      • Symantec and CI Plus LLP protect Pay TV across half a billion devices in the European Union

        Sep 13 2016, 2:57 PM

        by Clive Finlay 2

        Right across Europe, Pay TV has never been more popular. Recent research by Digital Research TV Limited (DRTL) found that over half (56.8%) of households in Western Europe currently have a Pay TV subscription service – and predicted that proportion would rise to nearly 60% by 2021.

        This impressive growth comes as TV consumption moved away from analog to broadcast digital services and more recently also towards IP distribution, with DRTL predicting that IPTV revenues in Western Europe would rise to $1.2 billion by 2021. This phenomenon has been driven by the rise of fast broadband, new services such as Netflix and affordable Smart TVs and set-top boxes. In 2015 alone, consumers across Western Europe bought 15 million new Smart TVs, according to German consumer electronics trade organisation GFU.

        Yet before IPTV could deliver on this promise, the industry first had to overcome a key challenge – and it’s done so with a solution underpinned by Symantec technology. That challenge was: if you’re going to deliver valuable Pay TV content directly to TVs, how do you protect that content from interception or piracy?

        Back in 2007, a consortium of TV manufacturers and vendors came together to solve this problem. Their solution was CI Plus, a technical specification that added security features to the commonly used DVB Common Interface Standard. These enabled Smart TVs and set-top boxes to access a wide range of Pay TV services via conditional access plug-in modules. CI Plus enabled Pay TV service providers to protect their content by providing an encrypted channel between the plug-in module and the TV or set-top box. This encryption capability was underpinned by Symantec certificates and the Symantec CI Plus certificate service.

        Since it launched in 2008, CI Plus has secured many billions of hours of Pay TV content worldwide. And earlier this year it reached a new landmark in the European Union. Together, CI Plus and Symantec have successfully secured more than half a billion TVs and set-top boxes across the EU. And we are celebrating the success of this partnership at the International Broadcasting Convention (IBC) in Amsterdam this week.

        The success of CI Plus is an excellent example of how hardware manufacturers, security experts and content providers can come together to protect new categories of devices and secure intellectual property. As such it provides an important model for how industries can collaborate to effectively secure new Internet of Things technologies as they come online.

      • Industrial Internet 4.0

        Jul 15 2015, 6:35 AM

        by Brian Witten 2

                    This quick post simply seeks to set context for software leaders hoping to help with the Industrial Internet, or “Industry 4.0” as many say in Europe, just highlighting a few points commonly missed by software leaders first stepping into industrial settings, particularly with the recent multi-hundred billion dollar projections on the size of the market for industrial internet software.

                    Unfortunately, many of us with strong backgrounds in software don’t often realize the scale of time and cost at which most industrial plants operate.  Relining a blast furnace can cost $100M.  In auto manufacturing, each minute of downtime for a manufacturing plant costs $22,000 on average.  That’s $1.3M per hour, nearly three times more expensive than unplanned downtime costs for the average Information Technology (IT) organization.  Some pipelines move $32,000 of oil per minute.  That’s over $1.9M per hour.  In that context, it’s no wonder that plant operations teams often view planned and unplanned maintenance with a bit more intensity than most IT teams.  It’s also no wonder that companies are investing aggressively to optimize systems where a 10% improvement can produce gains of more than $200M per year for typical manufacturing plants.  It's equally clear why "security" means "availability" to these operational teams who have so much need to protect the uptime and integrity of these systems.  That's in direct contrast to traditional Information Technology (IT) teams who often must protect "confidentiality" and "secrecy" at the cost of uptime.  That's an important distinction as manufacturing companies look to carefully leverage these smart technologies to improve their performance.

                    According to many, the past 350 years of manufacturing are marked by three revolutionary advances: the steam engine for generating mechanical power, then electrification of manufacturing, and most recently, digitalization of manufacturing through simple Programmable Logic Controllers (PLC). Many industrial leaders in Europe believe that they can produce a “fourth” such leap, “Industry 4.0,” by lashing digital manufacturing systems into highly virtualized, decentralized, and modular plants leveraging interoperable real-time systems to yield “smart” factories which outperform current manufacturing plants by the same degree to which mechanization, electrification, and digitalization have improved manufacturing in centuries past. Beyond “linear” improvements such as the “10%” mentioned above, such digitally “integrated” plants will have the flexibility and agility to not only keep pace with increasingly nimble competition, but to stay ahead of it.

