Symantec CMO, Manny Kostas, shares how Symantec's excellence in innovation, holistic perspective on protection, and expert advice on security help you to "Do It All".

 Por Paola Zeni, Directora de Privacidad Global, Éticay Cumplimiento en Symantec

Symantec ha sido reconocida por el  Ethisphere Institute como una de las Compañías Más Éticas del Mundo en 2014. Ethisphere Institute es un centro independiente de investigaciones que promueve las mejores prácticas en ética corporativa y gobernabilidad. Esta es la séptima ocasión en que Symantec ha sido honrada con este distintivo, el cual reconoce a organizaciones que continúan elevando los estándares de liderazgo ético y de buen comportamiento corporativo.

Symantec, es una de las 10 compañías de tecnología distinguidas este año a nivel mundial. 

Este premio pertenece a todos los empleados de Symantec, quienes diariamente desempeñan sus labores siguiendo los más altos estándares éticos.  

"Las compañías más éticas del mundo consideran que sus clientes, empleados, inversionistas y reguladores dan un alto valor a la confianza, siendo la ética y la buena gobernabilidad puntos clave para ganar tal reconocimiento", comentó el CEO de Ethisphere, Timothy Erblich. "Symantec forma parte de un grupo exclusivo, comprometido con impulsar el buen desempeño a través de prácticas líderes en el negocio. Felicitamos a todos en Symantec por este extraordinario logro".

La evaluación de las “Compañías Más Éticas del Mundo” se basa en el marco del coeficiente de ética del Instituto Ethisphere, el cual fue desarrollado por líderes en este campo para evaluar de manera objetiva, consistente y estandarizada el desempeño de las organizaciones. Para poder calificar para el distintivo, Symantec proporcionó información acerca de su ética, programa de cumplimento, reputación, liderazgo e innovación, ciudadanía corporativa y responsabilidad, además de cultura ética.  

La lista completa de las Compañías Más Éticas del Mundo 2014 puede ser consultada en http://ethisphere.com/worlds-most-ethical/wme-honorees/.

Join Symantec's Brook Chelmo and Jeff Barto for a discussion on how to protect your business and information, and keep your communications secure from the recently discovered Heartbleed vulnerability.

Keeping your web browser up to date is very important for your own safety and security, but also it is important to install the latest add-ons whenever new versions become available.

What is a plugin?

• Plugins power videos, animation and games
• They're built outside of Firefox by companies like Adobe Systems and Apple
• Plugins don't always update automatically.

 

Why should I update my plugins?

• Old plugins can interrupt browsing and waste your time.
• Old plugins increase your risk for attack by malware, viruses, and other security threats.
• Updated plugins have improvements that make the web better and safer for you.

A simple way to check if you always have running the latest plug-ins is visit the Mozilla Plugin Check & Updates .

Also, if you see something strange or in case of doubt a safe solution is disable this plugin.

How do I disable a plugin?

In Firefox:

    Open the Tools menu.
    Choose Add-ons.
    Click the plugins tab.
    Click on a plugin in the list.
    Click the Disable button.

Caution: disabling a plugin means that you will no longer be able to do certain things. For example, if you disable Flash, you will not be able to watch videos on YouTube.

LINK : Plugin Check & Updates — Mozilla

From climate change to cyber security to employee diversity, corporate responsibility (CR) and sustainabilitytouch every aspect of Symantec’s business. We’ve defined our strategy and are continually working toward our goals to operate as a responsible global citizen. In addition to our dedicated global corporate responsibility team, every day Symantec employees across the world are helping us deliver on this, creating value for both our business and our stakeholders.

We are happy to introduce an ongoing feature of the CR in Action blog – the Sustainability Spotlight - that will profile employees and their contribution to Symantec’s CR and sustainability efforts. Some are members of our CR team, others contribute through our Green Teams or volunteering, some have seen an opportunity and developed programs in their function or region -- all are making a difference.

Today we hear from Eileen Brewer, Manager, Program Management, who was joined by Andria Bouskos, Corporate Counsel, Legal and Public Affairs, and Sowmya Simha, Principal Program Manager for Mobile Products, on a recent trip to Rwanda.

