Tag Archives: Authentication Services

What is an SSL VPN


SSL VPNs – DELIVERING VIP VALUE

With heavier demands for access to corporate and personal information – especially when ‘on-the-go’, via a proliferation of mobile devices  – staying safe has never been more challenging or crucial.

Coping with this is something that organisations have to manage in their working environments. As new technology evolves, the challenge is to stay ahead of the game.

Virtual Private Networks (VPNs) have become a common and straightforward way to secure communications over the internet. VPN services are a fundamental part of distributed systems, creating encrypted tunnels to remote sites or hosts. A VPN encrypts and authenticates the data so that it is unreadable, and cannot be altered undetected, on its journey across the internet, protecting its confidentiality and integrity. Deploying VPNs lets businesses deliver secure, encrypted connectivity to a mobile workforce that needs access to critical corporate network resources.

Two questions must be answered first: what kind of VPN to use, and how to get the best return in terms of simplicity and security. The most common choice today is the SSL VPN (Secure Sockets Layer Virtual Private Network). In its simplest, clientless form it is used from any standard web browser with no specialised client software on the user's computer; most products also offer an installable agent when full network-layer tunnelling is needed. An SSL VPN consists of one or more VPN gateways to which the user connects from a web browser, with the traffic between the browser and the gateway encrypted by SSL or, in any current deployment, by Transport Layer Security (TLS). SSL 3.0 itself has since been deprecated (RFC 7568), so "SSL VPN" is a product name rather than a description of the protocol actually in use.

What an SSL VPN offers is versatility, a low-hassle set up and tight control for a range of users on a variety of computers, who may be accessing resources from any number of locations. Finally, it is attainable for a modest investment.

Symantec has been in the business of securing connection and communication from the beginning, providing solutions that have evolved powerfully over time. In timely fashion, Symantec has unveiled new updates to its Website Security Solutions (WSS) portfolio that have innovative and comprehensive capabilities built in to help meet the ever-expanding security and performance needs for connected businesses. Essentially, the Symantec WSS strategy focuses on bringing maximum protection to companies, meeting compliance requirements, helping to improve performance, and reducing overall infrastructure costs.

Symantec has also just announced the first multi-algorithm SSL certificates, with ECC (Elliptic Curve Cryptography) and DSA (Digital Signature Algorithm) options alongside RSA, available to all new and existing customers in 2013. (In practice DSA certificates never gained meaningful browser or server support, and TLS 1.3 dropped DSA altogether; ECC is the option that mattered.) A 256-bit ECC key is rated at the same 128-bit security level as a 3072-bit RSA key (NIST SP 800-57), and Symantec's own estimate puts it at roughly 10,000 times the work to break of a 2048-bit RSA key, which is rated at only 112 bits. The performance gain comes from the private-key operation: an ECDSA P-256 signature costs the server far less CPU than an RSA-3072 private-key operation, so a server with an ECC certificate completes more TLS handshakes per core, handles requests faster and scales better under:

  • Traffic spikes: the saving is per handshake, so it grows with the number of new connections
  • Business growth: more simultaneous connections on the same hardware
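To see the ECC-versus-RSA trade-off rather than take it on faith, the following Go program (an example added here, not code from the original post or from Symantec) signs and verifies the same SHA-256 digest with an ECDSA P-256 key and an RSA-3072 key, the two sizes the paragraph calls equivalent, and reports the average cost of each operation. The digest text and round count are made up for the example and the absolute numbers will differ per machine, but the ordering is what matters: P-256 signing is many times cheaper than the RSA-3072 private-key operation, which is what a TLS server does per handshake, while RSA verification is the cheap direction, which is why the saving lands on the server rather than on the client.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// SignBench holds the averaged cost of one signature scheme over a number of rounds.
type SignBench struct {
	Scheme    string
	SignPer   time.Duration // average private-key operation (what a TLS server does per handshake)
	VerifyPer time.Duration // average public-key operation (what the client does)
	Verified  bool          // true only if every signature verified
}

// bench signs a fixed digest `rounds` times with sign and checks each result with verify.
func bench(name string, rounds int, sign func(digest []byte) ([]byte, error), verify func(digest, sig []byte) bool) SignBench {
	// Constructed input: in TLS the digest would be over the handshake transcript.
	digest := sha256.Sum256([]byte("constructed handshake transcript"))
	res := SignBench{Scheme: name, Verified: rounds > 0}
	var signTotal, verifyTotal time.Duration
	for i := 0; i < rounds; i++ {
		t0 := time.Now()
		sig, err := sign(digest[:])
		signTotal += time.Since(t0)
		if err != nil {
			res.Verified = false
			continue
		}
		t1 := time.Now()
		ok := verify(digest[:], sig)
		verifyTotal += time.Since(t1)
		res.Verified = res.Verified && ok
	}
	if rounds > 0 {
		res.SignPer = signTotal / time.Duration(rounds)
		res.VerifyPer = verifyTotal / time.Duration(rounds)
	}
	return res
}

// benchECDSAP256 uses a 256-bit curve key: 128-bit security level (NIST SP 800-57).
func benchECDSAP256(rounds int) (SignBench, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SignBench{}, err
	}
	return bench("ECDSA P-256", rounds,
		func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, key, d) },
		func(d, s []byte) bool { return ecdsa.VerifyASN1(&key.PublicKey, d, s) }), nil
}

// benchRSA3072 uses the RSA size rated at the same 128-bit level (RSA-2048 is rated at 112).
func benchRSA3072(rounds int) (SignBench, error) {
	key, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return SignBench{}, err
	}
	return bench("RSA-3072", rounds,
		func(d []byte) ([]byte, error) { return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d) },
		func(d, s []byte) bool { return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, d, s) == nil }), nil
}

func main() {
	for _, run := range []func(int) (SignBench, error){benchECDSAP256, benchRSA3072} {
		r, err := run(200)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s sign %10v/op   verify %10v/op   all verified: %v\n",
			r.Scheme, r.SignPer, r.VerifyPer, r.Verified)
	}
}
```

Key generation is left out of the timing on purpose: a server generates its key once but signs on every handshake, so the per-signature column is the one that decides how many connections a core can absorb.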

The end goal, as always, is to deliver solutions that both your business and clients can rely on, which is why we are constantly moving forward to deliver the best possible website security solutions.

 

For more information about how SSL certificates work visit our ‘SSL explained’ infographic

2012 Threats in Review – Part 2


In my last post I talked about how the 2012 Internet Security Threat Report points out the weaknesses common to small and medium-sized businesses, and how those weaknesses become a problem for the larger enterprises that do business with them. So let's talk about some good practices to address these risks.

First, and most important, is education. Employees need to understand what the company's security rules are and what each of their individual roles is in following them. In turn, roles and responsibilities need to support sound security policies, including separation of duties, access controls and the idea of 'least privilege'. For anyone new to the concept, the simplest illustration of least privilege is that a temporary secretary should not have the same level of access to the same databases as the head of HR. People need information, but only the data required for their everyday duties. Consumers and customers also need to be made aware of the many attack vectors, including social media, links and the possibility of malware in email attachments. Buyers are increasingly looking for indications of security such as the green address bar of an Extended Validation certificate, the padlock, https:// and trust marks. Have a good security policy, then follow up by telling everyone what it is and how you are protecting their data.

Second is doing business securely. While a small business may not be able to defend against the newest zero-day attack, or even be able to spell APT, it is the old attacks that still account for most compromises. Communication and data flowing in and out of the network need to be encrypted. If the company distributes apps or proprietary code, the code should be signed, so that end users can verify it was not tampered with en route. The PCI's eCommerce Guide recommends SSL (in practice TLS) to secure payment information, and recommends EV certificates wherever possible for transactions.

Third is to protect your customers, partners and employees by securing your websites. Review the results of the malware scans and vulnerability assessments of your website that third parties can conduct. Symantec enabled malware scanning and vulnerability assessment as part of our SSL certificates because we believe strongly that it is a basic security measure for any organisation securing its website. Make sure your security policy includes deadlines for patching critical vulnerabilities.

The online security ecosystem is doing its part to build a better internet: protocols are constantly revised to remove weaknesses as they are found. Browsers show the green bar where a company chose a higher level of SSL authentication for its identity, and they display warnings when part of an encrypted page is served insecurely (mixed content). Social media sites are leading the way toward an 'always on SSL' approach, where the connection is encrypted from log-on through the entire site experience, and app stores are joining the always-on movement too.

The Threat Report doesn’t paint a bleak picture. More people are living and doing business online, and the world of eCommerce is growing annually. But the attackers are getting smarter, and no one can afford to say, “It’ll never happen to MY Company.” Because that’s exactly what the bad guys want you to think. Lock your doors.

What is OCSP?


The Online Certificate Status Protocol (OCSP, RFC 6960) is the protocol a browser uses to ask whether the certificate a website presented has been revoked. The browser reads the responder URL from the certificate's Authority Information Access extension and sends the issuing CA's OCSP responder (not the web server) a request identifying the certificate by its serial number and by hashes of the issuer's name and public key; the responder answers good, revoked or unknown in a signed response. Because this round trip happens while the page is loading, OCSP speed is naturally treated as one of the main measures of a CA's quality.
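To make the "request identifying the certificate" concrete, here is that request in Go, as an example added for this page rather than code from the original post or from Symantec's responders (RFC 6960 fixes the structure). It takes the issuer certificate's DER-encoded name and SubjectPublicKeyInfo (the RawSubject and RawSubjectPublicKeyInfo fields of a parsed issuer in Go) plus the serial number of the certificate being checked, DER-encodes the OCSPRequest, and decodes it again as a responder would. The issuer is constructed in memory with a throwaway key because the point is the encoding; the resulting bytes are what a client POSTs with Content-Type application/ocsp-request to the URL from the leaf certificate's Authority Information Access extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// The request structures of RFC 6960 section 4.1.1, unsigned and without extensions.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte // hash of the issuer's DER-encoded Name
	IssuerKeyHash  []byte // hash of the issuer's public key BIT STRING value, not the whole SPKI
	SerialNumber   *big.Int
}
type singleRequest struct{ ReqCert certID }
type tbsRequest struct {
	Version     int `asn1:"explicit,tag:0,default:0,optional"`
	RequestList []singleRequest
}
type ocspRequest struct{ TBSRequest tbsRequest }

// id-sha1: the CertID hash almost every responder indexes by (RFC 6960 also permits SHA-256).
var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}

// buildOCSPRequest returns the DER a client sends to the responder. issuerRawSubject and
// issuerRawSPKI are the issuer certificate's RawSubject and RawSubjectPublicKeyInfo; serial
// is the serial number of the certificate whose status is being asked for.
func buildOCSPRequest(issuerRawSubject, issuerRawSPKI []byte, serial *big.Int) ([]byte, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if rest, err := asn1.Unmarshal(issuerRawSPKI, &spki); err != nil || len(rest) != 0 {
		return nil, errors.New("issuer SubjectPublicKeyInfo is not valid DER")
	}
	nameHash := sha1.Sum(issuerRawSubject)
	keyHash := sha1.Sum(spki.PublicKey.RightAlign())
	id := certID{
		HashAlgorithm:  pkix.AlgorithmIdentifier{Algorithm: oidSHA1, Parameters: asn1.RawValue{Tag: asn1.TagNull}},
		IssuerNameHash: nameHash[:],
		IssuerKeyHash:  keyHash[:],
		SerialNumber:   serial,
	}
	return asn1.Marshal(ocspRequest{TBSRequest: tbsRequest{RequestList: []singleRequest{{ReqCert: id}}}})
}

// parseOCSPRequest is the responder's side: decode the DER and extract the CertID to look up.
func parseOCSPRequest(der []byte) (certID, error) {
	var req ocspRequest
	rest, err := asn1.Unmarshal(der, &req)
	if err != nil {
		return certID{}, err
	}
	if len(rest) != 0 || len(req.TBSRequest.RequestList) != 1 {
		return certID{}, errors.New("expected one CertID and no trailing bytes")
	}
	return req.TBSRequest.RequestList[0].ReqCert, nil
}

// constructedIssuer stands in for a parsed issuer certificate: a DER Name and a DER
// SubjectPublicKeyInfo, which is all the request needs. Constructed for this example.
func constructedIssuer() (rawSubject, rawSPKI []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if rawSubject, err = asn1.Marshal(pkix.Name{CommonName: "Example Issuing CA"}.ToRDNSequence()); err != nil {
		return nil, nil, err
	}
	rawSPKI, err = x509.MarshalPKIXPublicKey(&key.PublicKey)
	return rawSubject, rawSPKI, err
}

func main() {
	rawSubject, rawSPKI, err := constructedIssuer()
	if err != nil {
		panic(err)
	}
	der, err := buildOCSPRequest(rawSubject, rawSPKI, big.NewInt(0x1234abcd))
	if err != nil {
		panic(err)
	}
	id, err := parseOCSPRequest(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-byte OCSPRequest; issuerNameHash=%x serial=%s\n", len(der), id.IssuerNameHash, id.SerialNumber)
}
```

Two details matter in practice: issuerKeyHash is over the public key BIT STRING alone (hashing the whole SubjectPublicKeyInfo produces a CertID no responder will recognise), and a responder that accepts trailing bytes or several CertIDs where it expects one is an easy place for parsing bugs, so the decoder above rejects both.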

Speed is the first criterion, but certainly not the only one. Most of the major Certificate Authorities (CAs) measure similarly in OCSP speed according to reputable third-party tests, some trending slightly lower or higher. Continued investment in infrastructure and architecture keeps the speed battle going, and competition is fierce. But there are four aspects of OCSP, and of the whole SSL certificate verification structure, that should be considered and held equal in importance.

The second factor is reliability. When a Certificate Authority is tricked into issuing a genuine certificate for a third party's fraudulent activities, the entire industry can suffer a loss of trust. In 2011 DigiNotar went out of business after such a failure: an attacker obtained fraudulent certificates for several dozen internet domains. In response, the major web browser vendors removed all trust from DigiNotar's certificates, and the CA folded. Reliability creates trust. A CA needs reliable, audited business practices for authentication and revocation alike.

Availability is the simplest to talk about to a lay person: Either a site is up or it’s down. Either an OCSP response returns or it does not. These are simple concepts, but reputation can still play a factor. If your company is known to have major outages, and by major let’s define longer than 10 minutes at a time, your reputation for availability will start to suffer. There are sites dedicated to tracking the uptime of various vendors for online availability, so clearly it matters to consumers and businesses alike.

Fourth there is security, both physical and logical. To operate a public CA, your physical and logical security must be beyond reproach, and your business continuity and disaster recovery planning has to be extensive. CAs invest in security infrastructure, build or buy malware-protection systems, conduct regular audits and run vulnerability assessments to cover all known attack vectors. Multi-layer security and continuous monitoring are expensive, but a necessary part of the overhead of protecting the integrity of the business and of the consumer.

Smaller and local CAs around the world often discover that the overhead and expense of running a mainstream commercial CA is too high, and sometimes they go out of business. But none of these four core components of OCSP, or indeed of the whole commercial CA ecosystem, can be sacrificed for any other and still maintain trust on the internet.

Read more about PKI, OCSP, and best practices HERE.

The Online Trust Alliance has published a whitepaper on CA best practices as well HERE.

2012 Threats in Review – Part 1


The landscape

This year’s Internet Security Threat Report is very sober reading for SMBs. Last year, targeted attacks on small companies (fewer than 2,500 employees) went up 50%. Yes, it’s true: Criminals realized that money stolen from the SMB would spend just as nicely as money pulled from a large corporation, and was much easier to acquire. Smaller companies have income in the bank, employee and customer data, and sometimes very valuable intellectual property that they’re hoping to make a lot of money with. Yet with all these assets, surveys last year showed that the majority of smaller business owners think they’re too small to be targeted by evildoers.

A secondary problem for the SMB situation is the larger enterprise they want to do business with. With inadequate security, the vulnerabilities for an SMB can be points of entry into larger organizations.  A sophisticated cyber-criminal may choose to target an enterprise’s subsidiaries, partners, or vendors to find inroads into their environment. Compromised SMB websites can also become ‘watering holes’, or lures for phishing or cyber-espionage. Mitigating these risks may create an inevitable march toward more regulations, especially with organizations that wish to do business with any state or government agency.

53% of websites scanned by Symantec in 2012 showed vulnerabilities, and the most common one found was cross-site scripting. Many small businesses do not have a dedicated or experienced security team in their IT arsenal. Even in large businesses, a web page or database can be compromised for years without being discovered internally, or without anyone knowing how to harden it properly. Trojans are being inserted into point-of-sale systems and left undiscovered while data flows out into the wrong hands; some lie dormant for weeks or months until activated.

A lack of security-specific training for a SMB IT department can also create an environment of success for scareware or ransomware tactics. A small business can spend money on the wrong things, fixing the wrong problems, and by doing so create more problems by trusting the wrong advisors.

How to successfully protect the transfer of sensitive data

More and more business is conducted on the internet today; even the smallest companies with a web presence are part of it.

The internet is a fantastic place for businesses, particularly small ones. The costs involved are fairly low and it is relatively easy to build a strong online presence.

But doing business online is not without danger, especially given the many threats cybercriminals pose today.

This matters in particular for transferring sensitive data online. Whether it is contracts or receipts you send by email, or sensitive financial information, protecting the data you send over the internet is essential. What can you do to protect it?

Email

Email is almost as old as the internet, but for a long time the security of email services was outdated and easy to break into.

There have been improvements since, but there are still steps you can take to better protect your email if you send sensitive information over the web.

When you log in to your mail account, make sure the address begins with HTTPS. That tells you that the connection between your browser and the webmail server is encrypted and that the server's identity has been checked; it says nothing about how the message travels afterwards, from that server to the recipient's, or about how well the account itself is protected.

To be safer still, encrypt the message itself before sending it. Methods such as PGP, or an S/MIME certificate such as Symantec Digital ID for Secure Email, encrypt the email end to end so that only the recipient's key can open it. The recipient needs a key of their own, which is the main practical hurdle.

File transfer

Email can be a safe way to transfer sensitive data, but most email services limit the size of the files you can send.

For a larger document or file many people use File Transfer Protocol, or FTP. It lets you send large files quickly and easily. However, it does not protect you well.

Plain FTP sends the username, the password and the file contents in cleartext, so anyone on the network path can intercept and read them. Additional security measures are needed if you want to send sensitive information this way.

By running FTP over TLS, with an SSL certificate on the server, you raise your level of protection and can transfer large files without that risk.

This is called FTPS (FTP over TLS, RFC 4217). The client connects as usual, sends AUTH TLS to switch the control connection to TLS, and must also send PROT P so that the data connection carrying the file is protected too; the server's certificate must be verified like any other. FTPS is not the same thing as SFTP, which is file transfer over SSH: both are secure, but they are different protocols with different server setups.

File sharing services are an alternative to FTP. Many are free to start with, but if you need more space and bandwidth you will have to invest a few euros.

SSL certificates

If you regularly transfer large amounts of sensitive information as part of your business, an SSL certificate securing a file transfer portal could be a good investment.

By putting the transfer of sensitive information behind an SSL certificate on your own server, you improve both your security and your simplicity.

There are many solutions for transferring files online, but perhaps the most important thing is to choose a service that is secure and encrypted.
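The FTPS upgrade is a small protocol exchange, and seeing it makes clear what the certificate is doing and where the common mistakes are. The Go program below is an example added for this page, not code from the original post or from Symantec: it reads the server's 220 greeting, sends AUTH TLS, and wraps the control connection in TLS only after the server's 234, treating a refusal as an error rather than quietly continuing in cleartext; a second function sends PBSZ 0 and PROT P, the two commands that extend the protection to the data connection that actually carries the file. The server side is a scripted stand-in over an in-memory pipe so the exchange runs offline; the hostname files.example.test and the reply texts are made up for the example, and the TLS handshake itself is deferred to first use of the returned connection.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"strings"
)

// readReply reads one FTP reply, including the RFC 959 multi-line form ("211-..." up to "211 ").
func readReply(r *bufio.Reader) (code int, text string, err error) {
	first, err := r.ReadString('\n')
	if err != nil {
		return 0, "", err
	}
	if _, err = fmt.Sscanf(first, "%3d", &code); err != nil || len(first) < 4 {
		return 0, "", fmt.Errorf("malformed FTP reply %q", first)
	}
	text = first
	for line := first; first[3] == '-' && !strings.HasPrefix(line, first[:3]+" "); {
		if line, err = r.ReadString('\n'); err != nil {
			return 0, "", err
		}
		text += line
	}
	return code, text, nil
}

// command sends one command and requires the reply code want.
func command(r *bufio.Reader, w io.Writer, cmd string, want int) (string, error) {
	if _, err := io.WriteString(w, cmd+"\r\n"); err != nil {
		return "", err
	}
	code, text, err := readReply(r)
	if err != nil {
		return "", err
	}
	if code != want {
		return "", fmt.Errorf("%s: server replied %s", cmd, strings.TrimSpace(text))
	}
	return text, nil
}

// explicitFTPS does the RFC 4217 upgrade: 220 greeting, AUTH TLS, and only after 234 is the
// control connection wrapped in TLS. Nothing is left in the buffer because the server sends
// nothing after 234 until the handshake. host is the name the server certificate must match;
// verification stays on and MinVersion rules out SSL 3.0 and TLS 1.0/1.1.
func explicitFTPS(conn net.Conn, host string) (*tls.Conn, error) {
	r := bufio.NewReader(conn)
	if code, text, err := readReply(r); err != nil {
		return nil, err
	} else if code != 220 {
		return nil, fmt.Errorf("unexpected greeting %s", strings.TrimSpace(text))
	}
	if _, err := command(r, conn, "AUTH TLS", 234); err != nil {
		return nil, err // refused: stop here, never fall back to cleartext FTP
	}
	return tls.Client(conn, &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}), nil
}

// protectDataChannel runs over the already-encrypted control connection. Without PBSZ 0 and
// PROT P the login is encrypted but every file still crosses the data connection in clear.
func protectDataChannel(ctl io.ReadWriter) error {
	r := bufio.NewReader(ctl)
	if _, err := command(r, ctl, "PBSZ 0", 200); err != nil {
		return err
	}
	_, err := command(r, ctl, "PROT P", 200)
	return err
}

// scriptedExchange plays a constructed FTP server over an in-memory pipe: it sends banner
// (if any), answers each command from replies, and returns the commands the client sent.
func scriptedExchange(banner string, replies map[string]string, client func(net.Conn) error) ([]string, error) {
	srv, cli := net.Pipe()
	var sent []string
	done := make(chan struct{})
	go func() {
		defer close(done)
		if banner != "" {
			io.WriteString(srv, banner)
		}
		r := bufio.NewReader(srv)
		for line, err := r.ReadString('\n'); err == nil; line, err = r.ReadString('\n') {
			cmd := strings.TrimSpace(line)
			sent = append(sent, cmd)
			reply := replies[cmd]
			if reply == "" {
				reply = "502 Command not implemented\r\n"
			}
			if _, err := io.WriteString(srv, reply); err != nil {
				return
			}
		}
	}()
	err := client(cli)
	cli.Close()
	<-done
	return sent, err
}

func main() {
	upgrade := func(c net.Conn) error { _, err := explicitFTPS(c, "files.example.test"); return err }
	cmds, err := scriptedExchange("220 files.example.test ready\r\n", map[string]string{"AUTH TLS": "234 Proceed\r\n"}, upgrade)
	fmt.Println("explicit FTPS upgrade:", cmds, err)
	_, err = scriptedExchange("220 legacy ftp\r\n", map[string]string{"AUTH TLS": "502 Not implemented\r\n"}, upgrade)
	fmt.Println("refused upgrade (must fail, never fall back to cleartext):", err)
	cmds, err = scriptedExchange("", map[string]string{"PBSZ 0": "200 PBSZ=0\r\n", "PROT P": "200 Protection level set to P\r\n"},
		func(c net.Conn) error { return protectDataChannel(c) })
	fmt.Println("data channel protection:", cmds, err)
}
```

Against a real server the PBSZ/PROT commands would be sent through the *tls.Conn that explicitFTPS returns, after USER and PASS; the point of keeping them in a separate function is that many "secure" FTP setups stop after AUTH TLS and then transfer every file in the clear.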


Speed, Availability, and Security


Speed. Availability. Security. Name recognition. These are things everyone cares about, in any online industry. Whether you’re selling shoes, running a charity, or operating a multi-national company with global online presence, it matters that your customers feel safe to interact online with you, and that they have a fast, efficient experience at your site to bring them back again.

Speed and availability are becoming two of the biggest challenges for hosting companies and SSL providers alike. OCSP lookup speed matters because the browser's status check sits on the page-load path, and an unreachable responder is worse still: most browsers soft-fail, silently skipping the revocation check, so a responder outage quietly removes the protection rather than blocking the page. Symantec is constantly looking for ways to improve, and we invest in expanding our infrastructure to enhance speed and reliability. GlobalSign has advertised that they outsourced their OCSP lookup to CloudFlare. There is nothing wrong with a company outsourcing services if it helps it operate more safely and efficiently. Either way, a site operator can take the responder off its visitors' critical path with OCSP stapling, where the web server fetches the response periodically and sends it inside the TLS handshake.

Alas CloudFlare has had some significant recent outages, so while speedy they have failed now and again at availability. You can read their KB article here. And any certificate authority who thinks this level of service is acceptable clearly isn’t taking their customer’s security seriously enough.
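The practitioner's answer to responder latency and outages is OCSP stapling, and the mechanism is worth seeing rather than just naming. The Go program below is an example added for this page, not code from the original post, from Symantec, GlobalSign or CloudFlare: it runs a TLS server and a verifying client over loopback, the server attaches a stand-in for a CA-signed OCSPResponse to its certificate, and the client reads it straight out of the handshake without ever contacting a responder. The certificate is a throwaway self-signed one for the made-up name vpn.example.test and the stapled bytes are a constructed placeholder; a real server fetches and refreshes a genuine response from the CA's responder, and a browser checks the responder's signature and the response's validity window, which Go's client leaves to the application.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedServerCert creates a throwaway certificate for "vpn.example.test" so the
// handshake below runs offline. Constructed for this example; a real deployment uses a
// CA-issued certificate and a real OCSP response fetched from that CA's responder.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vpn.example.test"},
		DNSNames:              []string{"vpn.example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// stapledHandshake starts a TLS server on loopback that staples ocspResponse to its
// certificate, connects a verifying client, and returns the staple the client received.
func stapledHandshake(ocspResponse []byte) ([]byte, error) {
	cert, roots, err := selfSignedServerCert()
	if err != nil {
		return nil, err
	}
	// The staple rides in the handshake (status_request, RFC 6066): the server fetched it
	// from the CA's responder earlier, so the client never contacts the responder itself.
	cert.OCSPStaple = ocspResponse
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()
	// The client verifies chain and hostname as a browser would; InsecureSkipVerify stays off.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: "vpn.example.test", MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return nil, err
	}
	staple := cli.ConnectionState().OCSPResponse
	if len(staple) == 0 {
		return nil, errors.New("server sent no OCSP staple")
	}
	return staple, nil
}

func main() {
	staple, err := stapledHandshake([]byte("constructed stand-in for a DER-encoded OCSPResponse"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("client received %d stapled bytes in the handshake: %q\n", len(staple), staple)
	if _, err := stapledHandshake(nil); err != nil {
		fmt.Println("without a staple the client would have to query the responder itself:", err)
	}
}
```

With a real certificate the web server refreshes the staple well before the response's nextUpdate time and keeps serving the old one if the responder is briefly down, which is exactly the outage case the post worries about: visitors never notice a responder blip because they never talk to it.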

Symantec has military-grade data centers protecting our SSL and PKI infrastructure, and  our validation edge infrastructure has delivered 100% uptime for many years. We have speed, availability, and security covered.