                    Of course, that connectivity brings both tremendous promise and risk. Having belabored pipeline explosions and steel blast furnace damage from cyber attacks in past posts, I won’t repeat myself here, especially since Symantec has already given the “Dragonfly” attacks against Western energy companies such great in-depth coverage. However, I will promise here that next month’s blog will propose a path “forward” for security of such next generation Industrial Control Systems (ICS), not only leveraging the cornerstones of security for the Internet of Things (IoT), but also describing how they can be applied to the ICS of the Industrial Internet and Industry 4.0. In the interim, if you’re impatient, feel free to read up on our latest security solutions for embedded systems at www.symantec.com/iot.

        For more reading:

        http://www.symantec.com/iot

        http://blogs.wsj.com/corporate-intelligence/2014/01/28/times-have-changed-new-plan-for-a-century-old-u-s-steel-mill/

        http://news.thomasnet.com/companystory/downtime-costs-auto-industry-22k-minute-survey-481017

        http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat-energetic-bear

        http://articles.latimes.com/2010/aug/10/nation/la-na-alaska-oil-20100810

        http://www.prnewswire.com/news-releases/global-iot-platforms-and-software-market-2015-2020-300082499.html

        http://www.acatech.de/fileadmin/user_upload/Baumstruktur_nach_Website/Acatech/root/de/Material_fuer_Sonderseiten/Industrie_4.0/Final_report__Industrie_4.0_accessible.pdf

        http://www.inc.com/yoav-vilner/store-downtime-the-ecommerce-kiss-of-death.html

        http://www.datacenterdynamics.com/critical-environment/one-minute-of-data-center-downtime-costs-us7900-on-average/83956.fullarticle

        http://www.stratus.com/stratus-blog/2014/09/26/how-downtime-impacts-the-bottom-line-2014/

        http://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/

      • Hospitals Breached via Medical Devices?

        Jun 25 2015, 4:18 PM

        by Brian Witten 5

        Many were surprised to read that extremely sophisticated and expensive medical devices, such as X-Ray machines and Blood Gas Analyzers, had been used as a pivot point in more broadly penetrating IT systems in three hospitals.  Even though general vulnerability of networked medical devices has been well known, these are the first documented cases where such devices were used as pivot points for broader lateral attacks into the rest of the hospital. 

        With such exploitation now reported, I’d like to help “peel the onion” on why such obvious problems have been practically impossible to fix for so long.  Surprisingly, the answer has nothing to do with technology.  Many of these systems actually, believe it or not, run well-known software “under the hood,” such as various flavors of Windows and Linux.  Sadly though, these extremely important machines are almost never updated with the latest security patches.  Such risks aren’t a secret in hospitals.  The healthcare industry has long seen the risks as these devices had previously been infected by malware such as Zeus, Citadel, Conficker, and more.  In fact, some (computer) virus infections have shut down entire hospital departments, required rerouting of emergency patients, or had similar implications on care delivery.

        Of course, any PC in the hospital, just like your laptop, has countless defenses against such malware.  Well-patched machines running effective, up-to-date anti-virus software are well protected against such malware and hacker attacks.   Unfortunately though, for regulatory or policy reasons, hospitals are not allowed to patch medical devices, even medical devices running Windows or other commercial software.  Similarly, hospitals are not allowed to install any additional software on these medical devices, even security software essential for protection.  The original logic stems from good reason.  Medical equipment, including its software, must undergo formal testing and be determined safe for patients.  Changing the software in any way, including patches, or adding software without explicit approval by the manufacturer can change the behavior of the device in ways that could endanger patients.  For such reasons, regulatory restrictions prohibit tampering with medical equipment, even if the tampering is intended to protect the equipment and ultimately protect the patients.

        How big are the risks? Obviously there is no risk of “banking information” being stolen from an MRI. However, some of the machines are so vulnerable that they may crash when they experience unexpected behavior. Chris Eng, VP of Research at Veracode, recently tweeted that an MRI machine crashed when simply scanned for vulnerabilities, and other researchers have reported that a simple SNMP inquiry could “tip over” medical equipment. Of course, not all medical devices are that sensitive, but none of these devices should be so vulnerable. When a device becomes infected, either as an entry-point, pivot-point, or just as part of a broader infection, we need to be concerned about the potential consequences. Critical system controls may get altered and could result, for example, in an excessive radiation dose from a CT scanner. Vulnerabilities found in insulin pumps have been shown to be outright lethal.