While many associate Rwanda with a civil war and genocide that plagued the country in the 90’s, I see a different side. For example, it might surprise you that in 2008, Rwanda became the first country in the world to have a majority of women in Parliament. Today, Rwanda’s parliament is 64 percent female and women are encouraged to complete college educations and participate in the economy. They do not tolerate any corruption or bribery in business transactions. Rwandans are optimistic about their current leadership and the direction of their country. And the people themselves are wonderful - a very shy, polite society where I’ve felt safe at all times when I’ve visited.  The streets are clean of litter and there is no smoking allowed in any public setting. And most importantly there is now a culture of unity, without an emphasis on classes or ethnicity, and a focus on all being Rwandan.

Additionally, there is a huge focus on education in Rwanda and the country is working very hard on developing its infrastructure. They want to become the IT hub of Africa and are inviting companies to open offices in Kagili to manufacture and/or sell their products into the African continent from one central point.

This is what I see, a beautiful country that has recovered significantly over the past 20 years, and is full of opportunity for its people. 

Finding a Way to Support Rwandans

About ten years ago, I decided to take action, to leverage my skills and experience, to serve a personal passion of mine – increasing opportunities for women in developing countries, like Rwanda. 

As a female IT executive, I have always been passionate about increasing the number of women in our field and encouraging women to consider a career in science, technology, engineering, and math (STEM) that offers so many benefits. I feel even more strongly about this in developing regions around the world where women lack the same opportunities that are offered in more developed regions.

Symantec has been a supporter of the TechWomen Program, a US Government funded program, since its inception in 2011. This initiative brings female IT professionals from the Middle East and Africa to Silicon Valley for a month of mentoring. Because Symantec encourages its female employees to apply to this program there have been about a dozen women in Symantec volunteering their time as either a Professional or Cultural Mentor since its inception in 2011.

I have participated since 2012, mentoring two women from the Middle East and Africa, while Symantec overall has hosted many of these mentees since 2011. One of the mentees at Symantec in 2013 was an IT professional from Rwanda, who we were able to reconnect with during our trip there.

Creating a Local STEM Workforce

The Rwandans are very clear that they want to foster a local skilled IT work force and are therefore encouraging high tech companies to hire locals, not bring in their own contingents, to ensure the locals can achieve middle class careers. To support this they are investing in their university system and providing degrees in computer science and all engineering fields. Additionally, they are opening up the channels for new businesses – by clearing the way for corporations to open a new business in less than two days.

Visiting Rwanda was an extension of the TechWomen Program. In addition to hosting and mentoring women from the Middle East and Africa in Silicon Valley, we are also invited to visit two of the 16 participating countries each year to help spread the word about the program and to encourage girls to pursue careers in STEM.

I was joined by two other Symantec employees - Andria Bouskos, Corporate Counsel, Legal and Public Affairs, and Sowmya Simha, Principal Program Manager for Mobile Products, and the three of us were part of a group of 30 female ICT professionals on the trip.   

In seven days we covered a lot of ground meeting with multiple non-profits, educational institutions, government agencies and numerous women pursuing STEM careers in Rwanda.  It was an incredible trip, and made me feel so thankful to work for an organization that has given me, and many others, the opportunity to make an impact for females and the IT sector in Rwanda.

I hope you’ll have a chance to read the following highlights of our goals and activities over these impactful seven days.

1. Encouraging girls to pursue careers in STEM

On our second day, we visited the Akilah Institute and KLab, both programs in Rwanda promoting the development of STEM skills and opportunity for STEM careers for women. The Akilah Institute operates like a trade school for 200 women aged about 18-30, many of whom have not had the chance to complete their high school degree, and helps them develop skills like general computer use and hospitality which will allow them to enter the work force and become self-sufficient.

“A majority of these women come from extremely underprivileged backgrounds, many of them never finished school, and several of them were impacted by the genocide one way or another,” said Sowmya Simha, Principal Program Manager, Enterprise Mobility Engineering. “They were there with the hope of picking up skills that would help them better their living, as well as of their family, and even their communities. Many of them that we met spoke of taking their learning back to their community and helping improve their conditions. We met with one of their first year classes, and answered many questions about Silicon Valley, life as tech women in the US, work/life balance, and marriage.”

