookies are stolen, attackers can use them to recreate a website session and gain access to all kinds of sensitive data—over and over again. Slidejacking (using Firesheep) and SSL Strip are common types of attacks that prey on vulnerable sites with limited security. In the end, unprotected pages and their associated cookies negate any effort and expense put toward protecting login and transaction areas with Intermittent SSL.

        SSL secure sites get ranking boost


        To put end-to-end data protection in financial perspective, in the US alone, in 2012, almost 35,000 data breaches occurred—with over 100,000 data breaches worldwide. It cost US businesses $5.4 million to find the causes of these breaches, including direct expenses like data forensic experts and hotline support for free credit monitoring and indirect expenses like in-house investigations and communications and lost customers.* Malicious or criminal attacks were the main causes of data breaches, and they could have been reduced, prevented and even anticipated with Always On SSL. 

        * 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute


        One major endorsement of Always On SSL –specifically end-to-end HTTPS encryption—came from Google on August 6th, 2014 via its Online Security blog. The plan is to give more weight—or better search ranking results—to sites that are fully HTTPS encrypted. And the reason is pretty simple, according to Google Webmaster trends analysts Zineb Ait Bahajji and Gary Illyes. “We’d like to encourage all web site owners to switch from HTTP to HTTPS to keep everyone safe on the web. A big part of that is making sure that web sites people access from Google are secure.” Their message couldn’t have been clearer: “We hope to see more web sites using HTTPS in the future.”  It’s about encouraging sites to change the way they protect themselves for the better—and to fully protect data in transit all over the web. You can see a full Google presentation on the importance and implications of HTTPS here.


        Protecting your site with HTTPS can help SMBs compete better in the virtual marketplace by:

        • Improving brand recognition in Google rankings—especially against larger companies who may not have embraced HTTPS. At the very least, SMBs can benefit from a level playing field by adopting HTTPS.

        • Making the most of better search results, Symantec’s Seal-in-Search™ can lead to a higher click-through rate by displaying the Norton™ Secured Seal—the most recognized trust mark on the Internet—right in the search result.

        • Strengthening brand and reputation by showcasing your commitment to online security.

        • Increasing transactions and conversion rates.

        • Protecting the entire user experience and all data in transit—not just at login or during a transaction.

        • Using Extended Validation for the highest visible display of trust.

        Symantec has a variety of proven Right for Me SSL solutions from our multi-brand portfolio. We can help any kind of business choose the “Always On SSL” solution that best meets your needs—from a single SSL cert to Wildcard and SAN certificates to Extended Validation certificates, which displays the green bar. All of our certificates feature the highest level of encryption, protecting data in transit such as identities, cookies and financial information.


        For years Always On SSL has been advocated by industry leaders, including Microsoft, PayPal, Facebook and Twitter. Together with Symantec, they are part of the Online Trust Alliance (OTA), whose mission is to enhance online trust and empower users, while promoting innovation and the vitality of the Internet. “It is incumbent on all of us to work together to implement web security best practices to protect consumers from harm,” according to the OTA’s white paper. “The general state of online security throughout the industry has reached a tipping point, and websites must change in order to preserve end-to-end trust and consumer confidence. One of the most important benefits of Always On SSL is customer reassurance.


        Here are some steps you can take to ensure end-to-end protection with “Always On” HTTPS:

        1. Enforce Persistent HTTPS on Every Web Page

        Secure clients’ personal information, identities, and cookies by having https enabled for every web page. Learn more here.

        2. Ensure Correct Implementation of Your SSL Certificates

        To enable HTTPS, you should use a valid SSL/TLS certificate from a trusted certificate authority (CA) like Symantec, telling your customers that the domain’s identity has been verified and authenticated by a trusted source.   Learn more here.

        3. Set the Secure Flag for All Session Cookies

        A session cookie can be set with an optional “secure” flag, which tells the browser to contact the origin server using only HTTPS whenever it sends back a cookie. This will also enable reliable, proactive HTTPS protection and reporting.

        4. Enhance Security and Trust with Extended Validation Certificates

        To reassure customers of a website’s value and security, use an Extended Validation (EV) SSL certificate from Symantec. The green address bar provides an organization’s name right in the cert and visually makes customers feel more secure of a website operator's identity reassuring your clientele they are safe to proceed on your website.

        For more insight, try these articles:

        Google Rewards Secure Websites with Higher Search Ranking (Blog)

        Google smiles on safer connections (Internet Retailer August 8, 2014)

        Understanding Always On SSL and SEO (Symantec | Connect January 2014)

        • Products
        • website security solutions
        • DigiCert Code Signing
        • Products and Solutions
        • Symantec Website Security
      • Types of SSL certificates – choose the right one

        Oct 20 2017, 8:20 PM

        by Robert Lin 0


        From the server administrators of highly technological organizations, to product managers of financial institutions, down to the one man startup companies that just want to secure their shopping cart, at one stage or another, the same question pops-up: “They all do the same thing, what should we get?”

        Fundamentally all SSL certificates do the same thing, encrypt information during SSL/TLS negotiations. Correctly installed and configured, both https:// and the padlock will show.