        Another concerning scenario would be that of a targeted attack on a medical device, for example to harm a specific patient or the reputation of a hospital. Although no such cases have been documented or reported to date, security researchers have demonstrated risks for Pacemakers (Kevin Fu), Insulin Pumps (Jerome Radcliffe) and Infusion Pumps (Billy Rios), the latter resulting in an advisory from Homeland Security’s ICS-CERT and a patient safety communication from the FDA.

        What is being done?  In 2014, the FDA issued guidance to medical equipment makers regarding cybersecurity for the medical devices that they make and sell.  I’m sure we’ll see further guidance, and potentially even enforcement, in years to come.  Device makers need to design in the cybersecurity as well as capability to update devices “in the field,” and need to work with regulators on a process whereby it is easier for such updates to be provided to their customers.  At the same time, hospitals are working on their processes to build a more secure medical device infrastructure.

        Could such a strategy work?  Will it?  Do you like the approach, or does it worry you?  Either way, I’d love to hear your thoughts.  Feel free to email us anytime at iot@digicert.com and visit us online at www.symantec.com/iot.

        For more reading:

        www.symantec.com/iot

        https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/

        http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/

        http://deceive.trapx.com/AOAMEDJACK_210_Landing_Page.html

        http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html

        https://twitter.com/chriseng/status/610412829405941760

        http://www.wired.com/2015/04/drug-pumps-security-flaw-lets-hackers-raise-dose-limits/

        http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/

        http://www.newscientist.com/article/dn1920-internet-data-at-risk-from-language-flaws.html

        www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

        http://news.bbc.co.uk/2/hi/7735502.stm

      • Bridging the Gap between IT and the Business with Next Generation Cloud Security

        Mar 18 2015, 11:16 AM

        by Mike Smart 0

        To those of us that have been brought up in the world of IT, there is nothing scarier than users and lines of business choosing and deploying their own IT.  We’ve labeled it ‘Shadow IT’ because it’s technology that is used in the dark, without the knowledge of the IT Department.

        But actually, to the user or the line of business, it’s just innovation. The typically risk-averse IT departments are all about mitigating risk; after all we’ve deployed Anti-Virus, Intrusion Prevention technologies to mitigate the risk of viruses and intrusions. This attitude of preventing risk is making us unpopular and irrelevant to the business, and this is why they often choose to bypass the IT procurement process.

        The fact is, users are more mobile than ever, and are comfortable taking corporate data and storing it on mobile devices or cloud storage applications all in the name of innovation and increased productivity.  Perhaps those of us in IT should find a way to embrace this and at the same time protect the business without imposing impractical policies and process.

        To help you bridge the gap, and allow users and the business to adopt flexible working practices that drive innovation through the adoption of mobility, cloud based systems and infrastructure, Symantec has released Identity: Access Manager.  Symantec™ Identity: Access Manager is a next generation access control platform that offers users and administrators control, convenience, and compliance for cloud-based applications.

        Access Manager starts by using Symantec Validation and ID Protection (VIP) and Symantec Managed PKI to bring integrated single sign-on (SSO) and strong authentication to mobile devices. With Access Manager, users can log in one time using a password, PIN, or even a fingerprint to safely access all of their cloud apps and information. This helps secure mobile devices by eliminating bad password practices and gives your users fast, easy access to the resources they need.

        Also, Access Manager provides flexible, easy-to-create connectors and unified identity and context-based access control for virtually any cloud app or service, which means you can enforce your security and compliance policies, log your activities to stay compliant, and ultimately turn those rogue apps into legitimate productivity tools.

        Access Manager is every bit as flexible as it is powerful. You can choose to deploy it on-premise or in the cloud, depending on the needs of your organization. And because Access Manager integrates seamlessly with your existing infrastructure, it reduces complexity by providing a convenient central point for managing all of your different user directories.

        In summary, there are five good reasons to try Symantec Identity: Access Manager in your environment:

        • Ensures control, convenience, and compliance for public and private cloud applications
        • Enhances security with strong authentication and identity/context-based access control
        • Streamlines compliance auditing by consolidating access logs for protected users and applications
        • Boosts users’ productivity with Single Sign-On – one password grants access to all apps
        • Offers flexible deployment options, choose from on-premise or hosted service

        If you want to find out more, visit our home page here:

      • Let’s not Talk About PHI for a Moment, let’s Talk about Intellectual Property

        Aug 30 2014, 3:03 PM

        by Axel Wirth 0

        Why this post?

        Over the past few months we have seen a number of reports on breaches of healthcare organizations and medical device manufacturers where the suspected or documented target was intellectual property data related to medical devices.  Some of these recent cases have received wide press coverage.

