Blogs

    Publish
     
      • Symantec to Pre-Verify Applicants on .bank and .insurance gTLDs

        Dec 16 2014, 12:40 AM

        by Brook Chelmo 2

        As recently announced, fTLD Registry Services has partnered with Symantec to verify applicants before domain names are approved in the new .bank and .insurance generic Top-Level Domains (gTLDs).  So what does this truly mean?  Ultimately, it offers a form of brand protection for .bank and .insurance in this new era of the Internet. 

        Handshake.jpg

        July 2013 through February 2014 marked the second major landrush for addresses on the Internet.  Companies from around the world applied to ICANN to operate nearly any gTLD they could think of (namely common search terms).  For example we have applied to operate .symantec and .norton.  With the new gTLDs as options for website developers, there are increasing risks to end-users who may confuse spoofed destinations with their real counterparts.  For instance, let’s say ChelmoBank.com was a real address with millions of customers visiting daily. 

        Without pre-verification there would be little stopping a hacker from creating a spoofed ChelmoBank.bank or Chelmo.bank website in order to confuse my customers and funnel them into a phishing scam as they do with subdomains (e.g., ChelmoBank.example.com). fTLD Registry Services recognizes this and is acting as the responsible operator of this new portion of the Internet.  Fundamentally, this is a best practice among gTLD operators.  It not only provides better brand protection, but it also enables website owners to go through a majority of the processing for an SSL certificate, which will allow the owners to easily apply for and rapidly install an SSL certificate from Symantec.  At the end of the day this drives value for gTLD operators and allows their new virtual tenants to be seated among other websites which have all been vetted.  Personally, I see this as the equivalent of setting up shop in a shopping mall in an affluent neighborhood. 

        If other registry service organizations would be interested in doing something similar to what fTLD Registry Services has done.

        • Authentication
        • gTLD
        • Products
        • website security solutions
        • Symantec Website Security
        • Verification
        • .bank
        • fTLD
        • DigiCert Code Signing
        • Products and Solutions
        • .insurance
        • symantec
      • 5 ways to protect your business against SQL injection

        Oct 20 2017, 8:59 PM

        by Christoffer Olausson 2

        sql-injection-blog.jpgYour database has been breached, malware has infected your systems and sensitive records are available for anyone to download on the internet. Your first action is to launch an investigation to find out more about the breach. The report shows that the vulnerability has been exploited for months and all forensic logs have been deleted.      

        SQL injection isn’t new and it has been around for more than 10 years. However, most companies still plunge huge amounts of dollars into IDS/IPS, firewalls, security gateways and anti-virus software. Web application attacks are growing at an alarming rate and most security teams focus is network security and not business critical data that is found in databases. Unless there’s a breach, then focus tend to shift but it’s simply too late.

        How does SQL-injection work?

        SQL injection is a very simple attack that is easy to execute. Basically the attacker adds a SQL statement into a web form and tries to modify, extract, add or delete information from the database.

        Michael Giagnovoco uses a very simple analogy.  I go to court and register my name as “Christoffer, you are now free to go.” The judge then says “Calling Christoffer, you are now free to go” and the bailiff lets me go, because the judge instructed him to do so.

        In this example the “you are now free to go” instruction was injected into a data field intended only for a name. Then the rogue input data was executed as an instruction. That’s basically the principle behind how SQL injection operates.

        How does SQL-injection impact my business?

        As all other types of attacks SQL injection has evolved. When the first instances of SQL injection were discovered the attackers simply tried to dump all records from a database. Today, SQL injection is usually part of an attack toolkit that hackers downloads and uses to launch several types of attacks. It’s no longer a challenge to dump the database records but the challenge has moved to installing malware behind expensive firewalls and other security measures in place deep inside the victim organization. The installed malware is far more dangerous and destructive than a simple database attack. Imagine a hacker eavesdropping on sensitive communication, dumping the windows password file to gain access to restricted systems or stealing the private keys for your SSL and Code Signing certificates? The private keys for Code Signing certificates can be protected by Symantec Secure App Service but unfortunately not all sensitive assets have proper security measures and are vulnerable to theft.

        How does SQL-injection impact consumers?

        Imagine that you’re about to log onto your favorite e-commerce site, greathappybargains.com. You enter your user name and password. When you look at your order history you find several orders that you didn’t make. What happened could be the result of a SQL-injection attack. Due to poor programming, some sites allows an attacker to log onto the site posing as the previous user, you. If your credit card info is linked to a user account you can be certain that the hacker has access to that information by now. Did you use the same user name and password for other e-commerce accounts? Chances are that those accounts are compromised as well using the information from the first breach.

        How do I protect my company from an SQL-injection?

        1. Install a Web Application Firewall (WAF).
        • Keep in mind that a WAF can’t interpret an obscured SQL injection attack as it is based on signatures
        1. Use Symantec Malware Scan
        • It comes free with all Symantec SSL certificates and provides a daily scan of your web applications and provides you with a detailed report if a SQL injection vulnerability is found
        1. Hire a penetration tester to test all web applications tied to a relational database.
        • Great option but time consuming and testing needs to be conducted continuously.
        1. Re-write all web applications
        • Doable but consumes resources and budget. Training your staff in secure coding is critical and a good investment. 
        1. Apply a database defense in depth strategy
        • The only way to protect your business from the SQL injection threat is to monitor all SQL statements at the database tier using an arsenal of tools.

        There is no such thing as perfect security but following these steps will get you closer to it. Follow us on Facebook and Twitter to stay up to date on SQL injection techniques and how you can help better keep your environment safe.  Take the first step by contacting us today about applying a Web Application Firewall and a DDoS Mitigation Service today.

