Category Archives: Website Security

est-ce qu’un SSL VPN?

      No Comments on est-ce qu’un SSL VPN?

L’ECC AU SERVICE DE L’OPTIMISATION DE VOTRE VPN SSL

Les utilisateurs exigent désormais de pouvoir accéder à leurs données sur les terminaux mobiles les plus divers, tant dans la sphère privée que professionnelle. Face à cette nouvelle donne, l’importance de la sécurité n’a d’égale que sa complexité.

Or, la solution réside au cœur même de l’environnement de travail des entreprises. Et dans un contexte d’évolution constante des nouvelles technologies, il est important de toujours conserver un coup d’avance.

Les réseaux privés virtuels (Virtual Private Network, VPN) constituent actuellement un moyen répandu de sécuriser les communications Internet de manière simple. Élément fondamental des systèmes distribués, les VPN permettent la création de tunnels sécurisés pour la transmission cryptée de données vers des sites ou hôtes distants. Objectif : préserver la sécurité et l’intégrité de ces données lors de leur transit sur Internet. En ce sens, les VPN permettent à vos collaborateurs mobiles d’accéder à vos ressources réseaux stratégiques via une connexion cryptée et sécurisée.

Or, cette pratique soulève plusieurs questions importantes : quel type de VPN utiliser ? Et comment conjuguer simplicité et sécurité ? La réponse passe le plus souvent par les VPN SSL (Secure Sockets Layer), des VPN compatibles avec tous les navigateurs Web standard, sans installation de logiciel client spécifique sur l’ordinateur de l’utilisateur. Un VPN SSL se compose d’un ou plusieurs équipements VPN auxquels l’utilisateur se connecte à l’aide de son navigateur Web. Pour crypter les échanges entre le navigateur et l’équipement VPN, le dispositif fait appel au protocole SSL – voire au TLS (Transport Layer Security).

Les avantages du VPN SSL : polyvalence, configuration facile et contrôle renforcé pour un large éventail d’utilisateurs et de terminaux, y compris mobiles. Dernier atout, et non des moindres, ce dispositif reste particulièrement abordable.

Pionnier de la sécurisation des connexions et communications sur les réseaux, Symantec a parcouru un long chemin En ce sens, Symantec n’a de cesse d’actualiser sa gamme Website Security Solutions (WSS), un ensemble complet de solutions innovantes destinées à répondre aux besoins croissants de sécurité et de performance des entreprises en ligne. Ses principaux objectifs : offrir une protection optimale aux entreprises, respecter les exigences de conformité, contribuer à l’amélioration des performances et réduire les coûts globaux d’infrastructure.

Symantec vient également d’annoncer la sortie des premiers certificats SSL multi-algorithmes, dotés de nouvelles options de cryptage ECC (Elliptic Curve Cryptography) et DSA (Digital Signature Algorithm). Nous comptons ainsi renforcer la protection de vos écosystèmes, avec à la clé une hausse de votre cote de confiance sur le Net. En 2013, ces options seront disponibles pour tous les clients, nouveaux comme existants. Ainsi, sur la base des pratiques informatiques actuelles, les clés ECC de 256 bits seront 10 000 fois plus complexes à décoder que les clés RSA de 2 048 bits. En d’autres termes, un certificat Symantec ECC offre le même niveau de sécurité qu’un certificat RSA de 3 072 bits. Mieux encore, un serveur avec un certificat ECC améliore considérablement les performances serveurs en chargement, dans la mesure où ils peuvent traiter plus de requêtes en moins de temps, sans oublier leur plus grande évolutivité dans plusieurs cas de figures :

  • Pics d’affluences – l’efficacité de l’algorithme ECC augmente en cas de volumes importants
  • Hausse d’activité – ECC gère davantage de connexions simultanées

Comme toujours, notre objectif reste d’offrir des solutions d’une grande fiabilité, à votre entreprise comme à vos clients. C’est pourquoi nous innovons sans cesse afin de vous proposer les meilleures solutions de sécurité en ligne du marché.

 

Pour en savoir plus sur le fonctionnement des certificats SSL, consultez notre infographie sur le sujet

What is an SSL VPN

      No Comments on What is an SSL VPN

SSL VPNs – DELIVERING VIP VALUE

With heavier demands for access to corporate and personal information – especially when ‘on-the-go’, via a proliferation of mobile devices  – staying safe has never been more challenging or crucial.