K Labs is a government funded IT innovation hub where community members can come together to work in teams on IT problems facing a broad range of industries from agriculture to education to medical. The government reaches out to KLab when they need solutions to particularly pressing challenges in the nation, and encourage the KLab participants to come up with innovative solutions. This introduced us to women who qualify for the TechWomen program and it is possible one of these women could end up at Symantec later this year.

We also visited Carnegie Mellon University Rwanda. This is a new campus offering classroom settings for students pursuing a Masters in Computer Science or Engineering. We held round table discussions with the students where they talked about how hard the studies were but also about how much they want to succeed to help develop Rwanda’s tech industry.

“This trip really demonstrated to me the resilience of this country and its people,” said Andria Bouskos, Corporate Counsel, Legal and Public Affairs. “Everyone we met with was extremely passionate about advancing their skills in STEM and understanding how best, collectively, to contribute to building the IT industry in Rwanda.”

2. Increasing awareness for women who qualify to apply to the TechWomen Program so they may be mentored for a month in Silicon Valley at a high tech company

TechWomen is an initiative of the United States Department of State’s Bureau of Educational and Cultural Affairs. It brings young female “emerging leaders” from the Middle East and Africa to the United States for a six-week mentorship program. The program is designed to empower, connect and support the next generation of women leaders in STEM. Last year, six women from Rwanda participated in the program.

The trip to Rwanda was a return visit to help spread the word about TechWomen, and bring awareness of STEM areas to young women and girls in that country. On our second day, we participated in an event called Speed Geek with Silicon Valley TechWomen. Local women working on solutions to problems in the community had the opportunity to pitch their ideas to us and we were asked to provide feedback and insight. Some of the ideas included:  an SMS message that would warn farmers in remote areas of big storms coming so they could harvest or protect their crops, and a voice message in their local language that would be generated after they pick up a prescription that provides needed information.

3. Meeting with local government agencies and the US Embassy to share the importance of the program and the need for their continued support

On our third day, I spoke on a panel at the first ever Science & Technology Fair hosted at the US Embassy in Kigali to an audience of 130 middle school girls, teachers and Embassy staff. At the fair, Rwandan secondary students have the chance to attend panels, workshops and networking sessions with female IT executives from top Silicon Valley companies such as Twitter, Juniper Networks, Ericsson, and of course, Symantec.

Our panel was about what inspired us to pursue careers in STEM, who our role models were and how we overcame career challenges. There were also a half dozen tables all with different activities for the girls to participate in. I brought a suitcase full of computer components, motherboards, memory sticks, CPU’s, etc. and explained the jobs of each component and how they worked together.

Eileen Brewer is Manager, Program Management Team, for Symantec’s product engineering group.

The Symantec Executive Briefing Center becomes the CyberV Enterprise Assessment Service Centre of Excellence (CoE)

Symantec has joined the OpenStack Foundation as a corporate-level sponsor. In doing so, Symantec joins a vibrant consortium of OpenStack users, developers and other leading IT vendors including Cisco, HP, IBM, Rackspace and Red Hat, as well as many innovative emerging companies like Cloudscaling, Mirantis and Nebula that are helping shape the future of cloud computing.

It seems like every week another major company experiences a data breach. 2013 was a rough year for organizations struggling to secure their data and the list of breached organizations reads like a “who’s who” of the business world: Target, Neiman Marcus, Adobe, The New York Times, Twitter, Facebook, LinkedIn, Snapchat, LivingSocial, Evernote and even the NSA suffered major data breaches.

The cost of data breaches is astounding. A recent study by the Ponemon Institute estimates that data breaches cost US organizations an average of $5.4 million (this figure excludes uncommon “catastrophic” data breaches involving over 100,000 compromised records). Exacerbating the problem is the fact that if the Federal Trade Commission (FTC) gets involved, those costs are likely to climb. Unfortunately, many organizations are finding out the hard way that the FTC takes data breaches seriously, whether the breach involves ten thousand or tens of millions records.

Symantec is aware of reports of a zero-day vulnerability (CVE-2014-1776) that affects all versions of Internet Explorer.

Microsoft released a security advisory (2963983) about a vulnerability in Internet Explorer that is being leveraged in limited targeted attacks. There is currently no patch available for this vulnerability and Microsoft has not at the time of writing provided a release date for one.