        However picture this:

        You want to buy smart phone online. You see three sellers offering the phone at different prices:

        US$250 – Zero star rating – no comments

        US$375 – Three star rating - with 50% of comments such as “it arrived late”, “It was scratched” and other 50% of the comments, “ok service” and “arrived on time”.

        US$400 – Five star rating – with only good comments: “excellent service” and “fast and reliable”.

        Which seller will be most likely to deliver the goods to you on time? The one offering $400?

        Why? The comments from previous buyers formed a conscious or sub-conscious decision in your mind. The decision is based on “Trust”. They have been authenticated by real people.

        Anyone that purchased from the first two sellers most likely would base their decision on both price and luck (“Maybe I would not be unlucky”).

        Here’s another scenario: A hooded man walks out from a dark alley and offer you a brand new IPhone 6, still in its box for US $50.

        Do you feel lucky today?

        Owning a Certificate

        Before requesting a certificate, most security administrators would have done their analysis homework. Is it for internal or public use? What is the user base and their method of use? What operating system and server software are involved? What systems will be impacted? What are the security policy requirements?

        Beyond the technical specifications often a key question is neglected, the question of User Trust. Owning an SSL certificate it is not only about the functionality, or the key size, but rather as the Thawte motto goes, “It’s a trust thing”.

        Today there are three types of certificates that offer 3 levels of user trust for SSL/TLS negotiations: Domain Validated certificates (DV), Organization Validated certificate (OV) and Extended Validation certificates (EV).

        Domain Validated Certificate

        Domain Validated certificates are certificates that are checked against domain registry. There is no identifying organizational information for these certificates and thus should never be used for commercial purposes. It is the cheapest type of certificate to get, but this is a high risk certificate use on a public website. It is comparable to the “hooded man” or the zero star rating sellers. Visitors to a website with DV certificates cannot validate, via the certificate, if the business on the site is legitimate and thus often DO NOT trust this type of certificate. It is recommended using these types of certificates where security is not a concern, such as protected internal systems.

        This is an example of a DV certificate via Internet Explorer:


        Details of the certificate subject: CN =

        Organization Validated Certificate

        Organizational certificates are Trusted. Organizations are strictly authenticated by real agents against business registry databases hosted by governments. Documents may exchange and personnel may be contacted during validation to prove the right of use. OV certificates therefore contain legitimate business information. This is the standard type of certificate required on a commercial or public facing website. OV certificates conform to the X.509 RFC standards and thus contain all the necessary information to validate the organization.

        Details of the certificate via Firefox:



        Details of the certificate: CN =, O = Company Name, OU = Information Technology, L = San Diego, S = California, C = US

        Extended Validation Certificate

        Nothing provides more trust and security than Symantec Extended Validation Certificates. It is used by most of the world’s leading organizations. They have found that switching from OV to EV certificates increases online transactions and improve customer confidence.  It is no longer a luxury but a necessity.  

        “An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a Certificate Authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce ‘domain validation only’ SSL certificates for which minimal verification is performed of the details in the certificate.

        Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites.” – Wikipedia.

        EV certificates reinstate the trust users have for a secured web site. The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation and provide a vetting process that is much stricter than that for OV certificates.  Apart from improving trust and confidence via the strictest authentication process, EV certificates triggers a visible Green Bar on modern browsers to distinguish the secured site apart from others. The combination of Symantec’s world trusted strict validation procedures, the Symantec/Norton Seal and the Green Bar provides the highest degree of trust amongst consumers. It is extremely difficult to impersonate or phish an EV enabled site as even if web content can be duplicated, the Green Bar cannot be triggered without a trusted EV certificate.

        Browsers that support EV Green Bar:

        Google Chrome, Internet Explorer 7.0+, Firefox 3+, Safari 3.2+, Opera 9.5+

        Immediately when accessing a secured EV enabled site with one of the above browsers, the following can be seen:


        (EV Green Bar cannot not be triggered by DV or OV certificates)

        Detailed certificate information:

        Visitors viewing details of the certificate will find more information about the organization than a DV or OV certificate:


        Symantec Certificate policy required for the Green Bar:

        [1]Certificate Policy:

             Policy Identifier=2.16.840.1.113733.

        Consumer Awareness

        EV is good. It does work. Have a look at some of the success stories clients have at Symantec EV Success. The discoveries of vulnerabilities and increase in organized cyber-attacks in the recent years have made consumers more and more aware of security and SSL. More and more consumers look for the Green Bar and the Symantec Seal when doing online transactions. Extended Validation goes beyond security. It has become the baseline for any reputable site that care about security, brand and their clients.

        EV makes a difference. It has proven advantages over sites that do not have EV. Not all organizations are feasible to receive an EV certificate. However sites that switched from standard OV to EV have experienced 5 – 28% increases in web traffic and sales volumes. Commercial web sites cannot settle for anything less than EV status if they wish to stay competitive.

        What certificate to choose?  Go Green. Green is good.

        • Products
        • website security solutions
        • DigiCert Complete Website Security
        • Products and Solutions
        • Symantec Website Security