Coping with this is something that organisations have to manage in their working environments. As new technology evolves, the challenge is to stay ahead of the game

Virtual Private Networks (VPNs) have become a common and easy way to secure communications over the internet. VPN services are a fundamental part of distributed systems, enabling the creation of secure data tunnels to remote sites or hosts. VPNs use cryptography to scramble data, so that it’s unreadable during its journey across the internet, protecting data security and integrity. Deploying VPNs allows businesses to deliver secure, encrypted connectivity for a workforce on the move, which needs access to critical corporate network resources.

These issues must be considered: What kind of VPN to use? How do you ensure the greatest payback, in terms of simplicity and security? Most common are SSL VPNs (Secure Sockets Layer Virtual Private Networks). It is a form of VPN that can be used with any standard web browser and does not require the installation of specialised client software on the end user’s computer. An SSL VPN consists of one or more VPN devices to which the user connects by using his web browser, with the traffic operating between the browser and SSL VPN device encrypted with the SSL or Transport Layer Security (TLS) protocol.

What an SSL VPN offers is versatility, a low-hassle set up and tight control for a range of users on a variety of computers, who may be accessing resources from any number of locations. Finally, it is attainable for a modest investment.

Symantec has been in the business of securing connection and communication from the beginning, providing solutions that have evolved powerfully over time. In timely fashion, Symantec has unveiled new updates to its Website Security Solutions (WSS) portfolio that have innovative and comprehensive capabilities built in to help meet the ever-expanding security and performance needs for connected businesses. Essentially, the Symantec WSS strategy focuses on bringing maximum protection to companies, meeting compliance requirements, helping to improve performance, and reducing overall infrastructure costs.

Symantec has also just announced the first available multi-algorithm SSL certificates, with new ECC (Elliptic Curve Cryptography) and DSA (Digital Signature Algorithm) options to help further protect your ecosystems and strengthen the foundations of trust online. These algorithm options will be available for all new and existing customers in 2013. The Symantec 256-bit ECC keys are 10,000 times harder to break than an RSA 2048-bit key based on industry computation methods. Symantec ECC certificates offer the equivalent security of a 3072-bit RSA certificate whilst at the same time offering significant improvements in server performance at load, as a server with an ECC-based certificate is able to handle more requests faster and scales well to handle:

  • Traffic spikes – ECC efficiency improves at higher volumes
  • Business growth – allows more simultaneous connections

The end goal, as always, is to deliver solutions that both your business and clients can rely on, which is why we are constantly moving forward to deliver the best possible website security solutions.

 

For more information about how SSL certificates work visit our ‘SSL explained’ infographic

2012 Threats in Review – Part 2

      No Comments on 2012 Threats in Review – Part 2

In my last blog, I talked about how the 2012 Internet Security Threat Report points out the vulnerabilities common for small- and medium-sized businesses, and because of their mistakes for the larger enterprises that do business with them. So let’s talk about some good practices to address these risks.

First and most important is education. Employees need to understand what the company rules are on how to be secure, and understand each of their individual roles in the process. In turn, the roles and responsibilities need to support good security policies including separation of duties, access controls, and the idea of ‘least privilege’. For anyone new to the concept, least privilege is illustrated most simply that a temporary secretary shouldn’t have access to the same databases at the same level of information sharing as the head of HR. People need information, but they only need data required for them to function in their everyday duties. Consumers and customers also need to be trained on the many vectors of attack, including social media, links, and the possibility of malware in attachments via email. Buyers are also increasingly looking for indications of security like the green URL bar for Extended Validation certificates, the padlock, HTTPS:// and trust marks. Have a good security policy, then follow up by telling everyone what it is and how you are protecting their data.

Second is doing business securely. While true that a small business may not be able to defend against the newest zero-day attack, or even be able to spell APT, it is the old attacks that are still the bulk of the vulnerability.  Communication and data flowing in and out of a network needs to be encrypted. If the company creates apps or proprietary code to distribute, the code should be signed with a digital shrink-wrap to assure end users that it wasn’t tampered with en route. The PCI’s eCommerce Guide recommends SSL to secure your payment information, and recommends EV wherever possible for transactions.

