 |
|
VeriSign Security Review
|
October 2006
In October, Symantec Corp. and VeriSign, Inc. announced plans to deliver
security solutions to combat the growing threat of consumer identity
theft and fraud on the Internet. Symantec plans to offer support for
the VeriSign Identity Protection (VIP) Authentication Service, which
allows consumers to utilize one-time passwords to protect their online
identity. The VIP Authentication Service is enhanced by the VIP Shared
Authentication Network which enables consumers to use one credential
across multiple member websites. In addition, the two companies
intend to jointly market combined identity and security solutions to
financial institutions, online retailers, and end users. Read our press
release.
In this issue:
Hot Topics
Monthly Threat
Summary
- Microsoft Corp.
released 10 bulletins on Tuesday, Oct. 10, covering 26 vulnerabilities,
at least one of which impacts the Windows operating system and is rated
as "Critical.”
News from VeriSign
- VeriSign and JoWooD
Set New Standards in Mobile Gaming.
- iVeriSign PrePayIN
Enables Better Customer Experience for Next-Generation Wireless Services.
Security Events
- November 1 - 2 Secure
World Expo, San Francisco, CA
- November 7 - 9 ISPCon,
Santa Clara, CA
- November 12 – 14
ISF World Congress, Washington DC
- November 13 – 14
BITS, Orlando, FL
- November 29 – December
1 Gartner Identity, Las Vegas, NV
VeriSign
Introduces the First Fully Managed Service to Collect, Analyze, Store,
and Alert on Logs
A log management strategy helps your organization
improve compliance with information security regulations through more
focused collection and retention of data, and increased ability to respond
to cross-platform and application threats. It can also guide your decisions
about technology, processes, and services. If you have not already
done so, your company should build a log management strategy that specifies
what to collect, from which systems, and sets parameters for real-time
alerts, periodic reviews, auditing, and future analysis.
One of the most difficult aspects of log management
is the monitoring of applications. As a result, organizations often
prioritize on just a few platforms and events, and hope to catch an
intrusion at the network layer. This approach can leave significant
gaps in network security.
But now, monitoring applications has just become
easier. VeriSign recently introduced the industry’s first fully managed
service to help you master the complexity involved with monitoring log
data. VeriSign
Log Management Service extends our leading VeriSign
Managed Security Services to the application level, helping
you monitor and retain logs from applications, databases, and other
critical infrastructure. The service makes it easier for you to collect
and retain the log data you need in order to comply with information
security regulations. It also enables you to leverage that data for
real-time security alerting.
VeriSign Log Management Service combines the
experience of our Global Security Consulting team with VeriSign’s TeraGuard
architecture and third party technology to help you collect, review,
and store logs for better security and compliance. The team helps
you identify critical systems and the logs that need to be collected
from those systems. The technology then delivers the real-time correlation
and analysis capabilities that enable you to track and assess user and
system activity in order to more rapidly prevent, detect, and respond
to security breaches and comply more broadly with regulations.
VeriSign Log Management Service is flexible,
enabling you for the first time to monitor custom applications and other
sources that do not have defined types of suspicious events. As
a managed service, it eliminates the time, cost, and complexity associated
with purchasing, configuring, deploying, and maintaining an in-house
data collection solution. It also alleviates the burden of staffing
experts 24x7 to monitor security events generated by the solution.
Back
to Top
Take
Charge of Compliance with VeriSign Solutions and Services
Chances are you have to contend not only with
internal, federal, and industry-specific regulations and policies, but
also with the security practices and requirements of your networked
partners, suppliers, and customers. To complicate matters, each entity
has its own standards for compliance and auditing, so you may have to
implement and manage multiple compliance and reporting mechanisms. Compliance
has become a significant source of expense and disruption, but non-compliance,
with its financial penalties and even jail sentences, simply isn’t an
option.
In a recent white
paper, VeriSign experts recommended the following measures
in order to achieve and verify compliance:
- Implement carefully devised technology and process controls
(such as personnel controls, physical and logical access controls, and
legal and contractual controls). These controls should be efficient,
clear-cut, and easily duplicated, and they must be immediately transferred
when a new user, technology, or information is added. Ideally, they
should be automated whenever possible.
