Blogs

      • Certificate Authority Authorization Checking: What is it, and why should you care?

        Aug 30 2017, 6:12 PM

        by Lee-Lin Thye 0

        Certificate Authority Authorization checking: what is it, and why should you care?

        The Public Key Infrastructure (PKI) ecosystem relies on root certificates operated by various certification authorities (CAs) like Symantec. Browsers ship a set of these roots as their trust store, and that is what they use to decide which websites can be trusted and which cannot.

        Up to now, any CA can issue a TLS certificate for any domain. That’s how the system works, and it’s good in the sense that it gives website owners and operators options to change CAs at their discretion. The downside to this is that certificate issuance can happen without the knowledge of website operators, either by mistake or intentionally by malicious actors.

        A number of technologies have been created to surface instances of “unknown” issuance, such as Certificate Transparency. These have been effective in making the internet a safer, more trustworthy place, but they are reactive measures: they only allow website operators to address the issue after it has happened.

        But is it possible to prevent certificates from being mistakenly or inappropriately issued? Yes. Enter: Certification Authority Authorization (CAA).

        CAA prevents unknown certificate issuance by:

        1. Allowing domain owners to specify which CAs are authorized to issue certificates for their domains; and

        2. Giving CAs the ability to check this authorization before issuing a certificate.

        In this article, we’ll explain how CAA works, and why making CAA checking mandatory is a good move for both customers and CAs.

        What is Certification Authority Authorization?

        A Certification Authority Authorization (CAA) record is a DNS Resource Record which allows a domain owner to specify which CAs are authorized to issue certificates for their domain(s) and, by implication, which aren’t.

        The idea is that a CA will check the CAA record(s) for a domain before issuing a certificate. The lookup does not stop at the exact name requested: if the name itself has no CAA records, the CA looks at its parent, then the parent’s parent, and so on, and the first name with CAA records supplies the applicable set. If no CAA record is found anywhere up the tree, the CA is free to issue a certificate, provided all other validation checks succeed. If it does encounter one or more CAA records, the CA can only issue a certificate if it is named in one of them as an authorized issuer for that domain. The whole process is designed to stop a CA from honoring certificate requests from parties the domain owner has not authorized, whether by mistake or by bad actors.

        Sounds great. Why isn’t everyone doing this?

        Symantec has been checking CAA records for years, but it’s not a common practice. There are two reasons why CAA checking isn’t widely practiced:

        1. Many domains don’t have a CAA Resource Record; and

        2. Checking CAA records is not mandatory.

        Because it may take some work to create a CAA record, it’s a matter of customers or website operators consciously opting-in, not opting-out. Many domain owners use a DNS hosting provider and CAA is not yet supported in some DNS implementations.

        This is why, so far, CAA records are mostly found at high-value domains. Those enterprises keep CAA records for their domains because they limit inappropriate (or malicious) certificate requests and make it easier to enforce company policy, i.e. only using a particular set of CAs.

        The limitations of CAA checking

        Of course, CAA checking has its limitations.

        First, a newly published CAA record does not invalidate certificates issued earlier by a CA other than the one the domain owner now names; those remain valid until they expire or are revoked. Second, it says nothing about whether a certificate presented by a web server is a legitimate certificate for that domain: CAA is consulted by CAs at issuance time, not by browsers at connection time.

        Furthermore, in order for CAA checking to be effective, all CAs need to be doing it; it doesn’t work if only one or two CAs are checking CAA records as a matter of process. CAA checking must be widely adopted if it is to serve its purpose, but the good news is that more than ninety percent of CAs (who are members of the CA/Browser Forum) are in favor of it.

        The times are changing: CAA checking will become mandatory

        In February 2017, the CA/Browser Forum passed a ballot (on which Symantec voted in favor) requiring all CAs (even those who aren’t a member of the Forum) to check for a CAA record as part of the certificate issuance process for each domain. In accordance with RFC 6844, a CA can no longer issue a certificate for a domain unless one of the following holds:

        1. The CA does not find any CAA records for the domain (or any of its parent domains); or

        2. The certificate request is consistent with the applicable CAA Resource Record(s).

        The rule is effective as of 8 September 2017. You can read the ballot in full here.
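        The following is an added example, not code from this post or from Symantec: it models, in Python over a constructed zone, the decision a CA makes once it has looked up CAA records, as described under “What is Certification Authority Authorization?” and in the two-part rule above. It follows the RFC 6844 semantics with the later clarifications of RFC 8659: climb from the requested name toward the root until a name with CAA records is found, refuse if an unrecognized property carries the issuer-critical flag (128), apply issuewild records to wildcard names and issue records otherwise, ignore anything after a “;” in the issuer value (parameters), and treat an empty issuer (“;”) as “nobody may issue”. The zone contents, the CA identifiers and the helper names are assumptions made for the example; a real CA queries DNS and must also follow CNAME aliases, which this model omits.

```python
# Added example, not from the original post: an offline model of the check a CA
# performs before issuance, per RFC 6844 as clarified by RFC 8659.
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit (RFC 6844 section 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse presentation-format CAA RDATA, e.g. '0 issue "digicert.com"'."""
    flags, tag, value = text.split(" ", 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data for the example (assumption); no real DNS is queried.
ZONE = {
    "example.com": [
        parse_caa('0 issue "digicert.com"'),
        parse_caa('0 issuewild ";"'),  # no CA may issue wildcard certs
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "locked.example.com": [parse_caa('0 issue ";"')],      # nobody may issue
    "odd.example.com": [parse_caa('128 futuretag "x"')],   # unknown + critical
    "api.example.com": [
        parse_caa('0 issue "letsencrypt.org; validationmethods=dns-01"'),
    ],
}


def relevant_record_set(fqdn: str, zone=ZONE):
    """Walk from the name toward the root; the first name with CAA records wins.

    A leading '*' label is dropped first, so '*.example.com' is checked as
    'example.com'. CNAME/DNAME alias following (RFC 6844) is omitted here.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_of(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain: str, fqdn: str, zone=ZONE) -> bool:
    """Return True if a CA identified by ca_domain may issue for fqdn."""
    _, rrset = relevant_record_set(fqdn, zone)
    if not rrset:
        return True  # no CAA records anywhere up the tree: no restriction
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # unknown issuer-critical property: MUST NOT issue
    wildcard = fqdn.startswith("*.")
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # e.g. only iodef, or only issuewild for a non-wildcard name
    return ca_domain.lower() in {issuer_of(r.value) for r in applicable}


if __name__ == "__main__":
    for ca, name in [("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "*.example.com"),
                     ("letsencrypt.org", "api.example.com")]:
        print(f"{ca:16} -> {name:18} {'ALLOW' if may_issue(ca, name) else 'DENY'}")
```

        Two details in the model are the ones CAs most often get wrong in practice: the climb to parent names, which means a record at the apex governs every subdomain that lacks its own, and the empty issuer (“;”), which is the documented way to forbid issuance entirely rather than a malformed record.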

        A good outcome for all companies

        Mandatory CAA record checking requires CAs to abide by the rules set out in specific CAA records, giving domain owners more control over certificate issuance. This makes it easier for companies (especially larger ones) to enforce a certificate issuance policy across business units. With CAA records published for every domain, a company can name a fixed set of CAs, knowing that any compliant CA will refuse to issue for its domains. This will help reduce the risk of certificate issuance by unauthorized CAs and help create a more secure and transparent online ecosystem.

        For more information on CAA with Symantec certificates, go to the Symantec Knowledge Center.

        Tags: Products, Certificate Authority, TLS, Thought Leadership, CA, Symantec Website Security, SSL, DigiCert Code Signing, certificates
      • Threat Isolation: Why You Can Now Browse Without Fear

        Oct 20 2017, 8:33 PM

        by Mark Urban 1

        The battle between malicious hackers and enterprise security practitioners has become an ever escalating arms race.

        Organizations would invest in anti-virus, anti-spam, and host intrusion prevention services to bolster their security. And it would work, for a time. Attackers reacted by upping their game and started to make progress again. Then advanced malware sandboxes came along to catch more sophisticated attacks.

        Before long, however, bad actors found new ways to slip their malware past even the most sophisticated network defenses, confounding beleaguered defenders with advanced persistent attacks, spear phishing and other exploits.

        And now cybercriminals have started to use encrypted channels, multi-vector and multi-phased attacks.

        When enterprise security practitioners use forensic tools to conduct breach investigations, they often trace breach sources back to employees who clicked on very clever phishing emails or were led to a risky website that quickly downloaded zero-day malicious content to their devices. The bad guys have become experts at using techniques like social engineering to trick employees into making security mistakes. It can be subtle: a new, clever website with a bit of bad JavaScript here, a malicious style sheet there, or maybe a document carrying only the last fragment of a malicious payload that activates after a day or two.

        The arms race script will repeat and change in ways we can’t know today.  But we’re looking to drive innovation in a different way – for the good guys.  

        Turning Point in the Malware Battle

        The advent of web and email isolation technology provides enterprises with a powerful tool to seal off their networks from infection, approaching security in a dramatically different way.

        The technology works by positioning itself between the users and the internet so that potentially malicious content gets executed in a secure, containerized environment, “isolating” the user from all code and content, good or bad. It works in the background, so there’s no impact on user experience.  They can interact with the website or the email content as if the isolation process was not even occurring.

        Early adopters in the healthcare, finance, government and telecommunications sectors are already deploying the technology to combat malware-laden threats arriving over the internet. But it is still early in what’s shaping up to be a major transition in the way security organizations fight malware. Indeed, Gartner, which included web isolation as one of the 10 most important technologies in the information security field, expects about 50% of enterprises will adopt isolation technology by 2021.  

        Since most attacks begin with malware delivered through email, URL links or malicious websites over the internet, the very act of moving the browsing process off the end-user’s device and isolating it in a network container removes the path by which that content would infect the endpoint.

        “This is a fundamentally different approach where malware can't get to the users any longer,” said Mark Urban, Symantec’s VP of Product Strategy and Operations. “I think this can be a game-changing technology.”

        It’s also why Symantec last week announced an agreement to acquire Israel-based Fireglass, whose leading edge technology creates virtualized websites that let users browse content without having to fear that viruses might infect their devices and corporate networks.

        Fireglass’s isolation technology deploys virtual containers which process web browsing sessions remotely. It delivers the end user a “visual stream” rather than the site’s own code and content. Because the session runs in a cloud or on-premises isolation container, ransomware and other malicious content are confined there instead of reaching endpoints or internal systems.

        “There’s no ability for code or content to reach users,” Urban noted. “It’s just a visual stream. Users can see it, click it, and interact with it just like normal. But nothing actually gets downloaded into their computer or executed into a browser except the visual image, which is harmless. All the HTML, Java, CSS – all the code – gets executed in a safe virtual container.  In some ways, it’s the ultimate protection because bad stuff can’t reach the end user.”

        The computing architecture in web and email isolation serves as a proxy that essentially isolates the users and devices inside the enterprise and carefully manages their connections to the outside world. It applies different technologies that analyze information and content to ensure that malware can’t get into the network.

        “There is no silver bullet. But having a multi-layer approach to detection – with anti-virus scanning, advanced malware sandboxes, and behavioral analytics – is critically important,” Urban said. “And isolation technology adds the latest high-impact capabilities to the mix, allowing employees to interact with higher-risk sites and emails in a safe and secure manner.”

        Isolation offers organizations a way to strike a balance between IT’s desire to keep the computing environment safe and employees’ need to access information over the public internet. Millions of hosts (domains, subdomains, or IP addresses) pop up every day, and many have life spans of less than 24 hours. Many organizations therefore set their Secure Web Gateways to block uncategorized sites because of the risk they represent, even though many of those sites are legitimate destinations for business purposes.

        “The age-old challenge for security organizations is to find the right balance between keeping users happy and keeping their computing environment safe,” according to Urban.

        “In a perfect world, these organizations would block everything that’s even a little bit risky, and users would be OK.” he continued, “but in the real world, users do complain and security has to strike a balance between risk and access.” With web and email isolation, Urban added, users can get to the information they need and the business is protected from any threats lurking in the shadows. “The isolation path gives them a lot more flexibility,” he said.

        What Does Fireglass Do?

        The core technology can be delivered on-premises or as a cloud-service. It intercepts and executes web requests in a remote secured environment and will offer users safe access to uncategorized websites, without risk of malware infection, since each website interaction is isolated from the network.  The same isolation benefits hold true for files delivered from the web - users access files through isolation instead of downloading them to their machines.

        Businesses can then let their users interact with these sites and documents to accomplish their tasks, knowing that any malware introduced via these sessions will remain isolated from their network and not infect their environment.

        The upshot: A more open environment, happier users and better threat prevention. Now that’s a winning combination.

        Tags: Products, DigiCert Complete Website Security, Thought Leadership, Symantec Website Security
      • Integrations, Integrations, Integrations…

        Jul 20 2017, 7:12 PM

        by peter_doggart 3

        In June 2017, we officially announced the new Symantec Technology Integration Partner Program (#TIPP), bringing together the Blue Coat and Symantec worlds and creating the largest and broadest technology partner eco-system in cyber security.

        In this blog, I wanted to share what this means for our customers as well as our technology partners, and showcase a new tool we call the Integrated Cyber Defense Map (Download the Map).

        Defending ourselves from cyber threats is hard. If you look at a typical enterprise, they will have acquired around 30-60 security vendors over the years, but unfortunately maybe only half of those would have been deployed. Why? Cyber-security requires discipline, a long-term viewpoint and for all these systems to work together to make operational sense. And that simply hasn’t happened. It’s a shame that many of these systems are just left on the shelf and not fully utilized.

        One can argue whether deploying 10 vendors is better than 60, but in any case it is critical that cyber security systems be able to share data and context about what they know: what has been blocked and why, what they have detected as suspicious, and so on. The Symantec Integrated Cyber Defense Platform, together with TIPP, sets up this framework.

        To help our customers understand how the Integrated Cyber Defense platform can help, we have created an interactive map of all internal and external partner technology integrations.


        This showcases many hundreds of integrations across our entire product portfolio and how they map to our own 24 product areas as well as our 23 partner solution categories and our 100+ TIPP partners.

        If you are a Symantec End Point or ProxySG customer, simply mouse-over that product to see all the current active partner solutions and then drill down to learn more. Alternatively, if you have deployed deception technologies, another EDR solution, simply mouse-over and find quickly which Symantec products work together. Access the Map Here.

        We have a very strong pipeline of additional integrations for 2017 so this map will be updated frequently.

        For our technology partners, we have also worked hard to make this the best program in the industry, with access to a rich set of APIs, product support, demo licensing for engineering and certification, documentation, and access to our community portal, Symantec Connect, with direct access to over 700,000 users.

        Any customers and partners wanting to learn more about TIPP, click here. https://www.symantec.com/partners/programs/technology-integration-partners

        Tags: Endpoint Protection Small Business Edition, PacketShaper, Endpoint Encryption, Managing Mobility, Endpoint Virtualization Suite, Endpoint Virtualization, Content & Malware Analysis, Symantec Website Security, Cloud Workload Protection, IT Management Suite Documentation, Web Security.cloud, Symantec Security Information Manager, Network Access Control, Network Forensics & Security Analytics, Protection Engine for Network Attached Storage, Cyber Security Exercise, Advanced Threat Protection, Endpoint Detection and Response (EDR), Symantec Mobility Device Management, Virtual Secure Web Gateway, Endpoint Protection Cloud, Data Loss Prevention and CASB - Symantec DLP Cloud and Symantec CloudSOC, Cloud-Delivered Web Security Services, Web Application Firewall & Reverse Proxy, Command Line, WebFilter Intelligence Services, Protection Suite Enterprise Edition, Protection for SharePoint Servers, CacheFlow, Control Compliance Suite, DeepSight™ Technical Intelligence, Symantec Mobility Suite, Data Center Security, Email Security.cloud, Data Loss Prevention, Data Loss Prevention Cloud Service for Email, Messaging Gateway, Advanced Threat Protection for Email, Management Center, Endpoint Management, Symantec Mobility Threat Protection, Encrypted Traffic Management, Client Management Suite, Symantec Protection Suites (SPS), Partners, Endpoint Suite, CloudSOC CASB Gateway, Protection Engine for Cloud Services, Web Gateway, Products, Authentic Document IDs for Brew, Certificate Lifecycle Platform, Endpoint Protection, Symantec Mobility Application Management, Embedded Security Critical System Protection
      • The modern eCommerce landscape: How compliance impacts success

        Apr 20 2017, 10:15 PM

        by Rufus Connell 0

        The more we rely on the web for personal and business use, the more important it is to keep it (and ourselves) safe from cyberthreats. The bulk of this responsibility falls on those in charge of websites, but once you understand the evolving cybersecurity landscape, you’ll realize you can actually shape it to your business advantage.

        Ushering in a new era of cybersecurity
        Key internet stakeholders, including web browsers, cybersecurity companies and organizations in the payment card ecosystem are joining forces and redefining best practices to create a safer, more sustainable internet:

        •    Chrome and Firefox are displaying “Not Secure” warnings on certain web pages that are not encrypted.
        •    Symantec and other security providers are supporting widespread data encryption.
        •    Payment card companies continue to innovate and drive stronger fraud prevention.

        The Payment Card Industry Security Standards Council (PCI SSC) recently updated an important Best Practices for eCommerce report. The update was created in collaboration with a special interest group including representatives from Symantec as well as merchants, financial institutions, service providers and other payment security professionals. The report offers:

        •    Additional guidance, beyond the PCI Data Security Standard (PCI DSS) itself, about best practices for securing eCommerce implementations.
        •    Useful information for selecting SSL/ TLS certificates (and the certificate authorities which provide them), especially those which are most appropriate for unique eCommerce environments.
        •    Questions merchants should ask their certificate authorities, eCommerce solution partners and other service providers.

        Staying ahead of these evolving best practices can help you not only protect your customers and your website —but improve your business and profitability.

        The stakes are high
        Cyberthreats are more pervasive than ever before. Customers are increasingly concerned about fraud, and failure to adhere to the latest compliance benchmarks can significantly impact your business. If a data breach occurs:

        •    Consumers lose confidence in your brand, making it difficult (if not impossible) to restore your image.
        •    The brunt of financial responsibility typically rests on merchants.
        •    Other liabilities exist in the form of fines and penalties, legal costs, lost jobs and more.

        In short, it all comes down to good governance. Without it, your site and your brand are at risk. With it, the eCommerce world is your oyster, and credibility and profit are the pearls within. 

        The road to success is paved with best practices
        Rather than burdening your business, compliance to evolving standards can actually open up new avenues of opportunity. But to capitalize upon them as an online merchant, your responsibilities include:

        •    Ensuring secure development of software and confirming Payment Application Data Security Standard (PA-DSS) validation of third-party apps
        •    Maintaining written agreements with third parties to ensure cardholder data is protected
        •    Strengthening SSL/TLS certificate authentication, minimizing risk and more

        The better you understand security guidelines, the easier it will be to stay competitive and build a sustainable online business.

        Ready to learn more?
        Register now to attend Online Trust: Where Compliance Meets Profitability, a live webinar that will be held on April 26 at 10 a.m. PST. Representatives from Symantec and VISA, key members of the PCI special interest group, will explore the intersection of compliance and profitability – and how the latest internet security best practices can benefit you, your customers and your business. 

        Tags: Products, DigiCert Code Signing, Products and Solutions, Symantec Website Security
      • An Update for our Symantec CA Customers

        Oct 20 2017, 9:14 PM

        by Roxane Divol 0

        In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.  The text of our most recent customer communication is below: 

        ****************************************** 

        It's important that we keep the lines of communication open with you as we continue to deliberate possible changes to how we support your website security needs in response to Google's proposal. There is no doubt that these proposed changes would create a ripple effect across the entire industry. Following up on my previous Message To Our CA Customers, I wanted to provide you with an update on the progress we have made in response to Google's proposals.  

        In the weeks since Google shared its initial proposal, we have met with Google several times and have also embarked on an industry-wide listening tour to understand the impact that any changes may cause to our customers, partners, and the PKI ecosystem. Our goal is to find a combined path forward that will ensure business continuity for our customers and peace of mind for all browsers and other industry stakeholders.  

        These conversations have been both encouraging and instructive. And the input we've received from our industry stakeholders, partners, and most importantly, our customers, gives us confidence that we can come to the table with an alternative proposal that will serve the shared interests of the entire industry.  

        We have also heard consistently from customers like you that the transition to fully adopt Google's proposal within its suggested timeframe would cause significant business disruption and additional expense - especially within complex IT infrastructures. Mitigating these concerns is a top priority for us as we develop our counter proposal and provide responses to the salient questions the community has posted online. While we believe Google understands the burden their proposal creates, if they decide to move ahead with their original plan, I want to reassure you that Symantec will keep your websites, web servers or web applications operational across all browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period.  

        While we've made solid progress, we have plenty of work left ahead of us and I hope you will continue to consider us a trusted security partner as we address the challenges before us. I firmly believe that the only way to improve is by listening. If you have thoughts on shorter validity certificates, automation, or the value of extended validation (EV), please don't hesitate to reach out to me or voice your concerns anonymously by participating in a brief online survey.  

        Your input is invaluable and I thank you for your continued support.  

        Best regards, 

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

        Tags: Products, DigiCert Complete Website Security, Products and Solutions, Symantec Website Security
      • A Message To Our CA Customers

        Oct 20 2017, 8:22 PM

        by Roxane Divol 3

        In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.  The text of our most recent customer communication is below:

        ******************************************

        On March 23, Google posted a blog on a public forum outlining a set of proposals targeted at Symantec SSL/TLS certificates. This was unexpected, and I wanted to reach out to explain what this proposal means for Symantec customers and how we will respond to Google’s proposal, if implemented, in order to ensure business continuity for you. I also want to address Google’s claims about Symantec’s certificate issuance processes and reaffirm our continued commitment to transparency of our practices as a public certificate authority.

        First and foremost, I want to reassure you that you can continue to trust Symantec SSL/TLS certificates. Google has outlined proposals, not actions. We object to its proposals and intend to engage with Google to work through its concerns.

        To be specific, the key terms of Google’s proposal are as follows:

        1. Over time, Symantec would need to revalidate and reissue previously issued certificates

        2. Maximum validity of newly issued Symantec Certificates would be reduced to 9 months

        3. Extended Validation (EV) treatment of Symantec certificates would be removed for at least one year

        In the event Google implements its proposal, Symantec will ensure your websites, webservers or web applications continue to work across browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period. In addition, Google’s proposal requires shorter validity certificates, which we would support. We anticipate Google may attempt to impose this shorter validity period on the entire industry, as they have previously tried to do so through an initiative at the CA/Browser forum that was voted down. Shorter certificate validity periods increase customer expense, which we are working to reduce by making considerable investments in automation. We would work with our customers to provide tools to manage any validity period changes that Google might unilaterally impose.

        Finally, while Google and Chrome have long been working to remove special treatment for EV certificates in general, other browsers continue to recognize it. We will continue to work with Google and other members of the CA/Browser forum on security best practices for the industry. Our customers get value from the extensive validation on our EV certificates, and derive meaningful results from them. Our brand is powerful: our certificates secure more than 80% of ecommerce revenue and our Norton Shopping Guarantee on average increases ecommerce revenue by more than 5%.

        We are proud to be one of the world’s leading certificate authorities. We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet.  Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.  Symantec has also been a champion of Certification Authority Authorization (CAA), and asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA.  Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

        Google’s blog statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event referred to by Google, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed. 

        We do not believe Google’s proposal is in the best interest of the Internet community. We are working to resolve the situation with Google in the shared interests of our joint customers and partners.

        In closing, we take certificate issuance very seriously. The events that prompted Google to propose these changes have been addressed with the utmost transparency. We are working hard to ensure that this proposal does not create disruption for you. Please let me know if you would like to schedule a call.

        Best Regards,
        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

        Tags: Products, DigiCert Complete Website Security, Products and Solutions, Symantec Website Security
      • Symantec Backs Its CA

        Oct 20 2017, 8:21 PM

        by connect 8

        At Symantec, we are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.  

        Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading.  For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed. 

        While all major CAs have experienced SSL/TLS certificate mis-issuance events, Google has singled out the Symantec Certificate Authority in its proposal even though the mis-issuance event identified in Google’s blog post involved several CAs.    

        We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet.  Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.  Symantec has also been a champion of Certification Authority Authorization (CAA), and has asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA.  Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites. 

        We want to reassure our customers and all consumers that they can continue to trust Symantec SSL/TLS certificates.  Symantec will vigorously defend the safe and productive use of the Internet, including minimizing any potential disruption caused by the proposal in Google’s blog post.  

        We are open to discussing the matter with Google in an effort to resolve the situation in the shared interests of our joint customers and partners.

      • Website Identity- The Key to Safety in E-Commerce

        Oct 20 2017, 9:17 PM

        by Dean Coclin 0

        Website identity is important for user safety. While encryption is important, knowing who you are encrypting to is paramount when conducting online transactions. While many users can identify the green bar/lettering associated with an Extended Validation (EV) certificate, recent user interface (UI) changes by browsers make it more difficult to differentiate these certificates from low value, domain validated certificates. This makes it a challenge to figure out the true owner of the website.


        For example, Chrome recently changed the certificate UI for Domain Validated (DV) certificates to show a green padlock. With an increase of DV certificates used by fraudsters for phishing (see: http://toolbar.netcraft.com/stats/certificate_authorities), it is becoming more and more difficult for users to determine if a site is legitimate. DV certificates don’t identify the entity behind the website. You just know you are connected to www.example.com. There is no ownership information vetted about example.com. Organization Validated (OV) and EV certificates provide ownership information allowing a user to know who the site belongs to. But unfortunately, browsers do not distinguish sites with these types of certificates.

        This chart from the CA Security Council (CASC) shows the confusing UIs that are in current browsers: https://casecurity.org/browser-ui-security-indicators/. It’s no wonder that users have trouble understanding the differences in the various certificates. And they are constantly changing.  

        A proposal from the CASC for a common, easy to understand, user display for website identity is shown below:


        The members of the CASC, which include the 7 largest SSL issuers in the world, are endorsing a paper on Website Identity Principles, which was presented at the RSA Conference on February 15, 2017. There are three main principles that summarize the intent of this paper:

        1. Website identity is important for user safety.

        2. Different TLS certificate types that are used to secure websites – Extended Validation (EV), Organization Validated (OV), and Domain Validated (DV) certificates – should each receive a separate, clearly-defined browser UI security indicator to tell users when a website’s identity has been independently confirmed.

        3. Browsers should adopt a common set of browser UI security indicators for different certificate types, and should educate users on the differences among these indicators for user safety.

        More information on these principles is available on the CASC website (https://casecurity.org/identity/).
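        The difference the post draws between DV and OV/EV certificates is visible in the certificate itself: a DV leaf names only domains, while an OV or EV leaf also carries a vetted organisation in its Subject. The following Go program is an added example, not code from the post or from the CASC; it builds two constructed self-signed leaves (one domain-only, one with an Organization, Locality and Country) and classifies each by whether the Subject O field is present. That heuristic is an assumption of the example; EV is additionally signalled by CA-specific policy OIDs, which the example does not check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IdentityInfo summarises what a leaf certificate tells a visitor about the
// site: the domain names it covers and, if present, the vetted organisation.
type IdentityInfo struct {
	Domains        []string
	Organization   string
	HasOrgIdentity bool
}

// ClassifyIdentity inspects the Subject and SAN fields of a certificate.
// Heuristic assumed by this example: a non-empty Subject O (Organization)
// marks an OV- or EV-style certificate; a certificate carrying only domain
// names is DV-style. EV is further signalled by CA-specific policy OIDs,
// which this example does not check.
func ClassifyIdentity(cert *x509.Certificate) IdentityInfo {
	info := IdentityInfo{Domains: cert.DNSNames}
	if len(info.Domains) == 0 && cert.Subject.CommonName != "" {
		info.Domains = []string{cert.Subject.CommonName} // legacy CN-only certs
	}
	if len(cert.Subject.Organization) > 0 && cert.Subject.Organization[0] != "" {
		info.Organization = cert.Subject.Organization[0]
		info.HasOrgIdentity = true
	}
	return info
}

// Describe renders the information a browser UI could show the user.
func Describe(info IdentityInfo) string {
	if info.HasOrgIdentity {
		return fmt.Sprintf("connected to %v, operated by %q (organisation vetted by the CA)",
			info.Domains, info.Organization)
	}
	return fmt.Sprintf("connected to %v; the certificate names no organisation", info.Domains)
}

// selfSigned builds a throwaway self-signed leaf with the given subject so the
// example runs offline. These are constructed samples, not CA-issued certs.
func selfSigned(subject pkix.Name, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DVSample mimics a domain-validated leaf: domain names only.
func DVSample() (*x509.Certificate, error) {
	return selfSigned(pkix.Name{CommonName: "www.example.com"},
		[]string{"www.example.com", "example.com"})
}

// OVSample mimics an organisation-validated leaf: domain names plus a
// vetted organisation, locality and country in the Subject.
func OVSample() (*x509.Certificate, error) {
	return selfSigned(pkix.Name{
		CommonName:   "www.example.com",
		Organization: []string{"Example Corp"},
		Locality:     []string{"Mountain View"},
		Province:     []string{"California"},
		Country:      []string{"US"},
	}, []string{"www.example.com"})
}

func main() {
	for _, build := range []func() (*x509.Certificate, error){DVSample, OVSample} {
		cert, err := build()
		if err != nil {
			panic(err)
		}
		fmt.Println(Describe(ClassifyIdentity(cert)))
	}
}
```

        Run it and the two lines of output show exactly the gap the post describes: the DV-style leaf tells the visitor only which host names they reached, while the OV-style leaf also names who operates it. Pointing ClassifyIdentity at a leaf obtained from a live TLS connection (for example the first element of tls.ConnectionState.PeerCertificates) gives the same read-out for a real site.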

      • Combat Advanced Malware With Security and Threat Protection Designed for the Cloud Generation

        Oct 21 2017, 12:02 AM

        by Gerry Grealish 1

        Hackers continue to show endless ingenuity in penetrating corporate networks. In fact, some recent malware attacks made headlines by crippling corporations, robbing shareholders, and damaging the credit of thousands of consumers. These attacks make it clear that cybercriminals continue to evolve, creating threats that can bypass the security defenses of many organizations. Some advanced malware can even sense threat defenses and mutate like a biological virus.

        Determined hackers, coupled with the expanding adoption of cloud applications and the explosion of mobile workforce devices, mean that enterprises must find new ways to protect themselves from increasingly sophisticated, malicious attacks. It’s a daunting challenge; where can organizations find a solution to combat threats defined by devices, applications, and users everywhere? The answer can’t be found by looking to the stars. However, if you cast your line of sight toward the clouds, you’ll have a clue as to where you should look for a more innovative enterprise security solution.

        The Issue: Evolving Nature of Threats

        As network security advances, so does malware. It is more aware and adaptive than ever, looking for new delivery channels and mutating to evade behavior detection. A few examples include:

        Virtual machine awareness—An increasing number of attackers are creating malware that can detect when it’s operating in a virtual sandbox environment and can execute techniques to disguise itself.

        Polymorphic files and URLs—Malware files can morph and mutate like an infectious virus to escape signature-based detection. Using automated systems, hackers continually change the look of their files and flood these files toward your defenses, hoping one of them will penetrate and begin to operate. Attackers can do similar things with URLs by using domain-generating algorithms (DGAs) to mathematically compute new domains, making it difficult for techniques such as blacklisting to keep pace.

        Multistage, multivector attacks—Sophisticated cybercriminals stage multiphase attacks to get through corporate defenses. Hackers select web-based, email, and file-based intrusions, coordinating them to achieve desired results.

        Encrypted communication—Because most network security systems are unable to scan encrypted data to detect malware, hackers find it effective to use SSL to build communication tunnels between embedded malware and remote command and control (C&C) servers.

        Misleading file types—Malware may masquerade as harmless files. For example, some malware files may pretend to be JPEGs but actually have executable files inside of them. Another malware file can later change itself into an executable (.exe) to unleash the malware inside your network.

        User interaction triggers—Malware may pretend to be legitimate, displaying a friendly or familiar looking dialog box that asks users to install some software. When the user allows the installation, the malware goes into operation.   

        Unique and targeted malware—Some malware can be incorporated into a targeted “spear-phishing” attack. If it’s aimed at you, it will trick you into opening a file by using information specific to you. Once opened, the hackers go after the specific assets they’re looking for.
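        The “misleading file types” item above is one of the cheapest evasions to catch at the gateway, because a file’s extension and its leading bytes are independent and a mismatch is itself a signal. The Go program below is an added example, not Symantec code and not part of the original post; it sniffs a small table of magic numbers (assumed by the example), compares the result with what the extension claims, and also scans for the DOS-stub text that most Windows executables carry, so a PE appended to an otherwise valid JPEG is flagged as well. All samples are constructed inline.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// Leading bytes ("magic numbers") of a few common formats. Assumed by this
// example; the list is deliberately small.
var magics = []struct {
	kind  string
	magic []byte
}{
	{"jpeg", []byte{0xFF, 0xD8, 0xFF}},
	{"png", []byte{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}},
	{"pdf", []byte("%PDF-")},
	{"pe", []byte{'M', 'Z'}}, // Windows executable (.exe, .dll, .scr)
	{"elf", []byte{0x7F, 'E', 'L', 'F'}},
	{"zip", []byte{'P', 'K', 0x03, 0x04}}, // also docx/xlsx/jar containers
}

// Content kind each extension is expected to carry.
var expectedByExt = map[string]string{
	".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
	".exe": "pe", ".dll": "pe", ".zip": "zip",
}

// Text placed in the DOS stub of virtually every PE linker output; finding it
// anywhere in a non-executable file is a cheap indicator of an embedded PE.
var dosStub = []byte("This program cannot be run in DOS mode")

// SniffType returns the content kind implied by the leading bytes, or "unknown".
func SniffType(data []byte) string {
	for _, m := range magics {
		if bytes.HasPrefix(data, m.magic) {
			return m.kind
		}
	}
	return "unknown"
}

// Verdict is the result of checking one file.
type Verdict struct {
	Name       string
	Claimed    string // kind implied by the extension ("" if none expected)
	Actual     string // kind implied by the magic bytes
	Mismatch   bool   // extension and content disagree
	EmbeddedPE bool   // a PE stub appears somewhere past the header
}

// CheckFile compares what the name claims against what the bytes show.
func CheckFile(name string, data []byte) Verdict {
	v := Verdict{Name: name, Actual: SniffType(data)}
	v.Claimed = expectedByExt[strings.ToLower(filepath.Ext(name))]
	v.Mismatch = v.Claimed != "" && v.Claimed != v.Actual
	// Only look for an embedded stub in files that are not themselves PEs.
	v.EmbeddedPE = v.Actual != "pe" && bytes.Contains(data, dosStub)
	return v
}

// Suspicious reports whether a verdict warrants blocking or deeper analysis.
func Suspicious(v Verdict) bool {
	return v.Mismatch || v.EmbeddedPE
}

func main() {
	// Constructed samples: a real JPEG header, a PE header renamed to .jpg,
	// and a JPEG with a PE stub appended after the image data.
	jpeg := append([]byte{0xFF, 0xD8, 0xFF, 0xE0}, []byte("...image data...")...)
	renamedExe := append([]byte("MZ\x90\x00"), dosStub...)
	jpegWithPayload := append(append([]byte{}, jpeg...), renamedExe...)

	for _, s := range []struct {
		name string
		data []byte
	}{
		{"photo.jpg", jpeg},
		{"holiday.jpg", renamedExe},
		{"wallpaper.jpg", jpegWithPayload},
		{"setup.exe", renamedExe},
	} {
		v := CheckFile(s.name, s.data)
		fmt.Printf("%-14s claimed=%-6q actual=%-9q mismatch=%-5v embeddedPE=%-5v suspicious=%v\n",
			v.Name, v.Claimed, v.Actual, v.Mismatch, v.EmbeddedPE, Suspicious(v))
	}
}
```

        The stub-text check is a heuristic, not proof: a packed or hand-built PE may omit the string, so in production this sits in front of the behavioural analysis the post goes on to describe rather than replacing it. Files with no expected type (an unknown extension) are reported but not flagged, which keeps the check from producing the false positives the post warns about.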

        Enter: the Cloud (or Cloud-Delivered Security) 

        Threat defense needs to be reimagined to address not only the sophisticated nature of the threats just described, but also to ensure it aligns with the realities of how organizations are accessing the web and corporate applications. If your workforce is increasingly distributed, with laptops and mobile devices going directly to the internet to access SaaS applications, cloud-delivered security and threat protection needs to be on your radar. Cloud-delivered security can be easily provisioned to tackle the security and threat protection needs of all of your web traffic. And the benefit of a subscription-based service is that it can easily be scaled up or down to meet changing needs. In addition to ease of deployment, you need to make sure it can deliver the top-notch threat prevention you require. A deeper look at the Symantec cloud-delivered security service will help you understand why customers consider our solution to be truly enterprise-class.

        The Solution: Symantec Cloud-Delivered Security, Malware Analysis Services  

        Symantec’s Research and Development organization has been busy working to ensure we have strong capabilities to address evolving new attack techniques. We developed a multitiered system that includes advanced analysis techniques to identify and neutralize malware designed to evade detection technology. These techniques block known threats, analyze anything new and unknown, and combat evolved attacks. The entire system is designed to make sure that you get enterprise-class protection while ensuring that false positives remain extremely low (so precious security and incident response personnel are not wasting time chasing false alarms).


        Web Security Service Leverages the Symantec Global Intelligence Network

        Symantec cloud-delivered Web Security Service (WSS) is fed by our global intelligence network (GIN), the world’s premier civilian cyber defense threat intelligence service. The GIN gives your enterprise the ability to filter URLs into granular categories with defined risk scores. The network uses threat information and telemetry data from 15,000 enterprises and 175 million consumer and enterprise endpoints to categorize and analyze threats posed by more than a billion previously unseen and uncategorized websites each day and more than two billion daily emails sent/received by our customers. Symantec’s unique expertise and analytics use this information to define the “known bad” files and locations your organization should avoid. Web and file access control policies set in the Symantec WSS ensure that the “known bads” stop at your doorstep and don’t harm your company. The Symantec WSS also leverages content analysis capabilities that perform further analysis on risky files using dual malware engines, as well as comparisons against blacklist/whitelist files.

        Symantec Malware Analysis Service

        Because it’s extremely difficult for malware authors to evade both virtual and emulative environments, the Symantec Malware Analysis Service works with Symantec WSS to add behavior analysis and sandboxing capabilities for advanced threat detection and prevention. The service uses a powerful combination of emulation and virtualization to identify malicious code. Virtualization takes place in a virtual machine that is a fully licensed version of Windows in which the user can install any application (Office, Adobe, Quicken, or custom applications). We call it Intelligent VM (iVM). The emulative sandbox environment is not Windows software; it’s a fully recreated computing environment based on a Windows-like API. In this completely controlled artificial space, users can make the malware think it’s interacting with a real computer.

        The Cloud Makes it Easy—Give it a Try

        The Symantec WSS, along with the integrated Symantec Malware Analysis Service, is designed to give you the protection you need to deal with the rapidly evolving advanced threats that are attacking your network each and every day. Contact us to learn how our subscription service can help your enterprise protect its corporate assets. Use Symantec to help you enable your enterprise by reliably passing the “known good” and protect your enterprise by reliably blocking the “known bad” and accurately analyzing the “unknown.”

        Learn more at go.symantec.com/cloudsecurity

      • Website Not Secure? How to Fix Now!

        Oct 20 2017, 8:11 PM

        by jeff_barto 0

        You’ve heard recent news about security breaches at Yahoo and hacking allegations during the 2016 presidential election. These are just two examples of the recurring nightmare of real dangers on the Internet – which hurt organizations of all sizes and potentially anyone on the web. Google Chrome, Mozilla Firefox and other web browsers are all too familiar with these kinds of cybersecurity risks and are making helpful changes to protect all of us.  But you need to understand that they might not help your website unless you take immediate action.

        In November 2016, I wrote about a simple idea published inside USA Today which has huge implications – the more a person trusts a business, the better it is for that business. Further, our Symantec Website Security Team created a timely, useful content hub that’s all about helping you to prepare for browser changes and be trusted in 2017; follow the conversation on Twitter with #BeTrusted2017.


        Why is this topic important right now?

        It’s 2017 and already, Google Chrome and Mozilla Firefox are actively judging web pages containing password and payment input fields, but without using encryption, to be Not Secure – and displaying those scary terms right in the URL bar. Changes like these are a forcing function for all businesses – from sole proprietorships to the busiest websites – to move from non-secure HTTP to more secure HTTPS, now. It’s also creating an opportunity to become more compliant and competitive from a trustworthiness perspective.

        This transition period is a meaningful opportunity for you to create more trust on the web which could support your digital business, e-commerce, customer experience, and search engine optimization objectives going forward.

        Website Security Webinar: January 31, 2017

        Given browser changes and known website security threats, join Dave Corbett and me on January 31st for a useful webinar that will provide a step-by-step approach to assessing your website security situation and switching from HTTP to HTTPS. We’ll also cover our ‘Be Trusted Framework’ and ‘Website Security Math’ ideas to provide context and relevant insights. As a preview for the webinar, watch and share this brief video.

        Ten Steps to Switch from HTTP to HTTPS

        If you’re concerned about possible financial losses, site traffic slowdowns or brand damage due to lack of customer trust, here’s a quick overview of how to encrypt your website with an ‘Always-On SSL’ approach. We’ll cover these ten steps in more detail during our January 31st webinar:

        1. Evaluate your website for security vulnerabilities
        2. Do a full back-up of your site before making any changes
        3. Make the right SSL choice – extended validation certificates are recommended
        4. Install and test SSL certificate(s) to ensure they’re working as required
        5. Remove mixed content by replacing HTTP references with HTTPS pointers
        6. Fix server protocol and cipher suite settings
        7. Redirect HTTP traffic to HTTPS
        8. Implement an automated scanning system that will help you be more proactive
        9. Set the secure flag for all session cookies
        10. Implement HTTP Strict Transport Security (HSTS)
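        Steps 5, 7, 9 and 10 are the ones that live in server code rather than in a certificate order form, and they are easy to get subtly wrong (an HSTS header served over plain HTTP is ignored; a session cookie without the Secure flag still leaks over the HTTP redirect). The Go program below is an added example, not code from the post or from Symantec; it shows a permanent HTTP-to-HTTPS redirect, an HSTS-adding wrapper for the TLS listener, a session cookie with the Secure flag, and a small src= scanner for leftover mixed content. The cert.pem/key.pem paths and the cookie value are placeholders, and the scanner's src-only rule is a simplification assumed by the example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"regexp"
)

// RedirectToHTTPS answers every plain-HTTP request with a permanent redirect
// to the same path on HTTPS (step 7).
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// WithHSTS wraps an HTTPS handler so every response carries a
// Strict-Transport-Security header (step 10). Serve this only over TLS:
// browsers ignore HSTS on plain HTTP, and a long max-age locks visitors to
// HTTPS, so start small and raise it once the site works end to end.
func WithHSTS(next http.Handler, maxAgeSeconds int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security",
			fmt.Sprintf("max-age=%d; includeSubDomains", maxAgeSeconds))
		next.ServeHTTP(w, r)
	})
}

// SetSessionCookie issues the session cookie with the Secure flag (step 9) so it
// is never sent over plain HTTP, plus HttpOnly and SameSite as defence in depth.
func SetSessionCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
}

// mixedContent matches subresource attributes that still point at http://
// (step 5). Heuristic assumed by this example: only src= attributes;
// <link href> and CSS url() are left to a fuller scanner.
var mixedContent = regexp.MustCompile(`(?i)\bsrc\s*=\s*["'](http://[^"']+)["']`)

// FindMixedContent returns the plain-HTTP subresource URLs in an HTML page.
func FindMixedContent(html string) []string {
	var urls []string
	for _, m := range mixedContent.FindAllStringSubmatch(html, -1) {
		urls = append(urls, m[1])
	}
	return urls
}

func main() {
	app := http.NewServeMux()
	app.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		SetSessionCookie(w, "opaque-random-token") // placeholder; use a CSPRNG value
		fmt.Fprintln(w, "logged in over TLS")
	})
	// Port 80 only redirects; the application lives behind TLS on 443.
	go func() { log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(RedirectToHTTPS))) }()
	// cert.pem / key.pem stand for the certificate installed in step 4.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", WithHSTS(app, 300)))
}
```

        The redirect handler deliberately never sets the session cookie or the HSTS header, so nothing sensitive is ever emitted on the plain-HTTP side; everything that matters is attached only by handlers reachable through the TLS listener. Run FindMixedContent over your rendered pages before flipping the redirect on, since a single http:// image tag is enough to lose the padlock the whole exercise is meant to earn.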

        Clearly, just implementing a few of these will get your site compliant with the browser changes – but there’s way more to demonstrating security and trustworthiness than merely encrypting data.  Users want to know that they’re really on your site (not a fake site), that you operate a legitimate organization, and that they are safe to proceed. 

        Website Security Content to Help You Now

        If you’re a website developer, e-commerce or marketing leader, or IT security practitioner for an organization that serves businesses and/or consumers on the web, I recommend you carve out just 60 minutes to tune into our helpful January 31st webinar. If you’re unable to participate, we’ll provide an on-demand version shortly after it’s aired live; either way, there is useful content to download at any point.

        Our content hub is also a fantastic resource for you and your team to get complimentary best practices and how-to info, participate in live discussions and webinars, read and share blog posts from our website security experts, and choose SSL/TLS certificates that are right for your organization. 

        Is your website not secure? We can help you fix this digital business problem right now!