        As a result, the FBI has issued a warning to US healthcare companies that they may be the target of further cyberattacks (FBI warns healthcare firms they are targeted by hackers). The document indicated that several companies in the sector had been targeted and intellectual property, rather than personal data or PHI, may be the main target of the attacks.

        "These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data" (FBI)

        It is suspected that nation states and/or well-organized cybercrime organizations are behind these highly sophisticated and well-executed attacks. This is in line with a trend cybersecurity experts have been observing for a number of years – the trend towards politically and financially motivated attacks executed with an unprecedented degree of stealth, determination, and precision.

        In other words, cybersecurity is not what it used to be. Not by a long shot.

        What it means for the Healthcare Industry

        The healthcare industry has traditionally underinvested in security, yet at the same time we have seen breaches and attacks increase. Hackers focus on healthcare institutions because they are perceived as the easier target compared to other industries. We have seen focus on patient demographic information (i.e. identities), personal identifiers (social security, insurance, or medical record numbers), and medical data (PHI).

        We have seen data being stolen for the purpose of financial or medical identity theft, insurance fraud, sale of information on the underground marketplace, blackmailing of patients, financial gain, and ransoming of healthcare providers. And now we can add to that list corporate espionage and intellectual property theft.

        The recent attacks and breaches highlight the risk to companies in the medical device, biotech, and pharmaceutical industries, as well as their medical research and clinical trial partners – i.e. the hospitals and clinicians they are cooperating with. This does move the discussion to another, higher and very concerning level.

        The security industry has, for the past years, developed the concept of “Defense in Depth” … meaning that security as a point solution is no longer good enough. Not only do we need security across all layers, those security layers need to be integrated to allow reliable detection, coordinated defense, and efficient response.

        As cyber criminals are getting better, we need to up our game, too. Unfortunately, the bad guys need to be right only once, we need to be right every time. Hence, we have developed concepts of layered security, defense in depth, edge to endpoint, and lastly the importance of selecting the right security partner.

        Symantec can help you to protect your infrastructure and information on all levels through:

        • Endpoint Security: Symantec Endpoint Protection, Mobile Security Solutions, and specific solutions for mission critical systems (e.g. servers hosting clinical research and other intellectual property data) or difficult to protect and patch systems (e.g. COTS-based medical devices).
        • Data Loss Prevention: to understand data location, data access and usage so as to allow for the appropriate protection of such data.
        • Encryption: to protect critical information on endpoints, fileshares, in email, or data being transmitted.
        • Altiris IT Infrastructure Management: to discover IT assets, assess IT compliance, identify vulnerable systems, and manage configuration, patching, and upgrades.
        • Validation and ID Protection Services: to enable strong (two factor) authentication and reduce the risk of external access channels being exploited.
        • Symantec Web Gateway: Backed by Symantec Global Intelligence Network, it provides multiple layers of malware protection and URL filtering, securing web access and detecting malware related traffic.
        • Symantec Mail Gateway or Hosted Email Services: to block email-based malware or spam and reduce the risk of phishing attacks.
        • Security advisory, implementation, assessment and consultancy services.
        • Security Education: to make sure your employees understand today’s security threats and their obligation to prevent e.g. spear-phishing attacks.
        • Managed Security Services: Defend against today’s sophisticated cyber threats, accelerate detection, and optimize response to relevant security events.

        Large breaches can be costly and result in fines, remediation costs, class action lawsuits, loss of reputation and trust, and can affect your business and market opportunity if intellectual property is affected.

        As a security professional, that makes me wonder if not paying attention to what is happening in cybersecurity today, not understanding the changing threat landscape, and not being prepared for modern threats could be considered 'willful neglect'?

        Conclusion:

        Traditionally, lost or stolen equipment (laptops, thumb drives, backup tapes) was the biggest breach risk in healthcare, and looking at some of the breach statistics, we are still struggling to prevent it. Yet, in reality, the bad guys are stepping up their game rapidly and healthcare is now in the crosshairs, leading to a growing gap between threats and the industry's security capabilities.

        The paradigm is shifting and we need to be ready to deal with these new risks now, not at some point in the future. In a recent interview, John Halamka, CIO of Beth Israel Deaconess Medical Center, stated that: “to guard against hackers, health care CIOs are investing in security like never before.”

        We have to - the gap is getting bigger as I am writing this.

        For a further discussion on healthcare breaches, see also Kevin Haley's blog post here: Responding to Data Breaches in the Healthcare Industry