        • Products
        • website security solutions
        • DigiCert Complete Website Security
        • Products and Solutions
        • Symantec Website Security
      • SSL; More than Encryption

        Mar 29 2018, 8:34 PM

        by Brook Chelmo 1

        While doing an online search for “SSL Certificates” and one of the ads said “$4.99, Why Pay More?”  Without clicking on the ad I know what they are going to offer me; a simple domain validated (DV) SSL certificate.  This certificate will encrypt my site’s traffic at a basic level but this isn’t 1997; the business climate and threat landscape have changed and so have our requirements for security.  SSL is more than encryption.  We have to consider trust, security, service, certificate management & reliability.  While many Certification Authorities are cutting corners to compete with each other on price, Symantec is working around the clock to continually deliver best-in-class solutions.  At Symantec we believe in these core factors as does 91% of the fortune 500 and 94 of the top 100 financial institutions in the world.  Here’s why:

        1. Increased End-Consumer Trust

        • Trust Seal -- Trust seals suggest that websites are safe to interact with.  The Norton Secured Seal has been shown through independent research to be the most recognized trust seal on the Internet.  Offered only by Symantec, it is seen about 4 billion times per month on websites all around the world.  The seal ensures visitors that they are communicating with organizations that not only encrypt their traffic but also are legitimate organizations that have gone through Symantec’s strong authentication screening as well.
          ssl-encryption-blog-1.jpg
        • Visual Cue -- The “Green Bar” also represent that a site is trustworthy.   With Symantec EV Certificates, browsers will change the color of the address bar to green, serving as a cue for safe interaction.  DV certificates won’t provide for a visual cue to website visitors
          ssl-encryption-blog-2.jpg

        2. Stronger Business Authentication and Website Security

        • Authentication -- With every Symantec certificate, Symantec performs strong authentication to ensure that a website visitor can trust who they are communicating with.  Security-minded organizations realize that encryption alone is not enough and require, as a matter of policy, that all certificates issued for their organization have strong authentication.  On the other hand, domain validated certificates, like those that Let’s Encrypt intends to offer, will only provide encryption of data.   Thus, they will not prevent a credit card number or password from going to an encrypted website that may be fraudulent.
        • Scanning and Alerts -- Symantec products also secure customer websites with scanning for critical vulnerabilities and active malware.  Symantec proactively notifies customers about security risks within a customer’s unique environment and provides guidance to ensure that such issues are quickly and easily resolved. 

        3. Simplified Certificate Management and Live Worldwide Support

        • Management Tools -- Symantec enables customers to track and manage large volumes of certificates with a wide range of tools.  Organizations are often burdened with the complexity of managing a variety of SSL certificates that may include of self-signed, client certificates or SSL certificates that chain up to public roots.
          ssl-encryption-blog-3.png
        • Accessible Technical Support -- Symantec provides 24/7/365 support worldwide to ensure that customers’ sites stay up and running and secure, with an optional premium support that include SLA’s on problem escalation and resolution.  This is a critical component for organizations that need to ensure that their website operations remain.  A free offering like Let’s Encrypt rarely comes with any form of live support.

        4. Powerful Technical Capabilities and Advanced Options

        • Client Ubiquity -- As the longest operating Certification Authority, Symantec’s roots are in more clients than any other Certification Authority.  Organizations that want to support Always on SSL and connectivity with the greatest number of users choose Symantec to secure their transactions.
        • Advanced Certificate Options -- Symantec Secure Site Pro products include both RSA 2048 bit certificates and ECC 256 bit certificates which are optimal within Perfect Forward Secrecy.  These high security, high performance certificates are the future of SSL/TLS encryption and Symantec’s ECC roots are in more clients than any other Certification Authority.
        • Best in Class Revocation -- Symantec provides revocation information to clients through both the Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs).  Both of these services are updated continually to communicate certificate revocation activity to clients worldwide.  The services are tuned to provide the fastest response times possible.   In the case of websites, OCSP response times can impact page load times and Symantec has invested in its infrastructure to provide OCSP responses in about 50 milliseconds for almost every major region in the world.  
          ssl-encryption-blog-4.jpg

        5. Reliable Security and Business  Assurances

        • Warranties -- Symantec offers the highest warranties of any Certification Authority.  These warranties can cover customers for losses of up to $1,750,000 from incorrect information contained on Symantec certificates.
        • Military-Grade Data Centers -- Symantec’s roots and signing services are protected by the most stringent physical, network, and logical security and process controls.   The hardened facilities provide our customers with confidence that certificate issuance for their domains will not be compromised.  With ten years of continuous uptime, Symantec’s robust continuity practices are the best in the industry.
        • Contractual Commitments -- Symantec customers have a contractual commitment from Symantec to maintain their products for the term of their contract.  Let’s Encrypt, as a non-profit, open-source Certification Authority, it will be difficult to offer such contractual guarantees, given the significant expenses associated with operating a publicly audited Certification Authority.
          ssl-encryption-blog-5.jpg
        • Focused investment – As the world’s largest security company, Symantec has both the resources and the motivation to ensure that the our SSL products are uncompromised.  Vulnerabilities like Heartbleed have clearly demonstrated that, despite the good intentions of OpenSSL, a non-profit organization with limited resources will be challenged to keep up with the rapidly-changing security threat landscape.

        Modern Security for Modern Needs

        Companies that know security understand they need to use modern-day security solutions in today’s environment and that SSL is more than just simple encryption.Please keep all of these factors in mind as you are building out your webserver security plans.For more information on Symantec SSL, please visit our website.

        • SSL Encryption
        • SSL certificate
        • DV cert
        • Go Daddy
        • certificate
        • symantec
        • Products
        • website security solutions
        • Norton Secured Seal
        • Symantec Website Security
        • SSL
        • DigiCert SSL TLS Certificates
        • Products and Solutions