The Split-Personality Year of 2011 will Lead Organizations to Make Sure they are Protected in 2012: The Year of Ubiquitous Encryption

People have long named years according to their personalities—in Chinese astrology, 2011 was the Year of the Tiger, for example, and in American culture, 2003 was the Year of the Blues. In the IT security sphere, pinning down 2011 to just one personality would deny another, equally strong personality: The year had a split personality. It was the Year of the Third-party Trust Compromise, and the Year of the Bring Your Own Device (BYOD) Mobile Revolution.

These two personalities have more in common than you might think. For example, both engendered 2012’s emerging personality, the Year of Ubiquitous Encryption, which is already taking shape. And both relate to a common security problem: attacks from within an organization’s systems. They also share the solution to this problem: improved processes and management.


 

When news of a persistent and deeply penetrating attack against government agencies makes headlines, speculation often prompts widespread panic. A case in point is the public response to the recently revealed activities of the Operation Shady Remote Access Trojan (RAT). Primed by the summer’s latest conspiracy thriller, alarmed audiences consider governments and their allies to be the main target. As they ponder the implications of compromised, top-secret diplomatic correspondence and military secrets, they concede: well, better them than me. But the Shady RAT hackers seemed equally interested in stealing intellectual property and customer data from businesses, which means the problem extends into the private sector too.

Firewalls, antivirus software and intrusion detection tools may work to keep out stealthy attackers, but what is to be done about rogue insiders? The reality is that the bad guys are already in—working from the inside of your organisation. Dmitri Alperovitch—McAfee Vice President, Threat Research and author of the report on Operation Shady RAT—divides all Global 2000 companies into two camps: Those who have been compromised and know it, and those who simply don’t know it yet.


 

The amount of data that enterprises must secure with encryption is growing rapidly, and with it, the number of digital certificates and keys that encrypt the data. This digital-certificate explosion, while necessary, can create management nightmares: Companies must track each and every certificate, and in keeping with best practices, renew each of them as they are set to expire (typically annually). The ability to do this hinges on a critical asset: a comprehensive inventory.


 
Plans Must be in Place to Recover Anytime the Trust Provider is Compromised

When a company prides itself on providing the most advanced and sophisticated network security solutions—and that company’s own network is hacked—brand insult is added to data injury. Not only must the company compensate customers for their losses, but the breach of information incurs an unquantified cost to its reputation. No one wants to call on the services of the firehouse that burned down, and customers will invariably ask how a company’s security solutions can protect them if they couldn’t protect the company itself.


 

Former Defense Secretary Donald Rumsfeld famously said the following at a Pentagon news conference in 2002: “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”


 
Defending Against Attacks Requires Good Technology, But Companies Must Also Have Effective Management Systems and Best Practices in Place.

There’s an old expression that the most dangerous part of a car is “the nut holding the steering wheel.” It means that despite all the technology that goes into making cars safer, there’s still risk associated with human error by the driver. The same holds true for an enterprise network. Despite all the technology that offers data loss prevention, encryption, intrusion detection, firewalls and vulnerability scanning, network breaches still occur. That’s because the technology has to be complemented with proper employee training, rigorous adherence to best practices, internal policies and effective IT security management. An enterprise that relies solely on technology to protect its network, without effective management, is still very much at risk.


 

Members of the Amazon Cloud community can build Amazon Machine Images (AMIs) from their own virtual servers and share them to save fellow developers time. But recently, the Center for Advanced Security Research Darmstadt (CASED) discovered that many community members are sharing more than they bargained for.

Like generous souls giving their old jacket to a shivering passerby – only to find that they left their driver’s license, passport, and credit cards in the pocket – these members published their AMIs without removing sensitive data such as SSH keys and the private keys associated with digital certificates.


 

2011 is the year of the “CA compromise”. We have seen 5 compromises/attacks in the last year that have targeted third-party trust providers and/or have compromised the trust they provide to their customers: Stuxnet, Comodo, StartSSL, DigiNotar and now DuQu.

DuQu, the so-called “Son of Stuxnet” malware, is a direct, high-priority wakeup call to IT security. According to current analysis of the virus, the malware again used a rogue SSL certificate to authenticate itself within the environment—to sign driver files—allowing it to act as a trusted application that could communicate with other systems and applications. This is the second reported incident of a digital certificate being deployed in this type of attack, and must be viewed as an ominous sign of things to come.


 

News and analysis started coming out Tuesday about the Duqu Trojan and the threat vectors it represents. The two primary sources of information are McAfee and Symantec. Their posts have some notable differences about an important detail of the attack: how the creator of Duqu was able to get a bona fide certificate that allows Duqu to authenticate itself as trusted code.


 
Data breaches can be costly to a company’s bottom line and reputation. Organizations should be motivated to protect sensitive data with encryption.

Epsilon, a company that conducts e-mail marketing campaigns, isn’t a household name, but its clients are: Best Buy, Kroger, Hilton and Marriott hotels, Target and Walgreens, just to name a few. Epsilon got a black eye, and 50 of its 2,500 clients had to do damage control, when its computers were hacked and e-mail addresses of those clients’ customers were exposed. All the ensuing anxiety and negative publicity could have been avoided if Epsilon had encrypted the e-mail address data. It’s a relatively easy solution to avoid a big problem.

Given the hundreds of data breaches reported annually, organizations should be well motivated to take the necessary steps to protect sensitive, valuable and regulated data with encryption, but a troubling number of companies don’t. When data is encrypted, even if it’s exposed to hackers, they can’t do anything with it because without the proper encryption keys and credentials, accessing the data is nearly impossible.
