Blogs

      • Protect your Business Reputation: Implement Always-On SSL

        Apr 27 2016, 11:59 PM

        by Neel Majumdar 0

        No one can escape the challenges of keeping up with a perpetually evolving cyber security environment, and no one can any longer write off fraud as something that only happens to others. In December 2014 research by TeleSign and RSA, just 11% of US companies said they hadn’t experienced any fraudulent incidents on their ecommerce sites in the past 12 months. (Source: Cyber security study conducted by J Gold and Associates, Feb 2, 2015.)

        Fraud victims can wave bye-bye to hard-earned bucks. More than one-third of businesses reported losing between 1% and 5% of revenues due to online fraud in the past year. Online businesses don’t just risk losing dollars, though—they can also see the departure of many customers.

        Of course, “fraudulent activity” comprises many risks, and further research highlights the wide range of issues online and mobile retailers must work against. Malware was the biggest issue, on PCs and web browsers as well as mobile devices. E-wallet fraud and app-related risks followed, with account takeovers and password guessing behind them. If online businesses don’t better protect themselves from fraudulent activity, not only will they continue to fall victim to such incidents, they also risk losing more money and customers as malware, hackers and the like become more advanced.

        I know, it’s easy to read this article and feel overwhelmed, but understand that half of the website security battle is knowledge and learning. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.

        A company that is serious about protecting its customers and its business reputation should implement Always-On SSL with SSL certificates from a trusted Certificate Authority. You can find out all about Always-On SSL here. Google now favours websites that implement HTTPS across their entire site. Keep your visitors safe with Always-On SSL and Google will reward you with an SEO ranking boost.

        As if that were not enough, many browsers now trigger security warnings when a user hops between secured and unsecured connections. Ensure your customers experience your website as intended with Always-On SSL. SSL and website security are now in the public consciousness, and if you’re not doing your part you could find yourself being publicly shamed on HTTP Shaming, a site set up by software engineer Tony Webster.

        When it comes to businesses and their websites, good security processes and implementation are all that stand in the way of total ruin, financial and reputational.

        So make sure you’re secure in 2016 with Symantec

        • Products
        • Malware Scan
        • Vulnerability Assessment
        • Symantec Website Security
        • DigiCert Code Signing
        • Products and Solutions
        • website security
      • Most Dangerous Web Application Security Risks

        Sep 02 2015, 4:01 AM

        by Sathya Narayanan Balakrishnan 1

        As everybody knows, the top 10 dangerous web app security risks are:

        1. Injection flaws
        2. Cross-site scripting
        3. Broken authentication and session management
        4. Insecure direct object reference
        5. Cross-site request forgery
        6. Security misconfiguration
        7. Insecure cryptographic storage
        8. Failure to restrict URL access
        9. Insufficient transport layer protection
        10. Unvalidated redirects and forwards

        Being a new techie to Symantec and Symantec products, may I know what Symantec's contributions and updates are for these security risks?

        May I also ask everyone to kindly share an example of an incident you may have come across in the past, where one of these security risks wasn't detected and ended up in major chaos.

        Many thanks

        Best regards

        Sathya Balakrishnan

        Information Security Response Analyst


        • Symantec Security Information Manager
        • Voice of the Customer
        • Endpoint Encryption
        • DigiCert Code Signing
        • Security Community Blog
        • Web Gateway
        • Products
        • 12.x
        • Malware Scan
        • Vulnerability Assessment
        • Symantec Website Security
        • DigiCert SSL TLS Certificates
        • Endpoint Protection
        • Web Security.cloud
      • The FREAK Vulnerability: What You Need to Know

        Oct 20 2017, 8:43 PM

        by Unknown 3

        A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. It’s a threat because FREAK allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software and Microsoft's SChannel library, but it is only exploitable on poorly configured web servers. Both clients and servers are at risk. Web site owners can protect their sites by properly configuring their web servers. End users will need to wait for software vendors to release new versions that include a fix.

        Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended; no certificate replacement is needed.

        Organizations should evaluate their web servers to determine if they are vulnerable. Symantec offers an easy-to-use check in its SSL Toolbox that lets customers verify whether their web sites are safe or vulnerable. At the time of this writing, Symantec is evaluating its own systems and no Symantec web servers appear to be vulnerable.


        Technical Details:

        It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the use of so-called Export Ciphers. In Apache/OpenSSL documentation, for example, the names of these ciphers all begin with EXP (from https://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

        • EXP-DES-CBC-SHA
        • EXP-RC2-CBC-MD5
        • EXP-RC4-MD5
        • EXP-EDH-RSA-DES-CBC-SHA
        • EXP-EDH-DSS-DES-CBC-SHA
        • EXP-ADH-DES-CBC-SHA
        • EXP-ADH-RC4-MD5

        If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

        • NULL-SHA
        • NULL-MD5

        In Windows, the names of export ciphers contain the string “EXPORT”. Here is a list taken from http://support.microsoft.com/kb/245030:

        • SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
        • SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
        • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        • SSL_RSA_EXPORT_WITH_RC4_40_MD5
        • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        • TLS_RSA_EXPORT_WITH_RC4_40_MD5
        • NULL

        We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.
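One way to put the two cipher lists above into practice, as an added example that is not part of the original post and not a Symantec tool: the script below takes a server's enabled-cipher list (OpenSSL-style names as used by Apache and nginx, or SChannel-style names as used by IIS), flags export and NULL suites for removal, and emits a hardened OpenSSL cipher string for the Apache `SSLCipherSuite` directive. The sample cipher lists are constructed for the demonstration; the `!EXPORT`, `!eNULL` and `!aNULL` keywords are OpenSSL's own exclusion syntax.

```python
import re

# Constructed sample lists for the demonstration. The weak names are the export
# and NULL suites quoted from the Apache mod_ssl and Microsoft KB245030 lists
# above, padded with a few ordinary suites so the audit has something to keep.
SAMPLE_OPENSSL_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "EXP-DES-CBC-SHA",
    "EXP-RC4-MD5",
    "EXP-ADH-RC4-MD5",
    "NULL-SHA",
    "DES-CBC3-SHA",
]

SAMPLE_SCHANNEL_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA",
    "NULL",
]

# OpenSSL export names start with "EXP-"; SChannel names carry "_EXPORT_" or
# "_EXPORT1024_".
EXPORT_PATTERN = re.compile(r"^EXP-|_EXPORT(?:1024)?_")
# Null-encryption suites: OpenSSL "NULL-SHA"/"NULL-MD5", SChannel
# "..._WITH_NULL_..." and the bare "NULL" entry from the Windows list.
NULL_PATTERN = re.compile(r"^NULL(?:-|$)|_WITH_NULL_")


def classify_cipher(name: str) -> str:
    """Return 'export', 'null' or 'ok' for a single cipher-suite name."""
    if EXPORT_PATTERN.search(name):
        return "export"
    if NULL_PATTERN.search(name):
        return "null"
    return "ok"


def audit_ciphers(names):
    """Split an enabled-cipher list into suites to remove and suites to keep."""
    report = {"export": [], "null": [], "ok": []}
    for name in names:
        report[classify_cipher(name)].append(name)
    return report


def hardened_openssl_cipher_string(names):
    """Build an Apache/nginx cipher string with the weak suites dropped.

    The surviving suites are listed explicitly, and OpenSSL's exclusion
    keywords are appended so that export (!EXPORT), null-encryption (!eNULL)
    and anonymous (!aNULL, the ADH suites) ciphers stay out even if the
    explicit list is edited later.
    """
    kept = audit_ciphers(names)["ok"]
    return ":".join(kept + ["!EXPORT", "!eNULL", "!aNULL"])


if __name__ == "__main__":
    for label, ciphers in (("OpenSSL", SAMPLE_OPENSSL_CIPHERS),
                           ("SChannel", SAMPLE_SCHANNEL_CIPHERS)):
        report = audit_ciphers(ciphers)
        print(f"{label}: remove export suites {report['export']}, "
              f"null suites {report['null']}")
    print("SSLCipherSuite", hardened_openssl_cipher_string(SAMPLE_OPENSSL_CIPHERS))
```

On a real server the input list would come from the server configuration or from a cipher-enumeration tool rather than the constructed samples; the classification rules are the same either way. The IIS names are flagged only, since SChannel ciphers are disabled through Windows policy rather than a cipher string.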

        Additional guidance from Symantec

        FREAK is another reminder that website security is not just about certificates. Symantec has numerous articles and white papers on security best practices and technical areas related to SSL/TLS and code-signing issues. Please stay tuned to our Connect blog site for up-to-date information on this and other critical vulnerabilities, for other topics related to advanced threat protection, and for security industry news. Please access our learning center for more resources that can help your organization make critical decisions related to web server security. For technical details to help with troubleshooting please bookmark our SSL/TLS and code-signing knowledge base.

        Update: The FREAK vulnerability was reclassified from LOW to HIGH on March 19, 2015 by the OpenSSL team.

        • Products
        • website security solutions
        • Vulnerability Assessment
        • Symantec Website Security
        • FREAK
        • DigiCert SSL TLS Certificates
        • vulnerability
        • Products and Solutions
      • Website Security made simple

        Feb 19 2015, 3:20 PM

        by Melanie Pracht 2

        Website security is important for every business that has an online presence. Whether you’re in ecommerce or electricals, holiday cottages or hedge funds, your website is one of your most important business assets. It’s your 24/7 shop front, and you need to make sure it’s secure and working at its best.

        You wouldn’t leave your laptop behind when you leave a coffee shop, or your stockroom door wide open, so why would you take chances with website security?

        If your site triggers a security warning in the web browser of the visiting user or worse, it infects a customer’s computer, that customer is going to tell all their friends and colleagues and thanks to social media perhaps even the wider world. Ouch!

        And it’s not just your reputation that you have to worry about. If you have an ecommerce site, warnings and poor security will mean abandoned carts and lost customers. In a recent Symantec online consumer study, 56 per cent of respondents went to a competitor’s website to complete their purchase and only 11 per cent went back to the first website after seeing a security warning (Symantec Online Consumer Study, March 2011).

        But website security can be a daunting topic, full of jargon and unfathomable workings. To get to grips with the why and what of website security, Symantec created an easy to read ‘How-To Guide’ for everyone who wants to learn more about website security in the world famous ‘For Dummies’ style.


        Download the eBook here!

        “Website Security For Dummies” is your guide to understanding the risks posed by unprotected websites, the value of using SSL certificates and the what-and-how of different types of SSL certificates. You will learn how to:

        • Make the business case for website security
        • Understand the basics of SSL certificates
        • Choose and implement the right SSL certificate for your website
        • Follow best practice for maintaining a healthy and trusted website
        • Find useful sources for information on website security

        So relax, Symantec has you covered; soon you too will be an expert on website security.

        • Products
        • Malware Scan
        • Symantec Enterprise Security
        • Thought Leadership
        • Vulnerability Assessment
        • Symantec Website Security
        • DigiCert Code Signing
        • Security Community Blog
      • Understanding how Symantec's Vulnerability Assessment Scan service works

        Mar 30 2018, 4:05 PM

        by Dom SYMC 1

        The Vulnerability Assessment (VA) scan is a service that each week scans the domain you enrolled with the purchase of certain SSL certificates, searching for common entry points.

        If the scan finds any potential weakness within that domain that, if breached, could threaten your online security, an e-mail is sent to the technical contact, who can then download a PDF report highlighting the most critical vulnerabilities found.

        The Vulnerability Assessment scan is a service that is available for the following account types and products:

        (Image: table of the account types and products that include the VA scan)

        You may have lots of questions or may want to know more regarding the technicalities of the Vulnerability Assessment scan, such as:

        • What IP address does it scan from?
        • What types of vulnerabilities does the scan detect?
        • What are its limits? etc.

        The majority of your questions can be answered by visiting the Authentication Services knowledge base article Vulnerability FAQ. Other related articles regarding its technicalities can also be found by visiting the knowledge base article Vulnerability Basics.

        • Products
        • Symantec Enterprise Security
        • Thought Leadership
        • Vulnerability Assessment
        • Symantec Website Security
        • Vulnerability Assesment
        • Identity and Authentication Services
        • DigiCert SSL TLS Certificates
        • Security Community Blog
        • VA scan