Channel: Symantec Connect - Blog Entries

Beware of Scam Emails Promising Student Loan Debt Relief

Trojan.Ascesso is attempting to send thousands of scam emails promising student loan debt relief.

"Hack the Vote": How a $15 device can impact the U.S. presidential election

Insights from Symantec’s simulated election

As one of the world’s leading cyber security companies, Symantec spends a lot of time focusing on where the most damaging cyber attacks will be in the future. Since it’s an election year, we decided to analyze the ecosystem of an election, from electronic voting machines to data transfers, vote tabulation and finally, broadcasting the results.

To get started, we purchased actual direct-recording electronic (DRE) voting machines off an online auction site and other equipment to simulate a real-world voting system. Altogether, our research and development cost less than $500 and revealed three easy ways an attacker with the right level of intelligence and motivation could erode the trust that American citizens have in their election process.  

Let’s take a look at what we found in Symantec’s “Hack the Vote” election simulation.


Stuffing the Digital Ballot Box

Voters entering polling stations that use electronic voting machines are handed a chip card that they use to cast their vote. Once someone has voted, they turn the card back in to the polling station volunteer and it gets re-used by the next voter. Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system, which means they can be exploited like any computing device.

In examining the election process for vulnerabilities, we discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card. Anyone who knows how to program a chip card and purchases a simple $15 Raspberry Pi-like device could secretly reactivate their voter card while inside the privacy of a voting booth. We found a card reader that fits neatly into the palm of our hand and used it to reset our fake voter chip cards two different ways. In one scenario, we reset the card to allow someone to vote multiple times using the same chip card. Our second method programmed the card to allow that card to cast multiple votes. In both approaches, the attacker is stuffing the digital ballot box and casting doubt on the validity of the results from that polling station.

Encryption Absent on the Voting Machine Hard Drive

We also discovered that there was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes. These types of hard drives are similar to those used in digital cameras. The lack of full disk encryption on the internal hard drive (as well as the external cartridges) presents opportunities for hackers to reprogram and alter ballots.

Potential hackers would also be unhindered by the voting machine’s lack of internet connectivity. Some types of malware, such as Stuxnet, can take advantage of air-gapped networks and vector through physical access to a machine. The lack of full-disk encryption on the DRE machine makes it easily exploitable, requiring only a simple device to reprogram the compact hard drive.


Tampering with Tabulation

A voting machine is only one vehicle for election cyber fraud. The behind-the-scenes data tabulation presents an even greater opportunity for attack. Votes are typically collected on the machine in a simple storage cartridge and physically transferred to a central database for tabulation. Ways in which the integrity of the voting data can be compromised include:

  • Manipulation of cartridges – The storage cartridge functions like a USB drive, in that it stores data in plain text with no embedded encryption. A hacker could easily rewrite vote information or add false votes onto the cartridge to alter the outcome.
  • Manipulation of the voting database – While we didn’t analyze a vote tabulation computer, our research indicated the type of database on which the votes would later be tabulated. Based on our findings, we believe it’s possible for hackers to compromise storage cartridges by uploading malware to alter the database or wipe it completely, causing recounts in numerous precincts. This year, 43 states will use electronic voting machines that are at least 10 years old. It’s reasonable to suspect some tabulation computers and software have been left unpatched or unsupported, opening the doors to other means of infiltration.

Spreading Misinformation to change voter behavior

We live in a world that allows people to connect to millions of others with the click of a button. Information spreads quickly – from across social networks to media coverage. By propagating misinformation, a hacktivist or attacker could cause voter distrust of election results.

In our simulated election, we broadcast our results “live” on YouTube. We found that it’s plausible for hackers to hijack means of communication and spread false results on YouTube, broadcast media, social media and other channels. If voters were to follow the poll leader, they might not choose to go through the trouble of voting in an election if it looked like they were in for a landslide victory.

Additionally, voters can be reached via other means of influence. Hacker Andrés Sepúlveda allegedly engineered election results in South America using an army of fake Twitter accounts, spreading false information using email campaigns, altering candidates’ websites and more.

Protect the Vote

Americans have the right to a free and democratic election. Yet there’s very little the average voter can do to secure, patch and modernize voting technology. If your district allows you to vote by paper, we recommend choosing that method over electronic voting for the time being. And if you see something that doesn’t look right when voting electronically, be sure to notify a poll worker immediately.

Ultimately, it’s up to state governments, federal organizations and voting machine manufacturers to define security standards for election equipment and employ stronger security measures. Right now, there’s too much variance in the voting systems amongst different districts.

The vulnerabilities we found can easily be fixed with existing security technology. Securing ballots throughout the voting process requires security software at all points of the process. For instance, the use of “write once, read many” storage cartridges is an easy first step. Chip cards should have asymmetric encryption. The voting machines’ hard drives should also have security measures in place – such as advanced endpoint protection, anomalous behavioral detection and full-disk encryption that is kept fully up to date. Voting machines should also have SSL certifications and public and private key encryption to protect the transmission of ballot results, as well as network protection and proxy servers to defend tabulation databases.

The recent Arizona and Illinois database attacks prove malicious actors are seeking opportunities to access the election system. Yet, few incentives exist to modernize voting security.  States can take advantage of Department of Homeland Security guidance and services to inspect voting systems for bugs and vulnerabilities, on top of the security measures voting machine manufacturers should be implementing.

Voting machines are no different than other vulnerable devices – computers, mobile phones, connected cars, ATMs and more. A lack of basic security measures defines voting technology in many states, putting democracy at stake. 

Why a Lens on Diversity is one of the Most Critical Skills for Tomorrow’s Impact Professionals


This post was originally published October 13, 2016 on Net Impact's Blog in advance of the 2016 Net Impact Conference.


By Cecily Joseph, VP Corporate Responsibility and Chief Diversity Officer and Ruha Devanesan, Manager, Global Diversity and Inclusion, Symantec

There is no denying that diversity is one of the most talked about issues in business at the moment. And for good reason. McKinsey research estimates that “$12 trillion could be added to global GDP by 2025 by advancing women’s equality.” It also shows that companies which are gender diverse are 15% more likely to outperform peers, and those that are ethnically diverse are 35% more likely to outperform peers. And Gallup research shows that organizations with inclusive cultures have 27% higher profitability than those without.

Diversity helps us understand our customers better, respond to trends quicker, and stimulate innovation because of the diversity in thoughts and approaches. It also makes people feel more accepted and respected, creating a happier and healthier workplace. Diversity makes moral AND business sense. 

Whose responsibility is it anyway? All of ours. 

To create a future workforce that truly mirrors our available workforce, we must, as individuals within our organizations, recognize the role we play. Diversity is a lens we often apply, as CSR and social impact professionals, to the populations we target and how we spend our philanthropic dollars. We often neglect, however, to think about the diversity of our own internal teams, and of the partners we choose.

How can we as CSR and impact professionals integrate diversity into our business morals and every day work? How can we be provocative, and address controversial issues related to gender and equity head on? Below are a few key ways Symantec, and some other companies that inspire us, look to impact diversity across our functions, partners, customers, and communities:

  • Attracting, retaining, and advancing diverse employees. Through our diversity strategy rooted in the four key areas here, we have increased female representation on our board to 33 percent and are working towards our goal of having women in 30% of all leadership positions by 2020. Similarly, Walmart President’s Global Council of Women, comprised of 14 female leaders, uncovers opportunities for females and inspired Walmart Canada to create its Women Retail Program, that has resulted in females representing more than half of Walmart Canada’s managers, including its corporate office and field.  
  • Ensuring an inclusive experience for our employees, customers and entire value chain. 
    • Our five employee resource groups (ERGs) are key to building an inclusive culture. For example, due to the work of our Pride ERG, all-gender single-stall bathrooms are now available at Symantec headquarters and other main sites, and transgender inclusion guidelines are available to assist any employee transitioning during their Symantec tenure.  AT&T, with a goal to hire 20,000 veterans by 2020, relies on its veterans ERG to mentor and support veterans transitioning into the company. And more than 10,000 employees participate in Target’s diversity focused business councils. 
    • Additionally, this year we launched a new set of employee values and a leadership blueprint that call out diversity and inclusion as key tenets of how we work at Symantec. We are rolling out trainings for managers on the role unconscious bias plays in every day decisions, and trainings for all employees on how to build and sustain inclusion on teams. 
  • Investing in your industry, customers, and entire value chain. Our signature Symantec Cyber Career Connection (SC3) program is addressing the growing cybersecurity workforce gap and provides underrepresented young adults and veterans the preparation and training to enter a long-term cybersecurity career. 
  • Promoting equality on a national and global level. 
    • At Symantec we partner with the Human Rights Campaign (HRC) and just in this past year have joined 180+ of the world’s most prominent companies including Coca-Cola, Campbell Soup Company, Starbucks, Facebook, IBM, Microsoft, Yahoo, to advocate for marriage equality, denounce the Bathroom Bill and support the Equality Act—protecting LGBT individuals from discrimination on a federal level in the United States. 
    • Additionally, our #iamtech Medium publication, gives a voice to those underrepresented in tech through personal and thought provoking stories written by authors within and outside of Symantec.

Pushing boundaries

Improving diversity requires a long term, multifaceted approach and while substantial progress has been made, as professionals with a purpose we can still do more. In the same way companies have shifted practices due to climate change and human rights risks, we need drive and courage to tackle gender and racial equity issues. For example, in a current series with Triple Pundit, “Black Lives Matter and Beyond: Corporate Leaders Respond,” we discuss the ways companies can address controversial racial and diversity issues, as opposed to shying away from the discussion. 

We must step up and own this issue, drive awareness, and help our businesses integrate diversity & inclusion into their everyday operations. Whether or not we are part of an ethnic community, the LGBT population, just entering the workforce or an industry veteran, inclusion should be a concern and priority for all of us looking to create tomorrow’s responsible AND successful businesses.

Net Impact's ongoing blog series features articles written by a few of the speakers Net Impact is looking forward to seeing at the 2016 Net Impact Conference.  Cecily will be speaking on Saturday, November 5th at 11:00am during the Beyond Diversity: A Multi-Tiered Approach to Sustaining Inclusion in Business session and Ruha will be speaking Saturday, November 5th at 9am during Breaking Through Barriers for the Inclusive Employment.

Malware and spam groups exploit US election fever

As the presidential election draws near, the level of malware and spam activity attempting to capitalize on interest in the campaigns of Donald Trump and Hillary Clinton has risen.


Keeping Williams Martini Racing Secure

Winning on the track and off!

Industrial espionage is a major threat to all Formula One teams, and the car data is their “crown jewels”. From teams recording the sounds of other cars' engine noise to determine the gear ratios, to the infamous stories of staff stealing data and taking it to other teams, these are all common challenges. During a race weekend at Silverstone there are over 250,000 fans and it is then that teams are most exposed. We were asked if there was a risk to the team's IT systems and what we could do to help secure them. The question was: Over a 2-day test at Silverstone, could we gain access to the Williams’ network & their sensitive data?

5am was an early start, but I was quite looking forward to meeting our “friendly pen tester”. We met in a pub carpark just down the road from the Silverstone circuit with our contact from Williams who was acting as our malicious insider for the exercise. Shaun turned up and was not exactly what I was expecting; he was well dressed, articulate & clearly ex-military. We drove in convoy and were then escorted into the Williams motorhome. Over a cup of tea we ran through the initial plan for the two days and confirmed the scope of the exercise that had been agreed. Our main attack vector was going to be the wireless networks in the garage. They had a direct link to the sensitive Williams data in the pit lane and the factory network back at HQ. As we walked through the garage and onto the pit lane we located the best spot in the grandstand to try and get access.

At 9.40am we picked our spot & sat in the grandstand directly opposite the Williams pit garage and we had a clear line of sight inside. With a laptop and a directional wireless antenna (called the “cantenna”, which looked more like a Pringles tube) pointing at the garage, we were able to get a signal on the Williams wireless networks from 100 yards away. At 10.06am, just as I was getting comfy and enjoying watching some of the cars go past, there was a breakthrough. “We are in!” Full access to the network. One of the wireless networks was using only MAC authentication; by spoofing one of the MAC addresses we were straight onto that wireless network. I expected him to get in, but not in less than half an hour.

The weather was pretty miserable, so we moved to the comfort of the motorhome to continue the recon. Shaun began expertly probing around the network and checking what ports were open and what IP addresses were responding. For several hours he worked diligently checking what services were open until he found an open web server. He opened it in a browser. It was the management interface for the server infrastructure. With some lengthy in-depth forensic investigation and careful research he was able to establish the user credentials and log on to the management console. From here he could control and shut down the entire server infrastructure, but not actually see any of the data. We took an emergency pause to let them know they needed to fix this and fix it now. Within 15 minutes the issue had been addressed, the port secured and the risk totally mitigated. We had already provided our value.

As part of the exercise we had set up a couple of machines with some “sensitive” data for Shaun to try and access. One of the machines was secured with Symantec Data Center Security: Service Advanced (DCS:SA) and one was not. The policy we had applied to the secured machine prevented all users, including Administrators, from accessing the files, even if Windows privileges permitted, unless they used the correct application with the specified user. Now that Shaun was on the network he was able to gain access to both machines using an RDP connection and was merrily navigating his way around the file systems. We had placed a text file “flag” in a directory on each machine and his challenge was to tell us the content. The unprotected file was not a challenge, but for the next several hours Shaun tried many different methods and could not open or read the protected file even when he had gained Administrator access. From within the DCS:SA console we could see everything that Shaun had tried and how Symantec DCS had kept him out.

As the day drew to a close and ideas ran out our two days onsite ended. We had shown that pit lane equipment was vulnerable to access from the public grandstand and with 250,000 fans over a race weekend this could be a serious potential weakness. The risks identified have now been fixed and the project proved to be a success. Shaun had managed to gain access to a number of systems and was satisfied with what he had achieved. Even with the correct Windows privileges he was unable to get access to the files that a well-crafted DCS:SA policy had secured. With everyone feeling pleased with the days, we shook hands and enjoyed the Formula One cars out on track.

Formula One is a multi-million dollar business where advantages are measured in hundredths of a second; any potential advantage can be worth millions of pounds over a season. Ensuring that the sensitive data is kept secure is paramount to all the teams; Williams uses Symantec DCS:SA, making sure their data is as secure as possible. Learn more about how Symantec keeps Williams security on track.


Defining the Future of Cyber Security, Together with our Partners

Symantec partners help fuel our growth and desire to innovate industry-leading solutions.

Last week, we held the first of three annual Partner Engage conferences – this one in Los Angeles, California for our Americas partners. The theme of this year’s event was “Defining the Future of Cyber Security, Together.” With the recent integration of Symantec and Blue Coat, we had the exciting opportunity to share our mission as a new company to our partners and the industry.

Partners attending this year’s event were treated to a full day’s worth of compelling insights.

“Partner Engage is our largest gathering—over 600 partners worldwide—of our most strategic partners, and this year is especially important as our partners meet our new executives and learn how we can define the future of cyber security, together,” said John Thompson, VP, Worldwide Partner Sales, Symantec. Thompson discussed how the Symantec and Blue Coat partner programs will remain separate until a new program is launched in the April 2017 timeframe.

CEO Greg Clark was also on hand in Los Angeles to share his thoughts on the vision for the new Symantec and how we will deliver on that vision through the Integrated Cyber Defense Platform. There was also a fireside chat with Symantec sales leadership on go-to-market strategies, key focus areas for the new Symantec, and how partners play an important role in our success and growth. Additionally, the event included partner program and strategy updates, innovation presentations, Symantec customer sessions, a special guest presentation by Herm Edwards – NFL legend and ESPN host,  as well as networking opportunities.

“Defining the Future of Cyber Security is about acknowledging the fast-changing cyber security industry and the evolving needs of all our customers—both big and small—to stay protected,” says Balaji Yelamanchili, Symantec EVP and General Manager. “I’m excited to have presented ‘The Future of Cyber Security: An Innovation Update’ along with my colleague Bradon Rogers, SVP of Product Strategy and Operations. Sharing our product roadmap with our key partners was important to ensuring they are as invested in Symantec as we are in innovation and helping our customers remain protected from the security challenges they face.”

Partners are an integral part of Symantec’s strategy. Investing with Symantec partners helps fuel our growth and desire to innovate industry-leading solutions. Success depends so much on working with our partners -- listening, sharing, and working together to secure our shared future. We look forward to our next meetings with partners in London and Tokyo this year.

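Malware and Spam Exploiting the Excitement Around the US Presidential Election

As the presidential election approaches, malware and spam seeking to exploit interest in the campaigns of Donald Trump and Hillary Clinton are becoming more active.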

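US Election Becomes a Target for Malware and Spam Groups

As the presidential election approaches, attackers are exploiting interest in the campaigns of Donald Trump and Hillary Clinton and have raised the level of malware and spam activity.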

Attackers use Discord VoIP chat servers to host NanoCore, njRAT, SpyRAT

Malicious actors are abusing a free VoIP service for gamers to distribute remote access Trojans, as well as infostealers and downloaders.


IoT and Diversity – Do We Have Enough Good Guys to Fight the Bad Guys?


From connected cars to connected kitchens to connected classrooms, the Internet of Things (IoT) is advancing our lives in ways we never imagined. It is expected there will be 50 billion connected devices by 2025[1]. While the benefits of a mobile world are easy to appreciate, protecting customers and their information from the accompanying risks has never been more of a priority:

  • In 2015, Symantec’s Internet Security Threats Report saw a record-setting total of nine mega-breaches, the reported number of exposed identities jumped to 429 million and there were over one million attacks on people each day in 2015[2].
  • The cyber security market itself is projected to grow from $75 billion in 2015 to $170 billion by 2020[3].
  • From 2000-2015, demand for cyber security professionals increased 3.5 times faster than the demand for other IT jobs and increased more than 12 times faster than the demand for other non-IT jobs[4].

Cyber security’s role in our world is changing almost as fast as the online world it’s protecting.

Are companies preparing for this shift?

Only half of CEOs surveyed in KPMG’s 2015 Global CEO Outlook Survey are prepared for a cyber event while close to a third of them feel cyber security is one of the most significant factors for their business today.

Part of this gap is due to the fact that many organizations only understand IoT security risks at a high level. For example, information in the cloud may streamline services; however, critical information will now require more sophisticated protection. Having a connected device – such as a car – can revolutionize the customer experience; however, it also means predators can compromise vehicles in a whole new way. Security is no longer an add-on or a nice-to-have; it is critical and must be an integral part of the development process.

How can companies prepare for this shift? A few weeks ago, I attended the Black Enterprise Tech ConneXt Summit where leading technology executives gathered to discuss the industry’s latest trends. Part of the discussion surrounded one of the key success factors in our increasingly connected world – growing a diverse, qualified workforce.

In cyber security this is a growing challenge. While unemployment remains high in most parts of the world, the cyber security industry is its own oasis of professional opportunity. An estimated 500,000 to 1 million jobs remain unfilled in the U.S. alone[5]. This gap is expected to grow to a staggering 1.5 million by 2020[6].

At the same time, the cyber security industry faces a significant lack of diversity. While women are leaders in adoption of technology, they hold less than 26% of technology jobs in the United States. When looking at some of the leading tech companies, less than a third of leadership positions are females, and at most less than a third are minorities[7]. The research is clear that diversity strengthens companies across the board. According to McKinsey, “companies in the top quartile for racial and ethnic diversity are 35 percent more likely to have financial returns above their respective national industry medians, and companies in the top quartile for gender diversity are 15 percent more likely to have financial returns above their respective national industry medians.”

We must bridge this gap – help people of all backgrounds understand the opportunities that exist and the road they can take to get there. I like to say, we need enough good guys to protect against the bad guys.

New roles are emerging and we are breaking down conventional stereotypes; a career in tech no longer means being a data analyst or coder. Technology relies on a stellar user interface, creative and engaging marketing strategies, and much more. At Symantec we are creating opportunities through our employee resource groups (ERGs), developing partnerships to recruit and retain diverse talent and helping fill the workforce gap by offering opportunities to professionals of all backgrounds through our signature Symantec Cyber Career Connection (SC3) program. 

Security is often seen as a roadblock, however today’s leaders are seeing it as an opportunity. An opportunity to build customer trust, brand credibility and differentiate from the competition. Technology is an enabler both through the solutions it makes possible as well as the breadth of opportunities it’s creating for a diverse and qualified workforce.

Renault Ross is Symantec's Chief Cyber Security Business Strategist 

Attackers Use Discord VoIP Chat Servers to Host NanoCore, njRAT and SpyRAT

Attackers are abusing a free VoIP service for gamers to spread remote access Trojans, infostealers and downloaders.

SEP admins responsible for creating reports wanted for feedback


Symantec’s User Experience team is conducting 1:1 interviews over WebEx about report creation, use, and distribution in SEP.cloud, SEP SBE, and SEP on-premise environments. We are looking for SEP Admins, IT Security Engineers and Security Analysts responsible for creating and disseminating reports to participate in one 60 to 90-minute long session between Wednesday Oct. 26 and Friday Nov. 11, 2016.

If interested, please email XRM-symcusabil@symantec.com from your work email with:

  1. Your name
  2. Your title and brief description of responsibilities
  3. Your company / employer
  4. The number of endpoints managed
  5. Which SEP product you use? (.cloud, SBE, on-prem)
  6. Is your organization’s IT infrastructure mostly A) on-prem, B) cloud, or C) hybrid?
  7. What tools do you use for data analysis, aggregation, and/or visualization?

All participants must be listed as Symantec SEP customers in our Salesforce tool.

Participants will receive a gift card for their participation and will help shape Symantec’s future security products.

Symantec pens in Dirty COW


Symantec Data Center Security Server Advanced (DCS:SA), formerly known as Critical Systems Protection (CSP), blocks the Dirty COW exploit. The protection for this attack vector has been in the prevention policies since 2005, so all versions of DCS:SA and CSP offer the protection by default. Additionally, a targeted prevention policy can be created to either monitor or block this specific Linux vulnerability.

Exploit Analysis and Proof of Concept Testing:

The vulnerability is an underlying programming bug in the copy-on-write (COW) mechanism found in the Linux kernel which, when exploited, provides privilege escalation. The nature of the flaw is that programs can set up a race condition to modify what should be a read-only file that is mapped into memory and then persist those changes to storage. The scope of the impact is that a non-privileged user can alter root-owned files and executables and thus effectively own the system. The ease with which this vulnerability, introduced in 2007, can be exploited on such a wide range of Linux systems makes this of particular concern to customers. More information can be found at (https://dirtycow.ninja/) and the proof of concept code is currently hosted on GitHub (https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs).

The exploit proof of concept code was compiled, executed and successfully tested on an unprotected Ubuntu host using a non-privileged user account. The same attack was executed with a DCS:SA agent on the host with the default Unix protection policy applied and the exploit failed. The agent prevented the key step in the exploit from running, which is opening the logical file /proc/self/mem with read and write access (where self is actually a process id). By default the DCS:SA Unix Policy does not allow write access to these /proc files, as this is deemed unusual and undesirable behavior.

Below is a subset of the event/alert attributes captured for this Dirty COW POC exploit.

Description           File Write Denied for tst.out on /proc/2957/mem
User Name             pjc
Process               /home/pjc/Downloads/tst.out
File Name             /proc/2957/mem
Disposition           Denied
Operation             open
SDCSS Result          0000000D (Permission denied)
Permissions Requested 00000003 (read, write)

The test was re-run using the root account and the exploit was stopped again (as the behavior is still unusual and undesirable even for a root user).

A quick automated test script was then run across all Unix Policy containment sandboxes to verify that this exploit would be stopped for system processes such as crond,  applications such as Apache and the DCS agent. All were prevented from accessing the key resource (/proc/self/mem) for write-access necessary for the exploit to work. The test also confirmed that unprotected applications such as those the customer may have specifically excluded from DCS protection features (usually provisioning tools) or general daemons not in the OOTB content would allow the exploit to succeed. However this attack space is a much smaller sub-set and also requires additional exploits at these targeted apps prior to a Dirty COW style exploit being run. DCS already provides system wide protection to stop these other threat vectors.

Customer Considerations

The customer can choose to mitigate the small set of unprotected use cases noted above by adding a read-only rule for the file path /proc/*/mem to the default Unix Policy, applied to one of the following:

  • specific applications,
  • unprotected sandboxes (covering all the applications in the sandbox), or
  • all applications, as a global rule

DCS customers who only monitor security can use DCS to detect, in a matter of minutes, whether the Dirty COW exploit executes on any of their Linux systems. To do so, they can quickly deploy a targeted prevention policy in monitor-only mode that incorporates the same read-only file rule noted above (this requires that the Host IPS feature is enabled on the agent).
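For triage of the resulting events, the sketch below parses event text in the attribute layout shown in the excerpt above and flags every open of /proc/<pid>/mem that requested write access, whether it was blocked or not. It is an added example, not Symantec code: the first sample event is the one from this post, the other three are constructed, and the "Allowed" disposition for monitor-only mode is an assumption.

```python
import re

# /proc/<pid>/mem or /proc/self/mem: the resource the post identifies as key to the exploit.
PROC_MEM = re.compile(r"^/proc/(?:\d+|self)/mem$")

# Attribute labels exactly as they appear in the event excerpt in this post.
FIELDS = ("Description", "User Name", "Process", "File Name", "Disposition",
          "Operation", "SDCSS Result", "Permissions Requested")

def parse_event(text):
    """Turn one block of 'Label   value' lines into a dict keyed by label."""
    event = {}
    for line in text.splitlines():
        line = line.strip()
        for label in FIELDS:
            if line.startswith(label + " "):
                event[label] = line[len(label):].strip()
                break
    return event

def requested_permissions(event):
    """Return the permission names listed in parentheses, e.g. {'read', 'write'}."""
    m = re.search(r"\(([^)]*)\)", event.get("Permissions Requested", ""))
    return {p.strip() for p in m.group(1).split(",")} if m else set()

def proc_mem_write_findings(raw_events):
    """Flag write-access requests on /proc/*/mem and record whether they were denied."""
    findings = []
    for raw in raw_events:
        ev = parse_event(raw)
        if not PROC_MEM.match(ev.get("File Name", "")):
            continue
        if "write" not in requested_permissions(ev):
            continue  # read-only access to /proc/*/mem is what the rule permits
        findings.append({
            "user": ev.get("User Name"),
            "process": ev.get("Process"),
            "target": ev.get("File Name"),
            "blocked": ev.get("Disposition") == "Denied",
        })
    return findings

SAMPLE_EVENTS = [
    # Event attributes as published in this post.
    """Description           File Write Denied for tst.out on /proc/2957/mem
    User Name             pjc
    Process               /home/pjc/Downloads/tst.out
    File Name             /proc/2957/mem
    Disposition           Denied
    Operation             open
    SDCSS Result          0000000D (Permission denied)
    Permissions Requested 00000003 (read, write)""",
    # Constructed: read-only open, which the read-only rule allows.
    """User Name             ops
    Process               /usr/local/bin/constructed-inspector
    File Name             /proc/3110/mem
    Operation             open
    Permissions Requested 00000001 (read)""",
    # Constructed: monitor-only mode; 'Allowed' is an assumed disposition value.
    """User Name             root
    Process               /tmp/constructed.bin
    File Name             /proc/4021/mem
    Disposition           Allowed
    Operation             open
    Permissions Requested 00000003 (read, write)""",
    # Constructed: write request on a different /proc file, outside the rule.
    """User Name             ops
    Process               /usr/local/bin/constructed-inspector
    File Name             /proc/3301/maps
    Operation             open
    Permissions Requested 00000003 (read, write)""",
]

if __name__ == "__main__":
    for f in proc_mem_write_findings(SAMPLE_EVENTS):
        state = "blocked" if f["blocked"] else "NOT BLOCKED"
        print(f'{state}: {f["user"]} ran {f["process"]} -> {f["target"]}')
```

Findings with `blocked` set to false are the ones to investigate first, since they come from hosts or applications where the rule is only monitoring.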

Stay Tuned

We will be updating this blog to include a demo video of the exploit and the protection, and to provide a targeted prevention policy for those who want to monitor or protect their servers against this vulnerability.

Enhancing Symantec Email Quarantine of Email Security.cloud for Information Protection

The new Information Protection quarantine of Email Security.cloud

Starting November 2016, Symantec will begin rolling out the next version of the Email Quarantine to Symantec Email Security.cloud customers.

The latest version of the Symantec Email Quarantine includes a number of new features and improvements including:

  • Administrators can quarantine emails based on Data Protection and Image Control policies
  • New, mobile-optimized experience for users
  • Users can release emails to administrators for further investigation
  • Administrators have greater visibility into quarantine usage through enhanced reporting
  • Clear differentiation between spam and new data protection/image control emails
  • New email information such as attachment names and email direction

For existing customers using the Email Quarantine in Symantec Email Security.cloud, no action is required to obtain these additional capabilities. Customers can begin using the new Email Quarantine and leverage the Email Security.cloud admin console to configure Data Protection and/or Image Control policies for the quarantine.

Current Symantec Message Manager customers will automatically be migrated and new emails will be directed to the new Email Quarantine so that customers can access their data using the new portal. Migration dates will be published in the News section of the Email Security.cloud admin console.

Email Quarantine configuration options can be found on the Quarantine Settings page, which will be moved from Services > Anti-Spam > Quarantine to Services > Email Quarantine.

In order to provide you with the necessary resources and knowledge to support these new capabilities, we have posted several videos and quick start guides with helpful content on the new look and feel:

Videos:

Quick Start Guides:

Attacks emerge that use Discord's VoIP chat servers to host NanoCore, njRAT, and SpyRAT

Attackers abusing a free VoIP service aimed at gamers are spreading remote access Trojans, infostealers, and downloaders.

Brexit and the GDPR


The EU General Data Protection Regulation introduces new requirements on how your business data is processed, who is responsible for it, and what happens if it is lost, including harsh penalties for organizations that do not comply.

The recent Brexit vote has created legal uncertainty around the implementation of current and upcoming EU law in the UK. Although the position of Brussels is clear - that as long as the UK is an EU member it is expected to fully comply with EU law and its membership obligations - it is inevitable that investors, regulators, politicians and compliance officers will ask whether the UK can “cherry-pick” what it wants to apply as it walks towards the exit.

The future of the GDPR in the UK

Much depends on the nature of the new relationship, the concessions of each side, and the negotiation timeline once Article 50 is officially triggered. For those active in the technology space, a key question on the impact of Brexit is whether the General Data Protection Regulation (GDPR) will apply to the UK or not, and what will be the role of the Information Commissioner (ICO), the independent privacy regulator in the UK that would be expected to enforce GDPR.

A quick look at the timelines suggests that the GDPR, which will enter into force on 25 May 2018, will apply in the UK, since it is a regulation directly applicable in every EU member state. Even if Article 50 was triggered on 31st March 2017 (which seems more likely given recent UK government statements), the two-year deadline it foresees expires on 31st March 2019. Therefore, the GDPR would apply in the UK and would create legal obligations during the time the UK is a full member.

Based on existing timelines and the high degree of certainty that there will be lengthy negotiations between the UK and EU, it is safe to assume that unless there is a common decision to the contrary, the GDPR will become fully applicable in the UK.

Continuing relationships

Not all EU-UK relationships are likely to be severed after Brexit. In fact, the UK position suggests that the political objective for the UK will be to maintain some level of access in the single market.

Even a country like Switzerland, which Brexit supporters point to as an example of a successful external relationship with the EU, has qualified for essential equivalence status when it comes to data protection, which is then essentially covered by EU law. It is difficult to see how the UK, a major information technology hub in Europe, can secure access to the Digital Single Market while avoiding regulatory requirements on the treatment of personal data.

The implications for UK companies in Europe

One also needs to remember that the GDPR applies to all companies that target the European territory with their products or services. Due to the export focus of the UK digital economy, many UK-based companies and their suppliers will need to apply the GDPR in their internal processes irrespective of the “law of the land” because it will be a legal requirement for doing business in continental Europe. Consequently, some of the stringent GDPR requirements such as security, breach notification, cross-border data transfer, right of access and right of deletion will apply in the UK “through the back door” by virtue of companies’ internal policies and contractual requirements.

Whereas questions around the impact of the GDPR and Brexit are understandable, it seems that the GDPR will apply in some form in the UK. In fact, there is even an incentive for the rest of the Member States to insist on GDPR applicability since the alternative – UK access to the Digital Single Market without rules for data - would create a unique competitive advantage for the UK.

Likely consequences of Brexit

Nevertheless, Brexit does pose issues for the UK digital economy. For example, the impact of Brexit on the EU Fundamental Human Rights Charter raises concerns about the role of UK security agencies in accessing EU citizens’ personal data, even if UK legislation is essentially equivalent to the GDPR. This may result in agreements similar to the EU-US Privacy Shield in the UK for cross-border data transfers.

Another question will be around the participation in the European Data Protection Board of the Information Commissioner’s Office (ICO), seen as a progressive and effective regulator whose feedback the regulatory community would miss.

Brexit does trigger regulatory uncertainty in many policy areas but less in data protection. Companies operating in multiple jurisdictions in Europe, including the UK, should continue to prepare for GDPR compliance while closely monitoring the progress of the Brexit negotiations as they will finally determine the exact compliance requirements for the UK.

The EU GDPR and Brexit


From mid-2018, the new General Data Protection Regulation (GDPR) enters into force and is intended to harmonize data protection across Europe.

The recent Brexit decision has led to some legal uncertainty regarding the implementation of current and future EU laws in the UK. Although the position of Brussels is entirely clear (as long as the UK is an EU member, it is expected to comply with all EU laws and membership obligations), it is equally clear that British investors, legislators, politicians and supervisory authorities will try to cherry-pick, since the country will be leaving the EU shortly.

The future of the EU GDPR in the UK

A great deal depends on the nature of the new partnership, the concessions made by both sides, and the negotiations once Article 50 TEU has officially been invoked.

For most companies in the technology sector, the core question is whether the EU GDPR should apply in the UK at all after Brexit, and what role the Information Commissioner (ICO), the data protection authority responsible for implementing the new regulation, will play.

Looking at the timeline alone, the EU GDPR, which enters into force on 25 May 2018, will also apply in the UK, because it is a regulation that every EU member state must implement immediately. Even if Article 50 were invoked on 31 March 2017 (which is more likely according to statements by the British government), the two-year period it provides for ends on 31 March 2019. For this reason alone, the EU GDPR would also apply in the UK and create legal obligations for as long as the UK is still a full member of the EU.

Given the existing deadlines and the high probability of protracted negotiations between the UK and the EU, it can safely be assumed that the EU GDPR will apply in full in the UK as well, unless an explicit decision to the contrary is taken.

Continuing relationships

Not all relationships between the EU and the UK will change after Brexit. On the contrary, the UK's position suggests that the political objective will be to keep the British internal market largely open.

Even a country like Switzerland, which Brexit supporters like to cite as a successful example of an external relationship with the EU, holds a qualified equivalence status with regard to data protection, which in turn is covered by EU law. It remains to be seen how the UK, as an important hub of information technology in Europe, intends to guarantee secure access to this (then external) market without establishing specific legal requirements for data protection.

Implications for British companies in Europe

It must not be forgotten that the EU GDPR applies to all companies that want to operate on EU territory with their products and services. Because of the export orientation of the British digital economy, numerous British companies and their suppliers will have to take the EU GDPR into account in their internal processes, regardless of the law applicable in the UK, since it is a legal prerequisite for doing business on the European continent. For that reason alone, some of the strict requirements of the EU GDPR, such as security, breach notification, cross-border data transfer, rights of access and the right to deletion, will also apply in the UK “through the back door”, since many British companies will align their strategies and contractual requirements with them.

While questions about the impact of the EU GDPR and Brexit are entirely understandable, it seems clear that the EU GDPR will apply in the UK at least in a similar form. In fact, it is even in the interest of the remaining EU member states that the EU GDPR must apply, because the alternative (British access to the Digital Single Market without data protection rules) would hand the UK a considerable competitive advantage.

Likely consequences of Brexit

Nevertheless, Brexit poses problems for the British digital economy. For example, the effect of Brexit on the EU charter of human rights raises concerns about the role of the British intelligence service in collecting personal data of EU citizens, even if British legislation is essentially equivalent to the EU GDPR. The UK is therefore likely to see agreements for cross-border data traffic similar to the data protection agreement concluded between the EU and the US (Privacy Shield).

A further question is the participation in the European Data Protection Board of the Information Commissioner’s Office (ICO), which is seen as a modern and effective regulatory institution and whose absence legislators would regret.

Brexit is causing considerably more uncertainty in many other policy areas than in data protection. Companies that are active in Europe's numerous legal systems, including the UK, should continue to prepare for the EU GDPR and watch the Brexit negotiations with a wait-and-see attitude, since only later will these reveal the exact requirements for the UK.

The General Data Protection Regulation in the age of Brexit


The new European data protection regulation, the GDPR (General Data Protection Regulation), imposes new constraints on how your company manages data, who is responsible for it, and how data loss is handled. Penalties are provided for companies that are not in compliance.

The result of the recent British referendum on leaving the European Union (Brexit) has created legal uncertainty about the implementation in the UK of present and future European regulation. Although the position of Brussels is clear (as long as the UK remains in the Union, it is required to comply with all European regulation and with its obligations as a member state), it is inevitable that investors, regulators, politicians and compliance officers will raise the possibility of “selecting” which measures to apply during the process of leaving the Union.

The future of the GDPR in the UK

Everything depends on the nature of the new relationship, the concessions accepted on each side, and the negotiation timetable once Article 50 is officially triggered. In the technology sphere, one of the big questions is whether, following Brexit, the General Data Protection Regulation (GDPR) will or will not apply to the UK, and what the role will be of the Information Commissioner, the independent regulator that would be expected to oversee the application of the GDPR across the Channel.

The timetable suggests that the GDPR, whose entry into force is set for 25 May 2018, will apply to the UK, since it is a regulation directly applicable in all member states. Even if Article 50 is triggered on 31 March 2017 (as the British government has suggested in its latest statements), the two-year period it provides for will end on 31 March 2019. Consequently, the GDPR would apply in the UK and would create legal obligations during the period in which the country retains its status as a full member state.

Given the existing timetable, and knowing that negotiations between the UK and the EU are highly likely to take time, it is reasonable to think that, unless the parties agree otherwise, the GDPR will enter fully into force in the UK.

Continuing relationships

Brexit is not expected to sever all relationships between the EU and the UK. The UK's position even indicates that the political objective is to retain access to the single market.

Switzerland, which Brexit supporters often cite as an example of successful cooperation between the EU and an outside country, has obtained essential equivalence status for data protection, a status covered by European legislation. Since the UK is a major information technology hub in Europe, it seems difficult for it to secure access to the Digital Single Market without submitting to the regulatory requirements on the processing of personal data.

Consequences for British companies in Europe

It should also be remembered that the GDPR applies to all companies wishing to sell products or services on European territory. Because the British digital economy is largely export-oriented, many companies established in the UK, along with their suppliers, will have to bring their internal processes into line with the provisions of the GDPR, regardless of the “law of the land”, because this regulatory compliance will be a condition for doing business in Europe. Consequently, some of the strict obligations of the GDPR, notably on security, data breach notification, cross-border data transfers, the right of access and the right of deletion, will apply “in a roundabout way”, through companies' internal policies and contractual obligations.

While it is understandable that the impact of Brexit on the GDPR raises questions, it appears that the European regulation will apply in the UK in one form or another. In fact, the other member states even have an interest in insisting on the applicability of the GDPR, because if the UK were to access the Digital Single Market without respecting data protection rules, it would enjoy an exclusive competitive advantage.

Likely consequences of Brexit

Nevertheless, Brexit poses certain problems for the British digital economy. For example, the impact of Brexit on the EU Charter of Fundamental Rights raises concerns about the ability of UK security agencies to access the personal data of EU citizens, even if British legislation in this area is essentially equivalent to the GDPR. This will probably result in agreements similar to the EU-US Privacy Shield for cross-border data transfers involving the UK.

There is also the question of the participation in the European Data Protection Board of the UK Information Commissioner's Office (ICO). The regulatory community could miss the input of this regulator, which is perceived as progressive and effective.

Admittedly, Brexit leaves uncertainty hanging over many regulatory matters, but data protection is relatively spared. Companies operating in several European countries, including the UK, must continue to prepare for the application of the GDPR while closely monitoring the progress of the Brexit negotiations, because these will ultimately determine the exact obligations in the UK.

New Launch: 250-427: ATP 2.0.2 SCS Exam

Available Now

About SCS Exams

The Symantec Certified Specialist (SCS) credentials are industry-recognized exams and are available to customers, partners, and employees. The SCS technical certification targets people who have hands-on experience with the product. They might be called technical sales engineers, partner integrators, product engineers, administrators, architects, designers, technical support engineers, or consultants, for example.

Although each technology varies in complexity and depth, SCS exams measure technical knowledge and skills needed to efficiently deploy, configure, utilize, troubleshoot, and optimize Symantec solutions. SCS exams are based on a combination of training material, commonly referenced product documentation, and real-world scenarios. Learn more by visiting http://go.symantec.com/certification.

How do you access this exam?

This exam is delivered only through Pearson VUE test centers.  To register for the exam, log in to CertTracker or create a new account.  Please see our step-by-step registration instructions for more information.

What are the recommended preparation strategies for this exam?

  • Candidates are strongly encouraged to review the corresponding course materials prior to attempting the exam.
  • Review the exam study guide, which contains the exam objectives and sample items. The study guide aligns to the recommended training course by summarizing the key lessons and topics and how they correspond to the SCS exam.

Exam Details

# of Questions: 70-80

Exam Duration: 75 minutes

Passing score: 72%   

Questions?

For more information about the Symantec Certification Program, contact Global_Exams@Symantec.com.

Thank you for your support of the Symantec Certification Program!