- Demonstrate compliance by documenting and organizing compliance efforts.
This includes implementing consistent, repeatable systems for quantifying,
tracking, analyzing, demonstrating, and reporting on compliance.
- Enable auditors and assessors to validate documentation (audit servicing).
This includes maintaining an audit data repository and enabling validation.
You must be able to collect and compile assessment data and then validate
it.
Unfortunately,
compliance consumes business resources that ought to be focused instead
on helping your company succeed. Free up those resources: let VeriSign
products and services help you with regulatory compliance, business
partner requirements, and industry standards and practices. Our compliance solutions
help you minimize risk, focus on your core business goals, and confidently
pursue new business opportunities. We also offer a variety of services
that help you maintain compliance—and that may even uncover business
opportunities and process improvements that could help your bottom line.
Back
to Top
Intelligent
Infrastructure Enables and Protects Your Business
VeriSign enables and protects digital interactions—billions
of them a day. In a business world that is increasingly defined by heterogeneous
environments and digital interactions, VeriSign protects everyday transactions,
such as Web surfing, multimedia messaging, RFID-based product tracking,
and much more. VeriSign intelligent infrastructure comprises global
registries, extensive, reliable networks, and continuously operated
data centers. These work in concert to protect the networks, applications,
and transactions that are at the center of the digital economy, helping
enterprises minimize risks and maximize business opportunities.
What this means for you is that the VeriSign
intelligent infrastructure can help you resolve many issues
you may have with interoperability, scalability, and security. With
VeriSign taking care of these complexities and challenges, you can focus
on rapidly deploying new revenue-generating services for customers.
Enterprises around the world trust VeriSign
to secure their digital assets. Every day we provide security for more
than 3,000 enterprises in 60+ countries. We provide SSL to 93% of the
Fortune 500 and we secure more than 450,000 Web sites. VeriSign also
provides the DNS services that keep Web sites and email communications
up and running—enabling a reliable and consistent global online experience.
VeriSign operates the authoritative DNS service for the .com and .net
top-level domains, representing over 90 percent of the world's Web,
email, and FTP traffic.
Thanks to our intelligent infrastructure, we
are among the first to know whenever a new threat emerges. The VeriSign®
Global Network Operations Center and VeriSign® Security Operations Centers
monitor thousands of enterprises around the globe, tracking 1.5 billion
security events per day. This extensive visibility into the world's
networks allows us to offer proactive protection against attacks and
helps us provide targeted tools for conducting vulnerability assessments
and threat management.
Find out more about the VeriSign Intelligent
Infrastructure by reading an overview.
Or, focus on the security aspect by reading our white paper on Intelligent
Infrastructure for Security. If you are interested in the
bigger picture of how intelligent infrastructures have always affected
economic growth, check out our point-of-view white paper: POV:
Intelligent Infrastructure for the 21st Century.
Back
to Top
Monthly Threat Summary
Recent Events
Microsoft's latest
security update is one of the largest (perhaps the largest) it has ever
published, encompassing a total of 26 vulnerabilities. Even more troubling
is the large numbers of vulnerabilities announced in popular Microsoft
Office programs such as Excel, Word, and PowerPoint. Although the most
serious vulnerabilities exist in the older “2000”versions of these programs,
those versions are still in widespread use. Six of the vulnerabilities
in the update affect Windows XP, even in fully patched versions.
Security experts believe that the vulnerabilities
of most concern are MS06-057 (in ActiveX), MS06-058 (in PowerPoint)
and MSO6-061 [in XSLT (MSXML)]. All allow remote attackers to install
malicious code (Trojans, worms, etc.) on a user’s computer.
At the time of this report, at least one of
these vulnerabilities is reportedly being used in targeted attacks “in
the wild.” The VeriSign Threat Level currently stands at 1 (LOW) due
to the unexpected lack of exploitation of the issues covered in this
Microsoft release. However, due to the severity of the vulnerabilities
and the wide user base affected by them, exploiting these issues should
prove quite popular among malicious actors. VeriSign urges all customers
to view the security
update.
