Channel: Symantec Connect - Blog Entries

Ransomware protection and removal with Symantec Endpoint Protection


What is Ransomware?

Ransomware is a category of malware that restricts users from accessing their devices or data. Ransomware attackers force their victims to pay the ransom through specifically noted payment methods after which they grant the victims access to their computers or to their data. With ransomlockers, the attacker pretends to be local law enforcement, demanding a "fine" to let victims avoid arrest and to unlock their computers.

CryptoLocker is a ransomware variant where malware often encrypts a user's files and often deletes the original copy. The attacker requests a ransom for the files to be unencrypted. Not only are files on the local computer damaged, but also the files on any shared or attached network drives to which the computer has write access.

Go through the latest article published by Symantec:

Ransomware protection and removal with Symantec Endpoint Protection

http://www.symantec.com/docs/HOWTO124710


The Current State of LGBT Rights in America

Symantec Hosts Human Rights Campaign President Chad Griffin to Discuss Controversial LGBT Legislation

“As the world’s largest cybersecurity company, Symantec unequivocally supports everyone’s right to feel safe and secure, including full and equal rights for the global LGBT community. We won't stop developing ways to foster an open and safe environment for all of our employees around the world, and we look forward to the day when we can celebrate genuine inclusion for all[1].” – Symantec Corp.

On Wednesday, May 11th, Symantec hosted Chad Griffin, President of the Human Rights Campaign, for a roundtable discussion on the current state of LGBT rights in the United States. Specifically, the roundtable took a look at current legislation limiting LGBT rights and North Carolina's controversial HB 2 law that was recently deemed to violate federal civil rights laws.

The roundtable included a small group of approximately 20 executives from San Francisco Bay Area companies including VMware, Hewlett Packard Enterprise, Oracle, LinkedIn and Qualcomm. Fran Rosch, Executive Vice President, Norton Business Unit represented Symantec, as well as others from Symantec's global diversity and corporate responsibility teams. 

Mr. Griffin began with a look back at the legislative developments that led to the creation and passing of the HB 2 law in North Carolina, which prevents transgender people from using restrooms consistent with their gender identity in public buildings, and doesn't allow cities to pass their own legislation protecting LGBT rights. He discussed the fast passing of the bill and the immediate disapproval by companies and people nationwide.

As the nation's leading LGBT civil rights organization, HRC immediately began awareness and advocacy efforts to overturn HB 2 after its passing. Symantec's VP Corporate Responsibility and Chief Diversity Officer, Cecily Joseph, was one of the first to join a current total of over 200 CEOs and business leaders signing a letter by HRC and Equality North Carolina denouncing the law. The letter was personally delivered by the organizations to North Carolina Governor Pat McCrory's office. Since its passing, the US Federal government has sued the state for a law that violates federal civil rights law, and North Carolina politicians have introduced new anti-discriminatory legislation.

HB2 brings to light that the fight for LGBTQ equality in the United States is far from over.  The passing of gay marriage laws has left many with the misconception that we have achieved equality. While significant progress has been made, this is still not true.

For example, while the LGBT community can now legally marry, they can still be discriminated against when buying a home, looking for a job, gaining access to healthcare – solely because of their identity.

Marriage was just the first step, and the recent spate of anti-LGBT state bills that have cropped up demonstrate that in many parts of the US, it’s still legal to discriminate against people on the basis of their gender and sexual identities. 


Symantec hosts HRC President Chad Griffin, and a small group of Silicon Valley peers, to discuss the current state of LGBT rights in America.

As a member of the HRC's Global Corporate Coalition, a "groundbreaking global coalition committed to advancing LGBT workplace equality around the world", and recognized for the 8th consecutive year on HRC's Corporate Equality Index, we continually strive to be at the forefront of equality for our employees, our industry and the global LGBT community.

We were extremely honored to host HRC and our peers in this dynamic and thought-provoking discussion led by the nation's largest LGBT civil rights organization, HRC.

What can you and your company do to support equality for all?

Sign up in support of the Equality Act that would close the loopholes states are using to discriminate

Sign the amicus brief HRC is putting out soon for companies to sign, which states the business case for LGBT inclusion

Contribute to HRC and other organizations doing the policy advocacy work to overturn discriminatory legislation by states

Learn more about the trans community and what you can do to be an ally

Markus Achord is Symantec's Manager, Global Diversity & Inclusion

Killing unknown ransomware using existing antivirus setup

How can we use an existing Symantec Endpoint Protection setup to protect against unknown variants of ransomware?

In light of the increasing activity of ransomware across the world, everybody is searching for something that can give early warning of an infection. After getting hit by two different variants of it, we also started thinking along the same lines. As antivirus administrators, we thought of playing our part by putting restrictions in place, such as blocking executables from the locations generally used by malicious software. But this proved to be of very little use against ransomware. So we thought about hitting the ransomware exactly where it tries to hit us.

Most of the ransomware that targets end users and encrypts files goes after Office documents and PDFs. These are the files that are most important to users. So we thought about taking a whitelisting approach to protect these files.

This is what we did:

  1. List the legitimate ways in which a user may delete these files. For example, if a user wants to delete Excel files, he may do it using Windows Explorer or the command prompt, he can use Excel to overwrite an existing file, or he may download a file using a browser and overwrite an existing file. In this way, list all the processes (i.e. explorer.exe, cmd.exe, excel.exe, iexplore.exe etc.), according to the environment, that are allowed to make modifications to Excel files.
  2. Allow only these binaries to modify Excel files. Terminate any other executable that tries to modify these files. The same method can be followed for other types of files that we want to protect.
  3. We achieved this using the application control feature of SEPM. If such an event occurs, it can be found in the application control logs of SEPM.
  4. A warning can be set for users if such an event occurs, so that they can report it immediately.

This will allow the ransomware to run to some extent, but it will protect Office documents: as soon as it tries to touch any Office document (or any file format we are protecting), it will be terminated and further damage is prevented. Obviously we do expect to get some false positives, but we can surely add them to the whitelist. We have carried out a few tests with ransomware samples in a test environment, and the method is proving to be effective. Let us know your views about this approach.
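The allow/terminate decision from steps 1 to 4, sketched as an added Python example; it is not code from the original post and not Symantec Endpoint Protection rule syntax. The Excel process list comes from step 1, while the Word entry, host names, paths and events are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

# Step 1: per file type, the process images allowed to modify it.
# The Excel list is the one named in the post; the .docx entry is an assumption.
EXCEL_EDITORS = frozenset({"explorer.exe", "cmd.exe", "excel.exe", "iexplore.exe"})
ALLOWLIST = {
    ".xls": EXCEL_EDITORS,
    ".xlsx": EXCEL_EDITORS,
    ".docx": frozenset({"explorer.exe", "cmd.exe", "winword.exe", "iexplore.exe"}),
}

# Only operations that change a file are policed; reads are left alone.
MODIFYING_OPS = frozenset({"write", "delete", "rename"})


@dataclass(frozen=True)
class FileEvent:
    host: str
    process_path: str   # full path of the acting process image
    operation: str      # "read", "write", "delete" or "rename"
    target_path: str    # file being acted on


def evaluate(event):
    """Step 2: return 'ignore', 'allow' or 'terminate' for one file event."""
    if event.operation.lower() not in MODIFYING_OPS:
        return "ignore"
    # ntpath parses Windows paths regardless of the OS running this script.
    ext = ntpath.splitext(event.target_path)[1].lower()
    allowed = ALLOWLIST.get(ext)
    if allowed is None:
        return "ignore"  # not a protected file type
    # This example matches on image name only; pinning the full path or a
    # file fingerprint of each allowed binary is the stricter choice.
    image = ntpath.basename(event.process_path).lower()
    return "allow" if image in allowed else "terminate"


def decisions(events):
    """Decision for every event, in order."""
    return [evaluate(ev) for ev in events]


def blocked_by_image(events):
    """Steps 3 and 4: group terminated processes by image name and host,
    the view an admin needs to triage alerts and spot false positives."""
    report = {}
    for ev in events:
        if evaluate(ev) == "terminate":
            image = ntpath.basename(ev.process_path).lower()
            report.setdefault(image, set()).add(ev.host)
    return {image: sorted(hosts) for image, hosts in report.items()}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    FileEvent("PC-01", r"C:\Windows\explorer.exe", "delete",
              r"C:\Users\a\Documents\budget.xlsx"),
    FileEvent("PC-01", r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
              "write", r"D:\share\Q1.XLS"),
    FileEvent("PC-02", r"C:\Users\b\AppData\Local\Temp\invoice_viewer.exe",
              "write", r"C:\Users\b\Documents\plan.docx"),
    FileEvent("PC-02", r"C:\Users\b\AppData\Local\Temp\invoice_viewer.exe",
              "read", r"C:\Users\b\Documents\budget.xlsx"),
    FileEvent("PC-03", r"C:\Program Files\BackupTool\backup.exe", "write",
              r"C:\Users\c\notes.txt"),
    FileEvent("PC-03", r"C:\Program Files\BackupTool\backup.exe", "rename",
              r"C:\Users\c\report.xlsx"),
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, decisions(SAMPLE_EVENTS)):
        print(f"{verdict:9} {ev.host} {ev.operation:6} {ev.target_path}")
    print(blocked_by_image(SAMPLE_EVENTS))
```

In the sample, the constructed backup.exe event is the kind of false positive the post expects: a legitimate tool that has to be reviewed and added to the allowlist.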

ISTR Insights: Sizing up Data Breaches

A detailed look at data breaches, how attacks happen, and what's at stake for your organization

Data breaches have almost become a daily occurrence. It may not seem like it on the surface, but according to the 2016 Internet Security Threat Report (ISTR), the number of publicly disclosed data breaches has risen steadily over the last number of years to reach 318 in 2015. That’s almost one data breach per day.

However, it often seems that data breaches only make the news when the number of impacted individuals reaches into the millions, or even the tens of millions—what we’ve come to call “mega breaches.” These breaches have a far reaching impact on a business that suffers one. A large company can watch its stock value drop at the same time consumer trust erodes away. And mega breaches are up in 2015; there were nine reported during the year.

Yet for all the attention-grabbing headlines, mega breaches are still relatively rare in the greater scheme of things. These types of breaches make up only around three percent of those reported in 2015. The fact is that most data breaches are different than this. So what do these data breaches look like?

Let’s start with a general overview of all data breaches this year. The average number of identities stolen per breach was 1.3 million, but averages tend to get skewed by large numbers, which is exactly what mega breaches are in this case. In contrast the median, or the mid-point when all the breaches are lined up, has been trending downwards: from 8,350 identities per breach in 2012 to 4,885 in 2015. The median has almost halved in four years, which indicates there are far more small breaches than large ones.

There’s no question mega breaches have a significant impact on the overall number of identities exposed, and this year’s total was 429 million. However, with an 85 percent increase in the number of breaches not reporting the number of identities exposed, we believe this number to be much higher. At the very least, we estimate that half a billion identities were exposed in 2015.

It’s worth noting that this is a conservative estimate; in fact, there are other organizations that have reported much higher numbers for 2015 than Symantec has. However, we hold our count to a fairly strict methodology. For example, if a breach was reported this year, but took place during the previous year, we don’t add it to this year’s total. We also only count breaches that have been publicly reported, either by a press release from the breached organization or a reliable news source. We don’t count records found exclusively on data dump sites or hacker “stolen identity collections” unless the source the data has come from is clear (these are often duplicates or old caches). That’s not to say some of these incidents aren’t legitimate breaches. We simply aim for accuracy over inclusion. Thus, while we estimate that there were at least half a billion identities exposed in 2015, it’s possible that this number is even higher, based on underreporting in the public sphere.

To get a better understanding of the size of most data breaches, let’s look at what statisticians call a boxplot. This will allow us to discard “outliers,” or unusual cases, in the data and give us further insight into what most data breaches look like, as opposed to all data breaches. (A deep understanding of boxplots isn’t necessary, but more information on them can be found here.)

boxplot.jpg

It turns out that most data breaches contain under 60,000 identities, with three quarters having less than 25,000 identities. Any data breach over 60,000 is actually an outlier—an irregular occurrence that falls outside the norm.

In terms of the data being exposed, looking at these more common data breaches also paints a slightly different picture. Save a small amount of shuffling in the order, the types of data stolen is largely the same. The most obvious difference is that medical and insurance information both jump up in rankings, indicating these breaches are more likely to contain these highly sensitive pieces of personal information.

information.jpg

What’s interesting is the overall percentages we see in the following table. It’s concerning that the percentages rise in every instance of our top ten list. What this means is that these breaches are more likely to contain a larger variety of data about the individuals exposed.

When looking at how these breaches take place, the order of causes changes when comparing all data breaches to the most common. Overall, attackers were responsible for the largest percentage of identities exposed. This remains true for the most common breaches; however, their overall share declines. Theft or loss climbs to second place as well, dropping the share of breaches that were the result of accidental disclosure significantly. Insider theft also increases when looking at most data breaches, in comparison to all data breaches.

cause.jpg

So why do most data breaches appear so much smaller when compared to mega breaches? It could be that most attackers are going after “soft targets,” or smaller organizations that may not have a lot of data, but also may not have strong defenses in place to protect against a data breach. The attackers get in and steal the data, but the size of the cache is about the size you would expect in a small- to medium-sized business. The data set is also richer, with more diverse types of data points.

As for the reasons most data breaches occur, the answers tend to lead to speculation, given the nature of the topic. Naturally those behind such attacks work diligently to mask their identities, which makes painting such a picture challenging. However, there have been rare cases where the motivation has come to light. These cases point to data breach goals rooted in identity theft, blackmail, cyberespionage, and even cyberactivism.

Ultimately a data breach is the end result of a larger security issue. Attackers can get in through a variety of ways, from misconfigured or unpatched servers to socially engineered phishing attacks that include malicious payloads. To avoid becoming the victim of a data breach, businesses should carry out regular security audits and employ defense-in-depth strategies that can detect and prevent intrusion attempts. Employing encryption can prevent attackers from siphoning off sensitive information that is in transit, while data loss protection (DLP) solutions can prevent the exfiltration of data if an attacker manages to make it into the internal network.

Regardless, every data breach is a serious incident. You can liken a mega breach to a plane crash, with the loss of identity being widespread and at times shocking. Meanwhile most data breaches are more akin to car crashes—far, far more frequent and an event that also leads to significant losses of identities.

These are just a few of the data breach subjects covered in the Symantec 2016 Internet Security Threat Report. Interested in what industries are at risk or what’s at play in the growing cyber insurance market?

Download the full 2016 Internet Security Threat Report

Indian organizations targeted in Suckfly attacks

Suckfly conducted long-term espionage campaigns against government and commercial organizations in India.

Read more

Symantec & NASSCOM Launch First Courseware for Cybersecurity Skills Initiative

Recognizes the Importance of Gender Diversity in the Cybersecurity Space

"We want to have one mission and target: Take the nation forward digitally, and economically."– Shri Narendra Modi, Prime Minister of India[1]

Exactly 10 months after Symantec's leadership announced its partnership with the Indian IT association NASSCOM to implement the joint initiative "Building Cyber Security Skills", the first courseware was released at an April 18, 2016 event hosted by NASSCOM.

At the event, Symantec's John Sorensen (SVP, Worldwide Sales) and Sanjay Rohatgi (SVP, APJ Sales) were joined by:

  • Dr. Gulshan Rai, National Cyber Security Coordinator, Government of India
  • Rajendra S Pawar, Chairman, NASSCOM Cyber Security Task Force and Chairman, NIIT Limited
  • R Chandrashekhar, President, NASSCOM
  • Nandkumar Saravade, CEO, Data Security Council of India

The initiative includes a particular focus on gender diversity, and the audience of senior functionaries from across government, industry, media and academia heard first-hand from two female candidates about their aspirations; the candidates thanked both Symantec and NASSCOM for their support.


Release of Building Cyber Security Skills courseware developed under the Symantec / NASSCOM partnership. Featured here include (L to R) Symantec's Sanjay Rohatgi, Nandkumar Saravade, CEO, Data Security Council of India, Dr. Gulshan Rai, National Cyber Security Coordinator, Government of India, Rajendra S Pawar, Chairman, NASSCOM Cyber Security Task Force and Chairman, NIIT Limited, Symantec's John Sorensen, and R Chandrashekhar, President, NASSCOM.


Symantec will sponsor 1,000 scholarships for females who successfully graduate from NASSCOM's cyber security certification. Two scholarship recipients were welcomed on stage, shared their future career aspirations with the audience and thanked the partners for the opportunity.

A partnership for the future

This partnership between Symantec and NASSCOM endeavours to build a cadre of world-class certified cybersecurity professionals in India in line with the ‘Digital India’ initiative envisioned by India’s Prime Minister Shri Narendra Modi.

Digital India is "a flagship program of the Government of India with a vision to transform India into a digitally empowered society and knowledge economy." The program focuses on three core pillars, one of which addresses the need to ensure a safe and secure cyber space for all citizens of India. While speaking at NASSCOM’s silver jubilee function on March 1, 2015, Prime Minister Shri Narendra Modi had issued a challenge to develop skills and leadership in cybersecurity.

Significantly, the partnership with NASSCOM includes scholarships for 1,000 women candidates as well as supporting creation of courseware for five job roles and training of teachers.

A project board with industry representatives, constituted under the aegis of NASSCOM, identified and prioritized job roles and continues to oversee and guide courseware development to ensure that it is aligned with industry needs. Several Symantec employees have also reviewed and provided valuable feedback in this process.

"Building the next generation of cyber professionals is key to securing India's critical information infrastructure, battling cybercrime and making the 'Digital India' initiative successful. As the global leader in cyber security, Symantec partners closely with governments and law enforcement agencies around the world[2]" 

Sanjay Rohatgi (SVP, Sales, APAC)


Rajendra S Pawar, Chairman, NASSCOM Cyber Security Task Force and Chairman, NIIT Limited, Symantec's Sanjay Rohatgi, and Nandkumar Saravade, CEO, Data Security Council of India speak at an event hosted by NASSCOM where the first courseware was released.

A key piece of the global puzzle

Today cybersecurity is one of the most important fields in technology. However, there is a projected shortfall of qualified candidates expected to reach 1.5 million globally by 2019[3].

As highlighted last July on our blog, the partnership with NASSCOM is an extension of our CR initiative launched in 2014, the Symantec Cyber Career Connection (SC3), to address the global workforce gap in cybersecurity and create a diverse, highly qualified workforce. 

We’re excited that, together with NASSCOM, this project is coming to fruition in India, and hope to celebrate many more successes together!

Deepak Maheshwari is Symantec's Director, Government Affairs, India & ASEAN

ISTR Insights: Attend the Upcoming 2016 Healthcare and Hacking Hospitals Webcasts

Join us for our free webcasts on May 25 and June 8

The healthcare industry topped the tables for data breaches in 2015, according to the 2016 Internet Security Threat Report (ISTR), which provides an overview and analysis of the year in global threat activity. Unfortunately, as more consumer (patient) data is now stored and shared digitally with the healthcare industry, this attack trend seems to continue in 2016.

How cyber secure is the health industry? How safe is your personal medical information?

Attend these two Symantec webcasts for insightful ISTR and Independent Security Evaluators (ISE) analysis on the cyber threats targeting healthcare organizations.

2016 Healthcare Internet Security Threat Report Highlights Webcast



May 25, 2016, 10 a.m. PDT



Paul Wood, Cyber Security Intelligence Manager, Symantec and David Finn, Health IT Officer, Symantec

Register for the free webcast

Get insights on:

  • How many personal information records were stolen or lost in 2015
  • Why attackers are targeting medical records
  • What’s at stake
  • How can you protect your organization

Be sure to also register and attend the June 8 webcast!

Hacking Hospitals June 8 Webcast

June 8, 10 a.m. PDT



Axel Wirth, Distinguished Technical Architect, Symantec and Geoff Gentry, Director of Healthcare, Independent Security Evaluators

Register for the free webcast

Topics include:

  • Why patient health is at risk because of cyber threats
  • Which barriers facing Health IT must be overcome
  • What actionable steps IT Security leaders can follow to properly secure and protect their hospital IT infrastructure, sensitive information, and their patients

David Finn, Symantec Health IT Officer, is part of the Independent Security Evaluators Advisory Board.

As a leader in cyber security, Symantec is uniquely positioned to share insights on the changing threat landscape. Don’t miss out on these valuable insights.

Download the 2016 Internet Security Threat Report and register for both upcoming webcasts today!

Visit Symantec Healthcare Solutions.

NEW Launches: Symantec ITMS 8.0 & CSS (May 2016) SCS Exams

NOW AVAILABLE!

About SCS Exams

The Symantec Certified credentials are industry recognized exams and are available to customers, partners, and employees. The technical certification program (i.e., Symantec Certified Specialist – SCS) targets people who have hands-on experience with the product. They might be called technical sales engineers, partner integrators, product engineers, administrators, architects, designers, technical support engineers, or consultants, for example.

Although each technology varies in complexity and depth, SCS exams measure technical knowledge and skills needed to efficiently deploy, configure, utilize, troubleshoot, and optimize Symantec solutions. SCS exams are based on a combination of training material, commonly referenced product documentation, and real-world scenarios. Learn more by visiting http://go.symantec.com/certification.

How do you access these exams?

These exams are delivered only through Pearson VUE test centers.  To register for an exam, log in to CertTracker or create a new account.  Please see our step-by-step registration instructions for more information.

What are the recommended preparation strategies for this exam?

  • Candidates are strongly encouraged to review the corresponding course materials prior to attempting the exam.

  • Review the exam study guide, which contains the exam objectives and sample items. The study guide aligns to the recommended training course by summarizing the key lessons and topics and how they correspond to the SCS exam.

Exam Details for 250-423: Administration of Symantec IT Management Suite 8.0 

# of Questions: 70-80
Exam Duration: 90 minutes
Passing score: 65%   

For more information, visit the exam page: https://www.symantec.com/services/education-services/certification/all-exams/exam-250-423

Exam Details for 250-425: Administration of Symantec Cyber Security Services (May 2016)

# of Questions: 70-80
Exam Duration: 105 minutes
Passing score: 64%   

For more information, visit the exam page: https://www.symantec.com/services/education-services/certification/all-exams/exam-250-425 

Questions?

For more information about the Symantec Certification Program, contact Global_Exams@Symantec.com.

Thank you for your support of the Symantec Certification Program!


Suckfly targets organizations in India

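Suckfly is conducting long-term espionage campaigns targeting government agencies and commercial companies in India.

Read more

Indian organizations become targets of Suckfly attacks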

Incident Response – Where Do Organizations Turn?


As more and more organizations seek to wrap the highest possible levels of protection around their businesses, the whole concept of Incident Response has evolved into something increasingly complex and sophisticated. Every enterprise has different and individual requirements, both proactive and reactive. With every incident varying in vector, scope and overall impact, and with unique legal, regulatory and industry requirements, it’s vital that organizations tailor their approach, so they have the proper readiness and response strategy in place.

The ability to prioritize and address the growing number of security alerts is at least one of the issues challenging organizations. It creates an expanding gap between an initial compromise and the time a breach is detected. This is a growing issue as attacks take longer to discover, notification is delayed, forensics investigations are hampered, public opinion declines and regulators/auditors take harsh actions. All of which defines how an organization should shape and manage its response.

Who do the security professionals protecting these organizations turn to when deciding what approach to take? First, they need to ally themselves with a service provider that has deep skills and years of experience in helping resolve incidents, returning the business to normal operations rapidly and minimizing incident recurrence, while limiting any operational impact. Equally, all of this needs to be delivered in a way that makes financial sense.

Typical incident response services are built on a per-hour/per-diem structure, which can rapidly become quite costly. By contrast, Symantec's incident response services not only address these challenges, but also offer a unique price model by not charging an hourly rate. Moreover, its services are tailored to meet the needs of organizations wherever they may be in their security life cycle, namely:

  • A current security crisis or breach situation
  • An elevated concern based on an indicator that may signal potential incoming attack or current compromise
  • Proactive and preparing in advance of an attack.

Irrespective of which of these paths an organization is on, Symantec follows generally accepted forensic procedures to collect, preserve and analyze evidence in accordance with their objectives. This includes a variety of techniques, such as log analysis, network, memory and systems forensics, live response, advanced malware analysis and security intelligence, to determine the root cause, timeline and extent of the incident.

But let’s return to the pricing challenge and the terms under which Symantec’s incident response solution is delivered. Symantec's new retainer services offer a flat rate by the day and number of experts needed, versus by the hour. There is no charge for travel time, senior leader engagement or remote project manager time. Also, with the new price model, Symantec will evaluate the situation and assess how many people and days will be required for the project and provide an estimate in advance. In doing so, any organization knows exactly what it will be charged at all times.

Finally, the Symantec incident response model is constantly evolving. The intelligence gathered from each and every incident is used to improve and advance its protection products and services, with the incidents modeled into a real-world investigation model and placed in Symantec's simulation platform for customer training.

We think our solution meets customers’ needs and addresses their concerns but what do you see as the most critical factors for organizations today in incident response? Cost, Timeliness, Intelligence, Detection, etc? What do they need that they might not even realize they are missing?

Extending the Security of Office 365: Advanced Threat Protection

How Symantec Advanced Threat Protection “connects the dots” of various control points and fights advanced threats

While Microsoft Office 365 is an excellent platform to enhance your productivity through the cloud, Symantec Advanced Threat Protection can augment the security of that platform and protect your organization.

Cyber criminals are moving beyond the PC and targeting the cloud, mobile, IoT and virtual worlds – and organizations need advanced protection to combat these threats. The Symantec 2016 Security Threat Report Vol. 21, found that there were 430 million new unique pieces of malware in 2015, up 36 percent from the year before.

Consider Symantec Advanced Threat Protection -- with the ability to correlate events across email, endpoints and network to detect stealthy and persistent attacks -- augmenting the built-in security of Office 365.

Fight advanced threats with Symantec Advanced Threat Protection

Symantec Advanced Threat Protection, the industry’s first unified solution, detects more threats and prioritizes them faster across multiple control points (network, email, endpoint). It combines Symantec’s global threat intelligence with local intelligence to strengthen protection capabilities, provide better detection, accelerate response times and reduce security-operating costs.

Fight email-based threats rapidly by leveraging these capabilities:

Improve detection with Symantec Cynic

Symantec Cynic is an entirely new cloud-based sandboxing and payload detonation service. It can execute suspicious files in both virtual and “bare metal” environments, to uncover even those “virtual machine-aware” attacks that would evade detection by traditional “virtual-only” sandboxing technologies offered natively by Office 365.

Cynic leverages advanced machine learning-based analysis and combines local customer context with Symantec’s global intelligence to detect sophisticated attacks.

Prioritize critical events

Symantec Synapse is our new cross-control point (email, endpoint, network) correlation engine that prioritizes the most important security events across the organization. This allows analysts to “zero in” on just those events of greatest risk to the organization.

A single console showing all suspicious events across the organization allows you to quickly “drill into” details of an attack, lets you see how all events are related, and search for attack artifacts across control points.

Remediate quickly

Symantec Advanced Threat Protection provides one-click containment and remediation across control points. For example, with a single click, the analyst can: “Remove BAD.EXE from all endpoints, block incoming e-mails containing BAD.EXE, and prevent BAD.EXE from entering via web downloads”. Or, go one step further and totally isolate the compromised machine from your production network.

Symantec Advanced Threat Protection also provides unique visualization of related attack Indicators-of-Compromise (IoCs), with a graphical view of how all IoCs are connected to each other.

Transition to the cloud with confidence

Symantec Advanced Threat Protection helps fill in the security gaps that Office 365 misses. We help enhance the security of Office 365 and most of all, create defenses to help protect your organization and your sensitive data. We help “connect the dots” of various control points to give you higher levels of visibility.

In the first instalment of this series, we covered how Symantec can help build on the email security of Microsoft Office 365. Read the full post here.

Looking for more insights on how Symantec can help?

Visit Symantec Office 365 Security

Thousands of Ubiquiti AirOS routers hit with worm attacks

A worm is exploiting an old vulnerability to spread across Ubiquiti routers running outdated firmware.


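Large numbers of Ubiquiti AirOS routers hit by worm attacks

A worm is exploiting an existing vulnerability to spread across Ubiquiti routers running old firmware.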


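Thousands of Ubiquiti AirOS devices targeted by worm attacks

A worm exploiting a vulnerability for which a patch has already been released is spreading among Ubiquiti routers whose firmware has not been updated.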


Searching for Identity: Race, adoption and awareness in the millennial generation

#iamtech


Dwight Smith, Net Impact's Chapters and Impact Programs Manager, shares his story in the most recent #iamtech Medium series.

What happens when a black boy is adopted at birth into a white world where race and racism are ghosts of the past and racial identity is a silly thing to waste time thinking about? As a transracial adult adoptee of color, my life journey reveals some insight into this very question.

And what happens when a mostly white millennial generation is raised without an accurate understanding of race, racism or their role in a racialized society? As Slate’s chief political correspondent Jamelle Bouie puts it, our generation “think[s] if we ignore skin color, racism will somehow disappear.”

Both questions are connected because I — and many of my millennial peers — came up in similar race-erasing worlds. Both questions are important to me, because my life experiences motivate me to address the racial confusion of the millennial generation.

I lead the Impact Race initiative for a global nonprofit called Net Impact, connecting our 100,000 members with the awareness, language and resources to lead for racial equity in their communities and careers. Members represent hundreds of campuses and companies across a wide variety of industries, including the local tech industry. Aspects of my journey as a transracial adoptee, and the majority white millennial generation experience in the United States, highlight the importance of pushing the conversation toward an honest, reflective look at how to understand racism and lead for racial equity.

Ignorance is bliss, until it isn’t.

{Please visit Medium to read more of Dwight's #iamtech article}

Privacy, Redaction and Certificate Transparency


In my previous blog, I discussed the need to balance the benefits of logging certificates publicly with the need of many customers to prevent logging of internal domain names they consider private.

The Internet Engineering Task Force (IETF) also recognized the importance of this, and has made solid progress in support for name redaction in the latest version of the Certificate Transparency (CT) specification. Based on this progress, Symantec will soon be adding a “redaction” option for customers to exclude publishing of sub-domain information when requesting certificates. With this feature, customers will be able to get the full benefits of monitoring certificates issued by Symantec and also get the privacy protection they need.

Here’s an example:

Option: All Domain Information Logged
In the default option your entire fully qualified domain name(s) will be logged to certificate transparency log servers as they appear in the certificate.
URL examples: mail.example.com, secret.example.com, secret.www.example.com

Option: Top Level Domain Name + 1 (eTLD+1) Logged
In this option your base domain name will be logged to a certificate transparency log server hosted by Symantec, but all labels to the left of the base domain may be redacted.
URL examples: ?.example.com, ?.?.example.com

With the introduction of the redaction feature, we will remove the current “opt-out” option from our tools. Why are we removing opt-out? As I shared in my last post, opt-out, while a solution for privacy concerns, is not optimal because it creates a gap where all certificates will not be logged. By supporting redacted certificates instead, we can still provide customers the benefits of monitoring their domains while addressing their potential need for privacy.  In short, Symantec will log all certificates and all certificate information by default. Customers who choose to redact should do so only when their security and privacy policies require it, and should be aware that monitoring may be simpler with a non-redacted certificate.

Google – whose browser is currently the only major one to support Certificate Transparency - has not yet announced when or whether Chrome will accommodate redaction. As a result, it is possible that Chrome will show an “untrusted” warning if it encounters certificates where customers have chosen to log their certificates with redacted sub-domain information. Therefore, customers who have internal, browser-based applications, where privacy of certificate domain information is important, may want to consider using an alternate browser or one of our Private CA options.

We fully support certificate transparency, and with the addition of redaction, we will be logging 100% of our publicly trusted certificates. But we also believe that it is important to provide customers with options, particularly when it comes to privacy decisions for their own information. We encourage customers, partners, and the broader Internet ecosystem to share your thoughts on striking this balance in the Certificate Transparency policy discussion group. 

Register Now: Symantec ITMS 8.0 Certification (SCS) Preparation Webinar (3-hours)


Register Now for This Free 3-Hour Symantec Certification Webinar to Ensure Your Success!

https://symantecevents.verite.com/34479/123456

Join us for an engaging webinar covering some of the Symantec IT Management Suite 8.0 SCS exam objectives. This 3-hour webinar will provide you with the knowledge, skills and confidence to succeed. During this webinar, Rajesh Rathod will explore some of the ITMS 8.0 SCS exam objectives, introducing some useful real-world scenarios that can help add to your skillset and better prepare you to become Symantec Certified. As part of this webinar, there will be a 15 to 30 minute structured Q&A session. Whether you are a seasoned endpoint management professional or just starting out, this webinar could benefit you.

What: Exploring Symantec IT Management Suite 8.0 SCS Exam Objectives and Real World Scenarios

Who: Technical professionals interested in knowledge, tips and hints to help prepare for the Symantec ITMS 8.0 Certification exam

When: 9 a.m. to 12 p.m. (3-hours, Pacific Time), Thursday, June 9, 2016

How: Register here and submit your questions in advance to help provide an engaging Q&A session.

Presented By:  Rajesh Rathod – Principal Technical Education Consultant

Rajesh has been employed with Symantec for more than 12 years. Rajesh started working with Symantec as a technical support engineer supporting customers globally and he has been delivering training for Symantec for 10 years since then. In addition to delivering classes, Rajesh has developed course modules and demonstrations for customers, as well as worked with consulting and partners to design and implement customer environments.

Rajesh specializes in the following Symantec technologies: Endpoint Security, DLP, and Endpoint Management & Mobility Suite. He is also a Symantec Certified Specialist (SCS) for ITMS 8.0 and has been the primary subject matter expert for the Asia-Pacific region since 2008 when Symantec acquired Altiris.

Register now at https://symantecevents.verite.com/34479/123456.    

Hacked Twitter accounts are posting links to adult dating and sex personals

Over 2,500 Twitter accounts were compromised to post links to adult dating and sex personals.


An explanation of the OS command injection vulnerability (CWE-78)

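OS command injection vulnerability (CWE-78)

This blog introduces vulnerabilities in websites and in the web applications running on them, and is compiled to raise awareness of them.

This time we explain OS command injection, the most dangerous class of web application vulnerability, which has recently been in the news as the cause of information leaks through a vulnerability in a well-known CMS.

* The content has been reviewed by Hiroshi Tokumaru of HASH Consulting Corporation.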

+++++++++++++++++++++++++++++++++++++++++++++++

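OS command injection vulnerability (CWE-78)

■Overview

Some web applications call external commands to implement their functionality. Many applications implement mail sending by calling the sendmail command. Downloading files from external sources is sometimes implemented by calling commands such as wget or curl.

When an external command is called with parameters, carefully crafted parameter values can sometimes cause a different program, one the developer never intended, to be invoked. An attack that uses this to run malicious commands is an OS command injection attack, and a state that permits OS command injection attacks is called an OS command injection vulnerability.

OS command injection continues to be reported as a software vulnerability and is abused in attacks such as website defacement.

■Attack scenario and impact

Consider a web application that asks users to register an email address during sign-up and sends a notification email to that address. In the following Perl script, $mail is the email address entered by the user.

system("/usr/sbin/sendmail $mail < /var/data/message.txt");

If $mail = "test@example.jp; cat /etc/passwd" is supplied from outside, the generated command is as follows.

/usr/sbin/sendmail test@example.jp; cat /etc/passwd < /var/data/message.txt

The semicolon ";" in a command is the separator for running two or more commands in sequence, so the command invocation above ends up displaying the contents of /etc/passwd. Many other commands can be invoked in the same way.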

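■Impact of the vulnerability

Examples of the impact of this vulnerability include the following, but are not limited to them. A server hit by an OS command injection attack is effectively taken over, and in the worst case root privileges can be seized through a vulnerability exploited from inside the server.

  • Viewing, modifying, and deleting files on the server
  • Unauthorized system operations (adding or changing user accounts, and so on)
  • Downloading and executing malicious programs
  • Attacks on other servers (use as a stepping stone)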

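■How to check for the vulnerability

The most reliable way to check for an OS command injection vulnerability is to review the source code. Search for the names of functions and methods that can invoke external commands, such as system and exec, and inspect each occurrence by eye.

Alternatively, the presence of the vulnerability can be verified by manual testing over the network. In that case, the "Web Health Check Specification" (ウェブ健康診断仕様), a supplement to "How to Secure Your Web Site" (安全なウェブサイトの作り方) published by the Information-technology Promotion Agency, Japan (IPA), describes the testing method and is a useful reference.

■Countermeasures

An OS command injection vulnerability is an application bug, so the basic countermeasure is to fix the application. When the same functionality can be achieved without an external command, an implementation that does not call one is in many cases both safer and more efficient. If an external command really must be used, adopt a method of invoking it that does not go through the shell. For details, see reference material such as "How to Secure Your Web Site".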
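The sendmail call from the attack scenario, shown next to a version that does not go through the shell. This is an added example, not code from the original article; the sub names, the simplified address pattern and the use of "--" are choices made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Paths taken from the article's example.
my $SENDMAIL = '/usr/sbin/sendmail';
my $MESSAGE  = '/var/data/message.txt';

# Vulnerable form from the article: a single string is handed to /bin/sh,
# so ";", "|", "`" and "$(...)" inside $mail are parsed as shell syntax.
sub notify_vulnerable {
    my ($mail) = @_;
    return system("$SENDMAIL $mail < $MESSAGE");
}

# Hardened form: no shell is involved at any point.
sub notify_hardened {
    my ($mail) = @_;

    # Allow-list check (simplified pattern chosen for this example, not a
    # full RFC 5322 parser). The first character may not be "-", so the
    # value can never be read as a sendmail option.
    $mail =~ /\A[A-Za-z0-9._%+][A-Za-z0-9._%+-]*\@[A-Za-z0-9.-]+\z/
        or die "rejected address\n";

    # Perl does the "< message.txt" redirection itself.
    open(my $in, '<', $MESSAGE) or die "cannot read $MESSAGE: $!\n";

    # List-form pipe open: each element becomes one argv entry passed to
    # exec directly. "--" ends option parsing.
    open(my $out, '|-', $SENDMAIL, '--', $mail)
        or die "cannot start $SENDMAIL: $!\n";
    print {$out} $_ while <$in>;
    close($in);
    close($out) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed input: the attack string from the article.
my $attack = 'test@example.jp; cat /etc/passwd';
if (eval { notify_hardened($attack) }) {
    print "sent\n";
} else {
    print "not sent: $@";
}
```

Even without the allow-list check, the list-form open would pass the whole attack string to sendmail as a single recipient argument, so the text after the semicolon would never run as a command.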

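Note that "Symantec Cloud WAF" (シマンテック クラウド型WAF) can prevent websites from being attacked through OS command injection vulnerabilities.

■References

How to Secure Your Web Site (安全なウェブサイトの作り方)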

https://www.ipa.go.jp/security/vuln/websecurity.html
