Tag Archives: SSL

No Sporting Chance When Ticket Touts Strike

What a summer of sport it has been. We’ve witnessed in our millions the British & Irish Lions rugby team triumphing in the Rugby Union Test series in Australia; Chris Froome winning the 100th edition of the Tour de France; Missy Franklin taki…

Staying Clear Of The Dark Side

There are deep and disturbing sides to the Internet where businesses should fear to tread if they want to keep themselves safe. So-called ‘dark’ search engines, for example, need to be approached with extreme caution.

Take Shodan, a search engine that indexes not web pages but the service banners of whatever is listening on the Internet. It is akin to a ‘dark’ Google, helping anyone, attackers included, to find the servers, webcams, printers, routers, control systems and networks that are open to tampering.

Shodan was designed to help users track down particular types of software and hardware, determine which applications are most widely deployed, identify anonymous FTP servers, or investigate new vulnerabilities and which hosts they could affect. All good stuff and useful to know. But Shodan also serves as a window into millions of unsecured online connections, and you definitely would not want those connections to be yours. It is the equivalent of a bank opening for business in the morning and leaving the safe ajar by the front door: an open invitation to walk into the inner workings of your organisation and see what riches are there to be had.

Shodan runs non-stop, collecting banners from hundreds of millions of connected devices and services each month. With a simple search, a user can identify systems that either have no security measures in place or still use default passwords that can be guessed easily, leaving unwary organisations open to damaging attacks.

There are accounts of one independent penetration tester confirming that, among the unsecured systems he located using Shodan, were: a carwash that could be turned on and off remotely; an ice hockey rink in Denmark that could be defrosted with a click of a mouse; and a traffic control system for an unnamed city that could be put into ‘test mode’ with a single command. But that is by no means the worst. Security researchers are also said to have located control systems for nuclear power plants and a cyclotron using Shodan. Even allowing for apocryphal stories and a degree of hyperbole, that has to be worrying.

The biggest security flaw, argues Shodan’s creator John Matherly, is that many of these susceptible systems should not be connected to the web at all. “Of course, there’s no security on these things. They don’t belong on the Internet in the first place,” he says. Many industrial and building systems can now be controlled by computer, so IT departments hook them up to a server and instantly make them reachable by anyone with an Internet connection. Much of this sits in what is sometimes called ‘The Invisible Web’, the part of the Internet that ordinary search engines do not index; but not being indexed by Google does not mean not being found, since a port scanner or Shodan will turn it up regardless. It is a high-risk place to be if you do not have the right protections in force.

Indeed, tightly targeted cyber-espionage attacks designed to steal intellectual property are hitting the manufacturing sector and small businesses with ever greater venom, warns Symantec’s latest ‘Website Security Threat Report’. Small businesses, the more vulnerable of the two, were the target of 31% of such attacks, a threefold increase on 2011, and targeted attacks overall surged by 42% during 2012 compared with the previous year.

It is also worth noting that in many cases protecting yourself, your company and your intellectual property online is not difficult, as long as you start from solid foundations such as securing your websites, intranets and extranets with current encryption technology from Symantec.

Symantec SSL is a cost-effective security measure for websites; when SSL is deployed site-wide and persistently it protects the entire user experience from start to finish, making it safer to search, share and shop online. Everything exchanged between the website and the user is encrypted in transit, including cookies, protecting the data from unauthorised viewing, tampering or use. One caveat a deployment must not miss: a cookie only stays off the wire if it is set with the Secure attribute and the site redirects plain http:// requests to https:// (ideally backed by an HSTS header); otherwise the browser will send the session cookie in the clear the moment a user types the address without ‘https’. The Online Trust Alliance is one leading organisation calling for websites to adopt persistent SSL (also known as ‘Always-On SSL’), and some of the world’s best-known names have implemented it, including Google, Twitter and Facebook.
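To see what ‘persistent’ actually requires of a site, here is an added example (not Symantec’s code and not part of the original post) that audits a site’s responses for the three properties behind Always-On SSL: plain HTTP redirected to HTTPS on the same host, an HSTS header so browsers stop trying plain HTTP, and the Secure attribute on every cookie. The host name, the header values and the 180-day HSTS threshold are constructed assumptions; fetch() collects live headers from a real host if you have network access.

```python
"""Always-On SSL posture check.

Added example: not Symantec's code and not from the original post. It audits
the three properties a site-wide SSL deployment should show:
  1. a plain http:// request is redirected to https:// on the same host,
  2. the https:// response carries Strict-Transport-Security (HSTS),
  3. every Set-Cookie the site issues is marked Secure (HttpOnly is advisory).
The sample responses at the bottom are constructed; fetch() gets live ones.
"""
import http.client
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
MIN_HSTS_AGE = 15552000  # 180 days: an assumed local policy, not a standard


@dataclass
class Response:
    status: int
    headers: list  # ordered (name, value) pairs; Set-Cookie may repeat

    def values(self, name):
        return [v for k, v in self.headers if k.lower() == name.lower()]


def check_redirect(http_resp, host):
    """Plain HTTP must answer with a redirect to https:// on the same host."""
    if http_resp.status not in REDIRECT_CODES:
        return False, f"http:// served status {http_resp.status} instead of a redirect"
    locs = http_resp.values("Location")
    if not locs:
        return False, "redirect carries no Location header"
    target = urlsplit(locs[0])
    if target.scheme != "https" or (target.hostname or "").lower() != host.lower():
        return False, f"redirect goes to {locs[0]}, not https://{host}/"
    return True, f"http:// redirects to {locs[0]}"


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if eq else True
    return directives


def check_hsts(https_resp, min_age=MIN_HSTS_AGE):
    """HSTS makes the browser refuse plain HTTP to this host for max-age seconds."""
    values = https_resp.values("Strict-Transport-Security")
    if not values:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(values[0])
    raw = directives.get("max-age")
    if not isinstance(raw, str) or not raw.isdigit():
        return False, "HSTS header has a missing or malformed max-age"
    max_age = int(raw)
    if max_age < min_age:
        return False, f"HSTS max-age={max_age} is below the {min_age}s policy"
    scope = " with includeSubDomains" if "includesubdomains" in directives else ""
    return True, f"HSTS max-age={max_age}{scope}"


def check_cookies(https_resp):
    """A cookie without Secure is sent over plain HTTP too, so the encrypted
    leg protects nothing; HttpOnly is reported but does not fail the check."""
    failures, warnings = [], []
    for cookie in https_resp.values("Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            failures.append(f"{name}: missing Secure")
        if "httponly" not in attrs:
            warnings.append(f"{name}: missing HttpOnly")
    return not failures, failures + warnings


def audit(host, http_resp, https_resp):
    """Every check as a (passed, detail) pair."""
    return {"redirect": check_redirect(http_resp, host),
            "hsts": check_hsts(https_resp), "cookies": check_cookies(https_resp)}


def fetch(host, path="/"):
    """Live variant (needs network): one plain and one TLS request to the host."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", path)
    r = plain.getresponse()
    http_resp = Response(r.status, r.getheaders())
    tls = http.client.HTTPSConnection(host, 443, timeout=10)
    tls.request("GET", path)
    r = tls.getresponse()
    return http_resp, Response(r.status, r.getheaders())


# Constructed sample responses; not captured from any real site.
HOST = "www.example.com"
HTTP_GOOD = Response(301, [("Location", "https://www.example.com/"), ("Content-Length", "0")])
HTTPS_GOOD = Response(200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                            ("Set-Cookie", "session=c0ffee; Path=/; Secure; HttpOnly"),
                            ("Content-Type", "text/html")])
HTTPS_WEAK = Response(200, [("Set-Cookie", "session=c0ffee; Path=/"), ("Content-Type", "text/html")])

if __name__ == "__main__":
    for label, resp in (("good", HTTPS_GOOD), ("weak", HTTPS_WEAK)):
        for check, (ok, detail) in audit(HOST, HTTP_GOOD, resp).items():
            print(f"{label:4} {check:8} {'PASS' if ok else 'FAIL'}  {detail}")
```

Run against the constructed ‘weak’ response the audit fails on HSTS and on the cookie, which is exactly the state of a site that has bought a certificate but only uses it on the login page. The redirect check deliberately rejects a redirect to a different host or to http://, since either means a plain-HTTP hop survives.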

You might also want to look at Symantec Validation and ID Protection Service (VIP) when shoring up your defences. This is a cloud-based authentication service that enables enterprises to secure access to networks and applications while keeping out unauthorised intruders. A unified solution providing both two-factor and risk-based, tokenless authentication, VIP is based on open standards and integrates readily with enterprise applications.

With solutions such as these firmly in place you should have the foundations to withstand even the Internet’s darkest places, but don’t stop there. As a colleague of mine writes here…: “As we near the 2-year anniversary of Stuxnet, it is high time to check where your own organisation stands. While doing so could be relatively quick (particularly using such databases), dealing with the damage would take much longer so we strongly recommend the former course of action.”

There is no time like the present to review what you do and take the appropriate steps to ensure your organisation is protected both now and in the future.

Phishing for profits

We recently published Symantec’s Website Security Threat Report which contains a huge amount of information on the security threat landscape. In this series of blog posts we will focus on topics such as the re-emergence of phishing, the rise of m…

How to Manage the 1024-bit SSL Certificate Migration

Migrating certificates during a major key size migration can be difficult at best. I’m going to give you some background, share a great video we have produced, as well as share seven steps to aid in this migration.
Background – Key Sizes Change w…

Client Certificates vs. Server Certificates – What’s the Difference?

Mention PKI or ‘Client Certificates’ to many people and it may well conjure up images of businesses busily protecting and completing their customers’ online transactions, yet such certificates are to be found throughout our daily live…

A solid foundation for public sector security.

The public sector has a somewhat mixed record when it comes to staving off security breaches. In the UK, for example, the hugely embarrassing data loss at HMRC (HM Revenue & Customs, the tax authority), when the personal details of 25 million people went missing on two discs sent through the post, blamed on what were described as “serious institutional deficiencies”, still lingers in the mind a few years down the line.

On the plus side, the UK government has been heavily engaged in getting its own house in order, identifying information security as a key priority for 2013 and beyond. In recent months, new initiatives to address growing cyber security threats have been announced, with a cyber security ‘fusion cell’ established for cross-sector threat information sharing. The intention is to put government, industry and information security analysts side-by-side for the first time. The analysts will be joined by members of intelligence agencies, law enforcement and government IT, as they exchange information and techniques, and monitor cyber attacks in real time.

However, many of today’s businesses work across international boundaries, so preventing breaches and loss of data has become a world-wide challenge. According to a report from Ernst & Young, ‘Data loss prevention: Keeping your sensitive data out of the public domain’, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world.

“A wide range of high-profile data loss incidents have cost organisations millions of dollars in direct and indirect costs, and have resulted in tremendous damage to brands and reputations,” it states. “Many different types of incidents have occurred, including the sale of customer account details to external parties and the loss of many laptops, USB sticks, backup tapes and mobile devices, to name just a few. The vast majority of these incidents resulted from the actions of internal users and trusted third parties, and most have been unintentional.

“As data is likely one of your organisation’s most valuable assets, protecting it and keeping it out of the public domain is of paramount importance. In order to accomplish this, a number of DLP [Data Loss Prevention] controls must be implemented, combining strategic, operational and tactical measures.”

In the face of such global threats, governments are responding. The European Commission, for example, has proposed that every member state stand up a computer emergency response team to encourage the reporting of online attacks and breaches. Its recently published draft Cybersecurity Directive would make it compulsory for all ‘market operators’, including utilities, transport and financial services businesses, as well as public authorities that run ‘network and information systems’, to implement technical and organisational measures to manage cyber risks.

Those organisations would come under independent regulation, would have to disclose security breaches to the regulator and submit to compulsory audits, and would face sanctions if they failed to comply with the law.

All good news, then… But the simple reality is that any public sector department or body intent on securing itself could readily put in place measures to stop such breaches and losses: secure file transfer (SFTP or FTPS rather than plain FTP), for example, and encrypted data stores such as Data Guardians (a secure database application offering Blowfish encryption with keys of up to 448 bits), so that data can be locked down. One caveat when reading such specifications: key length is not the whole story. Blowfish has a 64-bit block size, which is why current guidance prefers AES for new deployments, and an encrypted store protects nothing if its passphrase is weak or is kept alongside the data.

Public sector organisations are often, by their nature, large and complex. That makes it relatively easy for a rogue employee to get at a subset of highly sensitive data, or for someone simply to move on to another job while the organisation, lacking any central view, has no idea that a certificate issued to that person is about to expire. Central management of certificates and credentials is what closes that gap.

Take Symantec’s Managed PKI for SSL service, for example. It lets an organisation deploy and manage SSL certificates from a single, centrally managed platform while tailoring the deployment to its own requirements: if you need to issue SSL certificates to several internal organisations or business units, Managed PKI for SSL provides central control with delegated administration. This cloud-based approach cuts the cost and complexity of running many certificates, because the organisation is authenticated once rather than business unit by business unit, and the separate purchasing, staffing, training and maintenance overhead of buying and deploying each certificate individually disappears.

SSL, and the PKI behind it, protects the applications that demand the highest level of security: secure transmission of sensitive data, Web services-based business process automation, digital form signing, enterprise instant messaging and electronic commerce. The same certificates are what firewalls, virtual private networks (VPNs), directories and enterprise applications rely on to authenticate one another and encrypt their traffic. Trust lies in knowing that the people, networks and devices accessing, modifying or sharing information within a community have been verified.

There can be a tendency to imagine things are worse in our own backyard, but the security issues we face in the UK are, by and large, no different from those in other countries or other industries. One manufacturer in Europe, for instance, saw its production line go down; the cause was eventually traced to an SSL certificate that had quietly expired. A complete audit of the company’s estate with Symantec’s Certificate Intelligence Center would have identified any certificate about to expire, notified the business immediately and, for a Symantec SSL certificate, renewed it automatically. Instead, the cost was estimated in the millions of euros in lost production, damage to brand and corporate reputation, and a workforce standing idle.
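Catching the failure mode in both stories above (a leaver’s certificate quietly running out, and a production line stopping on an expired certificate) comes down to knowing the expiry date of every certificate you run and ranking them by days left. The following is an added example, not Symantec’s Certificate Intelligence Center and not from the original post: it reads an inventory in the same ‘notAfter’ format Python’s ssl.getpeercert() returns, ranks the entries, and can build live entries by completing a TLS handshake. The host names, dates, the fixed ‘now’ timestamp and the 30-day and 7-day thresholds are constructed assumptions.

```python
"""Certificate-expiry sweep.

Added example: not Symantec's Certificate Intelligence Center and not from the
original post. It walks an inventory of certificates, works out how many days
each has left, and ranks them so the ones about to take something down sit at
the top. Inventory entries use the 'notAfter' string format returned by
ssl.getpeercert(); fetch_cert() builds a live entry over TLS.
"""
import socket
import ssl
import time

WARN_DAYS = 30   # assumed local policy: renew inside this window
CRIT_DAYS = 7    # assumed local policy: page someone inside this window


def days_until_expiry(not_after, now=None):
    """Days left on a certificate given its notAfter string, for example
    'Jan  5 09:34:43 2018 GMT'. Negative means it has already expired."""
    expires = ssl.cert_time_to_seconds(not_after)  # parsed as UTC
    now = time.time() if now is None else now
    return (expires - now) / 86400


def state_for(days, warn_days=WARN_DAYS, crit_days=CRIT_DAYS):
    """Map days-left onto the label an on-call engineer should see."""
    if days < 0:
        return "EXPIRED"
    if days < crit_days:
        return "CRITICAL"
    if days < warn_days:
        return "WARNING"
    return "OK"


def expiry_report(inventory, now=None, warn_days=WARN_DAYS, crit_days=CRIT_DAYS):
    """One row per certificate, soonest expiry first."""
    rows = []
    for entry in inventory:
        days = days_until_expiry(entry["notAfter"], now)
        rows.append({
            "host": entry["host"],
            "issuer": entry.get("issuer", "?"),
            "days": round(days, 1),
            "state": state_for(days, warn_days, crit_days),
        })
    return sorted(rows, key=lambda r: r["days"])


def fetch_cert(host, port=443, timeout=5):
    """Live inventory entry (needs network): complete a TLS handshake with
    normal validation and read the leaf certificate's dates and issuer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = dict(pair[0] for pair in cert.get("issuer", ()))
    return {"host": host, "notAfter": cert["notAfter"],
            "issuer": issuer.get("organizationName", "?")}


# Constructed inventory; 'now' is pinned so the run is repeatable.
NOW = 1514280883  # 26 Dec 2017 09:34:43 UTC
INVENTORY = [
    {"host": "www.example.com", "notAfter": "Jan  5 09:34:43 2018 GMT", "issuer": "Example CA"},
    {"host": "intranet.example.com", "notAfter": "Jun  1 00:00:00 2018 GMT", "issuer": "Example CA"},
    {"host": "plc-gateway.example.com", "notAfter": "Dec 30 12:00:00 2017 GMT", "issuer": "Example CA"},
    {"host": "legacy.example.com", "notAfter": "Dec  1 00:00:00 2017 GMT", "issuer": "Example CA"},
]

if __name__ == "__main__":
    for row in expiry_report(INVENTORY, NOW):
        print(f"{row['state']:8} {row['days']:7.1f}d  {row['host']}  ({row['issuer']})")
```

The sweep is only as good as the inventory behind it, which is the point of the paragraphs above: a certificate nobody recorded is a certificate nobody will be warned about, so feed the report from a central register rather than from whatever hosts someone remembers to list.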

Microsoft goes Always On with EV for Outlook.com

On Tuesday, Microsoft announced that they have just upgraded their entire Outlook.com mail environment to an Always On SSL experience, protected by Extended Validation (EV).  This means that all of the user’s data is protected via 2048-bit e…

Physical Security Makes Web Security Possible

Trust on the Internet isn’t just a catchphrase. It is a concern that gives rise to policies extending from the virtual world of security products and integration all the way down into process and physical reinforcement. It is also a daily practice at Symantec, where we back up our mission statements with concrete, measured practices. We built our datacenter facilities with a defence-in-depth approach, and believe in practising what we preach regarding the standards a CA should adhere to. My leadership team demands that our infrastructure supports our strategy to be the best.

We gave the folks at CNet a tour of our operations facility, where we process SSL certificates, and showed them our model of a secure facility. We are constantly investing in improvement, keeping up with the latest developments in physical security as a vital link supporting our virtual security. Recently, CNet published the following article about what they saw on that tour:

http://news.cnet.com/8301-1009_3-57498393-83/rare-peek-inside-symantecs-security-fortress/

By hardening every piece of our layered security model, we are helping set the standard for CA/Browser Forum participants and the industry at large. CNet’s tour shows in tangible ways our commitment to secure methods and processes, and the tight physical security that backs up our logical security. If an attacker can steal a private key, everything that key protects is at risk; for a Certificate Authority, whose keys vouch for managed PKI systems all over the world, that risk is compounded many times over.

We’re proud of our 100% uptime commitment to our customers. We’re proud that we have never had an instance of compromise in our certificate datacenter. We’re proud to be leaders in the CA industry with our commitment to the CA/Browser (CAB) Forum. We walk the walk of security every day, and challenge our competitors to do the same, to help combat cyber-crime and make the Net a safer place.