DigiCert is a leading provider of scalable identity and encryption solutions for enterprises. Today this fast-growing company serves a roster of well-known enterprise and Internet of Things (IoT) customers. DigiCert enjoys a strong reputation and high customer loyalty, and focuses on industry-leading customer support, innovative market solutions, and meaningful contributions to improving industry best practices. DigiCert's innovation and growth strategy has earned multiple awards, and this summer the company was named one of Computerworld's Top 100 Places to Work in IT.
The fundamental steps to launching a cyber security career
By Jonathan Omansky, Senior Director, Development, Security Technology & Response Team
Symantec’s Jonathan Omansky provides a simple set of steps to launch a career in cyber security and to address the critical shortage of qualified cyber security professionals.
“HELP WANTED!” signs are hanging outside windows of almost every private, public, and governmental organization directly or indirectly connected to the cyber security space. If you’ve spent any time looking at this field as a potential career choice or read one of the thousands of articles, blogs, studies, think tank reports, and “expert” advice columns then you know the message is quite clear: WE NEED PEOPLE!!
Today, there are hundreds of thousands of cyber security positions that remain vacant around the world. As global consumer demand for automated, connected, and intelligent products and services grows, the risks and resulting reality of an increase in cyber attacks expands, and we will in turn see an even greater demand for people. This simple supply and demand equation is part of what the tech industry is now calling the fourth industrial revolution.
The prospect of filling all of these positions is slim at best, and it’s time to focus on what we can actually do about the growing skills gap. I’ve observed a lot of experts offering advice: pursue a degree, hurry to complete any number of (a growing list of) certifications, learn to code in this language, learn to script in that one. While these are all cogent recommendations to consider if you have the financial means, competency, and time, this advice doesn’t provide the fundamental steps to launching a cyber security career. Research shows a large percentage of vacant cyber security positions could be filled by individuals without a college degree—creating a tremendous opportunity to train and prepare non-traditional candidates for these roles.
I coach, guide, and mentor young students and re-trainees including high school students, inner-city youth, veterans, and believe it or not, elementary school aged kids. While what follows may be common sense to some, the eager minds I know aspiring to cyber security careers need a much simpler set of baseline steps to get started. I’ve used the below strategies with the students I mentor and have seen real results in the form of numerous permanent job placements. I hope sharing this set of simple approaches helps others; we need to attract as many people as we can into cyber security to keep the world safe from ever-evolving digital threats.
Below you’ll find six simple steps to launch a career in cyber security and in this editorial, I’ll cover the first step, defining your career focus, in detail.
1. Define your career focus
2. Research, learn, and assess
3. Read and write
4. Formulate a view of the attack
5. Make friends, make lots of different friends
6. Don’t be afraid to be wrong
#1. Define your career focus
The very first thing I hear from folks trying to break into the field is “There’s sooo much to consider, where do I start?” Well, it all starts with making a choice. The choice here is similar to those in medicine, law, auto mechanics, or construction, where you must choose where to focus your time and training. There is an array of disciplines under the cyber security umbrella; some are moderately technical and others require a more advanced technical skill set. This choice is an individual one: get to know the industry, where it is and where it’s going, define the skills you have, decide where you want to go, and think about what interests you.
You may be interested in network analysis, file reversing, email analytics, incident response, data mining, or one of numerous other areas. Each and every one of these areas has its own aspect of cyber threats attached to it. As such, each area has its own unique set of tools and an established baseline of knowledge that must be learned. Understanding this baseline, the analytical processes and procedures, communication protocols used, the file structures employed, the network architecture, and the programming and/or scripting language(s), is essential to establishing your career.
When I began my career in network security, we weren’t using a hammer and chisel to establish a TCP handshake, but it wasn’t much more advanced. My learning was relegated to books, RFCs, and manual pages, and I discovered very quickly the skills I needed to be effective. I needed to understand how networks communicated: how computers “talked” to each other using protocols spanning the TCP/IP stack, and how TCP differs from UDP. I invested countless hours reading about the structure of core protocols, the languages of the Internet, such as HTTP (web), SMTP (mail), FTP, POP, IMAP, IP, and many more. In order to identify an attack, you need to know the language of how it operates. I watched these protocols in action using tools such as Ethereal, Wireshark, and TCPDump, finding sample network traffic files of attacks and figuring out how they were successful. Before long, I understood the basics of how a network attack is performed and could identify patterns that stood out as anomalies. I eventually turned those patterns into IDS/IPS rules, which enabled users to prevent future attacks based on similar patterns.
In the early days of my career, there were only a few hundred total people in this field, which made it hard to find someone to learn from or chat up over lunch. These days, there are a huge number of social media based learning and networking opportunities that make defining your career focus easier. You can use these tutorials, webinars, videos, and blogs to learn more about the industry, and once you’ve chosen your desired area of focus, take advantage of these tools to ramp up your knowledge and skills.
The approach I’ve described above is a short and simple way to begin learning basic network security concepts. My goal is not to replace the wide array of freely available online and written content that breaks down technical topics, but to provide a very basic roadmap of how to get started. I find, as I speak to aspiring candidates, that this is needed just as much as a deep dive into technical data.
In short, pick an area, lay out your roadmap of learning, and start with one tool, one protocol, or one file structure. Continue to build on that, and you’ll see just how accessible this space really is.
Follow our CR in Action blog for more on how to launch a cyber security career. Interested in a career in cyber security? Learn more about the Symantec Cyber Career Connection (Symantec C3), which provides a mix of targeted classroom education, non-technical skills development, and cyber security internships to position students to fill in-demand cyber security jobs.
The exposure of sensitive or compliance related documents in the cloud has become one of the primary data security threats that organizations face today. Leakage of these documents, intentional or otherwise, can be potentially disastrous for an organization and result in compliance fines, mitigation costs, and loss of customer trust. The problem is not specific to a single cloud app provider but can occur when using any file sharing app. Whether an exposure happens to just a handful of documents or millions, the damage can be severe. For instance, the loss of a single document containing a confidential business strategy can provide a significant edge to the competition, resulting in lost business opportunities and potential revenue.
Recently, the Symantec Cloud Threat Labs team discovered a number of invoice documents that were exposed via AWS S3 buckets. Due to responsible disclosure and ethical guidelines, we are not divulging the names of the involved businesses. These documents were publicly available and could be easily accessed and downloaded using a web browser. In an earlier blog, we discussed how globally accessible AWS buckets could lead to data exposure involving sensitive documents if not audited completely.
This incident highlights the importance of securing data in AWS buckets by restricting privileges. Considering the competitive nature of service providers, disclosure of invoices could be very damaging to an organization if discovered by external parties. For example, one of the invoice documents reveals information about a firm’s consulting services, associated costs, and its Tax Identification Number (TIN) as shown below:
Figure 2: Invoice disclosing service and product costs
Figure 3: Invoice disclosing professional fees charged for a specific engagement
Figure 4: Invoice disclosing supply chain and delivery costs
If documents like the ones above were exposed, the results could be devastating from a business perspective. The potential repercussions of this exposure are clear, and below we list only a few that can damage the business and benefit the competition (or attackers):
- Glean more information about the different types of services being offered.
- Understand the different types of fees being charged by the company for specific services.
- Collect sensitive information such as the Tax Identification Number (TIN).
- Understand the revenue generation model being followed by the company.
- Underbid the company on RFPs to win projects.
Considering the above case studies, there are several points to ponder:
- Are the documents being exposed by the business firms’ clients by mistake?
- Are the documents being exposed by a malicious insider who wants to make the sensitive information public?
- What would be the impact on the business if the documents were exposed and accessed by competitors?
- Do the involved parties have a Cloud Access Security Broker (CASB) solution to monitor the activities in the cloud, analyze exposed content, and alert on or remediate a business-sensitive exposure?
As discussed earlier, exposure of sensitive documents in the cloud can have a substantial impact on a business irrespective of the sources and causes of the exposure. The case discussed here shows how crucial it has become for organizations to deploy solutions that uncover and classify sensitive corporate data and then allow the organization to set policies around its use and sharing.
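As an added example (not from the Symantec post), the following offline audit checks the three settings that decide whether an S3 bucket’s objects are readable by anyone on the Internet: the bucket ACL, the bucket policy and the Public Access Block configuration. The sample ACL, policy and settings are constructed to match the shape of the corresponding boto3 responses; the bucket name and owner ID are placeholders.

```python
"""Offline audit of an S3 bucket's ACL, bucket policy and Public Access Block
for settings that make objects readable by anyone on the Internet.

Added example, not from the original post. The sample inputs are constructed
to mirror the shape of boto3's get_bucket_acl(), get_bucket_policy() and
get_public_access_block() responses; a real audit feeds in the live responses.
"""
import json

# Grantee URIs meaning "everyone" and "any AWS account holder" respectively.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def acl_public_grants(acl):
    """Return (group, permission) for ACL grants that let the public read objects."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEE_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} grants access to anonymous requesters.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_public_statements(policy_json):
    """Return (public_sids, conditional_sids) for Allow statements that let
    anonymous principals read objects. Statements carrying a Condition (for
    example aws:SourceIp) are listed separately for manual review."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    public, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if not any(a in ("s3:GetObject", "s3:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        (conditional if stmt.get("Condition") else public).append(stmt.get("Sid", "<no Sid>"))
    return public, conditional


def public_access_block_gaps(config):
    """Return the Public Access Block settings that are not enabled; with all
    four enabled, public ACLs and policies are ignored or rejected outright."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [key for key in wanted if not config.get(key, False)]


def audit_bucket(acl, policy_json, pab):
    """Combine the three checks into one report; all-empty means no public exposure."""
    public, conditional = policy_public_statements(policy_json)
    return {
        "public_acl_grants": acl_public_grants(acl),
        "public_policy_sids": public,
        "conditional_policy_sids": conditional,
        "public_access_block_gaps": public_access_block_gaps(pab),
    }


# Constructed sample: a bucket left world-readable by both its ACL and its policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicInvoices", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-invoices/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-invoices/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

The conditional statement is reported but not flagged as public, because a `Condition` may legitimately narrow the grant; a reviewer still has to confirm it does.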
Maintaining visibility into critical data and information is not easy. Even knowing where each piece of data resides is a struggle. Business-critical data, such as intellectual property (IP) and sometimes even personally identifiable information (PII), is often shared between teams through a variety of channels (email, USB, on-premises systems, or cloud storage systems such as Box) with little visibility or control.
If a data breach occurs, not only is the company’s IP lost; there is also the risk of violating compliance obligations such as the EU General Data Protection Regulation (GDPR) and the PCI Security Standards Council. In the event of a violation, the real damage can be far more severe: fines of up to 20 million euros, lost market competitiveness, and the brand damage that results from the breach.
The answer is integrated security
Symantec’s Information Centric Security solution takes a new approach to data security by combining visibility, protection and identity. Symantec Information Centric Security protects sensitive data even when it resides in unmanaged environments, such as cloud applications and “bring your own” mobile devices.
Customers gain tracking and control over any form of data across its entire lifecycle, because industry-leading DLP (data loss prevention) and the CloudSOC CASB are integrated with cloud-based PGP encryption and identity authentication. Data is automatically encrypted, tracked and revocable for any user, anywhere, at any time. No other vendor in the security market delivers this level of visibility and control.
The integration is not limited to Symantec products. Symantec Information Centric Security is truly open and can be used to integrate third-party products as well. Symantec plans to publish Internet Drafts and API extensions for third-party developers and data-centric vendors.
With Symantec Information Centric Security, data is captured, tracked and protected with high accuracy by strong policies. Human error is mitigated by dynamic, intelligent protection that keeps pace with the evolving malware landscape and adapts to new risks over time.
ProxySG is a Symantec Secure Web Gateway (SWG) that can serve as a forward or reverse proxy. In both deployment modes, it leverages its extremely efficient caching capabilities to improve a customer’s Internet experience. In forward proxy mode, the customer is typically an enterprise whose employees enjoy faster speeds accessing the Internet due to the proximity of caching resources. Note that in this mode there may be additional upstream caching devices (think content delivery networks, reverse proxies, load balancers, etc.). In reverse proxy mode, ProxySG is deployed in front of the Origin Content Server (OCS) and is typically the last caching device on the way to the web server.
Recently, interesting research called “Web Cache Deception” appeared online. The original research dates back to February 2017, but it gained additional publicity when Omer Gil presented it at Black Hat USA this July. In parallel, a more detailed white paper was published here. The research describes a new attack vector that leverages discrepancies between the caching behavior of a caching device and the resource-retrieval behavior of the web server serving the resource behind it.
Attack
This simple attack exploits the sometimes-undefined behavior that occurs when a non-existent but cacheable resource is requested from the OCS. Depending on the web framework and server configuration, the OCS may fall back to the last known resource while retrieving the page. The researcher provides several specific examples of this behavior in PHP, Django and ASP.NET. The focus of this article is ProxySG caching behavior rather than the OCS, so we will use the simplest example, a PHP page, for demonstration purposes.
When accessing the most basic authenticated PHP page:
Upon successful authentication, the default PHP/Apache configuration on Ubuntu 12.04 returns status 200 and serves the content of secret_w_auth.php:
For simplicity, we will leave the query string and request/response headers aside for now.
On the caching side, seeing status 200 rather than 404, the caching device assumes nonexistent.css was served and caches the resource under the requested URL. This is an example of impedance mismatch, this time between the logic at the middlebox (caching engine) and the endpoint (OCS): the caching device does not always know which web servers or web frameworks reside upstream and, arguably, it shouldn’t need to. The researcher provides several examples of caching devices that make the attack possible (Cloudflare, IIS ARR and NGINX). In addition, there were several publications from affected CDN vendors (see the References section). In the next section, we will explore ProxySG caching behavior in the context of this attack in both forward proxy and reverse proxy modes.
ProxySG Caching Logic
ProxySG by default is very careful when caching an object. The out-of-the-box configuration obeys all the accepted cache controls, such as Cache-Control headers and expiration timestamps. Additional factors also affect the default caching behavior, such as the presence of cookies and of an authentication header. The rule of thumb is not to cache private or user-specific information.
Caching Authenticated Data
Taking a closer look at the previous example, the GET request will carry the Authentication header:
ProxySG has a feature to cache authenticated data, which is turned on by default and can be controlled via configuration. All the factors that can affect the cacheability of an HTTP request or response (such as Cache-Control) in a non-authenticated flow also apply when authenticated data is cached. In addition, authenticated cached data is marked with an “authenticated” flag when it is stored on disk, which indicates that future requests for such content will always require clients to authenticate to the server before the cached content is served. Note that a similar flow applies to other authentication methods; HTTP basic authentication is chosen here only for the sake of simplicity.
In these cases, ProxySG always issues a GET request with an “If-Modified-Since” header to verify that the client has provided valid authentication credentials to the origin server, even when the cached authenticated data has not yet expired. Therefore, it is not possible for an unauthenticated user to access cached authenticated data that the server would not have served had the user accessed it directly without authentication. In the case where the cached object is fresh and the origin server allows access to the object, the origin server can reply to the proxy with a 304 (instead of 200) response, saving server-side bandwidth.
Caching Unauthenticated Data
For unauthenticated cached objects, ProxySG does not contact the origin server if the object is still fresh in the cache. So the deception is certainly possible, but there is no harm in it, because the server would have served the same content to all users even with no caching involved.
This brings us to cookie-based authentication and the original PayPal vulnerability from the aforementioned white paper. The following is the request-response flow when visiting the most basic PHP web page that uses a custom authentication login form and standard session-management support:
The initial login page redirects the authenticated user to the next page containing private information. The PHP session module takes care of session management and embeds the cookie value in HTTP requests, as seen in the screenshot. Because the presence of a cookie in the request/response is considered to be associated with private information, one of the default ProxySG caching behaviors is to bypass caching for these transactions. So the exploit is not possible with the out-of-the-box configuration.
To override this default behavior, the ProxySG administrator would have to consciously use the dangerous force_cache(personal_pages) policy gesture (marked “for advanced users only” in the ProxySG CPL reference). This would open up the possibility of the exploit discussed above, so it should be used very cautiously and avoided if unsure.
As in many other web applications, the authentication state for a PayPal session is stored in cookies that will be present even when retrieving paypal.com/home/account/nonexistent.css. However, a caching middlebox would have to disregard the presence of cookies in both HTTP requests and HTTP responses for this exploit to succeed.
Mitigation
From the very beginning, caching controls were developed by the Internet community to standardize caching behavior across the various devices on the web. As such, following the RFCs and common recommendations on the way to and from the OCS inherently minimizes the infamous impedance mismatch. In addition, smart middleboxes can look for other signs of user-specific content, such as “Authentication”, “Cookie”, or “Vary” headers, to protect against serving private information when an origin server fails to set the standard cache controls correctly. ProxySG administrators should not need to do much when using ProxySG with recommended or default settings. However, caching overrides such as force_cache() should be used with extreme caution.
ProxySG also provides additional controls to identify content that may vary per user or that should only be served after verifying authentication with the server. The ProxySG Content Policy Language (CPL) provides the cookie_sensitive() and ua_sensitive() properties to modify caching behavior by declaring that the requested object varies based on cookie values or user agent respectively. It also provides the check_authorization() property to identify content subject to authentication when standard authentication headers are not used.
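The following is a small Python model of the caching decisions described in the sections above (default handling of cookies and authentication headers, the “authenticated” flag with its forced revalidation, and the force_cache(personal_pages) override), run through the /nonexistent.css scenario against a cookie-gated page. It is an added example, not ProxySG or Symantec code; the class names, the origin server’s fallback behaviour and the cookie values are all constructed for illustration.

```python
"""Model of the middlebox caching decisions described above, worked through
for the /nonexistent.css deception scenario against a cookie-gated page.

Added example, not ProxySG or Symantec code: a simplified reading of the
behaviour this post describes (obey Cache-Control, treat cookie-bearing
transactions as personal pages, flag Authorization-bearing objects so they
are always revalidated, force_cache(personal_pages) as the dangerous
override). Class names, origin behaviour and cookie values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    method: str
    url: str
    status: int
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    cache: bool          # store the response under the requested URL
    authenticated: bool  # flagged object: every later hit is revalidated at the origin
    reason: str


def _has(headers, name):
    return any(k.lower() == name.lower() for k in headers)


def decide_caching(tx, force_cache_personal_pages=False):
    """Default-style cacheability decision for one request/response pair."""
    cc = tx.resp_headers.get("Cache-Control", "").lower()
    if tx.method != "GET" or tx.status != 200:
        return Decision(False, False, "only successful GET responses are cacheable")
    if "no-store" in cc or "private" in cc:
        return Decision(False, False, "origin marked the response private/no-store")
    if _has(tx.resp_headers, "Vary"):
        return Decision(False, False, "response varies per request")
    if _has(tx.req_headers, "Authorization"):
        # Authenticated-data feature: cache, but flag so the client must be
        # re-authenticated by the origin before the cached body is served.
        return Decision(True, True, "cached with authenticated flag")
    if _has(tx.req_headers, "Cookie") or _has(tx.resp_headers, "Set-Cookie"):
        if force_cache_personal_pages:
            return Decision(True, False, "force_cache(personal_pages) override")
        return Decision(False, False, "cookie present: treated as a personal page")
    return Decision(True, False, "public cacheable response")


class CacheSim:
    """Minimal URL-keyed cache that honours the authenticated flag."""

    def __init__(self, origin, force_cache_personal_pages=False):
        self.origin = origin  # callable(method, url, req_headers) -> Transaction
        self.force = force_cache_personal_pages
        self.store = {}

    def fetch(self, url, req_headers=None):
        req_headers = dict(req_headers or {})
        hit = self.store.get(url)
        if hit is not None and not hit[1].authenticated:
            return hit[0].body, "HIT"
        if hit is not None:
            # Flagged object: conditional GET so the origin re-checks the requester's
            # credentials; an origin refusal is passed through, never the cached body.
            req_headers["If-Modified-Since"] = "Thu, 01 Jan 2017 00:00:00 GMT"
        tx = self.origin("GET", url, req_headers)
        if tx.status != 200:
            return tx.body, "ORIGIN-REFUSED"
        decision = decide_caching(tx, self.force)
        if decision.cache:
            self.store[url] = (tx, decision)
        return tx.body, "FETCHED"


def session_origin(method, url, req_headers):
    """Constructed origin imitating the PHP fallback: any path under /account/
    serves the account page, which is private and gated on a session cookie."""
    if url.startswith("/account/"):
        if req_headers.get("Cookie") == "PHPSESSID=victim":
            return Transaction(method, url, 200, req_headers, {}, "ACCOUNT DATA")
        return Transaction(method, url, 302, req_headers, {"Location": "/login"}, "")
    return Transaction(method, url, 200, req_headers,
                       {"Cache-Control": "public, max-age=3600"}, "STATIC CSS")


def deception_leaks(force_cache_personal_pages):
    """A logged-in user requests /account/nonexistent.css, then a requester with
    no cookie asks for the same URL. True if the cache hands over the private body."""
    cache = CacheSim(session_origin, force_cache_personal_pages)
    cache.fetch("/account/nonexistent.css", {"Cookie": "PHPSESSID=victim"})
    body, source = cache.fetch("/account/nonexistent.css")
    return source == "HIT" and body == "ACCOUNT DATA"


if __name__ == "__main__":
    print("default policy leaks:", deception_leaks(False))      # False
    print("force_cache override leaks:", deception_leaks(True))  # True
```

With the default policy the cookie-bearing transaction is never stored, so the second requester is sent to the origin and refused; only the override turns the origin’s fallback into a cache leak.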
When your mobile phone gets hacked, attackers can do a lot more than rifle through your hard drive.
Not only can they take control of the device’s camera to watch you, they can use your mic to monitor all of your conversations. What’s more, they can also access the location-based services your phone uses to locate you. That leaves cyber stalkers free to track your every movement - by foot, car, train or plane.
While this might sound like a page from a dystopian potboiler, it’s hardly the stuff of fiction. Last year, Berkeley PhD candidate Bill Marczak revealed just how easily spyware can now strip iPhone users of their anonymity. In a world where repressive governments can hack their citizens’ phones, that’s especially bad news for critics, who face their regime’s wrath for transmitting the wrong tweet or clicking on the wrong link.
Porous Digital Castles
Smart phone insecurity is just one part of a much bigger story that I want to focus on: In an increasingly digitized world, our privacy has become an open book.
Your home may still be your castle, but it’s anything but a digitally safe bastion. Some TVs have been discovered to have digital ears that listen to what goes on around them. Hackers are now able to remotely compromise baby monitors and other popular home audio devices. Home security cameras have been similarly hacked so that criminals can view video feeds from the home. Digital door locks and garage doors are also vulnerable to cyber criminals who can manipulate the systems to gain entry.
The reality of the connected world is that it’s easy to digitally follow us around. Consider the fact that your smart phone often interacts with countless beacons and base stations. If any of them get hacked, they can relay proximity information to aggregation servers and interlopers who can track your location.
Actually, even without getting hacked, many of them aggregate the information and then sell it to the lowest bidder. And as more cars evolve into the equivalent of big computers on wheels, many have been misconfigured by manufacturers to reveal their latitude and longitude when pinged over the internet, even without requiring decent authentication.
Other common devices - discoverable through services like Shodan - are similarly vulnerable to hacks. When the Mirai botnet struck last year, for example, it made headlines by infecting millions of devices to bring down big chunks of the cloud. Yet the infection proliferated precisely because so many of the “smart” things were built by makers who embedded passwords such as “1234” for remote access, typically without even telling the buyer that their device would have such an obvious remote login.
There are other ways our traditional notion of privacy is being put in jeopardy. Simply scanning a QR code opens a link that doesn’t only reveal your location to merchants. With or without QR codes, cookies, trackers, and device profiling through “ad networks” also expose other kinds of valuable private information, such as personal interests, other web pages you’ve visited and potentially your location-based history - including your home address, along with political leaning, religious affiliations, and even sometimes likely income brackets.
What to Do
So how can we protect ourselves from the myriad threats to our privacy? Fortunately, lots of new digital security products are coming to market that can help.
At Symantec Labs, we’re doing research to broaden such protection from the traditional security coverage, to include better privacy protection, creating the ability for people to more effectively limit data collection to data they choose to share.
For instance, two years ago we were among the first to show how Machine Learning could be used to identify the HTTP requests carrying sensitive information to third-party trackers with very high accuracy.
More recently we demonstrated a new technique for a 90% reduction in spyware getting access to privacy sensitive sensors on Android smart phones.
Of course, many security scanning and prevention services in the market focus on blocking “security” threats, not blocking all “privacy” threats, but we’re looking to change that. Both network and device protections can do far more to protect people’s privacy, and enable people to have genuine anonymity when they need it. In short, on the one hand, “there could be a better app for that,” and we’re working on that.
On the other hand, you can’t always install an app. For that, we’re working to make the network based privacy protections better so that as long as your devices are tied to a cloud-based protection service like Symantec’s Web Security Service (WSS), such cloud-based services could be protecting you not only against security threats, but also protecting you against privacy threats. That includes surveillance by ad networks, atop the geo-location threats, and atop the “server to client” attacks which have already unmasked the anonymity of people arrested or disappeared for doing no more than exercising their moral obligation to question authority.
In the meantime, smart phone users can take advantage of security solutions including offerings like Norton Mobile Security, SkyCure, WSS and more. Some car makers are beginning to protect their fleets of cars with services like WSS, building better security into the car from the beginning. Smart city and smart building infrastructure can borrow a page from the car makers, using services like WSS or security gateway hardware such as ProxySG.
Clearly, our increasingly connected world is creating amazing new opportunities. This world wide web and emerging internet of things are powerful tools that put the world at our fingertips. But we’re also going to need good tools to deal with the thorny privacy threats that inevitably will arise. Otherwise, the absence of adequate protections will put every aspect of our lives on display for thieves, stalkers, bullies, and tyrants.
This week Symantec CloudSOC is proud to be one of the first cloud access security broker (CASB) solutions to announce plans to provide threat protection and data governance for Cisco Spark.
Symantec CloudSOC has a long history of integration with Cisco solutions and adding a Spark Securlet to CloudSOC will be yet another example of our commitment to providing customers a holistic cloud security solution that integrates coverage across a wide range of services.
CloudSOC already provides the following support for Cisco solutions:
- Analysis of Cisco cloud services, such as Cisco WebEx and Cisco Spark, as part of CloudSOC Audit visibility, analysis and intelligence
- CloudSOC Audit’s ability to use event logs from Cisco appliances for Shadow IT use of cloud apps and services
- Symantec Secure Web Gateways monitoring, reporting and policy controls for Cisco WebEx and Cisco Spark application traffic based on CloudSOC Audit intelligence
- CloudSOC integration with the Cisco Identity Services Engine to enforce CASB policies such as quarantining endpoints
- Support for Cisco Web Security Appliances, including proxy chaining and log analysis
In addition to our work with Cisco, CloudSOC offers unique integrations with Symantec DLP, user authentication, encryption, endpoint protection, advanced threat protection, and secure web gateways as well as other industry integrations with directory services, SSO solutions, SIEM platforms, firewalls, and proxies.
Symantec’s Integrated Cyber Defense Platform is designed to maximize security efficacy, minimize administrative overhead and improve user experience. Learn more about how CloudSOC can identify attacks, automatically classify data and mitigate risk through alerts, access controls, quarantines, and more to help organizations prevent data loss and remain compliant with data privacy regulations here.
Google shared this new proposal regarding Symantec’s certificate authority (CA) with the community on May 15. Since then, Symantec has been examining the proposal and weighing its merits against feedback from the broader community, including customers of Symantec’s CA. As part of this review, Symantec performed a preliminary analysis of the engineering, contractual and operational requirements needed to implement the subCA portion of Google’s proposal. We also held initial conversations with prospective partners (hereafter “subCAs”) to understand the timeline and integration constraints that must be considered to properly implement the subCA approach. We are currently awaiting detailed responses to our request for proposal (RFP) from subCA candidates, but we want to share Symantec’s initial feedback on Google’s current proposal.
First, Symantec acknowledges the mis-issuances that occurred in our CA operations and takes these incidents extremely seriously. These mis-issuances were exceptional and are not representative of our CA operations. Symantec’s CA business is staffed by experienced personnel serving customers worldwide, and we take every measure to ensure that our certificate issuance practices meet industry and browser requirements.
That said, if SSL/TLS certificates issued by Symantec were no longer recognized by common browsers, our customers’ operations would undoubtedly be severely disrupted. In that light, we greatly appreciate that Google’s current proposal does not immediately affect compatibility or interoperability for the vast majority of users. Rather, we understand that Google’s latest subCA proposal, while ultimately requiring significant changes, is designed to minimize the impact on users of Symantec’s CA and on browser users. In particular, Google’s current proposal preserves the treatment of Symantec EV certificates, leaving a path to continue supporting customers with industry-standard certificate validity periods. Moreover, under the current proposal, most Symantec customers would experience no interruption or restriction.
However, there are aspects of the current proposal that we believe must change. Unless they are changed, it will not be possible to carry out a plan that includes delegating our CA operations to a third party in a sound and responsible manner.
According to Netcraft, Symantec is the industry’s largest issuer of EV and OV certificates, performing more validation work across a wider geographic area than any other CA. To our knowledge, no other CA currently operates at Symantec’s scale or offers such a broad range of functionality. Not only is research required to identify suitable CA partners, but any CA would need a substantial ramp-up period, because handling Symantec’s certificate issuance volume with high reliability, security and full compliance will require additional resources. Before technical integration and migration can begin, Symantec must evaluate the characteristics of relevant, qualified CAs. For the subCA proposal to proceed smoothly, the governance, operational structures and legal frameworks needed to ensure appropriate accountability and oversight must also be put in place.
- The Managed CA may be cross-signed by existing Symantec roots, as agreed, so as to take advantage of the ubiquity of those existing roots in trust stores.
- The Managed CA may issue EV certificates, provided it meets the validation requirements.
- As long as the Managed CA fully re-validates the information, new certificates may have a validity period of up to 39 months, or the maximum Chrome permits for all CAs (currently as specified in the Baseline Requirements and EV Guidelines). During the transition period, the Managed CA may reuse existing validation information, but the lifetime must be limited to 13 months.
- Existing certificates issued on or after June 1, 2016 will continue to be trusted as long as they comply with Chrome’s Certificate Transparency (CT) policy. EV certificates issued on or after that date will continue to be treated as EV.
- August 8, 2017: Certificate issuance must be performed by the Managed CA, but existing validation information may be reused (up to the limits set in the Baseline Requirements).
- November 1, 2017: Certificate issuance and domain re-validation must be performed by the Managed CA, but existing organization validation information may be reused (up to the limits set in the Baseline Requirements).
- February 1, 2018: Certificate issuance and all validation must be performed by the Managed CA.
Symantec’s inline response: Based on our initial research, we believe the deadlines set out above are not achievable, because, as noted at the beginning of this post, the scale of the transition that would be required is enormous. We therefore propose that Google not set a final sunset date for Symantec certificates at this time. Symantec has conducted outreach to prospective partners (subCAs) to understand potential limitations, deadlines and the integration work likely to be required, and has prepared and sent an RFP with specific questions about timing, logistics and dependencies. The feedback needed to put together a project proposal is due by the end of June, at which point we will present Google and the community with a constructive and achievable schedule. Here we want to set out some of the practical and compelling reasons why we believe the currently proposed dates need to be reconsidered.
- The subCA must be operated by a disinterested organization that operates a root certificate currently trusted in the Android and Chrome OS trust stores, with a trust track record of two years or more.
- The disinterested organization must take full responsibility for operating such a subCA, and any mis-issuance by that subCA shall be treated the same as a mis-issuance by any other CA the organization operates. Likewise, any mis-issuance by another CA the organization operates shall be treated the same as a mis-issuance by the subCA. Because the basis of trust in such an intermediary organization depends on chaining to an existing root certificate issued by Symantec, rather than on the other organization’s CA certificate, Symantec must also take full responsibility for operating such a subCA, and any mis-issuance by the subCA must be treated the same as a mis-issuance by any other CA Symantec operates.
- Neither Symantec nor its subsidiaries may serve in any of the information-verification roles recognized by the Baseline Requirements, such as a Delegated Third Party (including Enterprise RAs) or a Validation Specialist. That is, the disinterested organization bears full responsibility for performing all controls over information verification for certificate issuance. However, Symantec and its subsidiaries may collect and aggregate any information as part of the certificate request process in order to make the validation process faster and simpler.
- Such a subCA may not be used to certify CAs operated or controlled by Symantec, but it may be certified by existing CAs operated or controlled by Symantec. In other words, it may be cross-signed by the existing infrastructure, but it may not cross-sign the existing infrastructure or its certificates.
- Delegated Third Parties shall not be used to perform the information-verification functions of domain validation (Baseline Requirements section 3.2.2.4) or IP address validation (Baseline Requirements section 3.2.2.5).
Maintaining visibility into critical data and information is not an easy task. It is hard to know where each byte of data resides. Intellectual property (IP) or personally identifiable information (PII) is often shared between teams through a variety of channels (for example email, USB, on-premises systems, Box or other cloud storage systems), frequently with little visibility or control.
If you are not sure your data is truly secure, the following questions offer a simple test of your visibility and control.
When you share critical data with the following parties, do you know who has access to it?
- Trusted partners
- Trusted suppliers
- Contractors using BYO devices
Do you know whether your trusted partners or suppliers share the data with other vendors?
If a relationship with a contractor, partner or supplier ends, can you revoke the data you shared with them?
Many organizations answer “no” to the questions above. In a recent Symantec survey, nearly one in three Chief Information Security Officers (CISOs) said that data loss is the most serious insider threat to their business this year.*
In addition to the potential loss of company IP, data loss can lead to violations of compliance requirements such as the GDPR (Global Data Privacy Regulations) and the PCI Security Standards Council. Violating these requirements can cause even greater harm, as many companies have already experienced: fines of up to 20 million euros, loss of market competitiveness, and brand damage resulting from data loss.
The answer is integrated security
Symantec’s Information Centric Security solution presents a new approach to data security by integrating visibility, security and identity. Symantec Information Centric Security protects critical data even when it resides in unmanaged environments such as cloud apps and “Bring Your Own” (BYO) mobile devices.
Symantec integrates industry-leading DLP with the CloudSOC CASB, and cloud-based PGP encryption with identity authentication, so customers can track and manage any type of data across its entire lifecycle. Data can now be encrypted, tracked and revoked for any user, anywhere, at any time. No other vendor in the market offers this level of visibility and management.
Existing data solutions do not provide true protection
Other options for protecting information work effectively in limited situations, but resourceful users often find ways around these safeguards.
Traditional (on-premises) DLP and user tagging can identify sensitive content using advanced methods such as machine learning and user data tagging, but protection stops the moment information is shared to an unmanaged device through a sanctioned or unsanctioned app.
Traditional CASBs are a stronger solution when combined with DLP policies, but they were not designed to block communication with third parties such as partners, suppliers and contractors under NDA, so visibility can be lost.
Encryption is a demanding process, and user friction means policies are easily abandoned. Once a file is decrypted and shared with another vendor, there is no longer any protection or visibility for that file.
Microsoft DRM and RMS (Digital Rights and Risk Management Services) do not serve the broader market and have deployment and availability problems. Because of these constraints of the Microsoft ecosystem, the industry has not yet found a way to embed security policy in the data itself and ensure that only intended users can access the data regardless of platform.
How is Symantec’s Information Centric Security different?
Protecting information in unmanaged environments is difficult because there is no control over, or visibility into, where the data is or which devices and users access it.
The solution starts by integrating industry-leading Symantec DLP, CASB, encryption and authentication in the following ways:
- Critical data is discovered automatically across all communication channels, or classified manually by the user who created it.
- DLP automatically identifies and encrypts sensitive data, reducing the chance of accidental data loss.
- CASB technology intercepts data moving to the cloud and extends DLP protection to previously unmanaged environments.
- Symantec VIP provides multi-factor authentication that ties user authentication credentials to the decryption key, so that only intended users can gain access.
This integration is not limited to Symantec products; the solution is fully open and can be used for third-party integrations as well. Symantec plans to publish Internet Drafts and API extensions for third-party developers and data-driven vendors.
With Symantec Information Centric Security, data is accurately captured, tracked and protected by a powerful policy engine that reduces the risk of human error through dynamic, intelligent protection that learns to adapt to new risks over time and adjusts to the ever-growing threat landscape.
Watch the webinar presented by Forrester Senior Analyst Heidi Shey on June 22, 2017, which shows how Symantec integrates its leading security solutions to deliver a new way to keep data and information protected. Click here to register.
* Results of a 2017 Symantec study of 1,100 Chief Information Security Officers (CISOs).
Symantec equips students with the tools they need to succeed and stay safe this school year
As children across the U.S. go back to school this month, Symantec is helping to make sure they are prepared. Through backpack and school supply drives for local children in need and cyber education tools for parents and children, Symantec is working to make sure every student is ready for class.
Symantec employees in Tempe, Arizona write notes to include with the school supplies they donated to Curry Elementary.
This month students across the U.S. head back to school and Symantec is focused on keeping them safe online, and prepared for the classroom. While some students need school supplies to start their school year off right, others need to learn a few essential cyber basics to enable them to explore the digital world safely.
Symantec provides school supplies for kids in need
Symantec’s Consumer Business Unit in Mountain View, California is hosting a virtual backpack drive to help send low-income children back to school with the essential, grade-appropriate supplies they need to succeed. Symantec has partnered with the Family Giving Tree, a nonprofit that has served more than one million Bay Area children from low-income families since 1990. In 2016, the demand from schools and agencies was greater than ever, and more than 39,000 backpacks filled with supplies were delivered to students in grades K–12 who were enrolled in the Federal Free or Reduced Price Meal Program. Backpacks with STEM supplies can cost between $50 (elementary) and $95 (high school), and students without a calculator, protractor, or compass have a hard time learning geometry or algebra, participating in the classroom, and completing their homework. For children living in poverty, a lack of crucial school supplies means they start their school year off at a large disadvantage.
Symantec’s virtual Backpack Tree hopes to empower a low-income high school student to graduate, equip two middle school students with the tools needed to succeed in the classroom, provide five elementary school students with fundamental school supplies, and fill an entire classroom with the supplies needed to elevate their learning.
Symantec’s Tempe, Arizona office also hosted a school supply drive and wrote handwritten notes for the students at Curry Elementary. The office provided a financial donation to the school to use for whatever it needs, which in 2016 meant buying new shoes for all of the students. Curry Elementary is located right down the street from Symantec’s Tempe office and is a Title 1 school; of its 539 students, 23% are limited in English proficiency and 81% have subsidized lunches. We have worked with the school for the past few years, first as LifeLock and now as Symantec, providing much-needed resources for the cash-strapped public school and opportunities for the students to start their school year off with items they desperately need.
Symantec employees sent 600 inspiring notes to students heading back to school at Curry Elementary.
Symantec provides resources to keep kids safe online
As children head back to school, they also face increasing threats that emerge as a result of cyber behavior. Cybercrime is a multibillion-dollar industry and hackers exploit poor cyber habits, including those of children. According to a recent Norton survey, 60% of parents worldwide allow their children access to the Internet before age 11. These children are often on a quest to constantly learn new things, and may unintentionally engage in risky online behavior, like inadvertently disclosing too much information. Even though 78% of parents agree that children today face more online risks than children five years ago, only 50% check their children’s browser history and 46% limit access to certain websites and apps.1
This month, children will be accessing the Internet from numerous devices, including computers and tablets at school, messaging each other through the newest social media sites and downloading the latest apps. We believe that, in the same way that we educate our children about other risks, it is imperative that we educate them about avoiding online dangers. Symantec has developed free cyber safety educational tools for parents to address new and emerging risks to children's online safety, including a guide to identify the signs of cyberbullying and how to start a conversation about it. To learn more and download the guide, visit Norton.com/cyberbullying. For children not yet using technology, we provide tips on how to decide when a child is ready for technology and offer free Cyber Safety Guides for grade school kids, middle school kids, and high school students.
The Smart Talk, another online tool, is designed to help parents empower their children to become smart digital citizens in an increasingly connected world. It’s the result of a collaboration between LifeLock, a Symantec company, and the National PTA, and gets parents and kids together for a conversation about being responsible with new technology. Parents and children answer a series of questions together to make sure everyone is on the same page, and through The Smart Talk parents can print out their Internet rules agreement and post it where the whole family can see it.
You can visit Norton’s Kid Safety Security Center to read more about keeping kids safe online, and we wish you all a safe and successful school year.
Radicati, IDC MarketScape and SE Labs provide objective comparisons for ATP solutions
While every vendor claims market leadership, the industry benchmark of leadership is an objective third-party comparison. Independent assessments and lab tests confirm Symantec's leadership in the ATP market.
Getting Beyond the Noise
Technology products often are overhyped, and products that address advanced threats are no exception. Advanced Threat Protection players proliferate in the market, and self-proclaimed market and technology leadership is common. Customers rely on independent sources to cut through the noise and provide a clear picture of what vendors have to offer.
Symantec has demonstrated leadership in the Advanced Threat Protection (ATP) market with multiple independent assessments.
Top Player Radicati Advanced Persistent Threat Protection Market Quadrant*
Radicati Group has published a deep-dive assessment of the APT Protection market, and the overall leader is Symantec Advanced Threat Protection.
The Radicati APT Protection MQ report is a comprehensive assessment of vendors that analyzes functionality, strategy, customer support, and more.
The report assesses vendors on critical criteria including:
Deployment options
Malware detection
Web and Email Security
Forensics and Analysis of zero-day and advanced threats
Sandboxing and Quarantining
Remediation
The extensive analysis provides an independent source for customer evaluation.
In its 2017 report comparing APT Protection vendors in detail, Radicati assessed Symantec as the overall leader and the highest-ranked Top Player.
Figure 1
In Radicati's review of the APT Protection market, the analyst firm cited as one of Symantec's strengths our integrated ATP solution, which covers critical control points including the Endpoint, Email, Web and Network threat vectors. The ability to add visibility and threat correlation across multiple control points is essential. Firms that invest in point products focused on a single threat vector may find the task of integrating and managing a disparate set of products costly.
Radicati highlighted this strength stating, "Symantec provides a fully integrated portfolio of solutions to guard against threats across all vectors including endpoint, network, web, email, applications and more."
Just as important as addressing control points is providing a multi-layered approach to protection. Radicati recognized that Symantec's integrated solutions support the entire threat lifecycle. Symantec's integrated cyber defense approach includes Network Forensics via Symantec Security Analytics, giving customers real-time content inspection and sophisticated anomaly detection for all network traffic, including SSL traffic (using Symantec SSL Visibility).
The Radicati report highlighted Symantec Malware Analysis for its customizable hybrid sandbox and noted that Symantec’s cloud sandbox offers virtual and physical execution modes to thwart threats designed to be “VM aware.”
Lastly, Radicati cited Symantec ATP’s Endpoint Detection and Response capability that ensures stealthy threats can be exposed and any impacts of a breach quickly resolved across all impacted endpoints.
SE Labs Network Security Appliance Test
In July, SE Labs published lab results comparing several popular network security appliances, including Symantec ATP. The test used real-world threats that were active on the internet at the time of the test. The threats used in the analysis were web-based threats, malware downloads and targeted attacks.
SE Labs found that Symantec ATP had the highest rating (99%) for Total Accuracy, a measure that combines the effectiveness of threat protection with the correct handling of non-malicious objects. In addition, SE Labs found that Symantec protected against 100% of the public web-based threats, malware downloads and targeted attacks used in the test.
Symantec ATP received SE Labs AAA Award for strong overall performance in the test.
Figure 2
IDC MarketScape on Endpoint Specialized Threat Analysis and Protection 2017**
In another major analyst report, the IDC MarketScape named Symantec a leader, citing the combination of technology and services that support threat detection and remediation of known and targeted attacks.
Among the strengths highlighted in the report is the observation that "Symantec Advanced Threat Protection is tightly integrated into SEP 14 and provides incident responders with complete visibility through a single agent and the ability to conduct active threat hunting and live response on endpoint devices."
The Bottom Line
Claiming you're a leader is one thing; many vendors make this claim.
An independent assessment from Radicati that your solution is the highest ranked among Top Players for APT Protection, and the highest rating for Total Accuracy in real-world lab tests from SE Labs, are the kind of validations customers should consider when comparing vendors.
Protect against malicious web downloads: 76% of the websites scanned were found to have vulnerabilities that attackers could exploit to deliver malware (ISTR 22). Intrusion prevention technology that protects the browser by analyzing all inbound and outbound traffic can block such malware before it reaches the endpoint.
Email continues to be a top incursion vector for attackers. As a result, organizations need to gain better visibility into their email, which is the most critical and exposed control point. Understanding threat actors and the email threat landscape has become imperative for customers today, as they are looking to quickly investigate, correlate, and respond to threats.
Symantec Advanced Threat Protection for Email already provides deep visibility into the threat landscape with Indicators of Compromise (IOCs) on malicious emails such as file hashes and URLs as well as attacker information such as sender IPs & sender countries. This intelligence can be seamlessly ingested into third-party Security Incident and Event Management tools (SIEM) such as Splunk, IBM QRadar, and HP ArcSight, which enables Security Operations Center (SOC) teams to investigate and respond to advanced email attacks. Customers are leveraging this information for use cases such as correlating malicious file hash information from emails with their endpoints, feeding malicious links into their Web proxies to gain insight into attackers, and increasing protection by understanding targeted threats against their organizations.
Figure 1 – Intelligence on malicious URLs found by deep link analysis in Symantec Cloud Email Security. This includes both the original URL and the destination URL from which malicious payloads are served.
Figure 2 – Symantec offers visibility into the threat landscape, including where attacks originate.
Last month, we announced new Business Email Compromise protection and deeper visibility into advanced email attacks. Today, we are excited to announce the launch of new APIs as part of our Advanced Email Security Analytics, which provide deep visibility into both clean and malicious emails by extending our intelligence to all emails scanned by our Symantec Email Security.cloud service. These APIs enable organizations to:
Gain near real-time visibility and analytics into the email threat landscape
Investigate and correlate threats by providing actionable intelligence about IOCs, including spoofed domains, spoofed users, malicious URLs, detailed sandbox behaviors and associated network communication
Accelerate response to targeted and advanced threats by tracking email-based attack campaigns and outbreaks
Understand end-user risk profiles and improve the overall security posture and awareness of email threats
Figure 3
Over the next couple of months, we will release an updated version of our free Splunk application that will leverage these new data sources to put enhanced analytics at your fingertips.
Figure 4 – Ability to create campaign view to track email outbreaks.
Getting Started
This feature is available to Symantec Advanced Threat Protection for Email customers today. To enable the data feeds, refer to the settings section under Advanced Threat Protection: Email in the Email Security.cloud portal. You can also download our admin guide, which provides detailed information about the data points provided and sample Python scripts to get started quickly.
Figure 5 – Email data feed settings in Symantec Email Security.cloud console.
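The correlation use cases described above (matching file hashes from malicious emails against endpoint telemetry, and feeding malicious links into the web proxy) are illustrated below as an added example. It is not Symantec's code and does not use the real Email Security.cloud data feed schema: the JSON record layout (message_id, sender_ip, sender_country, file_hashes, urls), the endpoint events and the proxy log lines are all constructed for illustration.

```python
"""Correlate IOCs from an email-security intelligence feed with endpoint and
web-proxy telemetry.

Added example, not Symantec's code. The feed layout, field names and every
sample event here are constructed and do not reflect the real API schema.
"""
import json
from urllib.parse import urlsplit

# A constructed 64-hex-character "sha256" used in both the feed and the endpoint events.
CONSTRUCTED_HASH = "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2

# Constructed sample feed (hypothetical schema): one record per malicious email.
SAMPLE_FEED_JSON = json.dumps([
    {
        "message_id": "msg-0001",
        "sender_ip": "203.0.113.7",
        "sender_country": "ZZ",
        "file_hashes": [CONSTRUCTED_HASH.upper()],      # feed reports upper-case
        "urls": ["http://Shortener.example/x1",         # original link in the email
                 "http://payload.example/files/invoice.exe"],  # final destination
    },
    {
        "message_id": "msg-0002",
        "sender_ip": "198.51.100.22",
        "sender_country": "ZZ",
        "file_hashes": [],
        "urls": ["https://login-portal.example/verify?u=123"],
    },
])

# Constructed endpoint telemetry: files an agent observed, with lower-case hashes.
SAMPLE_ENDPOINT_EVENTS = [
    {"host": "wks-17", "sha256": CONSTRUCTED_HASH},
    {"host": "wks-42", "sha256": "0" * 64},
]

# Constructed web proxy log: "<host> <url>" per line.
SAMPLE_PROXY_LOG = """\
wks-17 http://payload.example/files/invoice.exe
wks-09 https://login-portal.example/verify?u=999
wks-42 https://intranet.example/home
"""


def parse_feed(raw_json):
    """Extract normalised IOC sets from the feed.

    Hashes are lower-cased because telemetry sources differ in case. URLs are
    kept verbatim for exact matching, and the hostname is pulled out separately
    so a request to the same domain with a different path can still be flagged.
    """
    iocs = {"hashes": set(), "urls": set(), "domains": set(), "sender_ips": set()}
    for rec in json.loads(raw_json):
        iocs["sender_ips"].add(rec["sender_ip"])
        for h in rec.get("file_hashes", []):
            iocs["hashes"].add(h.lower())
        for u in rec.get("urls", []):
            iocs["urls"].add(u)
            host = urlsplit(u).hostname  # urlsplit lower-cases the hostname
            if host:
                iocs["domains"].add(host)
    return iocs


def correlate_endpoints(iocs, events):
    """Return sorted (host, sha256) pairs where an endpoint saw a flagged file hash."""
    return sorted((e["host"], e["sha256"]) for e in events
                  if e["sha256"].lower() in iocs["hashes"])


def correlate_proxy(iocs, proxy_log):
    """Return (host, url, match_type) for proxy requests touching IOC URLs.

    An exact URL match is the strongest signal; a domain-only match (same host,
    different path or query) is reported with its own label so analysts can
    weight it differently during triage.
    """
    hits = []
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        host, url = line.split(maxsplit=1)
        if url in iocs["urls"]:
            hits.append((host, url, "exact_url"))
            continue
        domain = urlsplit(url).hostname or ""
        if domain in iocs["domains"]:
            hits.append((host, url, "domain"))
    return hits


def proxy_blocklist(iocs):
    """Domains to push to the web proxy deny list, sorted for stable output."""
    return sorted(iocs["domains"])


if __name__ == "__main__":
    iocs = parse_feed(SAMPLE_FEED_JSON)
    print("endpoint hits:", correlate_endpoints(iocs, SAMPLE_ENDPOINT_EVENTS))
    print("proxy hits:", correlate_proxy(iocs, SAMPLE_PROXY_LOG))
    print("proxy blocklist:", proxy_blocklist(iocs))
```

Running the block on the constructed input reports one endpoint hit (wks-17 holds the flagged file), one exact-URL proxy hit and one domain-level hit, and a three-domain blocklist; with a real feed the parser would be the only part that needs adapting to the actual field names.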