Our testing confirmed that the vulnerability crashes Internet Explorer on Windows XP. This will be the first zero day vulnerability that will not be patched for Windows XP users, as Microsoft ended support for the operating system on April 8th, 2014. However, Microsoft states that versions of the Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this vulnerability in Internet Explorer and is available for Windows XP users. Besides using EMET, Symantec Security Response encourages users to temporarily switch to a different Web browser until a patch is made available by the vendor.

Symantec protects customers against this attack with the following detections:

Antivirus

• Bloodhound.Exploit.552

Intrusion Prevention Signatures

• Web Attack: MSIE Use After Free CVE-2014-1776

We will update this blog with additional information as soon as it will be available.

Symantec recently published an updated version of Norton Spot in Google Play (US-English only), and with it, turned the traditional Android mobile security model on its head with a new take on how we use our Mobile Insight technology.

シマンテックは、すべてのバージョンの Internet Explorer に影響するゼロデイ脆弱性（CVE-2014-1776）が報告されていることを確認しています。

Microsoft 社は、限定的な標的型攻撃に悪用されている Internet Explorer の脆弱性についてセキュリティアドバイザリ（2963983）を公開しました。この脆弱性に対するパッチはまだ提供されていません。また、このブログの執筆時点で、パッチのリリース予定日も公表されていません。

シマンテックでテストしたところ、この脆弱性によって Windows XP 上の Internet Explorer がクラッシュすることを確認しています。Microsoft 社は 2014 年 4 月 8 日（日本時間の 2014 年 4 月 9 日）をもって Windows XP のサポートを終了しているため、これは Windows XP ユーザーにパッチが提供されない初のゼロデイ脆弱性となります。ただし、Microsoft 社は、Enhanced Mitigation Experience Toolkit（EMET）4.1 以降のバージョンによって、Internet Explorer に影響するこの脆弱性が緩和され、EMET を Windows XP 上でも使用できることを公表しています。シマンテックセキュリティレスポンスは、EMET を使うことに加えて、Microsoft 社からパッチが提供されるまでは、一時的に別の Web ブラウザを使用することを推奨します。

シマンテック製品をお使いのお客様は、以下の検出定義によってこの攻撃から保護されています。

• Bloodhound.Exploit.552
• Web Attack: MSIE Use After Free CVE-2014-1776

詳しいことがわかり次第このブログでお伝えします。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

In this blog, we look at the top issues for April, how we're improving Symantec.cloud support, and introduce a few key people!

From time to time it might be necessary to grant a user (eg the Vault Service Account) permission to every mailbox archive in an environment. You may need to search for a particular word or phrase across the entire organisation. Let's see how to do that.

The Best Way

Of course the best way is to use Discovery Accelerator. This is optimised for handling complex searches, and for ensuring the Enterprise Vault environment isn't overwhelmed by the search request over 5000+ archives.

The 'Poor Mans' Way

For some environments and for some searches Discovery Accelerator might not be an option. In those situations there are a couple of steps:

Give Access to All

To be able to search all archives an account needs to be given the ability to search archive. Not even the Vault Service Account has this ability out of the box. So an EVPM script is needed in order to touch all archives, and give the permissions necessary.

Initially an archive might show the following:

We'll have to build an EVPM INI file. EVPM is quite well described in the Utilities Guide and after a few minutes you should be able to get a script file together, which will look a little bit like this:

And then EVPM needs to be run with that file:

Since EVPM doesn't have to login to each mailbox associated with each archive, running the script is pretty quick. 10+ archives should be touched per second, easily.

Afterwards our sample archive looks like this:

Do the Search

After this Browser Search can be used, and the option to 'Search All' can be selected:

Have you ever tried this mechanism? How has it worked for you?

Emerging Threat: Apache Struts Zero-Day (CVE-2014-0050, 0094) DoS and Remote Code Execution Vulnerability

EXECUTIVE SUMMARY:

On April 24, 2014, the Apache Software Foundation (ASF) (http://www.apache.org) released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts up to version 2.3.16.1, did not fully patch the vulnerability, which may result in Remote Code Execution via ClassLoader manipulation (CVE-2014-0094), or DoS attacks (CVE-2014-0050).

