VeriSign Security Review - October 2006
In October, Symantec Corp. and VeriSign, Inc. announced plans to deliver security solutions to combat the growing threat of consumer identity theft and fraud on the Internet. Symantec plans to offer support for the VeriSign Identity Protection (VIP) Authentication Service, which allows consumers to utilize one-time passwords to protect their online identity. The VIP Authentication Service is enhanced by the VIP Shared Authentication Network which enables consumers to use one credential across multiple member websites. In addition, the two companies intend to jointly market combined identity and security solutions to financial institutions, online retailers, and end users. Read more here.
In this issue:
- Microsoft Corp. released 10 bulletins on Tuesday, Oct. 10, covering 26 vulnerabilities, at least one of which impacts the Windows operating system and is rated as "Critical.”
- November 1 - 2 Secure World Expo, San Francisco, CA
- November 7 - 9 ISPCon, Santa Clara, CA
- November 12 – 14 ISF World Congress, Washington DC
- November 13 – 14 BITS, Orlando, FL
- November 29 – December 1 Gartner Identity, Las Vegas, NV
VeriSign Introduces the First Fully Managed Service to Collect, Analyze, Store, and Alert on Logs
A log management strategy helps your organization improve compliance with information security regulations through more focused collection and retention of data, and increased ability to respond to cross-platform and application threats. It can also guide your decisions about technology, processes, and services. If you have not already done so, your company should build a log management strategy that specifies what to collect, from which systems, and sets parameters for real-time alerts, periodic reviews, auditing, and future analysis.
One of the most difficult aspects of log management is the monitoring of applications. As a result, organizations often prioritize on just a few platforms and events, and hope to catch an intrusion at the network layer. This approach can leave significant gaps in network security.
But now, monitoring applications has just become easier. VeriSign recently introduced the industry's first fully managed service to help you master the complexity involved with monitoring log data. VeriSign Log Management Service extends our leading VeriSign Managed Security Services to the application level, helping you monitor and retain logs from applications, databases, and other critical infrastructure. The service makes it easier for you to collect and retain the log data you need in order to comply with information security regulations. It also enables you to leverage that data for real-time security alerting.
VeriSign Log Management Service combines the experience of our Global Security Consulting team with VeriSign's TeraGuard architecture and third party technology to help you collect, review, and store logs for better security and compliance. The team helps you identify critical systems and the logs that need to be collected from those systems. The technology then delivers the real-time correlation and analysis capabilities that enable you to track and assess user and system activity in order to more rapidly prevent, detect, and respond to security breaches and comply more broadly with regulations.
VeriSign Log Management Service is flexible, enabling you for the first time to monitor custom applications and other sources that do not have defined types of suspicious events. As a managed service, it eliminates the time, cost, and complexity associated with purchasing, configuring, deploying, and maintaining an in-house data collection solution. It also alleviates the burden of staffing experts 24x7 to monitor security events generated by the solution.
Back to Top
Take Charge of Compliance with VeriSign Solutions and Services
Chances are you have to contend not only with internal, federal, and industry-specific regulations and policies, but also with the security practices and requirements of your networked partners, suppliers, and customers. To complicate matters, each entity has its own standards for compliance and auditing, so you may have to implement and manage multiple compliance and reporting mechanisms. Compliance has become a significant source of expense and disruption, but non-compliance, with its financial penalties and even jail sentences, simply isn't an option.
In a recent white paper , VeriSign experts recommended the following measures in order to achieve and verify compliance:
- Implement carefully devised technology and process controls (such as personnel controls, physical and logical access controls, and legal and contractual controls). These controls should be efficient, clear-cut, and easily duplicated, and they must be immediately transferred when a new user, technology, or information is added. Ideally, they should be automated whenever possible.
- Demonstrate compliance by documenting and organizing compliance efforts . This includes implementing consistent, repeatable systems for quantifying, tracking, analyzing, demonstrating, and reporting on compliance.
- Enable auditors and assessors to validate documentation (audit servicing). This includes maintaining an audit data repository and enabling validation. You must be able to collect and compile assessment data and then validate it.
Unfortunately, compliance consumes business resources that ought to be focused instead on helping your company succeed. Free up those resources: let VeriSign products and services help you with regulatory compliance, business partner requirements, and industry standards and practices. VeirSign's compliance solutions help you minimize risk, focus on your core business goals, and confidently pursue new business opportunities. They also offer a variety of services that help you maintain compliance—and that may even uncover business opportunities and process improvements that could help your bottom line.
Back to Top
Intelligent Infrastructure Enables and Protects Your Business
VeriSign enables and protects digital interactions—billions of them a day. In a business world that is increasingly defined by heterogeneous environments and digital interactions, VeriSign protects everyday transactions, such as Web surfing, multimedia messaging, RFID-based product tracking, and much more. VeriSign intelligent infrastructure comprises global registries, extensive, reliable networks, and continuously operated data centers. These work in concert to protect the networks, applications, and transactions that are at the center of the digital economy, helping enterprises minimize risks and maximize business opportunities.
What this means for you is that the VeriSign intelligent infrastructure can help you resolve many issues you may have with interoperability, scalability, and security. With VeriSign taking care of these complexities and challenges, you can focus on rapidly deploying new revenue-generating services for customers.
