Protect your Business Reputation: Implement Always-On SSL

Apr 27 2016, 11:59 PM

by Neel Majumdar

No one can escape the challenges of keeping up with a perpetually evolving cyber security environment, and no business can any longer write off fraud as something that only happens to others. In December 2014 research by TeleSign and RSA, just 11% of US companies said they hadn’t experienced any fraudulent incidents on their ecommerce sites in the past 12 months. (Source: cyber security study conducted by J. Gold and Associates, Feb 2, 2015.)

        Fraud victims can wave bye-bye to hard-earned bucks. More than one-third of businesses reported losing between 1% and 5% of revenues due to online fraud in the past year. Online businesses don’t just risk losing dollars, though—they can also see the departure of many customers.

Of course, “fraudulent activity” comprises many risks, and further research highlights the wide range of issues online and mobile retailers must work against. Malware was the biggest issue, on PCs and web browsers as well as mobile devices. E-wallet fraud and app-related risks followed, with account takeovers and password guessing behind them. If online businesses don’t better protect themselves from fraudulent activity, not only will they continue to fall victim to such incidents, they risk losing more money and customers as malware, hackers and the like become more advanced.

        I know, it’s easy to read this article and feel overwhelmed, but understand that half of the website security battle is knowledge and learning. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.

A company that is serious about protecting its customers and its business reputation should implement Always-On SSL with SSL certificates from a trusted Certificate Authority. You can find out all about Always-On SSL here. Google now favours websites that implement HTTPS across their entire site. Keep your visitors safe with Always-On SSL and Google will reward you with an SEO ranking boost.

As if that were not enough, many browsers now trigger security warnings when a user is hopping between secured and unsecured connections. Ensure your customers experience your website as intended with Always-On SSL. SSL and website security are now in the public consciousness, and if you’re not doing your part you could find yourself being publicly shamed on HTTP Shaming, a site set up by software engineer Tony Webster.
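The two concrete properties behind "Always-On SSL" in the paragraphs above are that every plain-HTTP request lands on HTTPS (with HSTS so the browser stops trying HTTP) and that no HTTPS page loads a subresource over http://, which is what produces the mixed-connection warnings just mentioned. The checker below is an added example written for this page, not code from Symantec or from the original post; it runs offline against constructed response dicts (the host names, header values and HTML are made up), and the list of attributes it treats as subresources is an assumption.

```python
"""Offline checker for the two things Always-On SSL asks of a site: plain-HTTP
requests are redirected to HTTPS and the HTTPS pages carry HSTS, and no HTTPS
page pulls a subresource over http://, which is what triggers the browser
mixed-content warnings. The responses here are constructed dicts, not captures."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ONE_YEAR = 365 * 24 * 3600

# Tag/attribute pairs that fetch from or submit to a URL. A plain <a href> is
# navigation, not mixed content, so it is deliberately excluded. (Assumed list.)
_SUBRESOURCE_ATTRS = {"src", "action", "data", "poster"}
_LINK_TAGS_WITH_HREF = {"link"}


class _MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []  # (tag, attribute, url) for every http:// reference

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in _SUBRESOURCE_ATTRS or (name == "href" and tag in _LINK_TAGS_WITH_HREF):
                if urlsplit(value.strip()).scheme.lower() == "http":
                    self.insecure.append((tag, name, value.strip()))


def find_mixed_content(html):
    """Return every http:// subresource reference in an HTML document, in order."""
    scanner = _MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure


def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, includeSubDomains, preload);
    return None if max-age is malformed."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def assess_always_on_ssl(http_response, https_response):
    """Return finding codes for a site; an empty list means it passes.
    Each response is {"status": int, "headers": dict, "body": str}."""
    findings = []
    # 1. Plain HTTP must permanently redirect to an https:// URL.
    location = _header(http_response["headers"], "Location") or ""
    if http_response["status"] not in (301, 308) or urlsplit(location).scheme.lower() != "https":
        findings.append("http_not_redirected_to_https")
    # 2. HTTPS responses should pin the browser to HTTPS for at least a year.
    hsts = _header(https_response["headers"], "Strict-Transport-Security")
    if hsts is None:
        findings.append("hsts_missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None or parsed[0] is None:
            findings.append("hsts_invalid")
        elif parsed[0] < ONE_YEAR:
            findings.append("hsts_max_age_short")
    # 3. Nothing on an HTTPS page may be fetched or submitted over http://.
    for tag, attr, url in find_mixed_content(https_response["body"]):
        findings.append(f"mixed_content:{tag}[{attr}]={url}")
    return findings


# Constructed sample responses for a fictional shop.example (not real captures).
SAMPLE_HTTP = {"status": 301, "headers": {"Location": "https://shop.example/"}, "body": ""}
SAMPLE_HTTPS = {
    "status": 200,
    "headers": {"Strict-Transport-Security": "max-age=2592000"},  # only 30 days
    "body": """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/tracker.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<a href="http://partner.example/">partner site</a>
<form action="http://shop.example/checkout"><input name="q"></form>
</body></html>""",
}

if __name__ == "__main__":
    for finding in assess_always_on_ssl(SAMPLE_HTTP, SAMPLE_HTTPS):
        print(finding)
```

On the sample, the redirect passes, the HSTS max-age is flagged as too short, and two mixed-content findings come back: the http:// script (active content) and the http:// form action; the protocol-relative image and the ordinary link to a partner site are correctly left alone. Running it against a live site would mean fetching the two responses first; that fetching is left out so the logic stays testable offline.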

When it comes to businesses and their websites, good security processes and implementation are all that stand in the way of total ruin, financial and reputational.

        So make sure you’re secure in 2016 with Symantec

Results of Our Investigation

Mar 29 2018, 8:23 PM

by Roxane Divol

        Investigating and remediating the test certificate mis-issuance incident has been a top priority for Symantec, and my team specifically. We have completed our investigation and have confirmed that the certificate mis-issuance was limited to certificates issued for internal Symantec testing purposes. Our investigation uncovered no evidence of malicious intent, nor harm to anyone. No customer or partner action is needed.

        As we previously disclosed, Symantec learned in September 2015 that it had generated a number of internal test certificates in a manner not fully consistent with its policies. These included certificates to unregistered domains and domains for which Symantec did not have authorization from the domain owner. We immediately commenced an investigation to identify and revoke mis-issued certificates. We also sought to determine and remediate the root causes of the mis-issuances and to confirm that no harm had resulted from the incident.

Our now completed investigation has confirmed that each of the mis-issued certificates we have identified was issued solely for internal Symantec testing purposes. Each of these test certificates has been revoked or expired and we have contacted the relevant domain owners. Further, we have and will continue to work with the browser community to blacklist these test certificates where they deem appropriate.

        Since this issue first arose, Symantec has implemented changes to our test certificate policies, processes, and controls designed to prevent this from happening again, and we will continue to further evaluate and strengthen those policies, procedures, and controls. We remain fully committed to the continued trust of our roots across browsers and enhancing the security of the global certificate infrastructure. In support of this commitment, as we announced on February 12, 2016, we have already implemented extensive support for Certificate Transparency.

        We have sought to proactively implement the important lessons learned from this experience as we now return our attention to an innovative and exciting year for Website Security.

        Additional information, including the list of mis-issued test certificates that we have identified, is available here.

A Guide to Multi-Factor Authentication

Oct 20 2017, 8:50 PM

by Darla Scott

        Today, computers and smart devices are inexpensive enough that we can own many of them: smart phones, laptops, tablets, and even wearable micro devices. Our work and private lives demand portability. This, along with a trend towards moving enterprise servers into the cloud, makes secure user authentication even more imperative…and tricky. That brings us to multi-factor authentication (MFA), what it means, and how it is achieved.

        What Is Multi-Factor Authentication?

        The goal of multi-factor authentication is to create a layered defense of two or more independent credentials: what you know (password), what you have (security token), and what you are (biometric verification). Requiring multiple factors to authenticate a user makes it more difficult for an unauthorized person to gain access to computers, mobile devices, physical locations, networks, or databases; each successive layer should help protect where other layers may be weak.

        Multi-factor authentication is becoming more common, particularly in the financial industry, and is advancing to include retina and fingerprint scanning, voice recognition, and even facial recognition.


        How Does Multi-Factor Authentication Add Security Benefits?

        If only it were possible to develop a single method of authentication that was 100 percent accurate and could not be hacked—we wouldn’t need multi-factor authentication. But passwords can be seen, overheard, guessed, or bypassed; a token can be lost or stolen; and an identical twin or using a photograph may even work to fool biological recognition systems. This is why multi-factor authentication is currently very important to account security.

        The concept of security using multi-factor authentication is that, while there may be a weakness in one authentication factor—say, a stolen password or PIN—the strength of a second or third factor would compensate to provide proper authorization for access.

        What Multi-Factor Authentication Options Are Available for Mobile Devices?

        One-time passwords

Applications are available that generate one-time passwords in the same way that security tokens have operated in the past. Alternatively, the one-time password is generated and sent to the mobile device using a time-based SMS.

        Using a smartphone or tablet eliminates the need for a user to keep track of a token, and companies incur less cost replacing lost tokens, activating tokens for new employees, or deactivating tokens when an employee leaves.

        Biometric authentication

Top smartphone manufacturers understand that security is a growing customer concern, and have also started offering biometric authentication to ensure that only the authorized user can access the device. Each of these techniques has advantages and disadvantages.

Biometric Verification

Technique | Advantage | Disadvantage
Fingerprint authentication | Individuals have unique fingerprints | Requires integration with network access software
Voice recognition | No extra hardware is necessary | Not effective in settings where the user must remain quiet, or with excessive background noise
Facial recognition or retinal scanning | No extra hardware is necessary (when the device is equipped with a camera) | Not effective in low light, and possible to defeat authentication with a photograph

        How Is Multi-Factor Authentication Implemented in the Cloud?

        As data, communication, training, storage, server infrastructure and more are migrated to the cloud, IT admins must deal with the risks of moving beyond the more traditional on-premises server location. Multifactor, random authentication for user access is essential to protect data in the cloud.

        Microsoft, Google, Amazon Web Services, Facebook, and Twitter—among others—all offer two-factor authentication for access to their cloud services, and some are extending to multi-factor authentication strategies.

        Multi-factor authentication for Office 365

        Office 365 requires a password to access applications on PCs, Macs, and mobile devices. The Office 365 admin tool automatically issues a random, 16-character token for users to sign in. When signed in, users are prompted to set up additional authentication.

        • Call My Mobile Phone: When the users receive the confirmation call, they press # in the phone's dial pad to log in.
        • Call My Office Phone: This works like Call My Mobile Phone, but the confirmation call is sent to a separate line, such as a desk phone.
        • Text Code to My Mobile Phone: A code is sent via SMS text message to the user’s phone, to be entered into the Office 365 login form.
        • Notify Me through App: The user can use a Microsoft smartphone app to receive and confirm the notification; the app is available for Windows Phone, iPhone, and Android.
        • Show One-Time Code in App: This uses the same app as for the Notify Me through App option, but sends a one-time, six-digit code that must be entered in the Office 365 login screen.

        Multi-factor authentication for Office 365 using Microsoft Azure Active Directory

        Office 365 with Microsoft Azure Active Directory is an enterprise-level solution that requires users to correctly enter a password, and then acknowledge a phone call, text message, or an app notification on their smartphone to authenticate and sign in.


        What Is the Best Way to Implement Multi-Factor Authentication?

Using and supporting multi-factor tools requires that IT organizations coordinate and configure the enterprise infrastructure to get protected logins working properly. Most tools include various software agents that can protect VPNs, SharePoint servers, Outlook Web App, and database servers. As more traditional hardware-based onsite servers move into the cloud, most multi-factor solution vendors offer cloud and on-premises options. Customers are choosing offsite deployments more and more because of the support and management flexibility the cloud offers.

        It’s important to evaluate multi-factor authentication products carefully to determine how each one differs subtly with regard to the desired deployment. Not every vendor can handle all scenarios equally well, and this is often a prime factor in product selection. Here are a few questions to ask when preparing to look more closely at multi-factor authentication products for a business:

1. How much private information does the network handle? If the network currently doesn’t handle much private information and there is no plan to expand the storage of critical data, it’s probably not necessary to change existing authentication methods.
        2. Who will need to view the reports produced by these products? It’s important to determine who will receive alerts when something goes wrong with the authentication system. Some products can send out alerts whenever anything goes wrong, and most enterprises don't want to get management into a fire drill unnecessarily. 
        3. Does the business require the ability to scale up deployment? It’s important to consider future licensing costs. Most multi-factor products are used to handling tens of thousands of tokens and users, but they can also serve a smaller enterprise.
        4. Who will be among the initial collection of pilot users? This might determine which direction a company takes for securing particular apps and use cases.
5. Are employees already using the two-factor authentication tools available with some consumer services? If not, enterprises should start spreading the word and making employees familiar with the second-factor options on common cloud services. Multi-factor authentication is already built into these services, and it won't cost anything other than a small amount of training time to try them.
        6. How will a password reset be handled in a multi-factor authentication environment? Ideally, any reset or recovery process should be at least as strong as the multi-factor authentication process itself. There should be ‘secret questions’ a user would answer, or an SMS code might be sent to a recognized email or phone number.
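Question 6 above is the one most often got wrong in practice: a reset path that accepts a code sent to whatever phone number the requester types in is weaker than the second factor it bypasses. The block below is an added example written for this page, not code from Symantec or the original post, showing a reset-code flow built to hold the line: the code goes only to the contact already on file, only a keyed hash of it is stored, it expires, it is single-use, and guesses are capped. The ten-minute lifetime and five-attempt cap are assumed policy values, and the SMS sender and clock are injected so the flow runs offline.

```python
"""Account-recovery code flow sized to the point above: the reset path must not
be weaker than the MFA it bypasses. The delivery channel and the clock are
injected so the logic can be exercised without a real SMS gateway."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed policy: a code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumed policy: guesses allowed per issued code
SERVER_KEY = secrets.token_bytes(32)  # per-process key; load from a secret store in practice


def _keyed_hash(code: str) -> str:
    # HMAC rather than a bare hash: a leaked table of pending codes can then
    # not be brute-forced offline across the 10^8 possible codes.
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()


class RecoveryService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, message); delivery is outside this example
        self._clock = clock
        self._pending = {}          # user -> {"hash", "expires", "attempts"}

    def start_reset(self, user: str, phone_on_file: str) -> None:
        """Issue a fresh 8-digit code to the number already on record for the user.
        The phone number is taken from the account record, never from the request."""
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[user] = {          # any earlier pending code is superseded
            "hash": _keyed_hash(code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_on_file, f"Your account reset code is {code}")

    def finish_reset(self, user: str, submitted_code: str) -> bool:
        """True exactly once per issued code, and only while that code is valid."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]           # expired: the user must start over
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: burn the code
            return False
        if hmac.compare_digest(entry["hash"], _keyed_hash(submitted_code)):
            del self._pending[user]           # single use
            return True
        return False


if __name__ == "__main__":
    outbox = []   # constructed stand-in for an SMS gateway
    service = RecoveryService(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    service.start_reset("alice", "+1-555-0100")   # constructed phone number
    delivered = outbox[-1][1].split()[-1]
    print("first use:", service.finish_reset("alice", delivered))   # True
    print("reuse:", service.finish_reset("alice", delivered))       # False
```

The same shape applies when the code goes to an email address on file. What the block does not do is also part of the design: it never echoes the code back in the HTTP response, never accepts a destination from the requester, and gives the same False for an unknown user as for a wrong code, so the reset endpoint cannot be used to confirm which accounts exist.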

        What Are the Obstacles to Implementing Multi-Factor Authentication?

Making a business case for multi-factor authentication clearly requires some advance planning. There are many use cases for the technology that can be applied in different ways to different parts of an IT infrastructure. Understanding how MFA will be used ahead of time will be helpful when it comes time to select a provider.

        Before you begin the task of picking a multi-factor authentication vendor, carefully consider the following possible obstacles to deployment:

1. If your Active Directory is not lean and accurate, implementing an MFA solution will be a painful way to get there.
        2. If you still use mostly on-premises servers, you might be better off using (or at least starting with) Windows Server's built-in password-strengthening policies. This will allow you to gauge how much resistance there is from users when they have to regularly change their passwords and make them more complex.
        3. If your company has a geographically-distributed staff, with a few people in many cities, it may be difficult to train the user population or disseminate physical key fobs. In such cases, enterprises may want to look into software tokens or software apps instead.

        The Future of Multi-Factor Authentication

        MFA has become a more mainstream option for financial firms and other consumer-facing businesses. In 2014, more than 1800 respondents to a Ponemon Institute survey indicated that their organizations planned to adopt some form of multi-factor authentication, while another 40 percent were considering it. As passwords become increasingly insecure, and as our mobile, cloud-based computing becomes more prevalent, multi-factor tools are finding use in just about every corner of the enterprise, especially where personal information is being consumed. For example, Symantec Validation and ID Protection Service is a highly scalable, cloud-based solution that delivers highly secure multi-factor authentication for enterprises of all sizes.
