SYMANTEC WEBSITE SECURITY THREAT REPORT - 2015

Symantec Website Security Threat Report 2015 to enhance digital security in

  1. RapidSSLOnlinecom
    • 1. PART 3 | WEBSITE SECURITY THREAT REPORT | 2015
    • 2. Symantec Website Security Solutions | CONTENTS
      Social media and scams ... 3
      Looking forward ... 17
      Recommendations ... 19
      About Symantec ... 23
    • 3. SOCIAL MEDIA AND SCAMS
    • 4. AT A GLANCE
      1. Social media scammers go after payouts from affiliate programs by offering false promises of weight loss, money, and sex to drive clicks and sign-ups.
      2. Many people use the same password on multiple networks, so a single breach has let criminals spam accounts on several platforms.
      3. Scammers take advantage of the power of social proof by relying on real people, rather than bot networks, to share their scams.
      4. Many phishing scams either play on fears generated by hacking and health-scare stories, or on intrigue piqued by scandalous celebrity stories, both real and fake.
    • 5. INTRODUCTION
      In 2014 criminals hijacked the power of ‘social proof’, the idea that we attribute more value to something if it is shared or approved by others. The classic example is two restaurants, one with a long queue and the other empty: people would rather wait in the queue, because popularity suggests quality.
      Criminals exploited this effect by hijacking real accounts on platforms like Snapchat, so that when you saw an endorsement for a scam product or link, you trusted it because it seemed to come from someone you actually knew. The public also undervalued their data in 2014, freely giving away email addresses and login credentials without checking that they were on a legitimate website. While scammers certainly evolved their tactics and ventured onto new platforms in 2014, a lot of their success continued to come from people’s willingness to fall for predictable and easily avoided scams.
    • 6. SOCIAL MEDIA SCAMS
      Criminals will go wherever there are people to be scammed. Large numbers of people use the well-established social media platforms, and as such those platforms play host to plenty of scams. Scammers have also taken note of the rise in popularity of messaging and dating apps, and a variety of scams are being seen on these platforms as well.
      Facebook, Twitter and Pinterest
      The big shift in social media scams this year has been the uptick in manual sharing scams. This is where people voluntarily and unwittingly share enticing videos, stories, pictures, and offers that actually include links to malicious or affiliate sites. For example, scammers took advantage of the death of Robin Williams by sharing what was supposed to be his goodbye video. Users were told they had to share the video with their friends before they could view it, and were then instructed to fill out surveys, download software, or were redirected to a fake news website. There was no video.[1]
      [Figure: Facebook share dialog with fake comments and shares]
      [Figure: Scam site asks users to install a fake Facebook media plugin]
      [Chart: Social media scams by type, 2012–2014 (percentage): Fake Offering, Likejacking, Comment Jacking, Fake Apps, Manual Sharing. Source: Symantec | Safe Web] In 2014, 70 percent of social media threats required end users to propagate them, compared with only 2 percent in 2013.
      [1] http://www.symantec.com/connect/blogs/robin-williams-goodbye-video-used-lure-social-media-scams
    • 7. With manual sharing, there’s no hacking or jacking necessary: people and their networks do all the work for the criminals. Other social media scams require a bit more work on the part of the criminal. Likejacking and comment jacking, for example, ask victims to click what appears to be a ‘continue’ or ‘verification’ button to access some enticing content, but the button actually masks the fact that the victim is liking or commenting on the post, increasing its popularity and reach.
      Instagram
      Instagram, the picture-sharing platform, now has more monthly active users than Twitter, and legitimate brands use it as a marketing channel.[2][3] Among the scams seen on Instagram in 2014 were ones where criminals try to monetize pre-populated accounts and mimic offers employed by legitimate corporate users. In one scam, fake accounts are created purporting to be lottery winners who are sharing their winnings with anyone who will become a follower. In another, they pretend to be well-known brands giving away gift cards. Instagram users are told to follow the fake account and add their personal information, such as email addresses, in the comments to receive the incentive. Victims think nothing of giving away their details. According to our Norton Mobile Apps Survey Report, 68 percent of people surveyed will willingly trade various types of private information for a free app.[4] In fact, some even sent $0.99 to the scammers to cover the return postage for the so-called offer above (the offer never arrives, of course). It’s such a small amount that people don’t worry, but they are giving away more details, and scammers are getting an extra cash bonus.[5] This is particularly prevalent on Instagram, partly because there is no verification badge for legitimate accounts. And as soon as one person falls for the scam, their friends who follow their stream will see the posted picture and jump on board too.
      Once a fake account has enough followers, the criminals change the name, picture and bio, so that when the incentive fails to materialize, people can’t locate the account to mark it as spam. Criminals then sell this altered account, with all its followers, to the highest bidder. Shortly afterwards, a new account usually pops up in the guise of the original fake profile, claiming its old account was hacked, and the process starts all over again.
      [Figure: Instagram accounts impersonating real-life lottery winners[6]]
      [2] http://blog.instagram.com/post/104847837897/141210-300million
      [3] https://investor.twitterinc.com/releasedetail.cfm?ReleaseID=878170
      [4] http://www.slideshare.net/symantec/norton-mobile-apps-survey-report
      [5] http://www.symantec.com/connect/blo...ry-winners-impersonated-offer-money-followers
      [6] Image from: http://www.symantec.com/connect/blo...ry-winners-impersonated-offer-money-followers
    • 8. Messaging platforms
      This year it was Snapchat, the social app that lets people send images and videos that self-destruct within 10 seconds of the recipient opening the message, that was particularly hard hit. In October, several Snapchat accounts were hacked, and people reported receiving messages from their friends containing a live link promoting diet pills. Snapchat said these accounts were compromised because the users had reused the same password on multiple websites, one of which had been breached.[7]
      URL shortening services are popular among spammers and social networking users alike, because they provide a shortened link. For spammers they have an added benefit: they hide the domain name of the spam website behind them. Additionally, by appending “+” to the end of a bit.ly link, spammers and their affiliates have easy access to click-through statistics and other demographics. Short URLs are frequently seen not only in email spam, but also in SMS spam and in some of the newer forms of spam spread through social networks.
      In October, Symantec also saw an incident, referred to online as ‘the snappening’, when supposedly destroyed Snapchat images began appearing online. This turned out to have originated from an unapproved third-party app that some people used to archive their Snapchat photos.
      Often, the security and privacy policies of emerging social media platforms aren’t as strong as they could or should be, and users don’t help the situation by reusing their passwords across multiple platforms and using unverified third-party apps to enhance their experience. Unless users begin to think about the risk they are exposing themselves to, we are likely to see similar account hijacking stories in 2015 on whatever the next big platforms turn out to be.
      [Figure: An example of a legitimate user account being compromised to send spam to the victim’s circle of friends. The legitimate owner of the compromised account is quickly notified by Snapchat.]
      [Chart: Click-through rates for the URL included in the Snapchat spam example above, sampled on Jan 19, Jan 24 and Jan 29, 2015]
      [7] http://www.symantec.com/connect/blo...use-native-chat-feature-spread-diet-pill-spam
    • 9. Dating scams
      Sexual content has always gone hand-in-hand with cybercrime, and 2014 was no different. In 2014 these adult-themed scams embraced popular dating apps, with examples appearing on Tinder, and messaging services such as Snapchat and Kik Messenger. The end game is to get people to click through and sign up to external websites, at which point scammers earn a commission as part of an affiliate program.[8] Some affiliate programs will pay out for every victim who clicks through; others will only pay out if a victim signs up and hands over their credit card details. Some sites pay $6.00 per lead for a successful sign-up and up to $60.00 if a lead becomes a premium member.[9] They can be, in other words, a profitable monetization strategy for online criminals. (See Affiliate Programs: The Fuel That Drives Social Media Scams for more on affiliate marketing.)
      The scam usually starts with the profile of an attractive young woman offering adult webcam time, sexting or hook-ups. On Tinder, there have also been cases of profile pictures overlaid with text offering prostitution services. Scammers put the text within the image in an attempt to beat spam filters. The recipient then has to click through to, or manually visit, an affiliate website if they want to continue the encounter. In reality, these ‘hot chicks’ are nothing more than scripted bots with sexy profile pictures, and there is no one waiting on the other side. These promises of sexual content prove popular with the public: one particular campaign, associated with a site called blamcams, resulted in nearly half a million clicks across seven URLs in less than four months.[10] For scammers tied to affiliate programs, or who use links to fake webcam sites to phish for credit card details, that’s a good source of income.
      [Figure: Examples of spam “cam-girl” type messages appearing as new chats on Kik Messenger[11]]
      [Figure: Historical overview of fake prostitution profiles on Tinder]
      [8] http://www.symantec.com/connect/blogs/adult-webcam-spam-all-roads-lead-kik-messenger
      [9] http://www.symantec.com/connect/blo...ter-spammers-still-flirting-mobile-dating-app
      [10] http://www.symantec.com/connect/blo...ter-spammers-still-flirting-mobile-dating-app
      [11] Taken from: http://www.symantec.com/connect/blo...ter-spammers-still-flirting-mobile-dating-app
    • 10. Malcode in social media
      It’s worth noting that, while most sharing scams are concerned with gaining clicks and sign-ups for affiliate programs, there was a case in 2014 where a Facebook scam redirected to the Nuclear exploit kit. When successful, this attack gives the attackers control of the victim’s computer, allowing them to send out spam email and download further malicious files.[12] People need to be wary of links posted by friends that seem unusually sensational and, rather than clicking on the link, should go directly to a trusted news source and search for the story there.
      The rise of “anti-social” networking
      Privacy concerns, both about government surveillance and about oversharing with service providers, have triggered the launch of new social networks that prioritize secrecy, privacy and/or anonymity, such as Secret, Cloaq, Whisper, ind.ie, and Post Secret. These types of applications are havens for gossip, confessions and, sometimes, the darker side of human nature. Some argue that secrecy is the key to the next phase of social networking.[13][14] Critics say that anonymous forums, such as 4chan, create safe havens for trolls, bullies, and criminals.[15]
      Existing social networks, such as Twitter and Facebook, have responded to these concerns with greater disclosure and by sharpening up their privacy policies. For example, Facebook now publishes its number of government data requests,[16] Twitter is considering a ‘whisper mode’,[17] and Google has enhanced encryption on its Gmail email service.[18]
      While the desire to remain anonymous may be very attractive for some individuals, there is always a downside that we must keep in mind. Some organizations have very strict guidelines and policies that govern how their employees must conduct themselves online, but many are still adapting to these new environments where people can potentially say whatever they like with impunity.
      Businesses should ensure that their electronic communication policies address these concerns and that technologies are in place for monitoring potential breaches of the rules. While it may not be appropriate to block access, it may prove invaluable to be able to monitor such activities.
      [12] http://www.symantec.com/connect/blogs/facebook-scam-leads-nuclear-exploit-kit
      [13] http://www.wired.com/2014/02/can-anonymous-apps-give-rise-authentic-internet/
      [14] http://www.technologyreview.com/review/531211/confessional-in-the-palm-of-your-hand/
      [15] See the many issues highlighted on http://en.wikipedia.org/wiki/4chan
      [16] https://www.facebook.com/about/government_requests
      [17] http://thenextweb.com/twitter/2014/...iends-privately-discuss-public-conversations/
      [18] http://techcrunch.com/2014/03/20/gm...servers-now-encrypted-to-thwart-nsa-snooping/
    • 11. PHISHING
      [Chart: Email phishing rate, 2012–2014, 1 in N emails (not spear-phishing). 2012: 1 in 414; 2013: 1 in 392; 2014: 1 in 965. Source: Symantec | .cloud]
      There was a dip between June and September, but the overall phishing rate in 2014 was 1 in 965, compared with 1 in 392 in 2013. Phishing attacks towards the end of the year were boosted by the surge in Apple ID phishing schemes that emerged after the headline-grabbing hack that saw several nude pictures of celebrities stolen and published. Apple IDs have always been a target for phishers, but this news story meant people were particularly receptive to messages purporting to be about the security of their iCloud accounts.
      [Chart: Monthly email phishing rate, 1 in N emails (not spear-phishing), 2012–2014. Source: Symantec | .cloud]
    • 12. The Kelihos botnet looked to exploit the public’s fear by sending messages claiming that a purchase had been made on the victim’s iCloud account from an unusual device and IP address. The victim was urged to check their Apple ID by clicking an accompanying link, which led to a phishing page. Masquerading as an Apple website, the page asked the user to submit their Apple ID and password, which were then harvested by the criminals for exploitation or resale.[19] Variations on this theme appeared throughout 2014, with criminals aiming to acquire social media, banking, and email login details.
      Most phishing scams are distributed through phishing emails or URLs on social media sites. On social media there’s often a news hook, like the Ebola outbreak or some kind of celebrity scandal, that encourages people to click on links that require them to ‘log in’ before they can see the details or video promised. Email distribution also involves news hooks, but is also used to phish for professional account logins such as banking details, LinkedIn accounts, cloud file storage, or email accounts.[20] Some emails pose as security updates or unusual-activity warnings that require you to fill in your details on a phishing site, which immediately sends your details to the criminals.
      The content of these phishing sites is often obscured so that browsers and security software do not raise warnings when victims open them, and this year saw a new leap forward for the criminals with the use of AES (Advanced Encryption Standard). The phishing page is stored as AES ciphertext and only decrypted by script in the victim’s browser when it loads, so a casual analysis of the page source reveals no phishing-related content: the login form and the brand names are all inside the unreadable encrypted text. Browser and security software warnings are therefore less likely to appear, more victims are likely to fall for the scam, and it is harder to track.[21] The technique is obfuscation rather than real secrecy, though: the key has to reach the browser along with the ciphertext, so an analyst who runs or emulates the page’s script recovers the same content the victim sees.
      [Figure: Sample of phishing email sent to victims[22]]
      [Chart: Number of phishing URLs on social media, 2009–2014 (thousands). Source: Symantec | .cloud]
      [19] http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign
      [20] LinkedIn: http://www.symantec.com/connect/blogs/linkedin-alert-scammers-use-security-update-phish-credentials; Google Docs: http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam; Dropbox: http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
      [21] http://www.symantec.com/connect/blogs/fresh-phish-served-helping-aes
      [22] Image from: http://www.symantec.com/connect/blogs/apple-ids-targeted-kelihos-botnet-phishing-campaign
    • 13. EMAIL SCAMS AND SPAM
      The shift away from email isn’t just happening with phishing attacks; the global spam rate is declining. Over the last three years, the overall spam rate has dropped from 69 percent in 2012, to 66 percent in 2013, and 60 percent in 2014. While this is good news overall, there are still a lot of scams being sent by email, and criminals are still making money.
      In October, Symantec reported an increase in a particular scam where emails were sent, often to a recipient working in the finance department of a company, requesting payment by credit card or the completion of a wire transfer. The sender details were sometimes faked, or made to look like they had come from the CEO or another high-ranking member of the victim’s company, and the money transfer details were either sent in an attachment or had to be requested by emailing the sender back.[23] The rise in this type of scam is likely because attachment-based scams are more easily filtered by corporate security systems, even though many organizations still do not filter attachments and the majority of malicious emails still rely on potentially harmful attachments. In contrast, a sharp rise in malicious URLs versus attachments at the end of the year was related to a change in tactics and a surge in socially engineered spam emails.
      [Chart: Estimated global email spam volume per day. 2012: 30 billion; 2013: 29 billion (-1%); 2014: 28 billion (-1%). Source: Symantec | Brightmail]
      [Chart: Overall email spam rate. 2012: 69%; 2013: 66% (-3%); 2014: 60% (-6%). Source: Symantec | Brightmail]
      [23] http://www.symantec.com/connect/blogs/scammers-pose-company-execs-wire-transfer-spam-campaign
    • 14. AFFILIATE PROGRAMS: THE FUEL THAT DRIVES SOCIAL MEDIA SCAMS
      by Satnam Narang
      If you have used a social network in the last decade, chances are you have seen one of the following offers appear in your news feeds and timelines:
      • Free smartphones, airline tickets, or gift cards
      • Unbelievable news about celebrities (sex tapes, death)
      • Unbelievable world news (specifically natural disasters)
      • Proposals to get naked on a webcam, or propositions from alleged sex workers
      It has become clear that as any social networking platform becomes popular, scammers are never far behind. While each platform may be different and each scam slightly varied, the constant is that affiliate networks are the driving force behind them.
      Affiliate marketing is a popular way for companies to increase their business on the Internet. A business uses affiliates to help market and sell its products. For instance, an affiliate could feature a book on their web page and provide a link directly to a vendor that sells that book; for every sale, the affiliate receives a small commission. While legitimate vendors use affiliates, so do illegitimate ones. And in some cases the vendor is legitimate, but some of its affiliates are willing to use unscrupulous methods to profit from the affiliate program.
      Affiliates participate in an affiliate program by appending a special affiliate ID to the URLs used when a customer clicks an advertisement, which keeps track of where the clicks come from. This affiliate ID is how merchants are able to track the contributions of affiliates, and thus pay out commissions.
    • 15. Scammers monetize social media by leveraging affiliate networks. Any time a user is asked to fill out a survey or sign up for a premium offer for a service, that user becomes a referral for an affiliate program. By tricking users into participating in a survey and/or signing up for a premium service, the scammer makes money.
      Details on these semi-legitimate affiliates and their payouts are murky. Many won’t share details, making it hard to estimate just how much money an affiliate can make. However, most affiliate networks put up bids from merchants, which state clearly what action is required for a conversion. In the example below, a $1,500 Visa Gift Card advertisement converts when the referred user submits their email address. This particular merchant values each email conversion at $1.40 USD when paying its affiliates.
      On the popular dating application Tinder, we found affiliate links to adult dating services and webcam sites. These sites promote their affiliate payouts directly. One site we found pays affiliates up to $6 USD for every user that signs up for an account, and up to $60 USD if that user signs up for a premium service, which typically involves paying for a subscription with a credit card. Based on this pricing structure, convincing users to sign up for the premium service could be highly profitable. However, scammers drive so much traffic to these sites that account sign-ups, paying only $6 each, are enough to create a handsome profit. The users that do sign up for a premium service are just the icing on the cake.
      Legitimate merchants and some affiliate networks have tried to tackle scams on their platforms, but as long as there is money to be made from these shady affiliate programs, they will persist. As a merchant, it is important to know the affiliates you work with and ensure they are being transparent with you about their practices.
      End users should be mindful when using any social network, keeping an eye out for free offers of gadgets, gift cards, and airline tickets, or invitations from attractive women to join adult dating and webcam sites. If you are asked to fill out a survey or sign up for a service using a credit card, you are most likely being scammed. As the old adage goes, if it sounds too good to be true, it is.
    • 16. PHISHING IN COUNTRIES YOU MIGHT NOT EXPECT
      by Nicholas Johnston
      Symantec sees a significant proportion of global email traffic, and recently we were surprised to see phishing attacks targeting institutions in rather unexpected locations.
      Angola and Mozambique are two southern African countries on opposite sides of the vast continent. They aren’t the first places that spring to mind when you think of phishing, where the goal is to gather sensitive information in order to make money. Mozambique is still a developing country and, despite having an abundance of natural resources, remains heavily dependent on foreign aid. Its per-capita GDP is around $600. Angola fares better than Mozambique; its per-capita GDP is just under $6,000. These are statistically poor countries. (For comparison, the global average per-capita GDP stands at $10,400, and that of the United States at around $52,800.)
      A recent phishing campaign targeted a major African financial institution, appearing to come from a Mozambique bank, with the email subject “Mensagens alertas: 1 nova mensagem!” (Message alerts: 1 new message!). A URL contained within the body led to a fake version of the bank’s website, asking the target to enter a number of banking details that would allow the attacker to take over the account.
      Why are financial institutions in these countries being targeted? It’s impossible to be sure, but one of the main dangers of phishing is the ease with which attackers can set up phishing sites. Over the year, we’ve found many “phish kits”: zip files containing complete phishing sites, ready to be unzipped on a freshly compromised web server. From an attacker’s perspective, phishing has very low barriers to entry. By targeting smaller or more niche institutions, phishers can avoid competition with their peers. Phishing awareness in developing countries is likely to be lower than in the US or Europe, for example. In all likelihood, the phishing scams targeting Angola and Mozambique originate from those countries or neighboring ones.
      Phishers who target people in developed countries won’t be interested in the comparatively low potential profits from phishing accounts in Angola or Mozambique, but those profits, low by Western standards, can still be attractive to someone living in Angola, Mozambique, or nearby countries with similar living standards. It might also be easier for phishers based in Angola or Mozambique to use stolen credentials locally rather than selling them on.
      As people increasingly interact with companies and services online, we expect phishing to increase: there are more targets, and the barriers to entry will continue to fall. Even institutions in the very small and relatively isolated eastern Himalayan Kingdom of Bhutan have been targeted in phishing attacks. This only demonstrates that nowhere is safe from phishing.
    • 17. LOOKING FORWARD
      HINDSIGHT + INSIGHT = FORESIGHT
    • 18. Security gamification
      As the 16th-century security consultant Niccolò Machiavelli observed: ‘Men are so simple and yield so readily to the desires of the moment that he who will trick will always find another who will suffer to be tricked.’ Internet security relies on the human element as much as it does on technology. If people were more skillful, they could help to reduce the risks they face. This is as true of consumers avoiding scams as it is of government employees avoiding social engineering in targeted attacks. In this context, gamification[24] can be used to turn ‘the desires of the moment’ into lasting changes of behavior, using the psychological rewards and instant gratification of simple computer games. Gamification could be used, for example, to train people to be wary of phishing emails, or to generate, remember, and use strong passwords. We see a big market opportunity and a great need for this kind of training in the coming years.
      Security simulation
      Companies can prepare for security breaches and understand their defenses better by using simulations and security ‘war games’. By extending conventional penetration testing into a simulated response and remediation phase, companies can train their people and improve their readiness. This message is not lost on governments. In January 2015, UK Prime Minister David Cameron and US President Barack Obama agreed to carry out ‘war game’ cyber attacks on each other.[25] Companies should follow their example in 2015.
      A determined attacker will likely succeed
      In the battle between attackers and corporate IT security, the bad guys only have to be lucky once; the IT department has to be lucky all the time. With this in mind, IT managers (and indeed consumers) need to plan for the worst. There is no magic-bullet technology that will guarantee immunity from Internet crime or determined, targeted attacks. So assume you’ve been hacked, or are about to be, and switch from a binary ‘safe / not safe’ view to a nuanced, almost medical approach to trends, symptoms and behavioral prevention, diagnostics, and treatment. On a technical level, this means ensuring you have effective data-loss prevention software on each endpoint, gateway, and email server to prevent data exfiltration. It also means that backup and disaster recovery become much more important, as do detection and response planning. This is not a counsel of despair, and we should never make it easy for attackers by giving up on prevention, but it is better to be wise before the event than sad after it.[26]
      Data sharing between companies is essential
      Data sharing between companies is essential to security.[27] Historically, companies have been afraid to share too much information with other companies, so they have effectively been fighting individual battles against the bad guys and depending on their own internal resources. We believe that they need to pool their threat intelligence and their experience to combat the criminals. Tools that allow them to do this while retaining some IP protection will become increasingly important. For example, security data exchanges could share hashes, binary attributes, symptoms, and so on without revealing corporate secrets or information that could be useful in an attack.
      Insecure operating systems
      A quarter of PC users were running Windows XP and Office 2003 in July 2014,[28] even as the software went out of support and Microsoft stopped updating it. A lot of people are still in denial about this change.[29] It leaves them unpatched as new threats emerge, which presents a significant security risk over the next year. For embedded devices running out-of-date operating systems, companies will need to find new ways of protecting them until they can be replaced or upgraded.
      Internet of things
      As consumers buy more smart watches, activity trackers, holographic headsets, and whatever new wearable devices are dreamed up in Silicon Valley and Shenzhen, the need for improved security on these devices will become more pressing. It is a fast-moving environment where innovation trumps privacy. Short of government regulation, a media-friendly scare story, or greater consumer awareness of the dangers, it is unlikely that security and privacy will get the attention they deserve.[30]
      [24] Gamification: from Efrain Ortiz interview
      [25] http://www.bbc.co.uk/news/uk-politics-30842669
      [26] Assume you’ve been hacked: from Efrain Ortiz interview
      [27] Efrain Ortiz interview
      [28] http://www.informationweek.com/software/operating-systems/windows-xp-stayin-alive/d/d-id/1279065
      [29] Candid Wueest interview
      [30] Vaughn Eisler interview
    • 19. RECOMMENDATIONS AND BEST PRACTICES
    • 20. Despite this year's vulnerabilities, when it comes to protecting your website visitors and the information they share with you, SSL and TLS remain the gold standard. In fact, thanks to the publicity that Heartbleed received, more companies than ever have started hiring SSL developers to work on fixes and code, putting more eyes on the SSL libraries and on good implementation practice.

    Get Stronger SSL

    2014 saw SSL certificate algorithms become stronger than ever. Symantec, along with several other CAs, has moved to SHA-2 as the default and is winding down support for 1024-bit roots [i]. Microsoft and Google announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring as early as January 1, 2016 [ii]. In other words, if you haven't migrated to SHA-2, visitors using Chrome to access your site will likely see a security warning, and as of January 1, 2017 your certificates simply won't work for visitors using Internet Explorer.

    Symantec is also advancing the use of ECC, which gives much stronger security per bit of key length than RSA. All major browsers, including mobile, support ECC certificates on the latest platforms, and there are three main benefits to using it:

    1. Improved security. Compared with an industry-standard 2048-bit RSA key, a 256-bit ECC key is, by Symantec's estimate, 64,000 times harder to crack [iii]: a brute-force attack would need far more computing power and far more time.

    2. Better performance. Website owners used to worry that SSL would slow their site down, which led many sites to protect only some pages ("partial-on" SSL). That leaves session cookies and form data exposed on the unencrypted pages. ECC needs much less processing power on the server than RSA and can handle more users and more simultaneous connections, which makes Always-On SSL not only sensible but viable.

    3. Perfect Forward Secrecy (PFS). PFS comes from an ephemeral key exchange (DHE or ECDHE) negotiated by the server, not from the certificate itself, so it is available with both RSA and ECC certificates; but every PFS handshake requires the server to sign the ephemeral key, and that signature is much cheaper with an ECC certificate than with RSA. Why does it matter? Without PFS, the session keys are protected by the server's private key, so an attacker who obtains that key (which Heartbleed made a very real possibility for many websites) can retrospectively decrypt any traffic they have already captured. With PFS, the private key is used only to authenticate the server, and each session's keys are derived from ephemeral values that are discarded afterwards: a stolen key lets an attacker impersonate your site in future connections, but it does not decrypt captured traffic, past or future.

    Use SSL Right

    As we've seen from 2014, SSL is only as good as its implementation and maintenance. So be sure to:

    • Implement Always-On SSL. Use SSL certificates to protect every page of your website, so that every interaction a visitor has with your site is authenticated and encrypted.
    • Keep servers up to date. This applies beyond the server's SSL libraries: any patch or update should be installed as soon as possible. They are released for a reason: to reduce or eliminate a vulnerability.
    • Display recognized trust marks (such as the Norton Secured Seal) in highly visible locations on your website to show customers your commitment to their security.
    • Scan regularly. Keep an eye on your web servers and watch for vulnerabilities or malware.
    • Keep server configuration up to date. Make sure that the old, insecure versions of the SSL protocol (SSL 2 and SSL 3) are disabled, and that the newer versions of the TLS protocol (TLS 1.1 and TLS 1.2) are enabled and prioritized. Use tools like Symantec's SSL Toolbox to verify proper server configuration [iv].

    i. http://www.symantec.com/page.jsp?id=1024-bit-certificate-support
    ii. http://www.symantec.com/en/uk/page.jsp?id=sha2-transition
    iii. http://www.symantec.com/connect/blogs/introducing-algorithm-agility-ecc-and-dsa
    iv. https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
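    The PFS point in item 3 above is easier to see in code. The following Go program is an added example written for this page, not Symantec's code or any part of the report. It simulates both TLS 1.2 key exchanges with Go's standard crypto packages, using a single SHA-256 in place of the TLS key schedule (an assumption stated in the code) and AES-GCM for one application-data record, then replays a stolen server key against each recorded session. The names RSASession, RecoverRSASession, ECDHESession, RecoverECDHESession and ClientAccepts, and the sample cookie, are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // demo only: any library error aborts the run
	if err != nil {
		panic(err)
	}
	return v
}

// sessionKey stands in for the TLS key schedule (assumption: one SHA-256 replaces the PRF).
func sessionKey(secret []byte) []byte { s := sha256.Sum256(secret); return s[:] }

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts one application-data record with AES-256-GCM under the session key.
func seal(key, pt []byte) (nonce, ct []byte) {
	nonce = make([]byte, 12)
	must(rand.Read(nonce))
	return nonce, gcm(key).Seal(nil, nonce, pt, nil)
}

// RSACapture is a passive eavesdropper's record of an RSA key-transport session.
type RSACapture struct{ EncryptedPremaster, Nonce, Record []byte }

// RSASession: the client encrypts a random premaster secret to the server's certificate
// key, as the TLS 1.2 RSA key exchange does (PKCS#1 v1.5); the session key derives from it.
func RSASession(server *rsa.PrivateKey, appData []byte) RSACapture {
	premaster := make([]byte, 48)
	must(rand.Read(premaster))
	enc := must(rsa.EncryptPKCS1v15(rand.Reader, &server.PublicKey, premaster))
	nonce, rec := seal(sessionKey(premaster), appData)
	return RSACapture{enc, nonce, rec}
}

// RecoverRSASession is the Heartbleed outcome: the private key leaks later and is
// replayed against the stored capture. Every session ever recorded decrypts.
func RecoverRSASession(stolen *rsa.PrivateKey, c RSACapture) ([]byte, error) {
	premaster, err := rsa.DecryptPKCS1v15(rand.Reader, stolen, c.EncryptedPremaster)
	if err != nil {
		return nil, err
	}
	return gcm(sessionKey(premaster)).Open(nil, c.Nonce, c.Record, nil)
}

// ECDHECapture is the same eavesdropper's record of an ECDHE session: two public points,
// a signature and the record. Nothing in it is encrypted to the server's long-term key.
type ECDHECapture struct{ ServerEphemeral, ClientEphemeral, Signature, Nonce, Record []byte }

// ECDHESession: the server signs a fresh P-256 ephemeral key with its certificate key; the
// session key comes from the ephemeral exchange and both private scalars die with this frame.
func ECDHESession(server *ecdsa.PrivateKey, appData []byte) ECDHECapture {
	srvEph := must(ecdh.P256().GenerateKey(rand.Reader))
	digest := sha256.Sum256(srvEph.PublicKey().Bytes())
	sig := must(ecdsa.SignASN1(rand.Reader, server, digest[:]))
	if !ClientAccepts(&server.PublicKey, srvEph.PublicKey().Bytes(), sig) {
		panic("client rejected ServerKeyExchange")
	}
	cliEph := must(ecdh.P256().GenerateKey(rand.Reader))
	secret := must(cliEph.ECDH(srvEph.PublicKey())) // the server derives the same via srvEph
	nonce, rec := seal(sessionKey(secret), appData)
	return ECDHECapture{srvEph.PublicKey().Bytes(), cliEph.PublicKey().Bytes(), sig, nonce, rec}
}

// ClientAccepts is the client's check on a ServerKeyExchange: a valid certificate-key signature.
func ClientAccepts(certKey *ecdsa.PublicKey, ephPub, sig []byte) bool {
	digest := sha256.Sum256(ephPub)
	return ecdsa.VerifyASN1(certKey, digest[:], sig)
}

// RecoverECDHESession: the attacker has the stolen signing key and the capture. The only
// scalar in hand is the certificate key's, so use it as a server doing static ECDH with its
// certificate key (the non-PFS case) would; against a genuine ephemeral exchange it fails.
func RecoverECDHESession(stolen *ecdsa.PrivateKey, c ECDHECapture) ([]byte, error) {
	static := must(stolen.ECDH())
	secret := must(static.ECDH(must(ecdh.P256().NewPublicKey(c.ClientEphemeral))))
	return gcm(sessionKey(secret)).Open(nil, c.Nonce, c.Record, nil)
}

func main() {
	msg := []byte("Cookie: session=constructed-sample") // constructed sample record
	rsaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ecKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	pt, err := RecoverRSASession(rsaKey, RSASession(rsaKey, msg))
	fmt.Printf("RSA key transport, key stolen later: %q err=%v\n", pt, err)
	pt, err = RecoverECDHESession(ecKey, ECDHESession(ecKey, msg))
	fmt.Printf("ECDHE, key stolen later: %q err=%v\n", pt, err)
}
```

    Under RSA key transport the replay recovers the cookie in full; under ECDHE the same theft recovers nothing from the capture, because nothing on the wire was ever encrypted to the certificate key and the ephemeral scalars were never transmitted. What the thief does keep is the ability to sign fresh ephemeral keys that ClientAccepts will verify, so a leaked key still has to be revoked and replaced: PFS confines the damage to connections made after the theft, it does not remove it.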
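    As a concrete version of the configuration bullet above, here is an added example, not from the report: a small audit of a Go crypto/tls server configuration, with a deliberately weak config beside the corrected one. Go's tls.Config stands in for the server's own settings (nginx's ssl_protocols and ssl_ciphers, or Apache's SSLProtocol and SSLCipherSuite, express the same choices); AuditTLSConfig, WeakConfig and HardenedConfig are this example's own names. crypto/tls no longer implements SSLv3 at all, so the check covers the next rung: nothing below TLS 1.2 negotiable, and no cipher suite that either lacks ECDHE or is flagged insecure by the library.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// AuditTLSConfig checks a Go tls.Config against the advice above: nothing older than
// TLS 1.2 negotiable, and only ECDHE (forward-secret) cipher suites that crypto/tls
// does not itself mark insecure. It returns one finding per problem; empty means pass.
func AuditTLSConfig(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		// Left at the library default, which for Go servers has historically been TLS 1.0.
		findings = append(findings, "MinVersion unset: pin tls.VersionTLS12 so TLS 1.0/1.1 cannot be negotiated")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x admits a protocol older than TLS 1.2", c.MinVersion))
	}
	if c.MaxVersion != 0 && c.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, "MaxVersion caps connections below TLS 1.2")
	}
	if len(c.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites unset: pin an explicit ECDHE-only list rather than the library default")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, name+": marked insecure by crypto/tls")
		case !strings.HasPrefix(name, "TLS_ECDHE_"):
			findings = append(findings, name+": static RSA key transport, no forward secrecy")
		}
	}
	return findings
}

// WeakConfig is the kind of setup the report warns about (constructed for this example).
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10, // TLS 1.0 and 1.1 still on offer
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,          // RSA key transport: a leaked key decrypts old captures
			tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,        // ECDHE, but RC4 is broken
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // the only acceptable entry
		},
	}
}

// HardenedConfig is the corrected form: TLS 1.2 at minimum and ECDHE-only AEAD suites.
// Since Go 1.17 crypto/tls orders suites itself; the list only selects what is allowed.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"weak", WeakConfig()}, {"hardened", HardenedConfig()}} {
		findings := AuditTLSConfig(c.cfg)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

    Running it lists three findings for the weak config (the TLS 1.0 floor, the RSA key-transport suite, and the RC4 suite) and none for the hardened one. The same three questions, minimum protocol version, key exchange and cipher, are what an external checker such as the SSL Toolbox answers from the outside; auditing the configuration in code catches a regression before it is deployed.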
    • 21. Educate Employees

    Basic common sense and a few good security habits go a long way toward keeping sites and servers safe this year:

    • Ensure employees don't open attachments from senders they don't know.
    • Educate them on safe social media conduct: offers that look too good to be true are; hot topics are prime bait for scams; not all links lead to real login pages.
    • Encourage them to adopt two-step authentication on any website or app that offers it.
    • Ensure they use a different password for every email account, application and login, especially for work-related sites and services.
    • Remind them to use common sense: having anti-virus software doesn't make it safe to visit malicious or questionable websites.

    Get Safe or Get Shamed

    Attackers have become more aggressive, more sophisticated and more ruthless than ever in their attempts to exploit the Internet for illicit gain. There is, however, plenty that individuals and organizations can do to limit their impact. SSL and website security are now in the public consciousness, and if you're not doing your part you could find yourself publicly shamed on HTTP Shaming, a site set up by software engineer Tony Webster [v]. When it comes to businesses and their websites, good security processes and implementations are all that stand between them and ruin, financial and reputational. So make sure you're secure in 2015 with Symantec.

    v. http://arstechnica.com/security/2014/08/new-website-aims-to-shame-apps-with-lax-security/
    • 22. COMING SOON: THE FULL SYMANTEC WSTR 2015 AND KEY INSIGHTS INFOGRAPHIC. For you to keep and reference throughout the year or share with colleagues.
    • 23. ABOUT SYMANTEC

    Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings, anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company's more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2013, it recorded revenues of $6.9 billion. To learn more, go to www.symantec.com or connect with Symantec at go.symantec.com/socialmedia.

    More Information
    • Symantec Worldwide: http://www.symantec.com/
    • ISTR and Symantec Intelligence Resources: http://www.symantec.com/threatreport/
    • Symantec Security Response: http://www.symantec.com/security_response/
    • Norton Threat Explorer: http://us.norton.com/security_response/threatexplorer/
    • Norton Cybercrime Index: http://us.norton.com/cybercrimeindex/
    • 24. Symantec World Headquarters, 350 Ellis Street, Mountain View, CA 94043 USA. 1-866-893-6565. www.symantec.com/ssl
    For specific country offices and contact numbers, please visit our website. For product information in the US, call 1-866-893-6565.
    Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Circle Logo, and the Norton Secured Logo are trademarks, or registered trademarks, of Symantec Corporation, or its affiliates, in the U.S. and other countries. Other names may be trademarks of their respective owners.