In another report, the US Department of Commerce
announced that it has been the target of ongoing attacks routed through
servers located in China. According to news reports, the Bureau of Industry
and Security (BIS) is being specifically targeted, and the attacks have
reportedly forced the organization (which is in charge of controlling
the export of items, including those that have potential military purposes)
to “replace hundreds of workstations and block employees from regular
use of the Internet for more than a month.” A BIS spokesperson
claims that there is no evidence of any data compromise. Details are
vague, but The Washington Post quoted a source as saying that the attackers
installed a rootkit on BIS’s system, which enabled them to obtain “privileged
access.”
Back
to Top
News
from VeriSign
VeriSign and JoWooD Set New Standards in Mobile Gaming.
VeriSign today announced its partnership with JoWooD Productions Software
AG to deliver popular computer, online, and video games to mobile
devices. VeriSign transforms these best-selling and classic games into
Java applications for a wide range of mobile devices. Read
the release.
VeriSign PrePayIN™ Enables Better Customer Experience for Next-Generation
Wireless Services.
VeriSign announced the release of VeriSign PrePayIN, which converges
VeriSign’s wireless and content assets with real-time rating for voice,
data, and IMS-based services. PrePayIN allows wireless carriers around
the world to more quickly launch new services and generate new revenues
while managing the cost and complexity of supporting the entire customer
lifecycle. Read
the release.
Back
to Top
Web Seminar
Web Seminar: Expert Advice on Effective Security Risk Management
Chris Babel, VP and General Manager of VeriSign
Managed Security Services, joins John Pescatore, Gartner VP and Distinguished
Analyst specializing in Infrastructure Protection Management, to discuss
information security risk management, with an emphasis on:
- Understanding what’s
critical for the success of the business and its customers
- Defining what threatens
that success
- Selecting and deploying
mitigations and controls to shield the business from the impact of those
threats
- Monitoring effectiveness
of controls
- Identifying and
responding to residual risks and changing risks and requirements.
Click
here to register to view this on-demand web seminar.
Back
to Top
Video Presentation
VeriSign Log Management Service Presentation
This brief and engaging animated presentation
is the fastest and easiest way to come up to speed on VeriSign’s Log
Management Service, the first fully managed service to collect, analyze,
store, and alert on logs to meet security and compliance requirements.
In just a few minutes, you’ll understand the basics of this offering,
including:
- Why log management
matters
- How it works
- How it can help
your business protect itself from security issues as they arise.
Click
here to view this presentation.
Back
to Top
Security Events
November
1 - 2 Secure World Expo, San Francisco, CA
SecureWorld Expo aims to foster communication between security professionals
and technology leaders, to discuss best practices, and to form a public/private
partnership with government. Themes include IT security, convergence
of physical and digital security, and security management within the
corporation.
November
7 - 9 ISPCon, Santa Clara, CA
At this reseller-focused conference, Jay Schiavo, Sr. Product Manager
for Channels, GeoTrust, Inc., a VeriSign Company will present: Driving
Profits with Development, E-commerce and Applications, on Wednesday,
November 8, from 4:15 PM - 5:15 PM.
November
12 – 14 ISF World Congress, Washington DC
Continually rated “the best information security conference in the world”
by its delegates, the ISF's Annual World Congress offers ISF Members
an opportunity to come together for three days in an exclusive and confidential
environment to discuss and debate the key issues facing information
security professionals—and get practical advice they can take back and
use.
November
13 – 14 BITS, Orlando, FL
This year’s BITS/American Banker Financial Services Outsourcing Conference
will focus on the critical issues financial services organizations face
every day, including risk management, global outsourcing, change management,
and corporate boundaries.
November
29 – December 1 Gartner Identity & Access Management Summit, Las
Vegas, NV
The inaugural Gartner Identity & Access Management Summit is designed
to help organizations address the growing exposure that IAM inefficiencies
and lapses create. It will focus on the business impact of IAM, the
practical applications of IAM organizations are using today, and the
future direction of IAM technologies.
Back
to Top
|
|
Worldwide Sites