[Apache] Struts is an extensible framework used for creating enterprise Java Web applications.

According to Apache, in Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved [on March 2]. Unfortunately, the correction (Apache Struts Security Bulletin S2-020) was not sufficient. A security fix release fully addressing this issue is in preparation and will be released as soon as possible [likely within 72 hours as per the Apache Struts team].

Once the release is available, all [Apache] Struts 2 users are strongly recommended to update their installations.

Emerging Threat: Microsoft Internet Explorer Zero-Day (CVE-2014-1776) Remote Code Execution Vulnerability

EXECUTIVE SUMMARY:

On April 26th 2014, Microsoft released a security advisory (2963983) for a zero-day vulnerability in Internet Explorer (CVE-2014-1776). Exploitation of the vulnerability is reportedly being used in limited, targeted attacks. The vulnerability exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. There is currently no patch available for this vulnerability and Microsoft did not provide a release date for a patch.

Windows users running vulnerable versions of Internet Explorer are at risk, when visiting compromised websites containing malicious code to exploit this vulnerability.

This blog links to a webcast video that includes Gartner and Symantec sharing their perspectives of Business Continuity.

Adobe has published a Security Bulletin for the Adobe Flash Player CVE-2014-0515 Buffer Overflow Vulnerability (CVE-2014-0515). The new Security Bulletin, APSB14-13, identifies a buffer overflow vulnerability that affects various versions of Adobe Flash Player across multiple platforms. Exploitation of this critical vulnerability could allow an attacker to remotely execute arbitrary code. Adobe has acknowledged that exploitation of the vulnerability has been reported in the wild. Further details indicate it has been used in targeted attacks.

Per the bulletin, the following versions of Adobe Flash Player are vulnerable:

• Adobe Flash Player 13.0.0.182 and earlier versions for Windows
• Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
• Adobe Flash Player 11.2.202.350 and earlier versions for Linux

Symantec Security Response is continuing to monitor the situation for additional information related to this vulnerability and will provide further guidance once it is available. We recommend applying the vendor supplied patches to mitigate possible exploitation. Updates can be obtained directly from the Adobe Flash Player Download Center or by accepting the update prompt through the installed product. Versions of Flash Player embedded in Chrome and Internet Explorer can be updated to non-vulnerable versions by updating the respective browsers.

Information Availability Sessions at Symantec Vision

Por Paola Zeni, Diretora de Privacidade Global, Ética e Governança na Symantec

Symantec foi reconhecida pelo Ethisphere Institute como uma das Empresas Mais Éticas do Mundo em 2014. O Instituto Ethisphere é um centro de pesquisa independente que promove as melhores práticas na ética empresarial e governança. Esta é a sétima vez que a Symantec é homenageada com o prêmio, que reconhece as organizações que continuam a elevar os padrões de liderança ética e comportamento corporativo.

A Symantec é uma das 10 empresas de tecnologia  nomeadas este ano no mundo.

Este prêmio pertence a todos os funcionários da Symantec que realizam seu trabalho diário dentro dos mais altos padrões éticos.

"As empresas mais éticas do mundo acreditam que seus clientes, funcionários, investidores e reguladores agregam um alto valor na confiança, sendo a ética e boa governança, pontos-chave para ganhar esse reconhecimento" disse o CEO da Ethisphere, Timothy Erblich . "A Symantec é parte de um grupo exclusivo, comprometido em promover um bom desempenho por meio de práticas de liderança nos negócios. Parabenizamos todos da Symantec por essa conquista extraordinária".

A avaliação das " Empresas Mais Éticas do Mundo", baseia-se no quadro do coeficiente de Ética do Instituto Ethisphere, que foi desenvolvido por líderes no campo para avaliar de forma objetiva, consistente e padronizada o desempenho das organizações . Para concorrer a este título, a Symantec forneceu informações sobre seu programa de conformidade ética, reputação, liderança e inovação, cidadania corporativa e responsabilidade, juntamente com a cultura ética.

A lista completa das Empresas Mais Éticas do Mundo de 2014 pode ser encontrada em http://ethisphere.com/worlds-most-ethical/wme-honorees/ 

Dear Friends,

Please find the attached sheet with the reasons for respective fields as to why they are left blank while exporting the endpoint incidents.

Thanks...