Third is to protect your customers, your partners, and your employees by securing your websites. Review the results of all the malware scans and vulnerability assessments of your website that can be conducted by third parties. Symantec enabled malware scanning and vulnerability assessments as part of our SSL certificates, because we believe strongly that it’s a basic security measure for any organization securing their website. Make sure your security policy includes deadlines for patching critical vulnerabilities.

The online security ecosystem is doing its part to code a better internet: Protocols are constantly under revision to remove vulnerabilities as they are found. Browsers have enabled the green bar to show where a company chose a higher level of SSL authentication for their identity, and they display warnings when content is served up insecurely on an encrypted page. Social media sites are leading some of the way toward an always on SSL approach, where the connection is encrypted from user log on through the entire site experience. App stores are joining the always on movement for SSL too. 

The Threat Report doesn’t paint a bleak picture. More people are living and doing business online, and the world of eCommerce is growing annually. But the attackers are getting smarter, and no one can afford to say, “It’ll never happen to MY Company.” Because that’s exactly what the bad guys want you to think. Lock your doors.

What is OCSP?

      No Comments on What is OCSP?

The Online Certificate Status Protocol (OCSP) is the protocol used by browsers to obtain the revocation status of a digital certificate attached to a website. Naturally OCSP speed is considered one of the main criteria for quality, as browsers reach out to webservers and confirm that the SSL certificate is valid.

It is the first criteria, but certainly not the only one. Most of the major Certificate Authorities (CAs) measure similarly in OCSP speeds according to reputable third party tests, some trending slightly lower or higher. Mindful investments in infrastructure and architecture keep the speed battle going, and competition is fierce. But there are four aspects to OCSP and the whole SSL certificate verification structure that should be considered, and held equal in importance.

A second factor is reliability. When a Certificate Authority is tricked into issuing a legitimate SSL certificate for third party fraudulent activities, the entire industry can suffer a loss of trust. A few years ago, DigiNotar went out of business after they had a reliability failure when an attacker obtained fraudulent certificates for several dozen Internet domains. In return, the major Web browser vendors had to remove all trust from DigiNotar’s certificates, and the CA folded. Reliability creates trust. A CA needs reliable, audited business practices for authentication and revocation alike.

Availability is the simplest to talk about to a lay person: Either a site is up or it’s down. Either an OCSP response returns or it does not. These are simple concepts, but reputation can still play a factor. If your company is known to have major outages, and by major let’s define longer than 10 minutes at a time, your reputation for availability will start to suffer. There are sites dedicated to tracking the uptime of various vendors for online availability, so clearly it matters to consumers and businesses alike.

Fourth there’s security, both physical and logical. To maintain a public CA, your physical and logical security must be beyond reproach. Your business continuity and disaster planning has to be extensive. CAs invest in security infrastructure, building or buying malware-protection systems, conducting regular audits, and run vulnerability assessments to cover all known vectors of attack. Multi-layer security and continuous monitoring is expensive, but a necessary part of overhead to protect the integrity of the business and the consumer.

Smaller and local CAs globally often discover that the overhead and expense of running a mainstream commercial CA is too high, and sometimes they go out of business. But none of these four core components to OCSP, or indeed the whole commercial CA security ecosystem, can be sacrificed for any other and still maintain a web of trust on the internet.

Read more about PKI, OCSP, and best practices HERE.

The Online Trust Alliance has published a whitepaper on CA best practices as well HERE.

2012 Threats in Review – Part 1

      No Comments on 2012 Threats in Review – Part 1

The landscape

This year’s Internet Security Threat Report is very sober reading for SMBs. Last year, targeted attacks on small companies (fewer than 2,500 employees) went up 50%. Yes, it’s true: Criminals realized that money stolen from the SMB would spend just as nicely as money pulled from a large corporation, and was much easier to acquire. Smaller companies have income in the bank, employee and customer data, and sometimes very valuable intellectual property that they’re hoping to make a lot of money with. Yet with all these assets, surveys last year showed that the majority of smaller business owners think they’re too small to be targeted by evildoers.

A secondary problem for the SMB situation is the larger enterprise they want to do business with. With inadequate security, the vulnerabilities for an SMB can be points of entry into larger organizations.  A sophisticated cyber-criminal may choose to target an enterprise’s subsidiaries, partners, or vendors to find inroads into their environment. Compromised SMB websites can also become ‘watering holes’, or lures for phishing or cyber-espionage. Mitigating these risks may create an inevitable march toward more regulations, especially with organizations that wish to do business with any state or government agency.

