Blogs

      • Why Business Needs the Global Goals

        Oct 20 2017, 8:47 PM

        by Tess Hetzel 0

        By Delphine Millot, MPA, VP and Head of International Public Affairs at Grayling

        As a member of the UN Global Compact, Symantec was included in a new report by DNV GL highlighting companies pioneering progress towards the Sustainable Development Goals (SDGs). Symantec was praised for its outstanding work towards gender equality (SDG #5) through unique efforts to recruit women to Symantec’s board of directors and women-specific education programs in cyber security.

        The clock started ticking 18 months ago to start delivering on the 2030 Global Sustainable Development Agenda. Efforts are based on the so-named SDGs, a list of 17 goals and 169 targets covering the economic, social and environmental dimensions of sustainable development embraced by the 193 member governments of the United Nations.

        Governments are calling out businesses directly to play an active role in achieving the SDGs, as their success relies heavily on action and collaboration by all actors. None of the SDGs will be met without increased efforts from all sectors, and the trend on several goals, such as climate change and inequality, is actually going backwards. This is where business can make an impact – as a capable actor with the resources needed to deliver the SDGs alongside governments.

        If the global goals need business, the opposite is also true: business needs the global goals. The Business & Sustainable Development Commission found that achieving the SDGs could be worth at least US$12 trillion a year in market value by 2030 and create 380 million jobs in the process. Recognizing and capitalizing on the connections between social, environmental and economic progress has the power to unleash the next wave of global growth and redefine capitalism.

        A strategic approach to Corporate responsibility (CR) allows a company like Symantec to be pro-active, develop consistent CR initiatives and build a business model that can be sustained and bring shareholder value over the long term. Such an integrated approach brings credibility and authenticity to a CR program, which in turn enhances transparency and facilitates stakeholders’ engagement.

        In this context, companies can use the SDGs as an overarching framework to shape, steer, communicate and report their CR strategies, goals and activities.

        Symantec and the Global Goals

        Management approach

        Symantec looks at the SDGs as an opportunity to align core business activities and innovation efforts with society's needs. From a business perspective, this allows Symantec to reap the early benefits of high-integrity branding with their consumers, investors, employees and the marketplace. The SDGs therefore offer Symantec a pathway to attract talent, unlock new markets and develop new products and services to empower in-need customers on issues such as cyber security.  

        Symantec is a great example of a company that has integrated sustainable development into every aspect of its business. Symantec’s approach to corporate responsibility is set by the highest levels of management, who receive regular progress briefings on the company’s programs, including quarterly updates on diversity, ethics, environmental performance and community investment.

        Symantec also defined specific, measurable and time-bound key performance indicators (KPIs) as the basis for driving, monitoring, and communicating progress on the SDGs. An example is Symantec's commitment to increasing the diversity of its workforce at all levels of the company by 15% by 2020.

        Finally, Symantec reports annually on their corporate responsibility, including diversity metrics, goals and efforts. The CR reports are used as a tool to stimulate accountability and trust through integrated performance management.

        Progress on the SDGs

        SDG #4: Quality Education

        SDG #4 is focused on providing inclusive, equitable, and quality education. The talent gap in cyber security is expected to grow to a staggering 1.5 million by 2020 and there is a vibrant community of underrepresented young adults - including people of color, women, and veterans - that could fill at least 60,000 of these positions if properly trained. Symantec has invested more than six million dollars to engage and educate 745,446 students in STEM (Science, Technology, Engineering and Mathematics) education. Through education, mentorship, volunteering and partnering with leading STEM advocates, Symantec hopes to change the status quo, close the gender and diversity gap in STEM and build a robust talent pipeline. The Symantec Cyber Career Connection (Symantec C3) program was designed to do just this, providing a pathway for underrepresented young adults and veterans to receive targeted education, training, and certifications that position them to fill in-demand cyber security jobs and enter long-term careers.

        SDG #5: Gender Equality

        Around the world, women are underrepresented in the field of technology. As a result, women are missing out on this promising career path, and the field is missing out on their contributions. Symantec is committed to gender equality and the advancement of women in technology. To this end, they have created a goal to increase the percentage of women globally by 2020 and a sub-goal to increase the percentage of women in leadership (Director-level and above) to 30% by 2020.

        Symantec is a founding signatory of the Women’s Empowerment Principles (WEP), a partnership initiative of UN Women and UN Global Compact (UNGC) considered globally as the recognized principles and standards for women’s equality. And, through partners like The Anita Borg Institute and TechWomen, Symantec provides stand out females across the world mentorship, professional training and networking to prepare them for a promising future in cyber security.

        SDG #13: Climate Action

        Planetary warming continued in 2016, setting a new record of about 1.1 degrees Centigrade above the preindustrial period, according to the World Meteorological Organization. Stronger efforts are needed to build resilience and limit climate-related hazards and natural disasters. Symantec integrates environmental stewardship into their operational, product, and supply chain strategies. A sharp focus on environmental performance supports their business objectives and, at the same time, contributes to the urgent action needed to combat global climate change. Symantec took an important step regarding its energy and greenhouse gas (GHG) reductions by establishing a new goal to reduce the company’s GHG emissions by 30 percent by 2025. 

        Sustaining efforts over the long run

        The key to achieving the Sustainable Development Goals will be sustaining efforts over the long run – and corporations, governments, and nonprofits must all work together to achieve real impact. A business survey undertaken in May 2017 shows that business expects the United Nations and governments to incentivize companies to drive positive change. One incentive, publicly recognizing individual companies’ efforts, is important in two different ways. First, this positive recognition rewards companies’ innovative efforts and makes their stakeholders aware of these efforts. Perhaps even more importantly, this public reporting also disseminates best practices across a wide range of stakeholders. This sharing of best practices, and the ways in which corporations, governments and nonprofits are finding ways to lead in their own ways, is critical to making sure we deliver on the Global Goals by the 2030 deadline and beyond.

        Currently a Vice President at leading communications agency Grayling, Delphine Millot has twelve years of international experience in corporate reputation and public policy. Based in New York City, she heads Grayling’s International Public Affairs Practice, supporting a wide range of clients on their global communications strategies and advocacy campaigns. Before re-joining Grayling in 2015, Delphine led the business expansion in Africa, Middle East and Europe of a US trading firm, before joining a food start-up working with international hotel groups, restaurant chains and universities to lead the way towards health and environmental stewardship. Delphine completed her Masters of Public Administration (MPA) at Columbia’s University School of International and Public Affairs, with a specialization in sustainability management.

      • Certificate Authority Authorization Checking: What is it, and why should you care?

        Aug 30 2017, 6:12 PM

        by Lee-Lin Thye 0

        The Public Key Infrastructure (PKI) ecosystem relies on root certificates issued by various certification authorities (CAs) like Symantec. This is what browsers use to decide which websites can be trusted, and which ones are not trusted.

        Up to now, any CA can issue a TLS certificate for any domain. That’s how the system works, and it’s good in the sense that it gives website owners and operators options to change CAs at their discretion. The downside to this is that certificate issuance can happen without the knowledge of website operators, either by mistake or intentionally by malicious actors.

        A number of technologies have been created in an attempt to highlight instances of “unknown” issuance, such as Certificate Transparency. These have been effective in making the internet a safer, more trustworthy place but they are reactive measures – only allowing website operators to address the issue after it’s happened.

        But is it possible to prevent certificates from being mistakenly or inappropriately issued? Yes. Enter: Certification Authority Authorization (CAA).

        CAA prevents unknown certificate issuance by:

        1. Allowing domain owners to specify which CAs are authorized to issue certificates for their domains; and

        2. Giving CAs the ability to check this authorization before issuing a certificate.

        In this article, we’ll explain how CAA works, and why making CAA checking mandatory is a good move for both customers and CAs.

        What is Certification Authority Authorization?

        A Certification Authority Authorization (CAA) record is a DNS Resource Record which allows a domain owner to specify which CAs are authorized to issue certificates for their domain(s) and, by implication, which aren’t.

        The idea is that a CA will check the CAA record(s) for a domain before issuing a certificate. If it finds that a domain has no CAA record, then it’s free to issue a certificate for it if all other authentication checks succeed. However, if it does encounter one or more CAA records, then the CA can only issue a certificate if it’s named in one of the records, indicating that it is authorized to issue a certificate for that domain. The whole process is designed to prevent CAs from issuing certificates in response to requests from unauthorized parties or bad actors.

        Sounds great. Why isn’t everyone doing this?

        Symantec has been checking CAA records for years, but it’s not a common practice. There are two reasons why CAA checking isn’t widely practiced:

        1. Many domains don’t have a CAA Resource Record; and

        2. Checking CAA records is not mandatory.

        Because it may take some work to create a CAA record, it’s a matter of customers or website operators consciously opting-in, not opting-out. Many domain owners use a DNS hosting provider and CAA is not yet supported in some DNS implementations.

        This is why CAA records are expected to be used by most high-value domains. These enterprises keep CAA records for their domains because they limit inappropriate (or malicious) certificate requests, and make it easier to enforce company policies, i.e. only using a particular set of CAs.

        The limitations of CAA checking

        Of course, CAA checking has its limitations.

        First, a newly-issued CAA record does not invalidate any previously-issued certificates that may have been issued by a different CA than the one named by the domain owner. Second, it doesn’t flag whether a certificate presented by a web server is a legitimate certificate for that domain.

        Furthermore, in order for CAA checking to be effective, all CAs need to be doing it; it doesn’t work if only one or two CAs are checking CAA records as a matter of process. CAA checking must be widely adopted if it is to serve its purpose, but the good news is that more than ninety percent of CAs (who are members of the CA/Browser Forum) are in favor of it.

        The times are changing: CAA checking will become mandatory

        In February 2017, the CA/Browser Forum passed a ballot (on which Symantec voted in favor) requiring all CAs (even those who aren’t members of the Forum) to check for a CAA record as part of the certificate issuance process for each domain. In accordance with RFC 6844, CAs can no longer issue a certificate for a domain unless:

        1. The CA does not find any CAA records for the domain; or

        2. The certificate request is consistent with the applicable CAA Resource Record(s).

        The rule is effective as of 8 September 2017. You can read the ballot in full here.
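
        The check a CA performs, as described under “What is Certification Authority Authorization?” and in the two conditions above, can be sketched as follows. This is an added example, not Symantec’s or any CA’s code; it goes beyond the article by also covering the RFC 6844 parent-domain lookup, wildcard `issuewild` records and the critical flag. The zone data and the CA names `ca-one.example` and `ca-two.example` are constructed.

```python
# Added example: evaluates constructed CAA records the way RFC 6844 describes.
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: owner name -> CAA RDATA in presentation format.
ZONE = {
    "example.com": [
        '0 issue "ca-one.example"',
        '0 issuewild "ca-two.example"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],  # empty issuer: no CA may issue
    "mail.example.net": ['0 iodef "mailto:pki@example.net"'],
    "future.example.org": ['128 newtag "x"', '0 issue "ca-one.example"'],
}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self):
        return bool(self.flags & 0x80)  # high bit is the issuer-critical flag

    @property
    def issuer(self):
        # Value is "<issuer-domain> [; name=value ...]"; "" means "nobody".
        return self.value.split(";", 1)[0].strip().rstrip(".").lower()


def parse_caa(rdata):
    """Parse RDATA such as: 0 issue "ca-one.example; policy=ev"."""
    parts = rdata.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"malformed CAA RDATA: {rdata!r}")
    flags, tag, value = int(parts[0]), parts[1], parts[2].strip()
    if not 0 <= flags <= 255 or not tag.isalnum():
        raise ValueError(f"malformed CAA RDATA: {rdata!r}")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(flags, tag.lower(), value)


def relevant_rrset(fqdn, zone):
    """Climb from the requested name towards the root; first CAA set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard request is checked at its base name
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []


def may_issue(fqdn, ca_domain, zone):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    ca = ca_domain.rstrip(".").lower()
    wildcard = fqdn.startswith("*.")
    found_at, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records found; any CA may issue"
    # A critical property the CA does not understand blocks issuance.
    for rec in rrset:
        if rec.critical and rec.tag not in KNOWN_TAGS:
            return False, f"unknown critical property {rec.tag!r} at {found_at}"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild only applies to wildcard requests, where it overrides issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"records at {found_at} do not restrict issuance"
    if any(r.issuer == ca for r in applicable):
        return True, f"{ca} is named at {found_at}"
    return False, f"{ca} is not named at {found_at}"


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-one.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.example.com", "ca-two.example"),
                     ("api.locked.example.com", "ca-one.example"),
                     ("shop.example.org", "ca-two.example")]:
        print(name, ca, may_issue(name, ca, ZONE))
```
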

        A good outcome for all companies

        Mandatory CAA record checking requires CAs to abide by the rules set out in specific CAA records, giving domain owners more control over certificate issuance. This makes it easier for companies (especially larger ones) to enforce a certificate issuance policy across business units. With CAA records applicable to every domain, a company can specify a set number of CAs, knowing no other CA can issue a certificate to its domains.  This will help reduce the risks of certificate issuance by unauthorized CAs and help create a more secure and transparent online ecosystem.

        For more information on CAA with Symantec Certificates go to Symantec Knowledge Center

      • A New Chapter: DigiCert to Acquire Symantec’s Website Security and Related PKI Solutions

        Mar 29 2018, 8:53 PM

        by Roxane Divol 0

        Today, Symantec announced in a press release an agreement under which DigiCert will acquire Symantec’s Website Security and related PKI solutions. At a time when it’s absolutely critical that businesses are safeguarded from the advanced cyber security threats infiltrating the web, through this acquisition customers will benefit from a company that is solely focused on delivering the leading identity and encryption solutions they require.

        DigiCert is a leading provider of scalable identity and encryption solutions for the enterprise. The fast-growing company currently has a number of high-profile enterprise and IoT customers. DigiCert enjoys a strong reputation and high customer loyalty with a focus on industry-leading customer support, innovative market solutions, and a meaningful contribution to improving industry best practices. DigiCert has earned several awards for its innovation and growth strategies, and this summer was named one of Computerworld’s Top 100 places to work in IT.

        The addition of Symantec’s website security and related PKI solutions to DigiCert’s offerings will provide customers with an enhanced technology platform, unparalleled support and market-leading innovations. DigiCert will have incredible talent and experience to lead the next generation of global website security and will gain capabilities to take advantage of opportunities in IoT and bring new approaches to the SSL market.

        Symantec Website Security and DigiCert share a strong commitment to customer service, and ensuring continuity for our customers and their businesses is a top priority. Once the transaction is complete, we will work to transition our customers to a new platform that meets all industry standards and browser requirements and provides the foundation for future innovation in the CA space.

        Importantly, we feel confident that this agreement will satisfy the needs of the browser community. DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.

        Last but not least, I’d be remiss to not personally thank each and every one of the hard-working and dedicated employees of the Website Security team. We are tremendously excited about the opportunities ahead and deeply committed to the success of this transition for the Website Security business, its employees, and our customers.

        Best Regards,

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security 

      • Code signing minimum requirements: standardizing the security of digital signatures

        Mar 29 2018, 9:00 PM

        by Rufus Connell 0

        Following collaboration between the Certificate Authority Security Council (CASC) and Microsoft, a series of Minimum Requirements (MRs) are now in place for all code signing authorities. For business owners, this will help standardise security protocol. The main requirements to consider are:

        • The use of verified company names, state and locality
        • The storage of private keys
        • New timestamping procedures

        As a long-time advocate for these baseline requirements, Symantec is reconfiguring its own authentication process in order to comply with the CASC’s decision. Through widespread adoption of the MRs, signed code use will become significantly securer and more transparent.

        In this article, we’ll discuss how the new regulations will improve your business’ security.

        The Microsoft story: preventing an increase in certified malware

        The driving force behind Microsoft’s bid for code signing standardization is the rise of certified malware.

        ‘Previously, there were no standards, which meant that if one CA rejected a company’s application, that company could submit the same application to a different CA,’ said Dean J. Coclin, Senior Director, Business Development at Symantec.

        With many untrusted CAs in operation, a fraudulent company could continue applying for a certificate until they found a negligent CA willing to authenticate their submission. Incidences of stolen certificates have also increased, with thieves using compromised user keys to digitally sign their own malicious code.

        While Microsoft has been able to track and revoke many of these certificates using its SmartScreen filter, it could do little to prevent misconduct from reoccurring. However, the introduction of MRs makes it easier for CAs to identify the original code publisher and authenticate its digital signature.

        The benefits of universal code-signing regulations

        From a business perspective, the MRs will enable end users and companies to verify and use code with increased assurance. Here are four ways the CASC guidelines will improve code verification:

        1.     Stronger private key protection

        The theft and improper issuance of private keys enables the authentication of malicious code by attackers. Under the new regulations private keys must be kept in secure locations, preferably in hardware, either on-premises or in a legitimate cloud-based code-signing service, to help prevent this threat.

        If a CA generates the private key on behalf of a subscriber and transports it from a secure infrastructure, it must be encrypted with at least 128 bits of encryption strength or transferred via hardware with an equivalent activation method.

        2.     Easier certificate revocation

        If an application software supplier such as Microsoft discovers that one of its users has published malicious code (malware), it will request a certificate revocation. Exploiting keys and running malware is extremely profitable, since there has always been a window of vulnerability before a CA can discover and revoke the associated certificate.  

        The MRs now dictate that a CA has two days to revoke the certificate or launch an investigation into its use, closing this window and ensuring rogue code is caught and eliminated earlier. Businesses that register with untrusted CAs are likely to find their certificates questioned in the future, so it’s important you choose a compliant authority with a strong reputation.

        3.     Standardized Blacklisting

        A higher standard of individual authentication will make it more difficult for bad actors to obtain code signing certificates. The new MRs require CAs to check blacklists of known and suspect malware during identity verification. These are provided by anti-malware organisations and application software providers.

        CAs must also maintain an internal database of revoked code signing certificates (used to sign malicious code) and rejected certificate requests. The aim is to prevent bad actors from switching between CAs in order to get their code authenticated.

        4.     Improved timestamping

        Timestamps are important for businesses that require extended signature verification. The use of a timestamp allows code to be trusted beyond the expiration of the associated certificate. Authenticating code signatures in this way gives relying parties the ability to identify when a certificate was issued and whether it was valid at the moment the timestamp was given, even if that’s after the certificate has expired.

        Symantec offer time-stamping as part of the code signing process, ensuring your code is recognised and accepted by Microsoft software. We create digital timestamps for Windows, Adobe, Android, Java and more.

        What are my code signing options?

        As an enterprise, it’s important to know where you stand. In terms of code-signing, you have two options when it comes to key management:

        1. Local certification – you’re responsible for managing your own certificates, private keys, and code-signing processes. You must contact your chosen CA for certification.
        2. Service orientation – If your CA provides code-signing as a service, and it complies with the MRs, it will have to employ multi-factor authentication.

        Symantec’s Secure App Service (SAS) provides code-signing and time-stamping, with two-factor authentication as standard. Since February 1st 2017, we’ve introduced new measures to our SAS to improve the security of your certificates:

        1. The SAS API now requires the use of both user/password credentials and a client certificate.
        2. The SAS portal now requires both a client certificate and a One-Time Password (OTP) authentication mechanism, provided by our Symantec VIP solution.

        Because Microsoft owns more than 90 percent of the desktop OS market, we’re striving to meet the company’s MRs and ensure our customers can continue to digitally sign and use their software without constraint. 

      • The modern eCommerce landscape: How compliance impacts success

        Apr 20 2017, 10:15 PM

        by Rufus Connell 0

        The more we rely on the web for personal and business use, the more important it is to keep it (and ourselves) safe from cyberthreats. The bulk of this responsibility falls on those in charge of websites, but once you understand the evolving cybersecurity landscape, you’ll realize you can actually shape it to your business advantage.

        Ushering in a new era of cybersecurity
        Key internet stakeholders, including web browsers, cybersecurity companies and organizations in the payment card ecosystem are joining forces and redefining best practices to create a safer, more sustainable internet:

        •    Chrome and Firefox are displaying “Not Secure” warnings on certain web pages that are not encrypted.
        •    Symantec and other security providers are supporting widespread data encryption.
        •    Payment card companies continue to innovate and drive stronger fraud prevention.

        The Payment Card Industry Security Standards Council (PCI) recently updated an important Best Practices for eCommerce Report. The update was created in collaboration with a special interest group including representatives from Symantec as well as merchants, financial institutions, service providers and other payment security professionals. The report offers:

        •    Additional guidance to the PCI Data Security Standards Guide (PCI DSS)  about best practices for securing eCommerce implementations.
        •    Useful information for selecting SSL/TLS certificates (and the certificate authorities which provide them), especially those which are most appropriate for unique eCommerce environments.
        •    Questions merchants should ask their certificate authorities, eCommerce solution partners and other service providers.

        Staying ahead of these evolving best practices can help you not only protect your customers and your website but also improve your business and profitability.

        The stakes are high
        Cyberthreats are more pervasive than ever before. Customers are increasingly concerned about fraud, and failure to adhere to the latest compliance benchmarks can significantly impact your business. If a data breach occurs:

        •    Consumers lose confidence in your brand, making it difficult (if not impossible) to restore your image.
        •    The brunt of financial responsibility typically rests on merchants.
        •    Other liabilities exist in the form of fines and penalties, legal costs, lost jobs and more.

        In short, it all comes down to good governance. Without it, your site and your brand are at risk. With it, the eCommerce world is your oyster, and credibility and profit are the pearls within. 

        The road to success is paved with best practices
        Rather than burdening your business, compliance with evolving standards can actually open up new avenues of opportunity. But to capitalize upon them as an online merchant, your responsibilities include:

        •    Ensuring secure development of software and confirming Payment Application Data Security Standard (PA-DSS) validation of third-party apps
        •    Maintaining written agreements with third parties to ensure cardholder data is protected
        •    Strengthening SSL/TLS certificate authentication, minimizing risk and more

        The better you understand security guidelines, the easier it will be to stay competitive and build a sustainable online business.

        Ready to learn more?
        Register now to attend Online Trust: Where Compliance Meets Profitability, a live webinar that will be held on April 26 at 10 a.m. PST. Representatives from Symantec and VISA, key members of the PCI special interest group, will explore the intersection of compliance and profitability – and how the latest internet security best practices can benefit you, your customers and your business. 

      • Website Identity- The Key to Safety in E-Commerce

        Oct 20 2017, 9:17 PM

        by Dean Coclin 0

        Website identity is important for user safety. While encryption is important, knowing who you are encrypting to is paramount when conducting online transactions. While many users can identify the green bar/lettering associated with an Extended Validation (EV) certificate, recent user interface (UI) changes by browsers make it more difficult to differentiate these certificates from low value, domain validated certificates. This makes it a challenge to figure out the true owner of the website.


        For example, Chrome recently changed the certificate UI for Domain Validated (DV) certificates to show a green padlock. With an increase of DV certificates used by fraudsters for phishing (see: http://toolbar.netcraft.com/stats/certificate_authorities), it is becoming more and more difficult for users to determine if a site is legitimate. DV certificates don’t identify the entity behind the website. You just know you are connected to www.example.com. There is no ownership information vetted about example.com. Organizationally Validated (OV) and EV certificates provide ownership information allowing a user to know who the site belongs to. But unfortunately, browsers do not distinguish sites with these types of certificates.

        This chart from the CA Security Council (CASC) shows the confusing UIs that are in current browsers: https://casecurity.org/browser-ui-security-indicators/. It’s no wonder that users have trouble understanding the differences in the various certificates. And they are constantly changing.  

        A proposal from the CASC for a common, easy to understand, user display for website identity is shown below:

        [Image: the CASC’s proposed common browser display for website identity]

        The members of the CASC, which include the 7 largest SSL issuers in the world, are endorsing a paper on Website Identity Principles, which was presented at the RSA Conference on February 15, 2017. There are three main principles that summarize the intent of this paper:

        1.  Website identity is important for user safety.

        2. Different TLS certificate types that are used to secure websites – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates – should each receive a separate, clearly-defined browser UI security indicator to tell users when a website’s identity has been independently confirmed.

        3.  Browsers should adopt a common set of browser UI security indicators for different certificate types, and should educate users on the differences among these indicators for user safety.

        More information on these principles is available on the CASC website (https://casecurity.org/identity/).

      • Combat Advanced Malware With Security and Threat Protection Designed for the Cloud Generation

        Oct 21 2017, 12:02 AM

        by Gerry Grealish 1

        Hackers continue to show endless ingenuity in penetrating corporate networks. In fact, some recent malware attacks made headlines by crippling corporations, robbing shareholders, and damaging the credit of thousands of consumers. These attacks make it clear that cybercriminals continue to evolve, creating threats that can bypass the security defenses of many organizations. Some advanced malware can even sense threat defenses and mutate like a biological virus.

        Determined hackers, coupled with the expanding adoption of cloud applications and the explosion of mobile workforce devices, mean that enterprises must find new ways to protect themselves from increasingly sophisticated, malicious attacks. It’s a daunting challenge; where can organizations find a solution to combat threats defined by devices, applications, and users everywhere? The answer can’t be found by looking to the stars. However, if you cast your line of sight toward the clouds, you’ll have a clue as to where you should look for a more innovative enterprise security solution.

        The Issue: Evolving Nature of Threats

        As network security advances, so does malware. It is more aware and adaptive than ever, looking for new delivery channels and mutating to evade behavior detection. A few examples include:

        Virtual machine awareness—An increasing number of attackers are creating malware that can detect when it’s operating in a virtual sandbox environment and can execute techniques to disguise itself.

        Polymorphic files and URLs—Malware files can morph and mutate like an infectious virus to escape signature-based detection. Using automated systems, hackers continually change the look of their files and flood these files toward your defenses, hoping one of them will penetrate and begin to operate. Attackers can do similar things with URLs by using domain-generating algorithms (DGAs) to mathematically compute new domains, making it difficult for techniques such as blacklisting to keep pace.

        Multistage, multivector attacks—Sophisticated cybercriminals stage multiphase attacks to get through corporate defenses. Hackers select web-based, email, and file-based intrusions, coordinating them to achieve desired results.

        Encrypted communication—Because most network security systems are unable to scan encrypted data to detect malware, hackers find it effective to use SSL to build communication tunnels between embedded malware and remote command and control (C&C) servers.

        Misleading file types—Malware may masquerade as harmless files. For example, some malware files may pretend to be JPEGs but actually have executable files inside of them. Another malware file can later change itself into an executable (.exe) to unleash the malware inside your network.

        User interaction triggers—Malware may pretend to be legitimate, displaying a friendly or familiar looking dialog box that asks users to install some software. When the user allows the installation, the malware goes into operation.   

        Unique and targeted malware—Some malware can be incorporated into a targeted “spear-phishing” attack. If it’s aimed at you, it will trick you into opening a file by using information specific to you. Once opened, the hackers go after the specific assets they’re looking for.
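The "misleading file types" case above lends itself to a simple content check. The following is an added example, not code from the original post or from any Symantec product: it compares a file's claimed extension with its leading magic bytes and looks for a structurally valid DOS/PE header anywhere in the content. The function names, the small magic table, and the sample bytes are all constructed for illustration.

```python
import struct

# Leading magic bytes for a few common types (small illustrative subset).
MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
         "pdf": b"%PDF-", "pe": b"MZ"}
EXT_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf",
            "exe": "pe", "dll": "pe"}

def sniff_type(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def find_pe_offsets(data):
    """Offsets where an 'MZ' DOS header correctly points at a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew: little-endian u32 at DOS header offset 0x3C.
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def inspect(filename, data):
    """List findings: extension/content mismatch and executables in non-PE files."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed, actual = EXT_TYPE.get(ext), sniff_type(data)
    findings = []
    if claimed and actual != claimed:
        findings.append(f"extension claims {claimed}, content is {actual or 'unknown'}")
    if claimed != "pe":
        for off in find_pe_offsets(data):
            findings.append(f"PE header found at offset {off}")
    return findings

def _fake_pe():
    # Constructed stub: 0x40-byte DOS header with e_lfanew = 0x40, then the PE signature.
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00"

# Constructed sample inputs (not real images or executables).
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
FAKE_PE = _fake_pe()
POLYGLOT = CLEAN_JPEG + FAKE_PE      # image bytes with an executable appended

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", CLEAN_JPEG), ("invoice.jpg", POLYGLOT),
                       ("photo.jpg", FAKE_PE), ("setup.exe", FAKE_PE)]:
        print(name, inspect(name, blob) or "no findings")
```

A check like this only catches unencoded payloads; packed or encrypted content still needs the behavioral analysis the post goes on to describe.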

        Enter: the Cloud (or Cloud-Delivered Security) 

        Threat defense needs to be reimagined to address not only the sophisticated nature of the threats just described, but also to ensure it aligns with the realities of how organizations are accessing the web and corporate applications. If your workforce is increasingly distributed, with laptops and mobile devices going directly to the internet to access SaaS applications, cloud-delivered security and threat protection need to be on your radar. Cloud-delivered security can be easily provisioned to tackle the security and threat protection needs of all of your web traffic. And the benefit of a subscription-based service is that it can easily be scaled up or down to meet changing needs. In addition to ease of deployment, you need to make sure it can deliver the top-notch threat prevention you require. A deeper look at Symantec cloud-delivered security service will help you understand why customers consider our solution to be truly enterprise-class.

        The Solution: Symantec Cloud-Delivered Security, Malware Analysis Services  

        Symantec Research and Development organization has been busy working to ensure we have strong capabilities to address evolving new attack techniques. We developed a multitiered system that includes advanced analysis techniques to identify and neutralize malware designed to evade detection technology. These techniques block known threats, analyze anything new and unknown, and combat evolved attacks. The entire system is designed to make sure that you get enterprise-class protection while ensuring that false-positives remain extremely low (so precious security and incident response personnel are not wasting time chasing false alarms).

        Web Security Service Leverages the Symantec Global Intelligence Network

        Symantec cloud-delivered Web Security Service (WSS) is fed by our global intelligence network (GIN), the world’s premier civilian cyber defense threat intelligence service. The GIN gives your enterprise the ability to filter URLs into granular categories with defined risk scores. The network uses threat information and telemetry data from 15,000 enterprises and 175 million consumer and enterprise endpoints to categorize and analyze threats posed by more than a billion previously unseen and uncategorized websites each day and more than two billion daily emails sent/received by our customers. Symantec’s unique expertise and analytics use this information to define the “known bad” files and locations your organization should avoid. Web and file access control policies set in the Symantec WSS ensure that the “known bads” stop at your doorstep and don’t harm your company. The Symantec WSS also leverages content analysis capabilities that perform further analysis on risky files using dual malware engines, as well as comparisons against blacklist/whitelist files.

        Symantec Malware Analysis Service

        Because it’s extremely difficult for malware authors to evade both virtual and emulative environments, the Symantec Malware Analysis Service works with Symantec WSS to add behavior analysis and sandboxing capabilities for advanced threat detection and prevention. The service uses a powerful combination of emulation and virtualization to identify malicious code. Virtualization takes place in a virtual machine that is a fully licensed version of Windows in which the user can install any application  (Office, Adobe, Quicken, or custom applications). We call it Intelligent VM (iVM). The emulative sandbox environment is not Windows software; it’s a fully recreated computing environment based on a Windows-like API. In this completely controlled artificial space, users can make the malware think it’s interacting with a real computer.

        The Cloud Makes it Easy—Give it a Try

        The Symantec WSS, along with the integrated Symantec Malware Analysis Service, is designed to give you the protection you need to deal with the rapidly evolving advanced threats that are attacking your network each and every day. Contact us to learn how our subscription service can help your enterprise protect your corporate assets. Use Symantec to help you enable your enterprise by reliably passing the “known good” and protect your enterprise by reliably blocking the “known bad” and accurately analyzing the “unknown.”

        Learn more at go.symantec.com/cloudsecurity

      • Update on Chrome 53 Bug Affecting Symantec SSL/TLS Certificates

        Oct 20 2017, 8:31 PM

        by Unknown 1

        As mentioned on November 10, 2016, we were made aware of a bug in Chrome version 53 that affects some Symantec, GeoTrust, and Thawte SSL/TLS certificates resulting in an untrusted error displaying when visiting affected websites.  There were no issues with the certificates used on the affected websites, but rather, the issue is entirely a Google bug with specific versions of Chrome, Chromium, Chrome Custom Tabs and WebView.

        Since my initial post, we’ve gained more insight into the scope of impacted platforms and releases for this bug, and although the majority of them have been patched, there is an outstanding issue with Android apps that leverage the WebView version 53. To remedy this problem, end users of affected applications will need to update to the most recent version of WebView (currently, that's version 54) and the forthcoming Chrome version 55 (or later versions). Developers using Android Open Source Platform (AOSP) will need to review their own apps to ensure compatibility.

        Other Chrome-based applications and platforms have been patched by Google including Chrome Mac, Chrome Windows, Chrome Linux, Chrome Android, Chrome iOS, Chromium, Chromium-based browsers, and Chrome Custom Tabs. All of these will operate normally on Chrome version 54 for the time being, and are fully patched in Chrome version 55 (or later versions). We expect no adverse issues on these platforms at this time, and no action should be required by users leveraging typical update mechanisms.

        Update, February 15, 2017: Google reports that bug fixes have been made available across all platforms. However, in some locations those fixes are not automatically deployed to affected customers. Those customers must manually update their applications to take advantage of the bug fix.

      • Symantec and CI Plus LLP protect Pay TV across half a billion devices in the European Union

        Sep 13 2016, 2:57 PM

        by Clive Finlay 2

        Right across Europe, Pay TV has never been more popular. Recent research by Digital Research TV Limited (DRTL) found that over half (56.8%) of households in Western Europe currently have a Pay TV subscription service – and predicted that proportion would rise to nearly 60% by 2021.

        This impressive growth comes as TV consumption moved away from analog to broadcast digital services and more recently also towards IP distribution, with DRTL predicting that IPTV revenues in Western Europe would rise to $1.2 billion by 2021. This phenomenon has been driven by the rise of fast broadband, new services such as Netflix and affordable Smart TVs and set-top boxes. In 2015 alone, consumers across Western Europe bought 15 million new Smart TVs, according to German consumer electronics trade organisation GFU.

        Yet before IPTV could deliver on this promise, the industry first had to meet a key challenge – and it’s done so with a solution underpinned by Symantec technology. That challenge was: if you’re going to deliver valuable Pay TV content directly to TVs, how do you protect that content from interception or piracy?

        Back in 2007, a consortium of TV manufacturers and vendors came together to solve this problem. Their solution was CI Plus, a technical specification that added security features to the commonly-used DVB Common Interface Standard. These enabled Smart TVs and set-top boxes to access a wide range of Pay TV services via conditional access plug-in modules. CI Plus enabled Pay TV service providers to protect their content by providing an encrypted channel between the plug-in module and the TV or set-top box. This encryption capability was underpinned by Symantec certificates and the Symantec CI Plus certificate service.

        Since it launched in 2008, CI Plus has secured many billions of hours of Pay TV content worldwide. And earlier this year it reached a new landmark in the European Union. Together, CI Plus and Symantec have successfully secured more than half a billion TV and set-top boxes across the EU. And we are celebrating the success of this partnership at the International Broadcasting Convention (IBC) in Amsterdam this week.

        The success of CI Plus is an excellent example of how hardware manufacturers, security experts and content providers can come together to protect new categories of devices and secure intellectual property. As such it provides an important model for how industries can collaborate to effectively secure new Internet of Things technologies as they come online.

      • Protect your Business Reputation : Implement Always-On SSL

        Apr 27 2016, 11:59 PM

        by Neel Majumdar 0

        No one can escape the challenges of keeping up with a perpetually evolving cyber security environment, and no one can any longer write off fraud as something that only happens to others. In December 2014 research by TeleSign and RSA, just 11% of US companies said they hadn’t experienced any fraudulent incidents on their ecommerce sites in the past 12 months. Source: Cyber security study conducted by J Gold and Associates, Feb 2, 2015.

        Fraud victims can wave bye-bye to hard-earned bucks. More than one-third of businesses reported losing between 1% and 5% of revenues due to online fraud in the past year. Online businesses don’t just risk losing dollars, though—they can also see the departure of many customers.

        Of course, “fraudulent activity” comprises many risks, and further research highlights the wide range of issues online and mobile retailers must work against. Malware was the biggest issue, on PCs and web browsers as well as mobile devices. E-wallet fraud and app-related risks followed, with account takeovers and password guessing behind. If online businesses don’t better protect themselves from fraudulent activity, not only will they continue to fall victim to such incidents, they risk losing more money and customers as malware, hackers and the like become more advanced.

        I know, it’s easy to read this article and feel overwhelmed, but understand that half of the website security battle is knowledge and learning. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.

        A company that is serious about protecting customers and its business reputation should implement Always-On SSL with SSL certificates from a trusted Certificate Authority. You can find out all about Always On SSL here. Google now favours websites that implement HTTPS across their entire site. Keep your visitors safe with Always-On SSL and Google will reward you with an SEO ranking boost.

        As if that was not enough, many browsers now trigger security warnings when a user is hopping between secured and unsecured connections. Ensure your customers experience your website as intended with Always-On SSL. SSL and website security are now in the public consciousness, and if you’re not doing your part you could find yourself being publicly shamed on HTTP Shaming, a site set up by software engineer Tony Webster.

        When it comes to businesses and their websites, good security processes and implementation are all that stand in the way of total ruin: financial and reputational.

        So make sure you’re secure in 2016 with Symantec
