Tag Archives: Authentication Services

Everything you need to know to migrate from 1024-bit encryption to 2048-bit encryption

By now you are probably aware that the Certificate Authority/Browser Forum has ordered certification authorities to stop supporting RSA certificates with 1024-bit keys for SSL and code signing from…

Web Security: Everything you Need to Know to Stay Safe

Tightly targeted cyber-espionage attacks designed to steal intellectual property are hitting the manufacturing sector and small businesses with ever greater venom, with the latter, highly vulnerable organisations, the target of 31% of such attacks –…

It’s National Cyber Security Awareness Week – here are a few tips

It’s time to stop and take a moment to consider cyber security, says the Australian Government. Once a year, the government gets together in partnerships with industry, the community, and consumer organisations to help make people aware of basic steps they can and should do to protect their personal and financial information.

This year’s theme on their website is “Our Shared Responsibility”. I encourage you all to go out and look at their website, where they distill a lot of activities down to the basic 10. (With commentary by me.)

  1. Install and update your security software and set it to scan regularly. If you’re broke, there are free A/V options from Microsoft, AVG, and Avast. Install one of these at minimum! Then as soon as you can, upgrade to a top-rated A/V like Norton.
  2. Turn on automatic updates on all your software, particularly your operating system and applications. Just do it. Microsoft pushes updates on the second Tuesday of every month. Get used to a reboot when required.
  3. Use strong passwords and different passwords for different uses. Don’t use the same password for your bank as for email and Facebook. And change them at least quarterly!
  4. Stop and think before you click on links and attachments. Most infections come in through ‘social engineering’ – that is, convincing people to open up a file or click a link with a virus payload.
  5. Take care when buying online – research the supplier and use a safe payment method. Look for the green bar, and the Norton Secured Seal!
  6. Only download “apps” from reputable publishers and read all permission requests.
  7. Regularly check your privacy settings on social networking sites. Sharing isn’t always caring!
  8. Stop and think before you post any photos or financial information online. We saw people posting pictures of their receipts and checks on FB once. Don’t be crazy!
  9. Talk with your child about staying safe online, including on their smart phone or mobile device. Teach them never to share their passwords with friends, and not to save their logins on unfamiliar machines. Show them how to check the No button!
  10. Report or talk to someone if you feel uncomfortable or threatened online. Cyber bullying is a crime! If someone is trying to intimidate you or your family members, report it immediately to the police.

The site didn’t list it, but I believe strongly in power-on password protection in case your computer or phone is stolen. I use the ‘find my phone’ app for tracking it to the bad guy who might steal it. And back up your files securely – encrypted online or on a back-up hard drive.

Be vigilant about your own protection, because the cyber criminals are certainly vigilant about finding easy targets.

A solid foundation for public sector security.

The public sector has a somewhat mixed record when it comes to staving off security breaches within its walls. In the UK, for example, the hugely embarrassing data losses at HMRC (Inland Revenue/Taxation services) – when the personal details of 25 million people were heavily compromised, due to what were described as “serious institutional deficiencies” – still linger in the mind a few years down the line.

On the plus side, the UK government has been heavily engaged in getting its own house in order, identifying information security as a key priority for 2013 and beyond. In recent months, new initiatives to address growing cyber security threats have been announced, with a cyber security ‘fusion cell’ established for cross-sector threat information sharing. The intention is to put government, industry and information security analysts side-by-side for the first time. The analysts will be joined by members of intelligence agencies, law enforcement and government IT, as they exchange information and techniques, and monitor cyber attacks in real time.

However, many of today’s businesses work across international boundaries, so preventing breaches and loss of data has become a world-wide challenge. According to a report from Ernst & Young, ‘Data loss prevention: Keeping your sensitive data out of the public domain’, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world.

“A wide range of high-profile data loss incidents have cost organisations millions of dollars in direct and indirect costs, and have resulted in tremendous damage to brands and reputations,” it states. “Many different types of incidents have occurred, including the sale of customer account details to external parties and the loss of many laptops, USB sticks, backup tapes and mobile devices, to name just a few. The vast majority of these incidents resulted from the actions of internal users and trusted third parties, and most have been unintentional.

“As data is likely one of your organisation’s most valuable assets, protecting it and keeping it out of the public domain is of paramount importance. In order to accomplish this, a number of DLP [Data Loss Prevention] controls must be implemented, combining strategic, operational and tactical measures.”

In the face of such global threats, governments are responding. The European Commission, for example, has introduced a computer emergency response team in each member country to promote reporting of online attacks and breaches. The recently published draft EU Cybersecurity Directive makes it compulsory for all ‘market operators’, including utilities, transport and financial services businesses, as well as public authorities who use ‘network and information systems’ within their businesses, to implement technical and organisational measures to manage cyber risks.

These organisations will be subject to independent regulation, will have to disclose security breaches to the regulators, will submit to compulsory regulatory audits and will be sanctioned if they fail to comply with the law.

All good news, then. But the simple reality is that any public sector department or body intent on ensuring its own security could readily put measures in place to stop such data breaches and losses: secure file transfer protocols, for example, or Data Guardians (a secure database application with up to 448-bit Blowfish encryption), which allow the data itself to be locked down.

Public sector organisations are often, by their nature, large and complex. That makes it relatively easy for a rogue employee to access a subset of highly sensitive data, or for an employee simply to move on to another job while the organisation, lacking adequate central management, remains unaware that a certificate relating to that employee is about to expire. So they need such solutions.

Take Symantec’s Managed PKI for SSL service, for example, which enables organisations to manage and deploy SSL certificates from a single, centrally managed platform while also tailoring the deployment to their individual requirements (if, for example, your organisation needs to issue multiple SSL certificates to different internal organisations or business units, Managed PKI for SSL allows for both centralised control and delegated administration). This cloud-based approach dramatically lowers the cost and complexity of managing multiple SSL certificates: it eliminates the time it takes to authenticate multiple business units, as well as the individual purchasing, personnel, training and maintenance expenses and the complexity associated with deploying multiple SSL certificates.

SSL protects applications that demand the highest level of security, enabling the secure transmission of sensitive data, Web services-based business process automation, digital form signing, enterprise instant messaging and electronic commerce. It also protects firewalls, virtual private networks (VPNs), directories and enterprise applications. Trust lies in knowing that the people, networks and devices accessing, modifying or sharing information within a community are verified.

There can be a tendency to imagine things are worse in our own backyard, but the security issues we face in the UK are, by and large, no different from those in other countries or indeed in other industries. One manufacturer in Europe, for instance, saw its production line go down when a certificate suddenly expired. Eventually, the problem was traced to an expired SSL certificate. Symantec’s solution, through a complete audit of the company’s architecture using a product called Certificate Intelligence Center, would have identified any certificates that were about to expire and immediately notified the business – and, if the certificate was a Symantec SSL certificate, automatically renewed it. Instead, the cost was estimated to be in the millions of Euros, in terms of lost production, damage to the brand and corporate reputation, and a workforce standing idle.

What you need to know to migrate from 1024-bit to 2048-bit encryption

I hope by now that you are aware that the Certificate Authority/Browser Forum has mandated that Certificate Authorities stop supporting 1024-bit key length RSA certificates for both SSL and code signing by the end of this year (2013). To learn more abo…

OpenSSL Certificates – How and when to use them | Symantec

SSL certificates: how and when to use OpenSSL
When it comes to protecting a company’s systems, the SSL (Secure Sockets Layer) protocol has become an essential weapon, since it encrypts the data transmitted over the Internet and …