53% of websites scanned by Symantec in 2012 showed vulnerabilities. The most common vulnerability found was related to cross-site scripting. Many small businesses do not have a dedicated or experienced security force in their IT arsenal. Even for large businesses, a web page or database can be compromised for years without it being discovered internally, or known how to properly harden. Trojans are being inserted into point-of-sale systems and left unfound while data flows out into the wrong hands. Some lie dormant for weeks or months until activated.

A lack of security-specific training for a SMB IT department can also create an environment of success for scareware or ransomware tactics. A small business can spend money on the wrong things, fixing the wrong problems, and by doing so create more problems by trusting the wrong advisors.

SHA 256 Support For Symantec Code Signing Certificates is Here

Secure Hash Algorithm 256 (SHA-2 or SHA-256) support on Symantec Code Signing for Individuals and Symantec Code Signing for Organizations is available starting April 1st, 2013 on the following Symantec Code Signing platforms: Microsoft® Authenticod…

Comment sécuriserle transfert des données sensibles

De plus en plus d’affaires sont menées sur internet aujourd’hui. Même les plus petites entreprises avec une présence web s’y trouvent.

L’internet est un endroit fantastique pour des entreprises, particulièrement pour celles de petite taille. Les coûts impliqués sont assez bas et il est relativement facile de se construire une forte présence en ligne.

Mais mener des affaires en ligne n’est pas sans danger, surtout au vu des menaces nombreuses que posent les cybercriminels aujourd’hui. 

Cet aspect est important par rapport au transferten ligne des données sensibles. Quece soit des contrats ou des reçusque vous envoyiez par mail ou même des informations financières sensibles, la protection des données envoyées en ligne est indispensable. Que pouvez-vous faire pour les protéger ?

Email

L’email a presque le même âge que l’internet mais pendant longtemps le système desécurité des services de courrier électronique était plutôt démodé et facile à infiltrer.

Depuis, il y avait des améliorations dans ce domaine mais il existe toujours des mesures pour augmenter la protection de vos emails si vous envoyez des informations sensibles sur le web.

En vous connectant sur votre compte mail, rassurez-vous que l’adresse commence par HTTPS. Cela vous indique non seulement que votre compte mailest chiffrémais aussi qu’il est sûr.

Pour se rassurer même plus, il est également une bonne idée dechiffrer un mail avant de l’envoyer. Dans ce cas des méthodes comme PGP encryption ou Symantec Digital ID for Secure Email vous fournissent une clé de chiffrement pour vos emails.

Transfert de fichiers

L’émail peut être un moyen sûr pour transférer vos données sensibles mais la plupart des services de courrier électronique limite la taille des fichiers que vous pouvez envoyer.

Pour un document ou un fichier plus large beaucoup de gens utilisent File Transfer Protocol ou FTP (en français « protocole de transfert de fichiers »). Il s’agit d’un système qui permet d’envoyer rapidement et facilement des larges fichiers. Pourtant, il ne vous protège pas si bien.

Il est très facile d’intercepter et de lire des FTP. Des mesures de sécurité supplémentaires sont nécessairessi vous voulez envoyer des informations sensibles avec cette méthode.

En utilisant un FTP en même temps qu’un certificat SSL, vous pouvez améliorer votre niveau de protection et transférer vos fichiers larges sans risque.

Ceci est parfois appelé FTPS. Ce système crée une connexion sûre depuis un serveur ou un ordinateur pour que vous puissiez transférer rapidement et facilement des données sensibles.

Les réseaux de partage de fichiers (file sharing services) représentent une alternative au FTP – beaucoup d’eux sont gratuits au début mais si vous avez besoin de plus d’espace et de plus de bande passante il faut investir quelques euros.

Certificats SSL

Si vous transférezrégulièrementdes larges quantités d’informations sensibles dans le cadre de votre business, un certificat SSL pour sécuriser un portail de transfert de fichier pourrait être un bon investissement

En mettant le transfert des informations sensibles sous un certificat SSL sur votre serveur, vous améliorez votre niveau de sécurité et de simplicité.

Il existe de nombreuses solutions pour le transfert de fichiers en ligne…mais peut-être que la chose la plus importante c’est le choix d’un service sûr et chiffré.