Blogs

      • Three-Dimensional Data Protection: Access, Visibility, and Control

        Nov 18 2016, 12:51 AM

        by Sunil Choudrie

        Knowledge is power. Whether it’s your proprietary data, customer insights, or strategic plans, data is valuable and needs protection. The problem is large. In 2015, half a billion personal records were stolen or lost, according to the Symantec 2016 Internet Security Threat Report Vol. 21 (ISTR). 

        What’s behind this risk? Our research shows both internal and external threats. Criminals have found that they can obtain your data by breaking into your systems or by targeting your staff who might be softer targets. If your staff use simple or default passwords, over-share data, or don’t follow security measures (such as removing redundant files from cloud services), they put your data at risk. And malicious insiders, such as disgruntled employees, may try to steal sensitive corporate data to further their career or to sabotage your company.

        Data protection is not just about data loss prevention; it is also about protection and access control. The key question is how to allow broad access to data for everyone who needs it while still ensuring that sensitive data is properly controlled, and how to do that correctly.

        Symantec Information Protection

        The objective is not to lock data away, but to put the right visibility, controls, and policies in place so that data stays useful without being over-exposed. There is also the people element: encouraging the right behavior is better for both employee trust and security. Consider a member of your team who attaches a document to an email. If they attach the wrong file in their haste, the result ranges from embarrassment to a PR disaster or worse. Ideally you would intercept such an email before it leaves the organization, but blocking that is not carefully tuned will also stop emails you never meant to stop. A better approach is to empower your staff: a well-timed alert tells the sender that the attachment contains sensitive data and gives them the opportunity to correct the mistake before the message is released. This lets staff make the right decision in what may be complex circumstances, plays to their strengths, and builds a strong security culture.
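        The alert-before-release flow described above, as an added example in Python that is not part of the original post or of any Symantec product: it scans an outbound message body and its attachments for payment card numbers, validates each candidate with the Luhn checksum so that order numbers and phone numbers are not flagged, and returns a "warn" decision when a hit is bound for an external recipient so the sender can correct the attachment before the mail goes out. The internal domain, recipients, message text and attachment contents are constructed sample data, and attachment text is assumed to have been extracted already.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by
# spaces or hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); filters out most order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the de-separated card numbers in text that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Never echo the full number back in an alert; keep the last four for recognition."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_outbound(recipients, body, attachments, internal_domain):
    """Decide what to do with an outbound message.

    attachments: dict of filename -> extracted text (assumed already extracted).
    Returns the action plus the evidence the sender should be shown.
    """
    findings = [("body", p) for p in find_pans(body)]
    for name, content in attachments.items():
        findings.extend((name, p) for p in find_pans(content))

    external = [r for r in recipients
                if not r.lower().endswith("@" + internal_domain.lower())]

    if not findings:
        action = "allow"
    elif external:
        # Sensitive data leaving the organization: prompt the sender to confirm
        # or remove the attachment rather than silently dropping the mail.
        action = "warn"
    else:
        action = "allow-and-log"

    return {
        "action": action,
        "external_recipients": external,
        "evidence": [(where, mask(p)) for where, p in findings],
    }


if __name__ == "__main__":
    # Constructed sample message: the card number is the well-known Visa test PAN.
    decision = classify_outbound(
        recipients=["partner@other.example"],
        body="Hi, the card on file is 4111 1111 1111 1111, expires 12/26.",
        attachments={"notes.txt": "internal ref 1234567890123"},
        internal_domain="corp.example",
    )
    print(decision)
```

The decision object is what the alert would show the sender: where the data was found and a masked form of it. Keeping the masked evidence in the alert is what lets the user judge whether the hit is a false positive, which is the point of warning instead of blocking.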

        Symantec Information Protection helps you identify critical data across all your files and emails using automated discovery and context-based classification. Risk is reduced by limiting access to the right people, and by managing how data is stored and the protection that surrounds it, so that it is less likely to end up in the wrong hands. Policies to control access and usage (in the cloud, on mobile devices, or on the network) are applied from a single point and enforced across your entire network.

        Symantec VIP, VIP Access Manager, and Data Loss Prevention work together to create an information protection platform. Symantec Information Protection covers three areas: Access, Visibility, and Control.

        “Where are my data risks?”

        To protect data, you first need to find it, classify it, and then ensure that it’s properly managed. The challenge here is identifying the highest risks to your data. With data volumes exploding (a five-fold increase in data is predicted between 2015 and 2020), and data formats becoming less structured (photographs of forms or whiteboards), the challenges will only grow. 

        Symantec Information Protection helps you discover where your sensitive data is stored across your infrastructure. You’ll be able to monitor and protect sensitive data on mobile devices, on-premises, and in the cloud. And it’s all done through a unified policy framework to define data loss policies and to help you review and remediate incidents.

        “Who is accessing my data?”

        Passwords are the de facto standard, but bitter experience teaches us that too many users are inundated with them, resulting in weak passwords, passwords being reused, or passwords written down when they are too hard to remember. A recent study entitled Cyber Security Flaws in Working Practices found that 21 percent of workers write down their passwords. In another study, 63 percent of confirmed data breaches involved weak, default, or stolen passwords, according to the Verizon 2016 Data Breach Investigations Report. You need to strike the right balance: making it easy for the end user to access systems while ensuring security without relying on written-down notes.

        Poor password hygiene makes accounts vulnerable to takeover attacks. The risk of these attacks is sharply reduced by single sign-on and multi-factor authentication technologies such as Symantec VIP and VIP Access Manager. Symantec Managed PKI Service also provides simple-to-manage device certificates, enabling secure access from any device, anywhere, to the apps your users need. VIP's password-less fingerprint authentication makes accessing all approved applications simple, without the user needing to remember a separate password for each application, and the access manager lets your organization determine which applications are shown to a user based on their role.

        With Symantec VIP, VIP Access Manager, and Managed PKI Service, we offer single sign on with rock-solid authentication to protect all your cloud and on-premises apps.

        “How do I better protect my data?”

        Data breaches have almost become a weekly, if not daily, occurrence. According to the ISTR, the number of publicly disclosed data breaches has risen steadily over the last several years to reach 318 in 2015. What about stolen laptops or USB thumb drives? Breaches caused by stolen or lost devices are real threats that organizations face; in fact, this type of data breach makes up 45 percent of healthcare industry data breaches, according to the Verizon 2015 Data Breach Investigations Report. And the cost? The Ponemon Institute found that the average consolidated total cost of a data breach grew from $3.8 million to $4 million last year, but this is highly variable, with costs escalating significantly depending on the scope, scale, and nature of the breach.

        Fortunately, you can take some measures to help protect your organization from data breaches. Symantec offers four broad ways to help.

        • Symantec Endpoint Encryption helps prevent breaches by protecting critical data sent by email, as well as files shared on network drives and in the cloud.
        • Symantec's unified policy controls the flow of information everywhere it goes: in the cloud (with Office 365, Box, Gmail, and others), on premises, and in mobile applications, delivering protection without added complexity.
        • Symantec Data Loss Prevention (DLP) integrates with encryption to prevent accidental leaks through user error and secures devices against data loss or theft.
        • Symantec limits access to trusted users and devices: Symantec VIP, VIP Access Manager, and Managed PKI Service provide strong access control, reducing the risk and consequences of account takeovers.

        In upcoming posts of this series, we'll take a closer look at specific features of Information Protection. 

        • Products
        • Identity Access Manager
        • Identity and Authentication Services
        • information protection
        • Data Loss Prevention
        • VIP (Validation ID Protection)
        • Products and Solutions
        • Managed PKI for SSL
      • Symantec and CI Plus LLP protect Pay TV across half a billion devices in the European Union

        Sep 13 2016, 2:57 PM

        by Clive Finlay

        Right across Europe, Pay TV has never been more popular. Recent research by Digital Research TV Limited (DRTL) found that over half (56.8%) of households in Western Europe currently have a Pay TV subscription service – and predicted that proportion would rise to nearly 60% by 2021.

        This impressive growth has come as TV consumption moved from analog to digital broadcast services and, more recently, towards IP distribution, with DRTL predicting that IPTV revenues in Western Europe will rise to $1.2 billion by 2021. The phenomenon has been driven by the rise of fast broadband, new services such as Netflix, and affordable Smart TVs and set-top boxes. In 2015 alone, consumers across Western Europe bought 15 million new Smart TVs, according to the German consumer electronics trade organisation GFU.

        Yet before IPTV could deliver on this promise, the industry first had to overcome a key challenge, and it has done so with a solution underpinned by Symantec technology. That challenge was: if you're going to deliver valuable Pay TV content directly to TVs, how do you protect that content from interception or piracy?

        Back in 2007, a consortium of TV manufacturers and vendors came together to solve this problem. Their solution was CI Plus, a technical specification that added security features to the commonly used DVB Common Interface standard. These enabled Smart TVs and set-top boxes to access a wide range of Pay TV services via conditional access plug-in modules. CI Plus lets Pay TV service providers protect their content by establishing an authenticated, encrypted channel between the plug-in module and the TV or set-top box, so that descrambled content cannot simply be captured at the interface. This encryption capability is underpinned by Symantec certificates and the Symantec CI Plus certificate service.

        Since it launched in 2008, CI Plus has secured many billions of hours of Pay TV content worldwide. And earlier this year it reached a new landmark in the European Union. Together, CI Plus and Symantec have successfully secured more than half a billion TV and set-top boxes across the EU. And we are celebrating the success of this partnership at the International Broadcasting Convention (IBC) in Amsterdam this week.

        The success of CI Plus is an excellent example of how hardware manufacturers, security experts and content providers can come together to protect new categories of devices and secure intellectual property. As such it provides an important model for how industries can collaborate to effectively secure new Internet of Things technologies as they come online.

        • Products
        • Symantec Website Security
        • Device Certificate Service
        • Identity and Authentication Services
        • DigiCert Code Signing
        • Products and Solutions
        • Managed PKI for SSL
      • A Guide to Multi-Factor Authentication

        Oct 20 2017, 8:50 PM

        by Darla Scott

        Today, computers and smart devices are inexpensive enough that we can own many of them: smart phones, laptops, tablets, and even wearable micro devices. Our work and private lives demand portability. This, along with a trend towards moving enterprise servers into the cloud, makes secure user authentication even more imperative…and tricky. That brings us to multi-factor authentication (MFA), what it means, and how it is achieved.

        What Is Multi-Factor Authentication?

        The goal of multi-factor authentication is to create a layered defense of two or more independent credentials: what you know (password), what you have (security token), and what you are (biometric verification). Requiring multiple factors to authenticate a user makes it more difficult for an unauthorized person to gain access to computers, mobile devices, physical locations, networks, or databases; each successive layer should help protect where other layers may be weak.

        Multi-factor authentication is becoming more common, particularly in the financial industry, and is advancing to include retina and fingerprint scanning, voice recognition, and even facial recognition.


        How Does Multi-Factor Authentication Add Security Benefits?

        If it were possible to develop a single method of authentication that was 100 percent accurate and could not be defeated, we wouldn't need multi-factor authentication. But passwords can be seen, overheard, guessed, or phished; a token can be lost or stolen; and an identical twin or a photograph may be enough to fool a biometric recognition system. This is why multi-factor authentication is currently so important to account security.

        The idea behind multi-factor authentication is that a weakness in one factor (say, a stolen password or PIN) is compensated for by the remaining factors, because an attacker has to defeat each of them independently before gaining access.

        What Multi-Factor Authentication Options Are Available for Mobile Devices?

        One-time passwords

        Authenticator applications generate one-time passwords in the same way that hardware security tokens have in the past: a time-based one-time password (TOTP, RFC 6238) is computed on the device from a secret shared with the server at enrolment and the current time, so the code itself is never sent over the network. A weaker variant sends a short-lived code to the phone by SMS; SMS codes can be intercepted or redirected (for example through SIM swapping), so app-generated codes are preferable wherever the user base can support them.

        Using a smartphone or tablet eliminates the need for a user to keep track of a token, and companies incur less cost replacing lost tokens, activating tokens for new employees, or deactivating tokens when an employee leaves.
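        As an added example (not code from the original post or from any Symantec product), here is the scheme those apps implement, in Python with only the standard library: HOTP from RFC 4226, the time-based counter from RFC 6238, the otpauth:// enrolment URI that a QR code carries, and the server-side check the post does not describe, with a clock-skew window, replay rejection and constant-time comparison. The issuer, account name and random secret in the script are constructed sample values; the secret quoted in the usage note is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. Nothing is transmitted; phone and server each compute
    this from the shared secret and their own clock."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: int = -1, algorithm=hashlib.sha1):
    """Server-side check. Returns the matching counter, or None if the code is rejected.

    - `window` steps on either side tolerate clock skew between phone and server.
    - counters at or below `last_counter` are refused so a code cannot be replayed
      within its validity period; the caller persists the returned counter per user.
    - every candidate is compared with hmac.compare_digest and the loop never exits
      early, so response timing does not reveal which step (if any) matched.
    """
    if at is None:
        at = int(time.time())
    base = at // step
    matched = None
    for delta in range(-window, window + 1):
        counter = base + delta
        ok = hmac.compare_digest(hotp(secret, counter, digits, algorithm), str(code))
        if ok and counter > last_counter and matched is None:
            matched = counter
    return matched


def provisioning_uri(issuer: str, account: str, secret: bytes,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (what the enrolment QR code encodes) for an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed enrolment: a fresh random secret per user, shown once as a QR code
    # and stored server-side; issuer and account are sample values.
    secret = os.urandom(20)
    print(provisioning_uri("Example Corp", "alice@example.com", secret))
    print("current code:", totp(secret))
```

Run as a script it prints an enrolment URI and the current code. With the RFC test key, the ASCII bytes of 12345678901234567890, hotp(secret, 0) is 755224 and the 8-digit TOTP at Unix time 59 is 94287082, the published vectors, which is the quickest way to check a home-grown implementation against a real authenticator app before trusting it.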

        Biometric authentication

        Top smartphone manufacturers understand that security is a growing customer concern and have started offering biometric authentication to ensure that only the authorized user can unlock the device. Each of these techniques has advantages and disadvantages.

        Biometric verification | Advantages | Disadvantages
        Fingerprint authentication | Individuals have unique fingerprints | Requires integration with network access software
        Voice recognition | No extra hardware is necessary | Not effective in settings where the user must remain quiet, or with excessive background noise
        Facial recognition or retinal scanning | No extra hardware is necessary (when the device is equipped with a camera) | Not effective in low light, and possible to defeat authentication with a photograph


        How Is Multi-Factor Authentication Implemented in the Cloud?

        As data, communication, training, storage, server infrastructure, and more are migrated to the cloud, IT admins must deal with the risks of moving beyond the traditional on-premises server location. Multi-factor authentication for user access is essential to protect data in the cloud, because the login page is reachable from anywhere on the Internet and a password alone is then the only thing standing between an attacker and the data.

        Microsoft, Google, Amazon Web Services, Facebook, and Twitter—among others—all offer two-factor authentication for access to their cloud services, and some are extending to multi-factor authentication strategies.

        Multi-factor authentication for Office 365

        Office 365 requires a password to access applications on PCs, Macs, and mobile devices. Once multi-factor authentication is enabled, the Office 365 admin tool can issue a random 16-character app password for older clients that cannot prompt for a second factor. When users next sign in, they are prompted to set up one or more of the following additional authentication methods:

        • Call My Mobile Phone: When the users receive the confirmation call, they press # in the phone's dial pad to log in.
        • Call My Office Phone: This works like Call My Mobile Phone, but the confirmation call is sent to a separate line, such as a desk phone.
        • Text Code to My Mobile Phone: A code is sent via SMS text message to the user’s phone, to be entered into the Office 365 login form.
        • Notify Me through App: The user can use a Microsoft smartphone app to receive and confirm the notification; the app is available for Windows Phone, iPhone, and Android.
        • Show One-Time Code in App: This uses the same app as for the Notify Me through App option, but sends a one-time, six-digit code that must be entered in the Office 365 login screen.

        Multi-factor authentication for Office 365 using Microsoft Azure Active Directory

        Office 365 with Microsoft Azure Active Directory is an enterprise-level solution that requires users to correctly enter a password, and then acknowledge a phone call, text message, or an app notification on their smartphone to authenticate and sign in.


        What Is the Best Way to Implement Multi-Factor Authentication?

        Using and supporting multi-factor tools requires that IT organizations coordinate and configure the enterprise infrastructure to get protected logins working properly. Most tools include software agents that can protect VPNs, SharePoint servers, Outlook Web App, and database servers. As traditional hardware-based onsite servers move into the cloud, most multi-factor solution vendors offer both cloud and on-premises options. Customers are choosing offsite deployments more and more because of the support and management flexibility the cloud offers.

        It’s important to evaluate multi-factor authentication products carefully to determine how each one differs subtly with regard to the desired deployment. Not every vendor can handle all scenarios equally well, and this is often a prime factor in product selection. Here are a few questions to ask when preparing to look more closely at multi-factor authentication products for a business:

        1. How much private information does the network handle? If the network currently doesn't handle much private information, and there is no plan to expand the storage of critical data, it is probably not necessary to change existing authentication methods for ordinary users. Administrative and remote-access accounts are the exception: they are worth protecting with a second factor regardless, because they are what an attacker goes after first.
        2. Who will need to view the reports produced by these products? It's important to determine who will receive alerts when something goes wrong with the authentication system. Some products can send out alerts whenever anything goes wrong, and most enterprises don't want to drag management into a fire drill unnecessarily.
        3. Does the business require the ability to scale up the deployment? It's important to consider future licensing costs. Most multi-factor products are designed to handle tens of thousands of tokens and users, but they can also serve a smaller enterprise.
        4. Who will be among the initial collection of pilot users? This might determine which direction a company takes for securing particular apps and use cases.
        5. Are employees already using the two-factor authentication tools available with some consumer services? If not, enterprises should start spreading the word and making employees familiar with the second-factor options on common cloud services. Multi-factor authentication is already built into these services, and it won't cost anything other than a small amount of training time to try them.
        6. How will a password reset be handled in a multi-factor authentication environment? Any reset or recovery process should be at least as strong as the multi-factor login it bypasses, because an attacker will target the weakest path. "Secret questions" and codes sent to a recovery email address or phone number are weaker than the factors they replace, so use them only as part of a verified process (for example, together with identity checking by the help desk or a pre-registered backup code) rather than as the sole gate.

        What Are the Obstacles to Implementing Multi-Factor Authentication?

        Making a business case for multifactor authentication clearly requires some advanced planning. There are many use cases for the technology that can be applied in different ways to different parts of an IT infrastructure. Understanding how MFA will be used ahead of time will be helpful when it comes time to selecting a provider.

        Before you begin the task of picking a multi-factor authentication vendor, carefully consider the following possible obstacles to deployment:

        1. If your Active Directory is not lean and accurate, implementing an MFA solution will be a painful way to get there.
        2. If you still use mostly on-premises servers, you might be better off starting with Windows Server's built-in password policies. This will let you gauge how much resistance there is from users when they have to use longer, more complex passwords. (Forcing regular password changes is no longer recommended by NIST SP 800-63B, which favors length and screening against known-breached passwords over periodic rotation.)
        3. If your company has a geographically distributed staff, with a few people in many cities, it may be difficult to train the user population or distribute physical key fobs. In such cases, enterprises may want to look into software tokens or authenticator apps instead.

        The Future of Multi-Factor Authentication

        MFA has become a more mainstream option for financial firms and other consumer-facing businesses. In 2014, more than 1800 respondents to a Ponemon Institute survey indicated that their organizations planned to adopt some form of multi-factor authentication, while another 40 percent were considering it. As passwords become increasingly insecure, and as our mobile, cloud-based computing becomes more prevalent, multi-factor tools are finding use in just about every corner of the enterprise, especially where personal information is being consumed. For example, Symantec Validation and ID Protection Service is a highly scalable, cloud-based solution that delivers highly secure multi-factor authentication for enterprises of all sizes.

        • Products
        • Multi-Factor Authentication
        • MFA
        • DigiCert SSL TLS Certificates
        • Thought Leadership
        • Managed PKI for SSL
      • Industrial Internet 4.0

        Jul 15 2015, 6:35 AM

        by Brian Witten

        This quick post sets context for software leaders hoping to work on the Industrial Internet, or "Industry 4.0" as it is often called in Europe. It highlights a few points commonly missed by software leaders first stepping into industrial settings, which matters all the more given the recent multi-hundred-billion-dollar projections for the size of the industrial internet software market.

        Unfortunately, many of us with strong backgrounds in software don't realize the scale of time and cost at which most industrial plants operate. Relining a blast furnace can cost $100M. In auto manufacturing, each minute of downtime for a manufacturing plant costs $22,000 on average. That's $1.3M per hour, nearly three times the unplanned downtime cost for the average Information Technology (IT) organization. Some pipelines move $32,000 of oil per minute. That's over $1.9M per hour. In that context, it's no wonder that plant operations teams view planned and unplanned maintenance with more intensity than most IT teams. It's also no wonder that companies are investing aggressively to optimize systems where a 10% improvement can produce gains of more than $200M per year for a typical manufacturing plant. It's equally clear why "security" means "availability" to these operational teams, who must protect the uptime and integrity of these systems. That's in direct contrast to traditional IT teams, who often must protect "confidentiality" and "secrecy" even at the cost of uptime. That's an important distinction as manufacturing companies look to carefully leverage these smart technologies to improve their performance.

        According to many, the past 350 years of manufacturing are marked by three revolutionary advances: the steam engine for generating mechanical power, then the electrification of manufacturing, and most recently the digitalization of manufacturing through simple Programmable Logic Controllers (PLCs). Many industrial leaders in Europe believe that they can produce a "fourth" such leap, "Industry 4.0," by lashing digital manufacturing systems into highly virtualized, decentralized, and modular plants that leverage interoperable real-time systems to yield "smart" factories, which would outperform current plants by the same degree to which mechanization, electrification, and digitalization improved manufacturing in centuries past. Beyond "linear" improvements such as the "10%" mentioned above, such digitally "integrated" plants will have the flexibility and agility not only to keep pace with increasingly nimble competition, but to stay ahead of it.

        Of course, that connectivity brings both tremendous promise and risk. Having belabored pipeline explosions and steel blast furnace damage from cyber attacks in past posts, I won't repeat myself here, especially since Symantec has already given the "Dragonfly" attacks against Western energy companies such in-depth coverage. However, I will promise here that next month's blog will propose a path "forward" for the security of such next-generation Industrial Control Systems (ICS), not only leveraging the cornerstones of security for the Internet of Things (IoT), but also describing how they can be applied to the ICS of the Industrial Internet and Industry 4.0. In the interim, if you're impatient, feel free to read up on our latest security solutions for embedded systems at www.symantec.com/iot.

        For more reading:

        http://www.symantec.com/iot

        http://blogs.wsj.com/corporate-intelligence/2014/01/28/times-have-changed-new-plan-for-a-century-old-u-s-steel-mill/

        http://news.thomasnet.com/companystory/downtime-costs-auto-industry-22k-minute-survey-481017

        http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat-energetic-bear

        http://articles.latimes.com/2010/aug/10/nation/la-na-alaska-oil-20100810

        http://www.prnewswire.com/news-releases/global-iot-platforms-and-software-market-2015-2020-300082499.html

        http://www.acatech.de/fileadmin/user_upload/Baumstruktur_nach_Website/Acatech/root/de/Material_fuer_Sonderseiten/Industrie_4.0/Final_report__Industrie_4.0_accessible.pdf

        http://www.inc.com/yoav-vilner/store-downtime-the-ecommerce-kiss-of-death.html

        http://www.datacenterdynamics.com/critical-environment/one-minute-of-data-center-downtime-costs-us7900-on-average/83956.fullarticle

        http://www.stratus.com/stratus-blog/2014/09/26/how-downtime-impacts-the-bottom-line-2014/

        http://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/

        • Products
        • Critical System Protection
        • Symantec Enterprise Security
        • Thought Leadership
        • Device Certificate Service
        • Identity and Authentication Services
        • Security Community Blog
        • Managed PKI for SSL
      • Hospitals Breached via Medical Devices?

        Jun 25 2015, 4:18 PM

        by Brian Witten

        Many were surprised to read that extremely sophisticated and expensive medical devices, such as X-ray machines and blood gas analyzers, had been used as pivot points for more broadly penetrating the IT systems of three hospitals. Even though the general vulnerability of networked medical devices has been well known, these are the first documented cases in which such devices were used as pivot points for lateral movement into the rest of the hospital network.

        With such exploitation now reported, I’d like to help “peel the onion” on why such obvious problems have been practically impossible to fix for so long.  Surprisingly, the answer has nothing to do with technology.  Many of these systems actually, believe it or not, run well-known software “under the hood,” such as various flavors of Windows and Linux.  Sadly though, these extremely important machines are almost never updated with the latest security patches.  Such risks aren’t a secret in hospitals.  The healthcare industry has long seen the risks as these devices had previously been infected by malware such as Zeus, Citadel, Conficker, and more.  In fact, some (computer) virus infections have shut down entire hospital departments, required rerouting of emergency patients, or had similar implications on care delivery.

        Of course, any PC in the hospital, just like your laptop, has many layers of defense against such malware. Well-patched machines running effective, up-to-date anti-virus software are far better protected against such malware and hacker attacks. Unfortunately, for regulatory or policy reasons, hospitals are not allowed to patch medical devices, even medical devices running Windows or other commercial software. Similarly, hospitals are not allowed to install any additional software on these medical devices, even security software essential for protection. The original logic stems from good reason. Medical equipment, including its software, must undergo formal testing and be determined safe for patients. Changing the software in any way, including patches, or adding software without explicit approval by the manufacturer can change the behavior of the device in ways that could endanger patients. For such reasons, regulatory restrictions prohibit tampering with medical equipment, even if the tampering is intended to protect the equipment and ultimately the patients.

        How big are the risks? Obviously there is no risk of "banking information" being stolen from an MRI. However, some of the machines are so fragile that they may crash when they experience unexpected input. Chris Eng, VP of Research at Veracode, recently tweeted that an MRI machine crashed when simply scanned for vulnerabilities, and other researchers have reported that a simple SNMP query could "tip over" medical equipment. Of course, not all medical devices are that sensitive, but none of these devices should be so vulnerable. When a device becomes infected, whether as an entry point, a pivot point, or just as part of a broader infection, we need to be concerned about the potential consequences. Critical system controls may get altered and could result, for example, in an excessive radiation dose from a CT scanner. Vulnerabilities found in insulin pumps have been demonstrated to be potentially lethal.

        Another concerning scenario would be that of a targeted attack on a medical device, for example to harm a specific patient or the reputation of a hospital. Although no such cases have been documented or reported to date, security researchers have demonstrated risks for Pacemakers (Kevin Fu), Insulin Pumps (Jerome Radcliffe) and Infusion Pumps (Billy Rios), the latter resulting in an advisory from Homeland Security’s ICS-CERT and a patient safety communication from the FDA.

        What is being done?  In 2014, the FDA issued guidance to medical equipment makers regarding cybersecurity for the medical devices that they make and sell.  I’m sure we’ll see further guidance, and potentially even enforcement, in years to come.  Device makers need to design in the cybersecurity as well as capability to update devices “in the field,” and need to work with regulators on a process whereby it is easier for such updates to be provided to their customers.  At the same time, hospitals are working on their processes to build a more secure medical device infrastructure.

        Could such a strategy work?  Will it?  Do you like the approach, or does it worry you?  Either way, I’d love to hear your thoughts.  Feel free to email us anytime at iot@digicert.com and visit us online at www.symantec.com/iot.

        For more reading:

        www.symantec.com/iot

        https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/

        http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/

        http://deceive.trapx.com/AOAMEDJACK_210_Landing_Page.html

        http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html

        https://twitter.com/chriseng/status/610412829405941760

        http://www.wired.com/2015/04/drug-pumps-security-flaw-lets-hackers-raise-dose-limits/

        http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/

        http://www.newscientist.com/article/dn1920-internet-data-at-risk-from-language-flaws.html

        www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

        http://news.bbc.co.uk/2/hi/7735502.stm

      • Enhancing Trust in the CA/Browser System

        Apr 13 2015, 5:40 PM

        by Dean Coclin 0


        Browsers and Certificate Authorities are in the news again over the reported mis-issuance of an SSL server certificate for google.com domains. Discovered by Google, most likely via the technology known as key pinning, and discussed by Google’s Adam Langley in this blog, a Chinese certificate authority, CNNIC (Chinese Internet Network Information Center), apparently issued an intermediate certificate to an Egyptian company called MCS Holdings. Because the CNNIC root certificate is included in the root store of most major browsers, users would not see any warnings on sites that have certificates issued by CNNIC or MCS Holdings. When MCS installed their intermediate into a Man in the Middle (MITM) proxy device, that device could then issue certificates for any site that users connected through the proxy visited.

        There are several violations of the CA/B Forum Baseline Requirements and Mozilla Root Program Requirements here. First, Mozilla specifically prohibits using public roots for MITM applications. (While there may be legitimate corporate use cases for these proxy devices, using public root certificates as part of the implementation is prohibited and is a violation of public trust.) Second, any sub CA certificates (issued from the Root) must be publicly disclosed and audited, or be technically constrained (using the technology known as “name constraints”, which limits the domains for which the CA can issue certificates). Neither appears to be the case here. Third, indications are that the key was not generated and stored in a proper Hardware Security Module (HSM). There are several other mistakes as well, but these are the major ones.
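        The disclosed-or-constrained rule from the paragraph above, written out as a policy check (an added example, not Symantec’s, CNNIC’s or any CA’s code): a sub CA carrying dNSName name constraints may issue only inside its permitted subtrees, while an intermediate with no constraints at all, like the MCS Holdings one, is acceptable only if it is publicly disclosed and audited. The SubCA records and host names are constructed; the matching rule assumed is RFC 5280’s dNSName rule.

```python
"""Disclosed-or-constrained check for a sub CA certificate.

Added example, not Symantec's, CNNIC's or any CA's code. dNSName matching
follows RFC 5280 section 4.2.1.10: a subtree 'corp.example' covers
corp.example and every label under it; an excluded subtree always wins.
"""
from dataclasses import dataclass, field


@dataclass
class SubCA:
    name: str
    permitted: list = field(default_factory=list)  # permittedSubtrees dNSName entries
    excluded: list = field(default_factory=list)   # excludedSubtrees dNSName entries
    disclosed_and_audited: bool = False            # publicly disclosed and audited?


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName match: equal to the subtree, or ends with '.' + subtree."""
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]  # assumption: judge a wildcard request by its parent label
    s = subtree.lower().rstrip(".").lstrip(".")  # tolerate a leading dot
    return n == s or n.endswith("." + s)


def is_technically_constrained(ca: SubCA) -> bool:
    """Any name constraints present? (The BRs also require EKU limits; omitted here.)"""
    return bool(ca.permitted) or bool(ca.excluded)


def may_issue(ca: SubCA, san_dns_names) -> bool:
    """Would the disclosed-or-constrained rule let this sub CA issue these names?"""
    if not is_technically_constrained(ca):
        # Unconstrained intermediate (the MCS Holdings situation): the certificate
        # itself bounds nothing, so only public disclosure and audit make it acceptable.
        return ca.disclosed_and_audited
    for name in san_dns_names:
        if any(dns_in_subtree(name, ex) for ex in ca.excluded):
            return False  # explicitly excluded subtree
        if ca.permitted and not any(dns_in_subtree(name, p) for p in ca.permitted):
            return False  # outside every permitted subtree
    return True


# Constructed sample intermediates, not real certificates.
CORP_SUB_CA = SubCA("Corp Sub CA", permitted=["corp.example"], excluded=["lab.corp.example"])
PROXY_SUB_CA = SubCA("Proxy Sub CA")  # no constraints, not disclosed: like the MCS intermediate

if __name__ == "__main__":
    for ca, names in [(CORP_SUB_CA, ["www.corp.example"]),
                      (CORP_SUB_CA, ["www.lab.corp.example"]),
                      (PROXY_SUB_CA, ["www.google.com"])]:
        print(ca.name, names, "->", "allowed" if may_issue(ca, names) else "refused")
```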

        CNNIC documents show that the sub CA certificate was only issued for a short duration and was to be used for test purposes only. While this may be the case, it ignores the reality that the misuse of such a certificate can cause great harm to end users. Users can be deceived into going to a fraudulent website and having their credentials stolen. The fact that bogus certificates found their way onto the public Internet due to this “test” makes it clear that improper controls were in place at both CNNIC and MCS Holdings, as well as a limited understanding of the rules surrounding public CAs.

        The major browsers quickly moved to distrust the MCS Holdings certificate to protect their users from potential fraud. MCS sent a report to Mozilla with their assessment of the situation. Google has announced that they are taking action to distrust the CNNIC root certificates.  Google will “whitelist” all existing CNNIC certificates and has provided a path for re-inclusion into their browser by insisting that all future certificates use Certificate Transparency.  Firefox will be updated to distrust any CNNIC certificate with a notBefore date of April 1, 2015. The current CNNIC root will remain in the Mozilla root store to validate current certificates, and CNNIC can reapply for full inclusion but may be subject to additional scrutiny and controls during the process. This is essentially a punishment for violating the Baseline Requirements and the Mozilla root program rules.  Microsoft is still evaluating whether to take further action than just distrusting the MCS Holdings intermediate certificate. No word from Apple so far.

        Three recently introduced technologies and controls, namely Certificate Authority Authorization (CAA) and Certificate Key Pinning (HPKP), which are designed to prevent mis-issuance, and Certificate Transparency (CT), which is designed to detect mis-issuance, significantly raise the level of security of the CA/Browser cryptography system. CT and HPKP are being implemented by some browsers, and CAA is a function that CAs will have to deploy.
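        The CAA check that a CA would run before issuing, as an added example (not any CA’s or browser’s code): climb from the requested name toward the DNS root, take the first label that has CAA records, and apply the issue/issuewild rules of RFC 6844, refusing on any critical property the CA does not understand. The zone data is a constructed in-memory stand-in for real DNS lookups, and the CA domain names are invented.

```python
"""CAA authorization check run by a CA before issuing (added example, not any CA's code).

Follows RFC 6844 section 4: starting at the requested name, climb toward the DNS
root and use the first label that has CAA records; then apply 'issue' (or
'issuewild' for wildcard requests). The zone below is a constructed in-memory
stand-in for real DNS lookups.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = issuer critical
    tag: str     # issue / issuewild / iodef / ...
    value: str   # e.g. 'ca-one.example; accounturi=...', or ';' meaning "no CA"


# Constructed sample records, not real DNS data.
ZONE = {
    "example.com": [CAA(0, "issue", "ca-one.example"), CAA(0, "issuewild", ";")],
    "test.example.com": [CAA(128, "futuretag", "x")],  # critical property we don't know
}


def relevant_rrset(domain: str, zone: dict) -> list:
    """First CAA RRset found walking from the name up to the root (RFC 6844 s4)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; accounturi=...' -> 'ca.example'; a bare ';' yields '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(requested: str, ca_domain: str, zone: dict = ZONE) -> bool:
    wildcard = requested.startswith("*.")
    rrset = relevant_rrset(requested[2:] if wildcard else requested, zone)
    if not rrset:
        return True  # no CAA records anywhere up the tree: issuance unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False  # unknown critical property: the CA must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names only
    records = [r for r in rrset if r.tag.lower() == tag]
    if not records:
        return True  # relevant set restricts nothing for this request type
    return any(issuer_domain(r.value) == ca_domain.lower() for r in records)


if __name__ == "__main__":
    for name in ["www.example.com", "*.example.com", "test.example.com", "nocaa.example"]:
        print(name, "->", "issue" if ca_may_issue(name, "ca-one.example") else "refuse")
```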

        What is the lesson learned here? Not all CAs are created equal. Clearly CNNIC broke the rules and got caught. Whether it was intentional or not is being debated in public. It doesn’t appear from the evidence that this was intentionally malicious. Symantec and all the SSL issuing CAs are held to high standards with regard to the ecosystem rules, including the CA/B Forum Baseline Requirements, Network Security controls, and the Mozilla, Microsoft, Google, Apple and other root program requirements. We have strict controls in place to ensure sub CA certificates are either disclosed or constrained, have strong and knowledgeable vetting and authorization teams, obtain regular audits from accredited WebTrust auditors and work closely with the major browser vendors in the CA/B Forum. While we do issue sub CA certificates to third parties, we are well aware of the strict rules surrounding this practice and the need to remain vigilant. Symantec supports the use of CT, CAA, and HPKP technologies and urges adoption by all participants in the ecosystem.  In the end, it matters which CA you choose, so pick one that has a long track record and invests in its infrastructure to ensure its customers are protected.

      • Bridging the Gap between IT and the Business with Next Generation Cloud Security

        Mar 18 2015, 11:16 AM

        by Mike Smart 0

        To those of us that have been brought up in the world of IT, there is nothing scarier than users and lines of business choosing and deploying their own IT.  We’ve labeled it ‘Shadow IT’ because it’s technology that is used in the dark, without the knowledge of the IT Department.

        But actually, to the user or the line of business, it’s just innovation. The typically risk-averse IT departments are all about mitigating risk; after all, we’ve deployed anti-virus and intrusion prevention technologies to mitigate the risk of viruses and intrusions. This attitude of preventing risk is making us unpopular and irrelevant to the business, and this is why they often choose to bypass the IT procurement process.

        The fact is, users are more mobile than ever, and are comfortable taking corporate data and storing it on mobile devices or cloud storage applications all in the name of innovation and increased productivity.  Perhaps those of us in IT should find a way to embrace this and at the same time protect the business without imposing impractical policies and process.

        To help you bridge the gap, and allow users and the business to adopt flexible working practices that drive innovation through the adoption of mobility, cloud based systems and infrastructure, Symantec has released Identity: Access Manager.  Symantec™ Identity: Access Manager is a next generation access control platform that offers users and administrators control, convenience, and compliance for cloud-based applications.

        Access Manager starts by using Symantec Validation and ID Protection (VIP) and Symantec Managed PKI to bring integrated single sign-on (SSO) and strong authentication to mobile devices. With Access Manager, users can log in once using a password, PIN, or even a fingerprint to safely access all of their cloud apps and information. This helps secure mobile devices by eliminating bad password practices and gives your users fast, easy access to the resources they need.

        Also, Access Manager provides flexible, easy-to-create connectors and unified identity and context-based access control for virtually any cloud app or service, which means you can enforce your security and compliance policies, log your activities to stay compliant, and ultimately turn those rogue apps into legitimate productivity tools.

        Access Manager is every bit as flexible as it is powerful. You can choose to deploy it on-premises or in the cloud, depending on the needs of your organization. And because Access Manager integrates seamlessly with your existing infrastructure, it reduces complexity by providing a convenient central point for managing all of your different user directories.

        In summary, there are five good reasons to try Symantec Identity: Access Manager in your environment:

        • Ensures control, convenience, and compliance for public and private cloud applications
        • Enhances security with strong authentication and identity/context-based access control
        • Streamlines compliance auditing by consolidating access logs for protected users and applications
        • Boosts users’ productivity with Single Sign-On – one password grants access to all apps
        • Offers flexible deployment options: choose from an on-premises or hosted service

        If you want to find out more, visit our home page here:

      • Information protection everywhere begins with Symantec Identity: Access Manager (SAM)

        Feb 02 2015, 8:44 AM

        by Teresa Law 0

        So information protection everywhere begins with Symantec Identity: Access Manager (SAM)?  But what is information protection everywhere?

        • It’s prevention - scanning on-premise and in cloud apps to find sensitive files that should be secured
        • It’s user friendly protection – securing identities and access with simple, smart, and secure strong authentication; and protecting data in the enterprise or the cloud, at rest and in transit
        • It’s fast detection and rapid remediation – quickly identifying suspicious or risky behavior and automating responses
        • It’s about standards so integration with vendors' products is easy
        • And it begins with SAM

        Access Manager (SAM) is the platform on which Symantec’s information protection solution will be built: a comprehensive information protection solution that not only includes identity and access protection, but also information management, and a way to intelligently correlate unusual behavior or events identified by both.  Access Manager acts as the single access point for all cloud apps and services to ensure secure access and data integrity, similar to a Cloud Access Security Broker (CASB) or Cloud Access Control.

        But why does Symantec’s information protection start with Access Manager? The single access point provided by Access Manager is necessary, not just to help ensure that legitimate users are the only ones to gain access to sensitive corporate data, but also to identify users if there is a need to take action - enabling rapid response.  Identity provides the best means to correlate disparate events and Access Manager provides the unified identity.

        The introduction of Access Manager is just the beginning of information protection everywhere. Read more about Access Manager http://bit.ly/1H8H33G or visit the Access Manager website

      • VIP Push now available with Symantec Identity: Access Manager

        Oct 20 2017, 9:06 PM

        by Teresa Law 2

        Symantec Identity: Access Manager (SAM) now supports VIP Push and will soon support VIP Login.

        VIP Push

        When we introduced VIP Access Push we told you how much more convenient it is: you automatically receive a push verification on your registered mobile device upon sign-in, replacing the need to manually enter a security code. It’s just the push of a button.  We’ve now taken it one step further and made it available as the login method for SAM.  When combined with the SAM Single Sign-On portal, you can now log in to all your applications in a secure yet user friendly manner.


        VIP Access Push uses a challenge-response authentication technique and a 2048-bit asymmetric key to securely and uniquely identify the device and help protect against a security breach. You are notified on your device each time there is a login attempt and have the option to deny any request.  In the event that a mobile device is offline, you will have the option to use the six-digit security code from the same VIP Access app to authenticate. The VIP Access Push feature is supported on iOS and Android platforms.

        VIP Login

        As you can see from the SAM login portal, we also offer login using Symantec Managed PKI and are getting ready to support VIP Login.  VIP Login replaces the cumbersome password with a PIN defined by you.  Passwords get reused and can be difficult to remember, while a PIN is much simpler to remember and is generally not reused – think of your ATM card.


        To find out more about Symantec Identity: Access Manager, visit the website.

        Follow us on Twitter: @SymantecSAM, @SymantecVIP,  or @SymantecMPKI

      • To protect your enterprise, protect your vendors

        Nov 10 2014, 10:04 PM

        by Teresa Law 2

        We talk a great deal about using strong authentication to secure access for enterprise employees, but often we don’t think about how breaches at vendors could make our own enterprise vulnerable.  In some cases all an attacker needs is to steal a username and password from a vendor to begin their attack on your enterprise.  That is exactly what happened to Home Depot, and it is an excellent example of why not only you, but also your outside vendors, should be using strong authentication like Symantec VIP – Home Depot hackers exposed 53 million email addresses.  This kind of breach not only damages customer trust; Home Depot also estimates that the theft would cost about $62 million.

        “According to Home Depot, the attackers stole login credentials from an outside vendor and used this information to infiltrate Home Depot’s systems. They could then move from a peripheral third-party vendor system to the company’s main computer network by exploiting a Windows vulnerability. Microsoft released a patch for this bug after the breach began, but while Home Depot applied the patch when it was released, it was too late. The attackers could then move to more Home Depot computers, eventually reaching 7,500 of the company’s POS terminals at self-checkout lanes. However, the attackers may have missed 70,000 of the retailer’s standard cash registers as these terminals were only identified by numbers.

        The attackers moved through Home Depot’s network during regular business hours and used malware that stole data, transmitted details to a remote location, and deleted its traces. According to the investigation, the breach could have gone unnoticed for much longer if the attackers hadn’t put some of the stolen credit card details on sale while a number of Home Depot executives were on vacation for Labor Day.”

        The Symantec Internet Threat Report highlighted how attackers are using smaller businesses and the supply chain to attack larger entities - the Home Depot attack dramatically reinforces this finding.  Attackers are becoming more relentless, using multiple avenues to stage attacks.  Enterprises need to engage in a layered security approach to mitigate the risk.  A mandatory first step is ensuring that not only your enterprise but your vendors are securing access to their networks and applications.  Symantec VIP is a simple, smart, and secure way to easily add a second layer of protection to secure access.  A username and password may be compromised but a secure second factor will not.
