Channel: Symantec Connect - Blog Entries

Results of our Investigation


Investigating and remediating the test certificate mis-issuance incident has been a top priority for Symantec, and my team specifically. We have completed our investigation and have confirmed that the certificate mis-issuance was limited to certificates issued for internal Symantec testing purposes. Our investigation uncovered no evidence of malicious intent, nor harm to anyone. No customer or partner action is needed.

As we previously disclosed, Symantec learned in September 2015 that it had generated a number of internal test certificates in a manner not fully consistent with its policies. These included certificates to unregistered domains and domains for which Symantec did not have authorization from the domain owner. We immediately commenced an investigation to identify and revoke mis-issued certificates. We also sought to determine and remediate the root causes of the mis-issuances and to confirm that no harm had resulted from the incident.

Our now completed investigation has confirmed that each of the mis-issued certificates we have identified was issued solely for internal Symantec testing purposes.  Each of these test certificates has been revoked or expired and we have contacted the relevant domain owners.  Further, we have and will continue to work with the browser community to blacklist these test certificates where they deem appropriate.

Since this issue first arose, Symantec has implemented changes to our test certificate policies, processes, and controls designed to prevent this from happening again, and we will continue to further evaluate and strengthen those policies, procedures, and controls. We remain fully committed to the continued trust of our roots across browsers and enhancing the security of the global certificate infrastructure. In support of this commitment, as we announced on February 12, 2016, we have already implemented extensive support for Certificate Transparency.

We have sought to proactively implement the important lessons learned from this experience as we now return our attention to an innovative and exciting year for Website Security.

Additional information, including the list of mis-issued test certificates that we have identified, is available here.

 
 

Innovation in Action

Symantec SVP & CIO Sheila Jordan shares her insights on innovation

When we talk about innovation in the enterprise, it is often associated with R&D teams. And while innovation is a necessity for R&D, I believe all teams need to look for new ways to develop and improve stellar customer experiences. In fact, everyone at every level of an organization can and should innovate. Everyone can make things better.

I’d like to share my thoughts on how to innovate across the enterprise, and how we’re putting innovation into action at Symantec.

Ways Management Can Encourage Innovation

Management needs to create an environment to foster innovation in action―to encourage employees to look for areas that are causing more angst for internal teams, customers, and partners than they should―and find ways to fix the problem.

Here are a few best practices:

  1. Give the freedom for everybody to innovate—Management needs to set the stage for an environment to innovate. Ask your team to think outside the box and for ways to improve their service.
  2. Celebrate the “wins”—It is important to acknowledge the success when teams innovate and to further encourage them.
  3. Recalibrate or move on—Just as crucial as celebrating the success is knowing when to make changes. “What can be tweaked?” “What worked?” “What did not work?” A lot of organizations get caught up on infinite iterations. Know when to stop and move on.
  4. Innovate through education—Innovation is a continual learning process. At Symantec we use gamification as part of our Security Simulation and security training. Innovative education makes learning more real, relevant, and fun.

Ways Individual Contributors Can Drive Innovation

It is management’s responsibility to create a culture of innovation―but it is the employees’ responsibility to drive innovation across the company. Innovation should not be self-serving. It can be tricky if you are solving a problem for yourself, but making things twenty times harder for everyone else. Innovation should make the experience better end-to-end. Innovate outside of your comfort zone and drive towards a “win-win-win” situation.

Agility and Innovation

Agility and innovation go hand-in-hand. Organizations should simplify processes and tools, communicate openly, and work together to stay agile. When teams do this―especially IT organizations―the environment is ripe for innovation. In the past, organizations were bogged down with slow, cumbersome processes. For example, a team would work on something by themselves, pass it to another team, and then wait for feedback or action. When feedback came, they would revise, then “throw it back over the fence” and wait, and so forth.

Agility eradicates complexity and inefficiencies. As an example, our Symantec IT teams use agile development to quickly transition the business requirements and demands into a visual representation. “We heard what you said. We will mock it up, then validate that is what is expected.”

This agile development approach helps us listen closely, work together, and move fast. It is collaboration in real-time.

While they may seem separate, innovation and security are deeply connected. At Symantec, we have a long history and culture of innovation. As the largest cybersecurity organization, innovation is part of our DNA and a necessity to help move the technology forward. We constantly talk with our customers to hear what challenges are facing them. We listen and learn what they need, and then move with agility to solve the problems. Symantec’s innovation in action helps us deliver a win for our customers, partners, and the entire industry.

What you need to know about election apps and your personal data

Now Available – Ghost Solution Suite 3.1


In March 2015 we released Ghost Solution Suite 3.0, a long awaited major release that incorporates the best elements of Deployment Solution (DS) 6.9 and Ghost Solution Suite (GSS) 2.5. This powerful new integrated offering extended the capabilities for operating system deployment, configuration, PC "personality" migration, and software deployment across multiple hardware platforms and OS types, and scales easily from small business to large enterprise environments. To ease the transition we held several webcasts, created numerous how-to videos, and collected as much product feedback as possible.

The customer participation and interaction helped shape the release of Ghost Solution Suite 3.1, which includes several new features and enhancements, such as:

  • Support for multiple versions of WinPE
  • Support for WinPE 10
  • Linux PE update
  • Automation folders (imaging without PXE)
  • Partition based imaging

To learn all about this new release, you can listen to the recorded Ghost Solution Suite 3.1 Launch Webcast and how the solution can simplify your imaging and deployment needs.

You can also learn more about Symantec Ghost Solution Suite or try a 30 day free trial by visiting the product page.

Complete details on new features in the release are available on Symantec’s Support Center.

Achieve a New Level of Security with Symantec for Office 365

New series focused on how Symantec extends security of Office 365

Cloud apps like Microsoft Office 365 are becoming mainstream. Although the core of Office 365 is the email application, the product also includes many traditional Microsoft Office applications, as well as newer apps. While Office 365 focuses on workplace collaboration, allowing the open exchange of information, it’s also a prime target for attackers.

Embracing the Cloud without Compromising Security

The attractiveness of Office 365 to attackers has prompted organizations to consider additional security as they make their move to Office 365. Targeted attacks, rogue access, data leaks, and email threats (for example, SPAM, phishing, and malware) all pose significant threats to cloud-based applications.

Microsoft ships Office 365 with some built-in security. However, enterprises need to build on and extend these basic security controls. Organizations require expanded information and threat protection controls that work across heterogeneous environments, that are capable of securing a wide variety of enterprise applications, and that support hybrid deployment models. It is especially critical for organizations that operate in a highly-regulated industry, or in an industry with unique risk profiles that are prone to a higher volume of attacks. This is why leading industry analysts like IDC and Gartner recommend including third-party security products in a comprehensive Office 365 security framework.

How Symantec for Office 365 Can Help

Symantec for Office 365 is designed as a comprehensive security solution that seamlessly integrates with Office 365 for greater protection of your valuable information while detecting and remediating increasingly sophisticated threats. With Symantec for Office 365, organizations can:

  • Extend security controls to better shield email from advanced malware
  • Protect against targeted attacks
  • Increase safeguarding of business-sensitive information
  • Control access with numerous user-friendly and strong authentication options

Symantec for Office 365 combines enterprise-strength email security, threat protection, data loss prevention, and authentication to extend Office 365 security.  

Example Scenario

Let’s say that one of the salesmen on your team, Jim, is at a coffee shop having a cup of mocha and getting some work done. Office 365 provides Jim the flexibility to work anywhere, allowing creation and sharing of data and files that he can share on the fly with the team, partners, and clients. 


However, you want to ensure that access to Office 365 is secure. And, it’s got to be quick and easy. Fortunately, your team uses Symantec for Office 365. Jim brings up the single sign-on portal, uses his fingerprint with VIP to authenticate, and he’s logged in seamlessly.

Jim wants to email some specs to a contractor friend for feedback. Fortunately, the Symantec DLP Cloud Service for Email identifies that the file contained sensitive information, which could possibly get critical information into the wrong hands if shared. When Jim tries to send the email via Office 365, it gets blocked.

Symantec’s data protection technology includes fingerprinting, keyword matching, and vector machine learning capabilities with support for more than 330 different file types (structured and unstructured data).

With Symantec Advanced Threat Protection, organizations are also protected from outside threats infecting Office 365. With both virtual and physical sandboxes, Cynic, Symantec’s cloud-based sandboxing and detonation service, can catch even virtual machine-aware malware. Symantec Advanced Threat Protection can also correlate threat events from email with endpoint devices and network to quickly contain and remediate targeted attacks. Internal information is augmented with global telemetry from the Symantec Global Intelligence Network, one of the world’s largest cyber intelligence networks.

Symantec for Office 365 helps ensure uniform security standards and policies across the entire IT environment, while monitoring threats across all control points (email, web, and endpoint) to make them easier to detect. As more organizations adopt Office 365 and build best practices for securing their deployments, Symantec is here to help.

In the following weeks, we’ll take a closer look at specific Symantec for Office 365 capabilities.

ISTR Insights: Don’t Miss Key Findings from the 2016 Internet Security Threat Report in Live Webcast

Join us for our free webcast on May 3 at 9 a.m. PDT.

Join our upcoming “Key Findings From Symantec’s 2016 Internet Security Threat Report” webcast to tap into valuable insights from the newly released ISTR. The 2016 Internet Security Threat Report (ISTR) provides an overview and analysis of the year in global threat activity. Find more about targeted attack trends, vulnerabilities, evolving ransomware techniques, the professionalism of cybercrime, and more.

What: “Key Findings From Symantec’s 2016 Internet Security Threat Report” Webcast

When: May 3, 2016, 9 a.m. PDT

Who: Presented by Kevin Haley, Director, Symantec Security Response

Duration: 60 minutes

Register for the free webcast here.

While there is much to be learned from this comprehensive view into the threat landscape, the following are a few key findings and trends from 2015:

  • A new zero-day vulnerability was discovered on average each week. Advanced attackers continue to profit from flaws in browsers and website plugins. 
  • Half a billion personal records were stolen or lost. More companies than ever are not reporting the full extent of their data breaches.
  • Major security vulnerabilities in three quarters of popular websites put us all at risk. Web administrators still struggle to stay current on patches.
  • Spear-phishing campaigns targeting employees increased 55 percent. Cyber attackers are playing the long game against large companies.
  • Ransomware increased 35 percent. Cyber criminals are using encryption as a weapon to hold companies’ and individuals’ critical data hostage.
  • One hundred million fake technical support scams were blocked. Cyber scammers now make you call them to hand over your cash.

Find more insights on the cyber threat landscape and the potential impact it has against you and your organization. Be proactive with your protection by arming yourself with actionable insights from Symantec!

Download the full 2016 Symantec Internet Security Threat Report

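What you need to know about presidential primary apps and your personal data

Apps related to the presidential primaries are collecting large amounts of information, and in some cases important data could be disclosed.

Read more

What you need to know about election apps and the security of personal data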


Save the Date! Symantec Celebrates SVGives Day & Matches $10K in Donations to Nonprofit Techbridge


Come one, come all…Tuesday, May 3rd is the day- Silicon Valley Gives Day!

It’s a 24-hour giving bonanza created to benefit charities throughout Silicon Valley. Beginning in 2014, hundreds of local nonprofits benefited from the first-ever event, raising $15.8 million to date.

For the third consecutive year, Symantec will match the first $10,000 in donations given on svgives.razoo.com to philanthropic partner Techbridge Girls. Techbridge supports after-school activities for girls inspiring them to discover their passions in science, technology, and engineering. Since its founding in 2000, over 4,000 girls have participated in the after-school and camp programs.

Furthermore, Symantec employees can triple their impact to Techbridge by donating on Silicon Valley Gives and applying for Matching Grant funds on the company's internal giving platform the GivingStation.

Come visit representatives from Techbridge Girls at our Mountain View headquarters’ E Café between 11:30-1:30pm on Tuesday.

Anyone can participate!

With over $4 million in matching grants sponsored by SVGives supporters, there are several opportunities to double or triple donation dollars. For example, the Skoll Foundation is matching the first $50,000 raised during the 9am and 5pm hours, and Microsoft will be donating an additional $1,000 to 20 non-profits who fulfill their matching grants for SVGives.

Please join Symantec and the Silicon Valley community for this exciting chance to double or triple your impact on our local community!


Symantec will participate in the 24-hr SVGives event on Tuesday, May 3rd to raise much needed funds for philanthropic partner Techbridge – because there is an engineer in every girl!

Customer Experience Is the New Competitive Battlefield


Customer experience (CX) management is a key focus area for countless C-suite executives and decision makers. So what is customer experience? Gartner defines customer experience management (CEM) as

“the practice of designing and reacting to customer interactions to meet or exceed customer expectations and, thus, increase customer satisfaction, loyalty and advocacy.”

So the first challenge after defining customer is to decide what to measure and how to exceed those measured customer expectations.

Measuring the customer experience has multiple purposes, depending on the maturity of the organization. The purpose might be to move from a measurement anarchy to a state where measuring is an aid to an overall customer experience performance enhancement. Over the years, software organizations have established various programs to track and report customer feedback from experiences in the field. The crusade started almost 6-7 years back when a few prominent software and hardware providers formalized these efforts into voice of the customer initiatives to include this information throughout the product development process.

More recently, IDC research has shown that these voice of the customer initiatives have evolved into significant enterprise wide programs that are designed specifically to monitor the overall customer experience. While voice of the customer initiatives were typically focused on driving customer feedback into the product development process, customer experience programs are tracking customer experience at a much wider, and an all-inclusive level. They are an overall look at customer success across all aspects of the customer life cycle, across the product and services, and outside of support and development.

Business demand is still growing for the 360-degree view of the customer, driven in large part by desire to improve the customer experience. Enterprise information management helps customer experience, CDOs and other information leaders ensure that trusted data is available for this view. Securing and maintaining customer trust is a critical element of customer success initiatives, and research from IDC and Gartner proves that over the next five years, technology providers will invest in extensive efforts focused on monitoring and analyzing the overall customer experience to improve their product suite and service offerings.

Four time-tested ways to ensure an optimal customer experience:

  1. Establish and maintain strong policies and procedures around transparency for data collection and dissemination, and stick to them. Customers need to know that their participation in these initiatives will be private and anonymous (if they so choose) and will be used only for the purposes of evaluating their overall experience with products and services.
  2. Develop and expand support for customer experience initiatives at all levels of the organization, including C-level executives. Many C-suite executives lack insight into the day-to-day operations of their organizations as well as a detailed examination of end-user experiences with products and services. Establishing these initiatives with strong C-level sponsorship can help solve these problems and can help ensure long-term viability when unpleasant, unflattering data and results arise.
  3. Take advantage of big data and analytics to fully examine the customer experience. With a growing number of enterprise solutions in big data and analytics, software and hardware providers can tap into a wealth of expertise and functionality to examine and synthesize the data from their own customer experiences. When configured and executed properly, customer experience teams can gain almost unlimited insight from their proprietary enterprise data to stay in close touch with customer needs and wants, as well as broader market trends and overall strategies.
  4. Make sure team members and their cross-functional counterparts are empowered to act on any data that is gathered and analyzed as part of this process. This is the most critical step in the entire process and is an absolute requirement to build credibility into the initiative. Customer experience teams must have the power not only to build actionable advice and recommendations but also to execute and initiate change based on the customer feedback and data from the process. Without this step, customer experience teams are just data gathering programs with no power for real and substantive customer-driven change.

Customer Experience Foundations for Marketing Leaders

| Domain | Description | Sample Providers |
| --- | --- | --- |
| Customer Data | A unified audience record that captures profile, preferences and all pre- and postsales interactions | Acxiom, Experian, Harte Hanks |
| Customer Voice | Direct, indirect and inferred customer feedback through social listening, sentiment analysis and surveys | Medallia, InMoment, MaritzCX, Satmetrix |
| Customer Insight | Primary research and secondary panel data to inform understanding of customer needs, preferences and perceptions | comScore, Nielsen, eMarketer |
| Competitive Insight | Use of primary and secondary benchmark data and customer voice for tracking and optimizing competitive performance | TrackMaven, Meltwater |
| Goal Setting | Definition of strategic KPIs and operational metrics to guide your customer experience efforts | N/A |
| Persona Development | Archetypes that embody the behaviors and preferences of specific audience need states | Razorfish, Ideo, Isobar |
| Journey Mapping | Detailed definition of the stages and touchpoints of a customer decision journey and/or lifetime relationship | Razorfish, Ideo, Isobar |
| Customer Experience Architecture | A framework that combines personas and journey maps to inventory and prioritize cross-functional customer experience investments | Razorfish, Ideo, Isobar |
| Content Supply Chain | The workflow for fueling customer experience initiatives with relevant and resonant value-added content | Adobe, Sitecore, Percolate, Kapost |
| Loyalty | Incentive and rewards programs to grow CLVT through a system of points/credit accrual and redemption | Brierley+Partners, Maritz, Comarch |
| Advocacy | Programs to drive positive word of mouth at scale through references, referrals, ratings and reviews | Influitive, Bazaarvoice, Pluck |
| Automation and Orchestration | The tools and workflows that drive appropriately timed and targeted audience interactions at scale | Adobe, Oracle, Salesforce, Marketo, Kitewheel, Thunderhead.com |
| Analytics | Instrumentation and analysis of customer touchpoints to measure and optimize performance to goals | IBM, Adobe, Webtrends, Google |

Source: Gartner (January 2015)

While marketing, indeed, has a growing role to play in customer experience initiatives, the scope of a customer experience will almost always exceed the formal boundaries of the marketing organization. That's why it is critical that customer experience initiatives begin with a cross-functional orientation — and the support of cross-functional stakeholders. Just as importantly, to be successful, these initiatives require processes for sharing customer insights and driving the appropriate actions through the digital and human-centric channels within and outside of marketing's control. The highest-performing companies establish processes that cross these boundaries, ensuring that insights flow to the appropriate stakeholders and that actions can be taken in the moments that count, in the service of the customer experience (see Table above).

Protect your Business Reputation: Implement Always-On SSL


No one can escape the challenges of keeping up with a perpetually evolving cyber security environment, and no one can any longer write off fraud as something that only happens to others. In December 2014 research by TeleSign and RSA, just 11% of US companies said they hadn’t experienced any fraudulent incidents on their ecommerce sites in the past 12 months. Source: Cyber security study conducted by J Gold and Associates, Feb 2, 2015.

Fraud victims can wave bye-bye to hard-earned bucks. More than one-third of businesses reported losing between 1% and 5% of revenues due to online fraud in the past year. Online businesses don’t just risk losing dollars, though—they can also see the departure of many customers.

Of course, “fraudulent activity” comprises many risks, and further research highlights the wide range of issues online and mobile retailers must work against. Malware was the biggest issue, on PCs and web browsers as well as mobile devices. E-wallet fraud and app-related risks followed, with account takeovers and password guessing behind. If online businesses don’t better protect themselves from fraudulent activity, not only will they continue to fall victim to such incidents, they risk losing more money and customers as malware, hackers and the like become more advanced.

I know, it’s easy to read this article and feel overwhelmed, but understand that half of the website security battle is knowledge and learning. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.

A company that is serious about protecting its customers and its business reputation should implement Always-On SSL with SSL certificates from a trusted Certificate Authority. You can find out all about Always On SSL here. Google now favours websites that implement HTTPS across their entire site. Keep your visitors safe with Always-On SSL and Google will reward you with an SEO ranking boost.

As if that was not enough, many browsers now trigger security warnings when a user is hopping between secured and unsecured connections. Ensure your customers experience your website as intended with Always-On SSL. SSL and website security are now in the public consciousness, and if you’re not doing your part you could find yourself being publicly shamed on HTTP Shaming, a site set up by software engineer Tony Webster.

When it comes to businesses and their websites, good security processes and implementation are all that stand in the way of total ruin: financial and reputational.

So make sure you’re secure in 2016 with Symantec

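Keeping Your Code Signing Certificates “In Line”

According to a recent Symantec research report, a China-based advanced threat group called Suckfly has been targeting the private keys associated with code signing certificates to spread malware, and has been doing so for two years. This finding once again confirms the rising trend of cyber attackers distributing malware disguised as legitimate files and applications.

Why do cyber attackers target the private keys of code signing certificates? The problem lies in the starkly opposed nature of its purposes and in the governance of traditional code signing practices.

The key purposes of code signing are: a) to verify the integrity of content and ensure it has not been tampered with, and b) to provide attribution and non-repudiation regarding the creator of a file or application. Code signing raises the level of trust in files and applications by: a) guaranteeing that the content has not been modified; b) tying the content to an identity validated by a third party. For these reasons, many software companies and industry groups require the use of code signing.

From a practical standpoint, some browsers protect their users by displaying a warning when a user attempts to download any unsigned application. In other areas, some security applications prevent users from downloading and/or executing unsigned files and applications, to minimize the execution of code from unknown or unauthorized publishers and thereby reduce risk. As a result, we find that security-conscious organizations and those with substantial internal software or application development have generally adopted code signing. This is beneficial from both a publishing and a risk mitigation perspective.

In traditional code signing, responsibility for safeguarding the private key used in signing rests with the publishing organization. Within these organizations, the security and management of private keys is usually handled by the development team, because files and applications are mostly published by application or software developers. If that team has not been trained in security best practices and is not accountable for the consequences of lost, stolen or misused keys, larger organizations often face the risk of having their private keys stolen and used to sign malware.

There are industry best practices that help organizations prevent keys from being stolen or misused. They include:

  • Protect private keys
    • In an HSM or a purpose-built secure environment
  • Track private keys and signing events
    • Provide full visibility into signing operations, such as who signed what and when
  • Manage the assignment and revocation of publishers
    • Ensure that only authorized users can access private keys
  • Audit capability
    • Establish accountability and retain evidence of code signing activity

Beyond best practices, some organizations may place more value on improving security by avoiding distributed on-site storage of private keys, and instead keeping them in a centralized, secure location with robust key management. As the provider of 65% of the world's code signing certificates*, Symantec offers a next-generation alternative that helps address problems such as the lack of governance in traditional code signing practices and reduces the risk of private key theft. Symantec Secure App Service is a comprehensive cloud-based code signing management solution that centrally manages keys, tracks code signing events, and provides user management.

Cyber criminals will continue to look for ways to breach organizations' defenses and steal critical data. Strictly following industry best practices, or adopting a solution such as Symantec Secure App Service, helps fend off criminals' attacks and ensures that code signing achieves its inherent purpose: providing trust.

*Source: International survey conducted by rsEdge (2014)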

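Ensuring Your Code Signing Certificates “Live Up to the Trust Placed in Them”

A recent Symantec research report indicates that a China-based advanced threat group named Suckfly has targeted the private keys associated with code signing certificates and distributed malware over a two-year period. This finding confirms once more that the trend of cyber attackers distributing malware through legitimate files and applications continues to grow.

Why do cyber attackers target the private keys of code signing certificates? The problem lies in the two main goals of code signing and in the governance of traditional code signing practices.

The key goals of code signing are a) to verify the integrity of content and ensure it has not been tampered with, and b) to establish attribution and non-repudiation for the creator of a file or application. Code signing raises the level of trust in files and applications, confirms that the content has not been modified, and associates the content with an identity verified by a third party. For this reason, many software companies and industry groups are required to use code signing.

From a practical standpoint, some browsers protect users by displaying a warning message when a user attempts to download any unsigned application. In other areas, some security applications mitigate risk by preventing users from downloading and/or executing unsigned files and applications, minimizing the execution of code from unknown or unauthorized publishers. As a result, we find that organizations that place greater emphasis on security and have substantial internal software or application development generally adopt code signing for publishing and risk mitigation.

With traditional code signing, the publishing organization is responsible for the security of the private key used for signing. Within such organizations, the security and management of private keys is generally delegated to the development team, while files and applications are mostly published by application or software developers. If the team has not been trained in security best practices, or is not accountable for lost, stolen or misused keys, a large organization may face the risk of its own private keys inadvertently signing malware.

The industry has a number of best practices that help organizations prevent keys from being stolen or misused. These include:

  • Keep private keys secure
    • In an HSM or a secure environment built for the specific purpose
  • Track private keys and signing events
    • Provide visibility into who signed, what was signed, and when
  • Manage the assignment and revocation of publishers
    • Ensure that only authorized users can access private keys
  • Ability to audit
    • Drive accountability and forensic insight for code signing activity

Beyond best practices, some organizations may prefer a more secure approach: not distributing private keys on-site, but operating from a centralized, secure location with strong key management governance. As the provider of 65% of the world's code signing certificates*, Symantec offers a next-generation alternative that effectively addresses the lack-of-governance gap and other challenges of traditional code signing practices, and properly deals with the risk of private key theft. Symantec Secure App Service is a comprehensive cloud-based code signing management solution that centrally manages keys, tracks code signing events, and provides user management.

Cyber criminals will keep looking for ways to break through organizations' security measures and steal critical data. Strictly following industry best practices, or using a solution such as Symantec Secure App Service, can effectively deter such illicit activity and restore the credibility of code signing, returning it to its original, security-first purpose.

* Source: rsEdge 2014 international survey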

Suckfly: Uncovering the little-known side of code signing certificates

A China-based advanced persistent threat (APT) group's insatiable appetite for stolen code signing certificates.

Read more


Tick cyberespionage group zeros in on Japan

Welcome to #iamtech. This is a publication for YOU.


The lens on diversity in tech couldn’t be more focused at this moment in our collective history. We want to give a voice to those underrepresented in the tech industry — including minorities, women, LGBT, veterans, disabled and people entering into tech as a second career — as we explore how we got here and how we move the industry forward to be truly reflective of today’s society. To do that, we’re starting a publication #iamtech— for you, for everyone interested in this topic — to talk about what it means to you.

#iamtech's first story is written by employee C.Moulee. C. Moulee is a gay man living in Chennai, India who, despite the country's criminalization of homosexuality, is helping to lead an effort in the tech industry there – one that he describes as “Making One Cubicle Safe at a Time” – to spread awareness and acceptance of LGBT people.

"In late 2013, India’s highest court suddenly turned me and millions of other gays into criminals – once more. It was a devastating blow. But I knew we didn’t have the luxury of grieving. It was clear that we would need to seek protection in our workplaces and our communities since we wouldn’t have it under the law."

– C Moulee

The #iamtech publication will profile many of the diverse faces of our employees and partners. But most importantly, it’s not limited to them. We want to hear from you. We encourage you to share your story.

Please join us as a reader by visiting #iamtech periodically, as a contributor by sharing your stories and insights, or as an advocate by encouraging others throughout your network to read our publication.

Through #iamtech we want to create an engaging forum where readers can come to truly understand what it’s like to be an underrepresented individual in the tech industry — and inspire and elevate solutions to help push our industry forward to a more diverse future.

{Please visit Medium to read our first #iamtech article}

Ruha Devanesan is Symantec's Manager, Global Diversity and Inclusion

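“Tick”, a cyberespionage group that has begun targeting Japan

Website compromises and spear-phishing emails are being used in an attempt to infect targets with the Daserf Trojan.

Read more

Tick cyberespionage group takes aim at Japan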

Symantec OpenStack Newton Summit Videos


Symantec and our Mirantis colleagues gave several presentations at the OpenStack Newton Summit in Austin. See the videos below and let us know what comments and questions you have!

Ansible, beyond playbooks & openstack deployments

 
 
 
 
 