Enterprises around the world trust VeriSign to secure their digital assets. Every day we provide security for more than 3,000 enterprises in 60+ countries. We provide SSL to 93% of the Fortune 500 and we secure more than 450,000 Web sites. VeriSign also provides the DNS services that keep Web sites and email communications up and running—enabling a reliable and consistent global online experience. VeriSign operates the authoritative DNS service for the .com and .net top-level domains, representing over 90 percent of the world's Web, email, and FTP traffic.
Thanks to our intelligent infrastructure, we are among the first to know whenever a new threat emerges. The VeriSign® Global Network Operations Center and VeriSign® Security Operations Centers monitor thousands of enterprises around the globe, tracking 1.5 billion security events per day. This extensive visibility into the world's networks allows us to offer proactive protection against attacks and helps us provide targeted tools for conducting vulnerability assessments and threat management.
Find out more about the VeriSign Intelligent Infrastructure by reading an overview . Or, focus on the security aspect by reading our white paper on Intelligent Infrastructure for Security . If you are interested in the bigger picture of how intelligent infrastructures have always affected economic growth, check out our point-of-view white paper: POV: Intelligent Infrastructure for the 21st Century .
Back to Top
Monthly Threat Summary
Microsoft's latest security update is one of the largest (perhaps the largest) it has ever published, encompassing a total of 26 vulnerabilities. Even more troubling is the large numbers of vulnerabilities announced in popular Microsoft Office programs such as Excel, Word, and PowerPoint. Although the most serious vulnerabilities exist in the older “2000”versions of these programs, those versions are still in widespread use. Six of the vulnerabilities in the update affect Windows XP, even in fully patched versions.
Security experts believe that the vulnerabilities of most concern are MS06-057 (in ActiveX), MS06-058 (in PowerPoint) and MSO6-061 [in XSLT (MSXML)]. All allow remote attackers to install malicious code (Trojans, worms, etc.) on a user's computer.
At the time of this report, at least one of these vulnerabilities is reportedly being used in targeted attacks “in the wild.” The VeriSign Threat Level currently stands at 1 (LOW) due to the unexpected lack of exploitation of the issues covered in this Microsoft release. However, due to the severity of the vulnerabilities and the wide user base affected by them, exploiting these issues should prove quite popular among malicious actors. VeriSign urges all customers to view the security update .
In another report, the US Department of Commerce announced that it has been the target of ongoing attacks routed through servers located in China. According to news reports, the Bureau of Industry and Security (BIS) is being specifically targeted, and the attacks have reportedly forced the organization (which is in charge of controlling the export of items, including those that have potential military purposes) to “replace hundreds of workstations and block employees from regular use of the Internet for more than a month.” A BIS spokesperson claims that there is no evidence of any data compromise. Details are vague, but The Washington Post quoted a source as saying that the attackers installed a rootkit on BIS's system, which enabled them to obtain “privileged access.”
Back to Top
Web Seminar: Expert Advice on Effective Security Risk Management
Chris Babel, VP and General Manager of VeriSign Managed Security Services, joins John Pescatore, Gartner VP and Distinguished Analyst specializing in Infrastructure Protection Management, to discuss information security risk management, with an emphasis on:
- Understanding what's critical for the success of the business and its customers
- Defining what threatens that success
- Selecting and deploying mitigations and controls to shield the business from the impact of those threats
- Monitoring effectiveness of controls
- Identifying and responding to residual risks and changing risks and requirements.
Click here to register to view this on-demand web seminar.
Back to Top
VeriSign Log Management Service Presentation
This brief and engaging animated presentation is the fastest and easiest way to come up to speed on VeriSign's Log Management Service, the first fully managed service to collect, analyze, store, and alert on logs to meet security and compliance requirements. In just a few minutes, you'll understand the basics of this offering, including:
- Why log management matters
- How it works
- How it can help your business protect itself from security issues as they arise.
Click here to view this presentation.
Back to Top
November 1 - 2 Secure World Expo, San Francisco, CA
SecureWorld Expo aims to foster communication between security professionals and technology leaders, to discuss best practices, and to form a public/private partnership with government. Themes include IT security, convergence of physical and digital security, and security management within the corporation.
November 7 - 9 ISPCon, Santa Clara, CA
At this reseller-focused conference, Jay Schiavo, Sr. Product Manager for Channels, GeoTrust, Inc., a VeriSign Company will present: Driving Profits with Development, E-commerce and Applications, on Wednesday, November 8, from 4:15 PM - 5:15 PM.
November 12 – 14 ISF World Congress, Washington DC
Continually rated “the best information security conference in the world” by its delegates, the ISF's Annual World Congress offers ISF Members an opportunity to come together for three days in an exclusive and confidential environment to discuss and debate the key issues facing information security professionals—and get practical advice they can take back and use.
November 13 – 14 BITS, Orlando, FL
This year's BITS/American Banker Financial Services Outsourcing Conference will focus on the critical issues financial services organizations face every day, including risk management, global outsourcing, change management, and corporate boundaries.
November 29 – December 1 Gartner Identity & Access Management Summit, Las Vegas, NV
The inaugural Gartner Identity & Access Management Summit is designed to help organizations address the growing exposure that IAM inefficiencies and lapses create. It will focus on the business impact of IAM, the practical applications of IAM organizations are using today, and the future direction of IAM technologies.
Back to Top