Channel: Symantec Connect - Security Community Blog - Blog Entries

Security at the Speed of Need- Symantec Data Center Security @ RSAC

Software-defined security for the software-defined data center

Security at the speed of need.

Imagine that. Let’s come back to that thought in a moment.

The modern data center has come a long way from the “server room” of twenty-plus years ago. Today, data centers might be hiding inside large, football-field-sized industrial areas, protected by fences and secure physical access. With that size and utilization, companies are working to run their data centers as efficiently as possible: power consumption and cooling come to mind, but virtualization is incredibly important. The widespread use of virtualization is taking us into the era of the software-defined data center (or SDDC).

The software-defined data center introduces many new possibilities for businesses, the key one being the ability to power up new workloads supporting their business processes very quickly and easily. Adding new capabilities or capacity is now quite easy, and the expectation has changed from weeks or months to set up and provision new environments to hours or even minutes.

And that brings us back to our original thought. Security at the speed of need.

Security has long been a speed bump in the race to deploy, from the historical server room to the modern SDDC. In today’s SDDC, it’s common practice that an application administrator can request an application from a self-service portal and, in a matter of minutes, multiple virtual machines (VMs) can be provisioned, deployed, and made available for use. However, security provisioning practices can inhibit that speed. Why is that? Well, let’s consider what happens once an application administrator submits their request for an application (see Figure 1):

Figure 1

  1. The security and server teams must assess the application’s requirements, taking into consideration details such as:
    1. Will this workload be public-facing or internal only?
    2. What type of data is involved, e.g. credit card information, healthcare information, etc.?
    3. Are there any compliance issues to factor in?
  2. The server team creates the VMs and delivers them to the security team.
  3. The security team now sets up policies for each security product such as anti-malware, server hardening, compliance, encryption, firewall settings, etc. based upon the requirements from step 1.

At that point, the application is ready to be deployed to productive use, but depending upon the processes in place to get through those steps above, that deployment might take days or weeks. How do we solve this?

Symantec’s recently released Data Center Security 6.5 suite of products includes a new feature: Operations Director (or OD). Operations Director addresses the security provisioning dilemma by enabling customers to automate and orchestrate security provisioning of anti-malware, hardening, firewall, and network intrusion prevention services at the application level across VMware environments. Here’s how it works (Figure 2):

Figure 2

  1. When the application request is submitted, OD will determine the security requirements of the application by asking the application requestor a series of questions about the nature of the data in use and the overall service level requirements for the application.
  2. Based upon the responses to those questions, OD determines the required security policies that will sufficiently protect the application. These policies (and the corresponding questions in step 1) are set up ahead of time by the security team in accordance with the organization's security and compliance best practices. This approach enables the automation of policy-based security settings, so the security team no longer needs to query the application owner for the details required to determine the appropriate level of security.
  3. With the policies determined, once the workload is started, Operations Director will detect the application and apply the appropriate policies on the virtual application by orchestrating the security products required by the workload.
  4. Once the security policies are applied, the security and server teams are notified that the application is ready to be added to the production network.

With Operations Director, the request-to-deployment process that previously required manual processes and time spent in meetings or exchanging e-mails can now be accomplished in a matter of minutes. Truly, security at the speed of need.

With the March 2015 release of Symantec’s Data Center Security 6.5, Operations Director can deliver security orchestration for three types of security policies:

  1. Anti-malware policies delivered by Symantec Data Center Security: Server
  2. Server hardening and host-based intrusion prevention/intrusion detection policies delivered by Data Center Security: Server Advanced
  3. Firewall policies using Palo Alto Networks VM series firewall appliances

Operations Director delivers orchestration through REST API-based connections with security products, and the list of integrated security products and virtualization platforms is growing. Operations Director also has built-in integration with VMware NSX, VMware’s SDDC platform: as more security products are certified NSX-compatible, the breadth of security controls Operations Director can orchestrate will automatically expand.

Does the idea of security at the speed of need sound interesting to you? Let’s talk.

Symantec is a Platinum Sponsor at the RSA Conference, being held April 20 - 24, 2015 at the Moscone Center in San Francisco.

  • Attend the “Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain” session (#2067) on Tues, April 21 @ 2:20pm PST at Moscone West 2009
  • Stop by the Symantec Booth (#3811) at Moscone North Hall at the RSA Conference Expo. Here, our product management team will demo the new features available in Data Center Security 6.5, including Operations Director, hardening of OpenStack Keystone, and security configuration assessments for Cisco IOS networks.
  • Contact your account rep or certified Symantec partner to schedule a demo and learn more.

On April 22nd, we’ll also be presenting a deep dive into the new Data Center Security 6.5 and a sneak preview of the next version. This is available to anyone in the San Francisco area at that time, even if you aren’t attending the RSA Conference.  Register for this session now.


ccSVcHst dmp files need to be stopped


I've tried the steps below on a machine and they worked fine.

But we have around 250-275 machines in our network, and on nearly 100 of them (including servers) these files are getting generated. Is there any solution for stopping it from the centralized manager? Please let me know.

1) Disable Tamper Protection.
2) Open a Command Prompt window.
3) del "C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Install\Logs\*.dmp"
4) Using regedit.exe, set HKEY_LOCAL_MACHINE\SOFTWARE(\Wow6432Node)\Symantec\Symantec Endpoint Protection\CurrentVersion\Common Client\Debug\CrashHandler\DumpOn* to 0.
5) Re-enable Tamper Protection.
6) Open a Command Prompt window.
7) cd "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin"
8) smc -stop
9) smc -start

DV SSL Certificates and Ecommerce don't mix

Phishing using DV certificates is becoming more common

Symantec’s just-released Internet Security Threat Report shows that cybercriminals have been busier than ever, and socially engineered attacks are one vector that continues to grow because of its likelihood of success. Although the attacks come in different forms, one approach fools unsuspecting users into clicking a link that takes them to a “look-alike” website. That imitation site typically mimics a highly phished brand (e.g. Apple ID or a popular bank or credit card site). But now, to prove their legitimacy, phishers obtain Domain Validated (DV) SSL certificates because they know that consumers have been trained to look for the padlock or “https” in the browser URL window. The appearance of this lock further legitimizes the attack and tricks consumers into disclosing their credentials or banking/credit card details.

There are three types of SSL certificates, each requiring a different level of authentication: DV, OV and EV. Understanding the differences among each SSL certificate type is important to help prevent falling victim to scammers. For example, DV certificates are quick and easy to procure and don’t require any type of information indicating the person trying to get the DV certificate actually represents a legitimate business. Fraudsters often use DV certificates to lure consumers to phishing websites that look authentic but are designed to steal sensitive information. For this reason, doing any type of ecommerce transaction on a DV-only site poses risk. While there are appropriate use cases for DV certificates, it’s important to know how cybercriminals are taking advantage of DV certificates to conduct phishing scams and how to protect against these types of cybercriminal attacks.

Online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, consumers will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, however, is half the battle. 

Microsoft’s launch of Certificate Reputation

Continuing to improve trust in the CA/Browser ecosystem

A few weeks ago, Microsoft launched a new addition to their Bing Webmaster Tools which allows website operators to monitor their web domains to help ensure there are no improperly issued SSL certificates.

This is a great benefit to those owners because:

  1. It’s easy to use and Microsoft monitors this for free

  2. The Certificate Authorities do not need to do anything special. Certificates are automatically monitored by Microsoft

  3. It’s integrated into the Bing Webmaster toolset. There is no need to sign up separately for the service

  4. It works for all types of SSL certificates, not just EV

However, there are a few limitations today:

  1. This is currently a “preview” and only collects data from users on Windows 10 which itself is currently only in a preview release. Hence the data is limited. However, this will improve with the formal release of Windows 10.

  2. The data that Microsoft is gathering is not made public which prevents the public at large from also seeing the certificates. However, the need being addressed is that of website owners.

More details are in this Microsoft blog.

Trust continues to be enhanced in the Browser/Certificate Authority ecosystem (as discussed in this prior blog), and Certificate Reputation is another tool along this path, alongside Certificate Authority Authorization (CAA), Certificate Transparency (CT), and Public Key Pinning.

Contextual Access- Healthcare Compliance

Outdated Concept of Role-Based Access


Click below for our full detailed description and learn about how, why and where Contextual Access can save you time, money and headaches.


SSL Certificates: What Consumers Need to Know


In 1994, the first online purchase crossed the World Wide Web: a large pepperoni pizza with mushrooms and extra cheese from Pizza Hut. Over the next 20 years, e-commerce has exploded into a bustling economy, exceeding $1.2 trillion in sales in 2013.

This growth in online purchases rests upon a foundation of trust. People trust that the websites they use to track finances and make online purchases are secure and legitimate, largely because of Secure Sockets Layer (SSL) certificates, otherwise known as that little green padlock in the URL bar of the browser.

SSL certificates verify that the provider is who they claim to be and also indicate secure connections between personal devices and company websites. Understanding SSL certificates is important to help prevent falling victim to scammers, because at the end of the day, not all sites, or SSL certificates, are created equal.

Different types of certificates

Website owners purchase SSL certificates through Certification Authorities (CAs). There are three different types of SSL certificates, each providing a different level of security. The problem is that, even though all of these certificates provide the safety padlock in the URL bar of a browser, along with the HTTPS (“S” indicating “secure”) in the address bar, the levels of security between types of certificates differ greatly. This is why it is important to understand what kind of SSL certificate a site is using when looking to perform financial transactions or anything involving personal user data.

  • Domain validated (DV): This simply verifies who owns the site. It’s a simple process where the CA will send an email to the website’s registered email address in order to verify their identity. No information about the company itself is required. Cybercriminals commonly use DV certificates because they are easy to obtain and can make a website appear more secure than it actually is. For instance, fraudsters may use DV certificates to lure consumers to phishing websites that look authentic, or to cloned websites that look legitimate, but are designed to steal sensitive information.
  • Organizationally validated (OV): To receive an OV certificate, a CA must validate certain information, including the organization, physical location and its website’s domain name. This process typically takes a couple of days.
  • Extended validation (EV): This certificate has the highest level of security and is the easiest to identify. In order to issue an EV certificate, the CA performs an enhanced review of the applicant to increase the level of confidence in the business. The review process includes examination of corporate documents, confirmation of the applicant’s identity and checking information against a third-party database. In addition to the padlock in the URL bar of the browser and the “S” part of HTTPS, an EV certificate adds the company’s name in green in the browser URL bar.

Can you tell the difference?

(Image of three browser address bars, not reproduced.)

Clearly, the last URL is an EV certificate. The first is a DV certificate and the second an OV certificate; the two look identical to each other.

What can people do to stay safe?

Now that you know what an SSL certificate is, the three different types, and that DV-enabled sites pose a risk of scams, how can users reduce the risk of shopping or performing other sensitive transactions online?

  1. Be aware! Just because a website has the padlock or “https” next to a URL doesn’t make it safe for financial transactions. Users have learned to look for those two things before conducting a transaction, which is exactly why cybercriminals are going through the trouble of obtaining SSL certificates in the first place – to look like a legitimate site.
  2. Know how to look for the type of SSL certificate a website has. As a first step, look for visual cues indicating security, such as a lock symbol and green color in the address bar. Only EV-enabled websites include the company name in the web address bar. Browsers do not distinguish a DV certificate from an OV certificate, however. To make it easy to tell the difference, Norton has created a free tool. You simply paste a URL directly into the tool and it will tell you if the site is DV-, OV- or EV-enabled, with results clearly highlighting how safe a site is.
  3. Only conduct transactions and provide sensitive data to sites that have OV or EV certificates. There’s a time and place for DV certificates, but that doesn’t include using them for e-commerce sites. If you drop a URL into the Norton tool and the tool reports that the site has a DV certificate, rethink conducting any type of transaction via that site. If it’s an OV or EV certificate site, you know that the business information has been confirmed.
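As an added example (not part of the original post, and not the Norton tool it mentions), the following Python classifies a certificate as DV, OV or EV from the fields a browser can read: the CA/Browser Forum policy OIDs carried in the certificatePolicies extension and, as a fallback assumption for certificates that assert only a CA-specific policy OID, whether the Subject names an organization (O). It serves both the three certificate types described above and the point in step 2 that browsers themselves show no DV/OV difference. The sample host names and certificate fields are constructed; the optional classify_pem helper assumes the third-party cryptography package is installed.

```python
"""Classify an X.509 server certificate as DV, OV or EV from the fields a
browser can see.  Added illustration; not Symantec's or Norton's tool.

CA/Browser Forum reserved policy OIDs (asserted in certificatePolicies):
  2.23.140.1.1    Extended Validation (EV)
  2.23.140.1.2.1  Domain Validated (DV)
  2.23.140.1.2.2  Organization Validated (OV)
The fallback on the Subject's O attribute is a heuristic for certificates
that assert only a CA-specific policy OID (assumption, not a standard rule).
"""

EV_OID = "2.23.140.1.1"
DV_OID = "2.23.140.1.2.1"
OV_OID = "2.23.140.1.2.2"


def classify_validation(subject, policy_oids):
    """Return "EV", "OV" or "DV".

    subject     -- dict of Subject attributes, e.g. {"CN": ..., "O": ...}
    policy_oids -- dotted-string OIDs from the certificatePolicies extension
    """
    oids = set(policy_oids)
    if EV_OID in oids:
        return "EV"
    if DV_OID in oids:
        return "DV"
    if OV_OID in oids:
        return "OV"
    # No CA/B Forum policy OID present: a DV certificate names no organisation
    # in its Subject, while OV and EV certificates must carry O=.
    return "OV" if subject.get("O") else "DV"


def safe_for_transactions(level):
    """The post's rule: only hand sensitive data to OV- or EV-enabled sites."""
    return level in ("OV", "EV")


def classify_pem(pem_bytes):
    """Classify a PEM-encoded certificate.  Requires the third-party
    'cryptography' package (assumption); the pure logic above does not."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    cert = x509.load_pem_x509_certificate(pem_bytes)
    subject = {}
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    org = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    if cn:
        subject["CN"] = cn[0].value
    if org:
        subject["O"] = org[0].value
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
        oids = [p.policy_identifier.dotted_string for p in ext.value]
    except x509.ExtensionNotFound:
        oids = []
    return classify_validation(subject, oids)


# Constructed sample inputs standing in for the three address bars in the
# post's screenshot: the first two look identical in a browser.
SAMPLE_CERTS = {
    "shop-a.example": ({"CN": "shop-a.example"}, [DV_OID]),
    "shop-b.example": ({"CN": "shop-b.example", "O": "Shop B Ltd"}, [OV_OID]),
    "bank.example": ({"CN": "bank.example", "O": "Bank Example Inc",
                      "businessCategory": "Private Organization"}, [EV_OID]),
}


def classify_samples():
    """Map each constructed host to its validation level."""
    return {host: classify_validation(subj, oids)
            for host, (subj, oids) in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for host, level in classify_samples().items():
        verdict = ("ok for transactions" if safe_for_transactions(level)
                   else "rethink any transaction")
        print(f"{host}: {level} ({verdict})")
```

The policy-OID check is authoritative for certificates issued under the CA/Browser Forum Baseline Requirements; the Subject-based fallback only approximates the distinction for older or non-conforming certificates, which is one reason a browser's padlock alone cannot tell a shopper which kind of site they are on.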

Let’s face it – online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, people will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, consumers are less likely to be duped by phishing websites.

Readers can find more information on SSL certificates in this recent Symantec whitepaper or by visiting our Trust Services page.

WordPress Zero-Day Exploit Patch Released

Critical security release WordPress 4.2.1 is now available

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the web server. Jouko Pynnönen discovered the zero-day vulnerability in WordPress versions 4.2 and earlier, which allows an attacker to use stored (persistent) cross-site scripting (XSS) bugs to embed code in a WordPress comment field. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform.

In this new WordPress vulnerability, the malicious comment has to be at least 66,000 characters long, and the script is triggered when the comment is viewed, Pynnönen said.


What is “Zero-day” vulnerability?

A zero-day vulnerability is a hole in software that is unknown to the vendor. The hole is exploited by hackers before the vendor becomes aware of it and hurries to fix it; such an exploit is called a zero-day attack. Zero-day attacks can be used to infiltrate malware or spyware, or to gain unwanted access to user information. The term “zero-day” refers to the hole being unknown to anyone but the hackers, and in particular to the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

Wide-reaching impact

“Since these vulnerabilities affect default installations of WordPress, they naturally have a much wider reach, both on the public Internet and in internal, intranet installations,” said Rapid7 engineering manager Tod Beardsley.

Critical update available

WordPress 4.2.1 is now available. This is a critical security release for all previous versions, and WordPress strongly encourages users to update their sites immediately via the WordPress.org update page: https://wordpress.org/news/2015/04/wordpress-4-2-1/. If installing the update must be delayed, users are advised to restrict or disable commenting functions and not to approve existing comments until the update is completed.

Information Security - Prevention is better than cure.

Training Your Employees on Information Security Awareness

Protecting your company online begins with ensuring your employees are prepared to assist in keeping your computers and networks safe.

Information security is a process that moves through phases, building and strengthening itself along the way. Security is a journey, not a destination. Although the information security process has many strategies and activities, we can group them all into three distinct phases: prevention, detection, and response.

The ultimate goal of the information security process is to protect three unique attributes of information. They are:

  • Confidentiality – Information should only be seen by those persons authorized to see it. Information could be confidential because it is proprietary information that is created and owned by the organization or it may be customers’ personal information that must be kept confidential due to legal responsibilities.
  • Integrity – Information must not be corrupted, degraded, or modified. Measures must be taken to insulate information from accidental and deliberate change.
  • Availability – Information must be kept available to authorized persons when they need it.

Attacks compromise systems in a number of ways that affect one if not all of these attributes. An attack on confidentiality would be unauthorized disclosure of information. An attack on integrity would be the destruction or corruption of information and an attack on availability would be a disruption or denial of services.

Information security protects these attributes by:

  • Protecting confidentiality
  • Ensuring integrity
  • Maintaining availability

An organization succeeds in protecting these attributes by proper planning. Proper planning before an incident greatly reduces the risk of an attack and greatly increases the capability for timely and effective detection and response if an attack occurs.

The best security technology in the world can't help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. This will involve putting practices and policies in place that promote security and training employees to be able to identify and avoid risks.

A firm’s security strategy will only work if employees are properly trained on it. Therefore, the importance of providing information security awareness training cannot be overstated. The goal of an awareness program is not merely to educate employees on potential security threats and what they can do to prevent them. A larger goal should be to change the culture of your organization to focus on the importance of security and get buy-in from end users to serve as an added layer of defense against security threats.

Once you have buy-in from employees, your focus can turn to ensuring they get the necessary information they need to secure your business. An effective security awareness program should include education on specific threat types, including but not limited to:

  • Malware
  • Trojans
  • Viruses
  • Social engineering
  • Phishing

Another important area to address is the importance of password construction and security. Seems minor? It’s not. Believe it or not, password cracking is remarkably easy, particularly for advanced hackers. And this ‘minor’ step that users take every day could make a significant difference in protecting your firm’s sensitive information.

Talk to Your Employees About

  • Keeping a clean machine: Your company should have clear rules for what employees can install and keep on their work computers. Make sure they understand and abide by these rules. Unknown outside programs can open security vulnerabilities in your network.
  • Following good password practices: Making passwords long and strong, with a mix of uppercase and lowercase letters, numbers and symbols, along with changing them routinely and keeping them private are the easiest and most effective steps your employees can take to protect your data.
  • When in doubt, throw it out: Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source. Employees should also be instructed about your company's spam filters and how to use them to prevent unwanted, harmful email.
  • Backing up their work: Whether you set your employees' computers to backup automatically or ask that they do it themselves, employees should be instructed on their role in protecting their work.
  • Staying watchful and speaking up: Your employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.

Information Security Awareness Program

A good Information Security Awareness Program highlights the importance of information security and introduces the Information Security Policies and Procedures in a simple yet effective way so that employees are able to understand the policies and are aware of the procedures.

Listed below are some of the methods used to communicate the importance of Information Security Policies and Procedures to the employees.

1. Information Classification, Handling and Disposal

All information must be labeled according to how sensitive it is and who is the target audience. Information must be labeled as “Secret”, “Confidential”, “Internal Use Only” or “Public”. Documents that are labeled “Secret” or “Confidential” must be locked away at the end of the workday. Electronic information (Secret or Confidential) should be encrypted or password protected. When the information is no longer required, documents should be shredded while files should be electronically shredded.

2. System Access

No sharing of UserID and password is allowed and staff are made aware of their responsibility on safeguarding their user account and password. Staff are also provided with some useful Password Tips on how to select a good password.

3. Virus

All computers must have anti-virus software installed, and it is the responsibility of all staff to scan their computer regularly. All software and incoming files should be scanned, and staff are advised to scan new data files and software before they are opened or executed. Staff are educated on the importance of scanning and on how a virus can crash a hard drive and bring down the office network.

4. Backup

Staff are advised that they are responsible for their own personal computer backup and they should backup at least once a week.

5. Software Licenses

Software piracy is against the law and staff are advised not to install any software without a proper license.

6. Internet Use

Staff are advised that Internet use is monitored. Staff should not visit inappropriate websites such as hacker sites, pornographic sites and gambling sites. No software or hacker tools should be downloaded as well.

7. Email Use

Staff should not use the email system for the following:

  • Chain letters
  • Non company sponsored charitable solicitations
  • Political campaign materials
  • Religious work, harassment
  • And any other non-business use.

Staff are allowed to use the email for personal use but within reason.

8. Physical security of notebooks

All notebooks should be secured after business hours in a cabinet, in a docking station or with a cable lock.

9. Internal Network Protection

All workstations should have a password-protected screen saver to prevent unauthorized access to the network. Those using Windows 7 should lock their workstation. To prevent staff from downloading screen savers from the Internet, you can restrict the screen savers to the default ones that come with Windows 7.

10. Release of Information to Third Parties

Confidential information should not be released to third parties unless there is a need to know and a Non Disclosure Agreement has been signed. It is the responsibility of all staff to safeguard the company’s information.

Training materials should also review corporate policies and clearly detail consequences for any suspicious or malicious behavior amongst employees. For your convenience, we’ve compiled a variety of information on various security policies, including:

  • Acceptable Use
  • Social Media
  • Bring Your Own Device
  • Security Incident Management

Dos and Don’ts

A Dos and Don’ts checklist is given to all new staff upon joining the company. As it may be some time before they attend the actual security training, the checklist is a good and easy way for them to learn what they should and should not do. The information in the checklist is listed below.

Don’ts

  • Do not share your password with anyone including staff
  • Do not write your password on any paper, whiteboard or post it pad
  • Do not use easy to remember words as passwords e.g. Aug2001
  • Do not use personal information or any word in any language spelled forwards or backwards in any dictionary
  • Do not visit inappropriate web sites e.g. pornographic or hacker web sites
  • Do not download unlawful or unlicensed software from the Internet
  • Do not install unlicensed software onto your computer

Dos

  • Do change your password regularly for every system.
  • Do use a combination of letters, symbols and numbers for passwords
  • Do use difficult passwords which are at least 6 characters long
  • Do enable your Screen Saver Password or lock your workstation
  • Do scan your computer regularly for viruses and any diskettes as well before you use them on your computer
  • Do check that your virus software patches have been updated when you receive the regular update emails from Desktop Support
  • Do backup your data at least once a week. It is your responsibility to do so.
  • Do lock away all confidential documents, files and diskettes at the end of each work day

Training Your Employees

Training employees is a critical element of security. They need to understand the value of protecting customer and colleague information and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online.

Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety.


Announcing End of Life for Symantec Endpoint Protection Small Business Edition 12.1


In an effort to optimize our small business portfolio, Symantec has declared End of Life (EOL) for Symantec Endpoint Protection Small Business Edition 12.1 as of May 4, 2015. We have automatically transitioned customers’ licenses to Symantec Endpoint Protection Small Business Edition on a 1:1 ratio.

With Symantec Endpoint Protection Small Business Edition, customers will have the option to continue managing their endpoints on-premises or migrate to the cloud. By moving to the cloud, customers can take advantage of faster updates, fewer IT resources (no on-premises server needed) and availability anywhere (no need to be on site to check status or pull reports). Migrating SEP SBE to the cloud is easy: simply follow the instructions on our migration page. In addition, customers can try SEP SBE risk free for 60 days. For more information, visit: go.symantec.com/sbemigration

Please note, if you have Mac endpoints, you will need to continue to protect them with the on-premises version of SEP SBE, as our cloud version does not yet support Mac.

Symantec Protection Suite Small Business Edition is also impacted by this End of Life announcement, since it contains Symantec Endpoint Protection Small Business Edition 12.1. Going forward the point products for Symantec Protection Suite Small Business Edition will be renewed individually.

For more information, visit our migration page today and check out our detailed Migration Guide, FAQ, and video.

End of life - Small Business Edition 12.1.x Edition


Hello Everyone,

The Endpoint Protection Small Business Edition 12.1.x product has reached End-of-life and is set to be replaced by the Hosted (or .Cloud) version of the product.

Note: This does NOT mean the customer needs to immediately upgrade their product. Customers will be able to renew their on-premises license and continue to use their SBE SEPMs until 2018.

Please be aware of the official announcement in case you haven't received it yet.

http://www.symantec.com/page.jsp?id=sbe-migration&id=endpoint-protection-smb

Below you will find various links to documents and reference materials explaining how to migrate your environment to the Hosted Version of the SEP SBE Product. These documents are designed to walk you through the entire process of migration.

SEP SBE.Cloud Migration Information:

SEP SBE.Cloud product information:

SEP SBE.Cloud Migration Troubleshooting:

For any additional technical concerns please reference the support landing-page which has technical documentation and support contact information: https://support.symantec.com/en_US/defaultProductLanding.64357.html .

Symantec.cloud operates 24x7x365 support for clients that subscribe to our various security services. The primary language offered on a 24x7x365 basis by the Symantec.cloud Global Client Support Center is English.

The main non-English languages are also supported.

Check this article: .cloud Technical and Language Support

https://support.symantec.com/en_US/cloud/cloud-technical-and-language-support.html

Please don’t hesitate to let us know if you have any problems during the migration and we’d be happy to help.

Using Data Center Security: Server Advanced to Stay Safe from VENOM


On Wednesday, May 13, Crowdstrike researchers revealed a new zero-day vulnerability affecting a variety of virtualization platforms and cloud services. Dubbed VENOM, it allows attackers to break out of a virtual machine (VM), execute code on the host machine, and access any other VMs running on it. More information on this can be found on Crowdstrike’s VENOM website.

What is VENOM?

VENOM (CVE-2015-3456) is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. The zero-day vulnerability lies in a legacy common component in widely used virtualization software, allowing an attacker to reach potentially every machine across a data center's network.


What Customers Need to Know:

  • VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.
  • The bug is in QEMU’s virtual Floppy Disk Controller (FDC) and has been around since 2004.
  • Many modern virtualization platforms, including Xen, KVM, and Oracle's VirtualBox, include the buggy code.
  • The VENOM vulnerability is agnostic of the guest operating system, and an attacker (or an attacker’s malware) would need administrative or root privileges in the guest operating system in order to exploit VENOM.
  • This vulnerability affects enterprise customers that use the affected virtualization platforms and appliances, notably Xen, KVM, Oracle’s VirtualBox, and the native QEMU client.
  • This vulnerability is not remotely exploitable. Attackers must have local access to the guest to launch an attack. This means that customers should consider enforcing privileged access control to mitigate the risk of insiders exploiting this vulnerability.
  • Customers cannot stop the vulnerability at the device driver level. Red Hat (RHEL) has confirmed that removing the driver does not stop an exploit, as attackers can write directly to the FDC ports.
  • OpenStack is a cloud management layer on top of the hypervisor and is not itself affected by this vulnerability. However, Symantec recommends that enterprises running OpenStack/KVM review and monitor their systems for exploits that would take advantage of this vulnerability.

Symantec Customers Can Utilize Symantec Data Center Security: Server Advanced (formerly known as “Critical System Protection”) to secure their infrastructure

Although there are no reported or known exploits of this vulnerability in the wild, Symantec recommends that customers who run potentially affected virtualization platforms and appliances (including OpenStack) and who run Symantec Data Center Security: Server Advanced (DCS:SA) perform the following actions until they have patched the potentially affected platforms:

Symantec Data Center Security: Server Advanced (DCS:SA) monitors and orchestrates security hardening across on-premise data centers (both physical and virtual servers), public clouds (AWS), and private clouds (OpenStack).  To find out more, see the DCS:SA Data Sheet

Symantec Data Center Security: Server Advanced is part of the Symantec Data Center Security product family, which also includes Symantec Data Center Security: Server, Control Compliance Suite, and the Symantec Protection Engine Brands (for NAS and Clouds).


SEP 12.1 RU6 (12.1.6168.6000) Enterprise Edition has been released and is available to download on Flexnet.

SEP Enterprise Edition

Hello Everyone,

SEP 12.1 RU6 (12.1.6168.6000) is now available on Flexnet to download.


The full setup file is 675 MB.

Installation and Administration Guide:

http://www.symantec.com/docs/DOC8645

Note: Symantec Endpoint Protection 12.1 RU6 does not ship Small Business Edition which reached End of Life (EOL) in May'15. Small Business Edition 12.1 customers can use a tool to migrate to the cloud-based Symantec Endpoint Protection.

This does NOT mean the customer needs to immediately upgrade their product. Customers will be able to renew their on-premises license and continue to use their SBE SEPMs until 2018.

For more details check this blog: https://www-secure.symantec.com/connect/blogs/end-life-small-business-edition-121x-edition

Related articles:

Title: Upgrading or migrating to Symantec Endpoint Protection 12.1.6 (RU6)

Article URL: http://www.symantec.com/docs/TECH230601

Title: New fixes and features in Symantec Endpoint protection 12.1.6 (RU6)

Article URL: http://www.symantec.com/docs/TECH230558

Title: Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.6 Release Notes/What’s New

Article URL: http://www.symantec.com/docs/DOC8626

Title: Symantec Endpoint Protection 12.1.6 Installation and Administration Guide

Article URL: http://www.symantec.com/docs/DOC8645

Title: Symantec Endpoint Protection 12.1.6 Getting Started Guide

Article URL: http://www.symantec.com/docs/DOC8646

Title: Symantec Endpoint Protection 12.1.6 Windows Client Guide

Article URL: http://www.symantec.com/docs/DOC8647

Title: Symantec Endpoint Protection 12.1.6 Database Schema

Article URL: http://www.symantec.com/docs/DOC8633

Symantec Data Center Security: Server Advanced (DCS:SA)

Insight on Latest Symantec Data Center Security: Server Advanced 6.5

Hello,

Symantec Data Center Security: Server Advanced (DCS:SA) is a flexible, multi-layer security solution for servers that detects abnormal system activities. It prevents and blocks viruses and worms, hacking attacks, and zero-day vulnerability attacks. DCS:SA also hardens systems, enforcing behavior-based security policies on clients and servers.

DCS:SA includes a management console, server components, and agent components that enforce policies on computers. The management server and management console run on Windows operating systems. The agent runs on Windows and UNIX operating systems.

DCS:S entitles customers to agentless anti-malware protection for VMware guest VMs, via integration with the VMware NSX platform, as well as monitoring and hardening VMware infrastructure. In addition, DCS:S orchestrates security using Operations Director. By using the intelligence of Operations Director, customers can provision a vApp/VM with the right security policies.

DCS:SA extends DCS:S and allows customers to monitor and protect physical and virtual data centers using a combination of host-based intrusion detection (HIDS), intrusion prevention (HIPS), and least-privilege access control. A fully instrumented REST API exposes a corresponding call for every console action, enabling full internal and external cloud automation.

What’s New in SDCS:S & SDCS:SA 6.5:

Added Features:

IDS (Intrusion Detection)

  • Ability to monitor and harden OpenStack servers.
  • Monitoring of extended file attributes and Access Control List (ACL) changes
  • Real-Time File Integrity Monitoring (RT-FIM) support for Veritas File Systems (VxFS)
  • Windows and Linux agent support on AWS Virtual systems
  • Security-Enhanced Linux (SELinux)/AppArmor support
  • Red Hat Enterprise Linux 7.0

IPS (Intrusion Prevention)

  • Application Centric Hardening (database schema changes)
  • Linux Apache MySQL PHP (LAMP) support on UNIX (new sandboxes for MySQL and PHP in Unix policy)
  • Upgraded third-party components (OpenSSL, cURL, FIPS OpenSSL)
  • Prevention policy now supports a no-run exception list
  • Execution of files with non-executable extensions is blocked
  • Red Hat Enterprise Linux 7.0 and CentOS 7 support
  • ACL changes on Windows and UNIX

Unified Management Console (UMC) - UMC is a console appliance that is used to register and configure various features and products in Symantec™ Data Center Security (DCS).

Security orchestration using Operations Director (OD) - Security orchestration feature powered by Operations Director is intended to:

  • Automate security provisioning workflow.
  • Provide application-centric security service.
  • Seamlessly integrate with VMware NSX.
  • Provide out-of-box security product integration.

Additional Platform Support:

IDS and IPS support for SDCS:SA agents on

  • Security-Enhanced Linux (SELinux)
  • Red Hat Enterprise Linux 7
  • OpenStack

Hypervisor Support

  • Kernel-based Virtual Machine (KVM)
  • Amazon Web Services (AWS)

Resolved Issues:

DCS:SA resolved issues

  • Windows 2012 R2 agents used to display the OS version and type as Windows 2012 on the console.
  • In case of a policy in prevention disabled state, if the prevention ON/OFF slider control is used for enabling an individual sandbox or a group of sandboxes, it overrides the disabled state in the global policy level.
  • Policies used to take a long time to load in the console when predefined applications were added to trusted updaters or application rules.
  • Management server upgrade used to fail with custom SQL named instance listening on custom port with SQL browser service OFF.
  • In a specific scenario, CPU utilization of SQL Server was high when application data was fetched from agents.
  • 'Superuser_Group_Created' event used to get generated when the user password was changed in a specific scenario.
  • UNIX Baseline Detection Policy failed to apply on UNIX agents when Root Logon Failure option was not selected in the policy.
  • In a specific scenario, translation used to fail when any IPS policy other than null policy was applied on the agent.
  • Installation of the agent used to fail on Windows XP Embedded SP3.

Symantec Data Center Security: Server Advanced 6.5 vs. Symantec Endpoint Protection 12.1

Understanding the difference between SDCS:SA and SEP

Symantec Data Center Security: Server Advanced (DCS:SA)

Symantec Data Center Security: Server Advanced (DCS:SA) provides a policy-based approach to endpoint security and compliance. The intrusion prevention and detection features of DCS:SA operate across a broad range of platforms and applications. It provides:

  • A policy-based host security agent for monitoring and protection.
  • Proactive attack prevention using the least privilege containment approach.
  • A centralized management environment for enterprise systems that contain Windows, UNIX, and Linux computers.

The major features of DCS:SA are as follows:

1) Intrusion detection facility for compliance auditing

  • Real-time file integrity monitoring
  • Granular change detection of registry values, file contents, and attributes
  • Operating system and application log monitoring
  • Local event correlation and smart response actions

2) Intrusion Prevention facility for malware prevention and system lockdown

  • Sandbox containment of operating system and application processes by an in-kernel reference monitor
  • Granular access control of network, file systems, registry, process-to-process memory access, system calls, and application and child process launches
  • Privileged user and program behavior

3) Anti-malware security

DCS:SA Security Virtual Appliance (SVA) provides agentless anti-malware security services for the virtualized network through integration with the VMware Network and Security Virtualization (NSX) platform. SVA provides two types of policies: Antivirus policies, and configuration policies.

  • Comprehensive out-of-the-box policies for complete system monitoring and protection of physical and virtual systems
  • Security orchestration using Operations Director. Operations Director is intended to:
    • Automate security provisioning workflow.
    • Provide application-centric security service.
    • Seamlessly integrate with VMware NSX.
    • Provide out-of-box security product integration.
  • Centralized management environment for administering agents, policies, and events
  • Integration with Security Information and Event Management (SIEM) and other security tools, as well as enterprise infrastructure components such as Active Directory, SMTP, and SNMP
  • Broad platform support across Windows, Linux, UNIX and virtual environments for critical servers, workstations, laptops, and standalone systems

The major benefits of DCS:SA are as follows:

  • Reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates.
  • Reduces incidents and remediation costs with continuous security. Once the agent has a policy, it enforces the policy even when the computer is not connected to the corporate network. And even if a computer is unable to obtain the latest patches in a timely fashion, DCS:SA continues to block attacks so that the computer is always protected.
  • Provides visibility and control over the security posture of business-critical enterprise assets.
  • Uses predefined compliance and hardening policies to provide efficient security management, reporting, alerting, and auditing of activities. Also provides compensating controls for compliance failures.

Prevention Strategies for Physical and Virtual Servers

  • Application Whitelisting and Protected Whitelisting: Discover applications via system inspection for creating default-deny policies, or allow applications to run in a restricted sandbox.
  • Targeted Prevention Policies: Respond to server incursion or compromise immediately with quickly customizable hardening policies.
  • Granular Intrusion Prevention Policies: Protect against zero day threats and restrict the behavior of approved applications even after they are allowed to run with least privilege access controls.
  • File, System and Admin Lockdown: Harden virtual and physical servers to maximize system uptime and avoid ongoing support costs for legacy operating systems.

Detection Strategies for Physical and Virtual Servers

  • File Integrity Monitoring: Identify changes to files in real-time, including who made the change and what changed within the file.
  • Configuration Monitoring: Identify policy violations, suspicious administrators or intruder activity in real-time.
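The two detection strategies above rest on a baseline-and-compare loop: record what each file's content and attributes look like, then report what differs later. The following Python is an added example, not DCS:SA's own code (which does this in real time from kernel hooks and can also record the acting user); it snapshots a directory tree with a SHA-256 of each file plus its size, permissions and owner, then diffs a later snapshot and classifies each change as content-only, attribute-only, added or removed. The files and the tampering are constructed inside a temporary directory so the example runs offline.

```python
"""Baseline-and-compare file integrity check (added illustration, not DCS:SA code)."""
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Hash file content in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Record a content hash and the key attributes of every regular file under root.

    Keys are paths relative to root so two snapshots of the same tree line up.
    Owner and group are the attributes at snapshot time; attributing *who* made a
    change needs an audit source (kernel hooks or the OS audit log), which this
    example does not have.
    """
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            records[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return records


def diff_snapshots(baseline, current):
    """Classify differences: added, removed, or modified (with the fields that changed)."""
    result = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            result["added"].append(rel)
        elif rel not in current:
            result["removed"].append(rel)
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                result["modified"][rel] = changed
    return result


def demo():
    """Constructed scenario: take a baseline, tamper four ways, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "app.conf": b"debug=0\n",
            "sshd_config": b"PermitRootLogin no\n",
            "old.log": b"rotate me\n",
        }
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "sshd_config"), 0o600)
        baseline = snapshot(root)

        # 1. content edit that keeps the size identical: only the hash catches it
        with open(os.path.join(root, "app.conf"), "wb") as fh:
            fh.write(b"debug=1\n")
        # 2. permissions loosened, content untouched: only the attributes catch it
        os.chmod(os.path.join(root, "sshd_config"), 0o644)
        # 3. a new file dropped into the monitored tree
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"\x7fELF constructed sample")
        # 4. a file removed
        os.remove(os.path.join(root, "old.log"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The same-size content edit in the scenario is why a hash, not just size and timestamp, belongs in the baseline; the permission change shows why attributes are tracked separately from content, so a report can say which of the two changed.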

Key Benefits

  • Enforce server protection strategies without requiring foreknowledge of complex server applications.
  • Stop zero-day exploits and targeted attacks on servers with targeted prevention policies.
  • Secure legacy systems and mitigate patching requirements by hardening the OS and sandboxing applications.
  • Make security responsive to new software defined data center architectures — controls and policies follow servers across the virtual infrastructure.
  • Provide real-time visibility and control into compliance, in a single real-time monitoring and prevention solution.
  • Achieve complete protection for vSphere leveraging out-of-the-box policies based on the latest vSphere hardening guidelines.

Symantec Endpoint Protection 12.1

Symantec Endpoint Protection Enterprise Edition 12.1 - Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Mac computers, and servers in your network against malware such as viruses, worms, Trojan horses, spyware, and adware.

Additionally it is able to provide protection against even the more sophisticated attacks that evade traditional security measures such as rootkits and zero-day attacks.

The suite comprises Antivirus/Antimalware protection, Firewall, IPS, and Application and Device Control.

Symantec Endpoint Protection 12.1 is built on multiple additional layers of protection, including Symantec Insight and SONAR, both of which provide protection against new and unknown threats. The most recent Symantec Endpoint Protection version is 12.1 RU6.

Support for Linux Client Management

The Symantec Endpoint Protection Manager now supports Linux clients, allowing administrators to configure antivirus policies the same way they would for Windows and Mac clients.

Power Eraser integration

Power Eraser has been fully integrated into Symantec Endpoint Protection, allowing administrators to remotely scan an infected endpoint and remediate the infection remotely from the management console.

Remote deployment for Macs

Administrators can remotely install Mac clients from the Symantec Endpoint Protection Manager.

Competitive uninstaller

Removes over 300 products from more than 60 vendors, ensuring endpoint safety during any update.

The layers of protection that are integrated into Symantec Endpoint Protection (original table columns: Layer, Type of protection, Description, Symantec Endpoint Protection technology name)

Layer 1: Network-based protection

The firewall and the intrusion prevention system block over 60% of malware as it travels over the network and before it arrives at the computer.

This primary defense protects against drive-by downloads, social engineering, fake antivirus programs, individual system vulnerabilities, rootkits, botnets, and more. Stopping malware before it reaches your computer is definitely preferred to identifying a vulnerability that has already been exploited.

Technology:

Network Threat Protection:

  • Firewall
  • Protocol-aware IPS

Virus and Spyware Protection:

  • Browser protection

Layer 2: File-based protection

This traditional signature-based antivirus protection looks for and eradicates the malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans.

Unfortunately, many companies leave themselves exposed through the belief that antivirus alone keeps their systems protected.

Technology:

Virus and Spyware Protection:

  • Antivirus engine
  • Auto-Protect
  • Bloodhound

Layer 3: Reputation-based protection

Insight establishes information about entities, such as websites, files, and IP addresses, to be used in effective security.

Download Insight determines the safety of files and websites by using the wisdom of the community. Sophisticated threats require leveraging the collective wisdom of over 200 million systems to identify new and mutating malware. Symantec’s Insight gives companies access to the largest global intelligence network available to allow them to filter every file on the internet based on reputation.

Technology:

Virus and Spyware Protection:

  • Domain reputation score
  • File reputation (Insight)

Layer 4: Behavioral-based protection

SONAR watches processes as they execute and uses malicious behaviors to indicate the presence of malware.

SONAR watches programs as they run, and blocks suspicious behaviors. SONAR catches targeted and unknown threats by aggressively monitoring file processes as they execute and identifying malicious behavior. SONAR uses artificial intelligence, behavior signatures, and policy lockdown to monitor nearly 1,400 file behaviors as they execute in real time. When SONAR is combined with Insight, this technology is able to aggressively stop zero-day threats without increasing false positives.

Technology:

Proactive Threat Protection (Virus and Spyware Protection policy): SONAR

Layer 5: Repair and remediation tools

When malware does get through, Power Eraser scrubs hard-to-remove infections and gets your system back online as quickly as possible. Power Eraser uses aggressive remediation on hard-to-remove infections.

Technology:

Power Eraser:

  • Boot to clean operating system
  • Power Eraser uses aggressive heuristics
  • Threat-specific tools

Layer 6: System Lockdown

System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved.

Technology: System Lockdown

Layer 7: Application control

Application control monitors and controls an application's behavior.

Application control protects against unauthorized access and attack by controlling what applications can run. Application control blocks or terminates processes, limits file and folder access, protects the Windows registry, and controls module and DLL loading.

Technology: Application control

Layer 8: Device control

Device control restricts and enables access to the hardware that can be used on the client computer. You can block and control the devices that are connected to your systems, such as USB devices, FireWire, serial, and parallel ports. Device control can prevent all access to a port or allow access only from certain devices with a specific vendor ID.

Technology: Device control
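System Lockdown is described above as verifying an application by checksum and file location, in either a whitelisting or a blacklisting mode. The following Python is an added illustration of that check, not SEP's own implementation: a fingerprint list pairs each known location with a SHA-256, and a decision requires both to match, so in whitelisting mode a copy of an approved binary at another path and a tampered file at the approved path are both treated as unapproved. The files, paths and hashes are constructed in a temporary directory; the `Program Files` and `Temp` folder names are illustrative, not real installation paths.

```python
"""Checksum-plus-location execution check (added illustration, not SEP's own code)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash file content in chunks so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize(path):
    """Canonical location: absolute, symlink-free, case-folded on case-insensitive systems."""
    return os.path.normcase(os.path.realpath(path))


def fingerprint(path):
    """The (location, checksum) pair that one file fingerprint list entry records."""
    return normalize(path), sha256_file(path)


class LockdownPolicy:
    """Approve or deny an execution attempt against a fingerprint list.

    whitelist mode: only a file whose location AND checksum are listed is approved.
    blacklist mode: a file whose location AND checksum are listed is denied;
                    everything else is approved.
    """

    def __init__(self, mode, entries):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.entries = {}  # location -> set of checksums listed at that location
        for location, checksum in entries:
            self.entries.setdefault(normalize(location), set()).add(checksum)

    def is_listed(self, path):
        location, checksum = fingerprint(path)
        return checksum in self.entries.get(location, set())

    def decide(self, path):
        """Return 'approved' or 'unapproved' for running the file at path."""
        listed = self.is_listed(path)
        if self.mode == "whitelist":
            return "approved" if listed else "unapproved"
        return "unapproved" if listed else "approved"


def demo():
    """Constructed scenario: one approved tool, a relocated copy, an unknown file, then tampering."""
    with tempfile.TemporaryDirectory() as root:
        tool_bytes = b"MZ constructed backup tool"
        approved = os.path.join(root, "Program Files", "Backup", "backup.exe")
        os.makedirs(os.path.dirname(approved))
        with open(approved, "wb") as fh:
            fh.write(tool_bytes)
        entries = [fingerprint(approved)]  # fingerprint list built from the known-good file

        relocated = os.path.join(root, "Temp", "backup.exe")  # same bytes, different location
        os.makedirs(os.path.dirname(relocated))
        with open(relocated, "wb") as fh:
            fh.write(tool_bytes)
        unknown = os.path.join(root, "Temp", "unknown.exe")
        with open(unknown, "wb") as fh:
            fh.write(b"MZ constructed unlisted program")

        allow_only = LockdownPolicy("whitelist", entries)
        deny_listed = LockdownPolicy("blacklist", entries)
        verdicts = {
            "whitelist/approved": allow_only.decide(approved),
            "whitelist/relocated": allow_only.decide(relocated),
            "whitelist/unknown": allow_only.decide(unknown),
            "blacklist/listed": deny_listed.decide(approved),
            "blacklist/unknown": deny_listed.decide(unknown),
        }
        with open(approved, "ab") as fh:  # tamper with the approved file in place
            fh.write(b" plus injected bytes")
        verdicts["whitelist/tampered"] = allow_only.decide(approved)
        return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} {verdict}")
```

Requiring both parameters is the point: a checksum alone would approve the relocated copy, and a path alone would approve the tampered file. Blacklisting, by contrast, only ever denies what is explicitly listed, which is why the unknown file passes in that mode.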

Difference between Symantec Data Center Security: Server Advanced and Symantec Endpoint Protection (Antivirus)

(Original table columns: Sr. No, Pointers, Symantec Data Center Security: Server Advanced, Symantec Endpoint Protection (Antivirus). Each numbered row below gives the pointer, then the DCS:SA cell, then the SEP cell.)

1. IPS Policies

DCS:SA: Comprehensive Host Intrusion Prevention policies.

SEP: Focused HIPS policies.

2. Application Control

DCS:SA: Better control over applications.

SEP: Application control is limited.

3. Device Control

DCS:SA: More control over devices; you can block devices per application, user, or group.

SEP: Can either block or unblock a device.

4. Priority / Precedence

DCS:SA: Rules for a specific application take priority over general rules.

SEP: Precedence is based on the sequence of the policy.

5. Focus

DCS:SA: Focuses on zero-day exploits and in-depth application control.

SEP: Focused on USB control and blocking an application.

6. System Lockdown

DCS:SA: Hardened systems: lock down OS, applications, and databases; prevent unauthorized executables from being introduced or run.

SEP: System Lockdown lets you limit the applications that can run. System Lockdown operates in either a whitelisting or a blacklisting mode. In either mode, System Lockdown uses checksum and file location parameters to verify whether an application is approved or unapproved.

7. Firewall

DCS:SA: Integrated firewall: blocks inbound and outbound TCP/UDP traffic; the administrator can block traffic per port, per protocol, per IP address or range.

SEP: Network Threat Protection:

  • Firewall
  • Protocol-aware IPS

Virus and Spyware Protection:

  • Browser protection

8. Integrity

DCS:SA: Real-time File Integrity Monitoring detection on AIX, Windows, and Linux.

SEP: The Host Integrity policy ensures that the endpoints are protected and compliant.

9. VMware Support

DCS:SA: Using the Security Virtual Appliance (SVA) you can protect guest virtual machines against malware. SVA provides agentless anti-malware security for VMware guest virtual machines through deep integration with the VMware NSX platform.

SEP: The Security Virtual Appliance integrates with VMware’s vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based Guest Virtual Machines (GVMs) with the Symantec Endpoint Protection client installed share scan results.

10. Platform support

DCS:SA:

  • Microsoft Windows
  • Sun™ Solaris™
  • Red Hat® Enterprise Linux
  • CentOS Linux
  • Oracle Linux
  • SUSE® Enterprise Linux
  • IBM® AIX®
  • Hewlett-Packard® HP-UX®

SEP:

  • Microsoft Windows
  • Red Hat® Enterprise Linux
  • Ubuntu
  • Oracle Linux
  • SUSE® Enterprise Linux
  • Novell Open Enterprise Server
  • CentOS Linux
  • Debian 6.0.5 Squeeze; 32-bit and 64-bit
  • Fedora
  • Windows Embedded
  • Mac OS X

11. File-based protection

DCS:SA: Not file-based.

SEP: Traditional signature-based Virus and Spyware Protection:

  • Antivirus engine
  • Auto-Protect
  • Bloodhound

12. Updates and Signatures

DCS:SA: Does not use signatures or require continual updates to content.

SEP: This traditional signature-based antivirus protection looks for and eradicates the malware that has already taken up residence on a system. Virus and Spyware Protection blocks and removes the malware that arrives on the computer by using scans.

13. Day-zero protection

DCS:SA: Stops malicious exploitation of systems and applications; prevents the introduction and spread of malicious code.

SEP: Protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates.

Conclusion:

• If no prevention policy or a 'disabled' prevention policy is in use, full 'real-time' anti-virus is still definitely recommended.

• With the 'core' prevention policy in full prevention mode, 'real-time' anti-virus becomes less important, but is still a good idea. The 'core' policy locks down the main attack points that viruses and hacking attacks use, but any application that is not specifically called out by the policy operates as a 'safe' application - i.e. it can still modify executables and infect a system.

• With a 'strict' or 'limited execution' policy, the system is significantly protected against threats, so 'real-time' AV protection is not needed as much. No application can be changed or modified without either user intervention or modification by a privileged app (i.e. a software distribution tool). Turning off SEP Auto-Protect ('real-time' protection) would improve file access performance and reduce memory impact.

• For 'core', 'strict' and 'limited execution' I would still recommend AV with at least regular file scans (scheduled or manual scans), just to make sure no infected files linger on a system. Otherwise infected files could be dropped on the system in less protected locations (assuming they are not executable files) and end up being 'distributed' to other users who download these files - a particularly likely case for SharePoint, file servers and web servers. Office files would be good examples of files that could be infected but would not be controlled/blocked by SDCS, but would be caught by AV.

Also consider the following benefits that SEP provides when installed on the same system as SDCS:

1. Cleans systems regardless of how they’ve been infected once the signatures are up to date.

2. Protects against the types of attacks that are “normal behaviors” in SDCS’s various Behavior Controls. One example is a Word macro virus that just wants to be malicious and delete all of the files on your system.

You may also like to check this article:

Symantec Critical System Protection and how is it different from Symantec Endpoint Protection

https://www-secure.symantec.com/connect/articles/symantec-critical-system-protection-and-how-it-different-symantec-endpoint-protection


NEW RELEASE: Symantec Endpoint Protection 12.1.6 is Now Available


Overview

Today, Symantec released Symantec Endpoint Protection 12.1.6, which integrates the existing features currently in Symantec Endpoint Protection for Windows XP Embedded 5.1. This release continues the positive momentum of Symantec Endpoint Protection 12.1: Unrivaled Security, Blazing Performance, and Smarter Management.

With this latest release, Symantec Endpoint Protection 12.1 now has features specific to the embedded platform. This change removes the need for the separate Symantec Endpoint Protection for Windows Embedded 5.1 offering. Symantec will cease selling Symantec Endpoint Protection for Windows XP Embedded today, June 1, 2015. The technical support services of the old 5.1 product will close on October 15, 2016. There is no direct migration between Symantec Endpoint Protection 12.1 and the Symantec Endpoint Protection for Windows XP Embedded 5.1. We encourage customers who have embedded systems in their environments to upgrade to this latest version.

Key New Features in Symantec Endpoint Protection 12.1.6

Integration of the existing features in Symantec Endpoint Protection for Windows XP Embedded

  • Reduced size client- 80-90% smaller than the standard size client that fits embedded systems, greatly reducing the definition set and improving performance
  • Supported OS systems- Windows embedded systems, Win10, RedHat7.0
  • Write filters support- File based write filter and registry filter are fully supported on all the supported Windows embedded systems

Feature Enhancements

  • Reducing the attack surface with System Lockdown: an integrated workflow for System Lockdown makes it easier to collect the file fingerprint list
  • Large content mitigation: the ability to alert the administrator when Symantec Endpoint Protection clients request full content, which mitigates network overload
  • Better with Advanced Threat Protection (ATP integration): send a suspicious file from the client to the ATP server for further analysis

Technical Resources

What’s New in Symantec Endpoint Protection 12.1.6

FAQ: Symantec Endpoint Protection for Windows XP Embedded EOL

Upgrade or migrate to Symantec Endpoint Protection 12.1.6

Symantec Endpoint Protection has been released and is available to download

Product guides for all versions of Symantec Endpoint Protection and Symantec Endpoint Protection Small Business Edition

Symantec Extends Data Loss Prevention to Cloud Apps

Symantec Launches Data Loss Prevention (DLP) 14

Symantec is taking data protection to new heights – the cloud. Symantec recently expanded its information protection portfolio with the launch of Data Loss Prevention 14 and a strategic partnership with Box, an online file sharing and personal cloud content management service for businesses. Symantec Data Loss Prevention (DLP) now extends data loss prevention policies to cloud storage apps and gives deep visibility into valuable data stored and shared in Box.

The announcement solidifies Symantec’s commitment to protecting data and identities regardless of where they reside – on premise, in transit, or in the cloud.

The Cloud Creates Data Protection Challenges

It’s a data-driven world today. Data is everywhere – on the network and in the cloud – and it’s always within reach of users. Businesses and consumers are mobile, 24/7, and are often remote. Organizations, from small businesses to enterprise, are moving their information from legacy, on-premises systems and realizing the benefits of cloud storage.

However, as information moves offsite and into the cloud, it raises concerns about security, privacy, and compliance. Before the cloud and mobility, IT teams were able to keep things on-premise such as data, devices, visibility and control. Enterprises now live in a hybrid environment as the cloud adds extra levels of complexity for IT teams.

“Keeping corporate information safe and compliant has never been easy. Today’s cloud and mobile-driven world create new data protection challenges. Sensitive information is no longer within the safety of your corporate network,” said Cheryl Tang, Sr. Product Marketing Manager, Enterprise Security, Symantec. “More employees routinely share files using consumer cloud storage solutions - often without IT knowing about it. That means a lot of data is being created and stored in the cloud – undiscovered, unmonitored and potentially unprotected.”

How Symantec DLP Brings Security for the Cloud

The latest release of Symantec’s market-leading Data Loss Prevention (DLP) addresses these issues so businesses can take advantage of the cloud with control and visibility. Symantec DLP 14 features and benefits include:

  • Consistent data loss policies and workflows across on-premise, mobile, and now the cloud. Customers can easily extend their existing data loss policies to cloud storage and email solutions.
  • DLP for Cloud Email monitors and protects confidential email sent from Microsoft Office 365 Exchange Online.
  • DLP for Cloud Storage gives deep visibility into the sensitive files that businesses collaborate with in Box. It seamlessly integrates with the Box platform to monitor employee accounts, offering deep analysis into what information is considered sensitive, how this information is being used, and with whom it’s being shared.
  • Protection for Personal Cloud File Sync & Share monitors and prevents users from syncing sensitive work files from their desktop to their personal cloud storage solutions including Box, Dropbox, Google Drive, Hightail, iCloud and Microsoft OneDrive.

“As companies seek to move their information to the cloud, they’re looking for security providers who can keep their information protected regardless of where it resides. Data Loss Prevention (DLP) is one of the key technologies to enable anytime, anywhere, any device data protection. DLP is a foundational technology for cloud security,” said Tang.

Learn more about Symantec Data Loss Prevention, the market-leading data loss prevention solution.


Information Security - Prevention Is Better Than Cure

Train your employees in information security awareness

Keeping your company safe online starts with getting employees involved in securing computers and networks.

Information security is a process of continuous building and strengthening. Security is a journey, not a destination. The information security process involves many tactics and activities, but broadly they all fall into three phases: prevention, detection, and response.

The ultimate goal of the information security process is to protect the following three attributes of information:

  • Confidentiality: information is viewed only by users who are authorized to view it. Information may require confidentiality because it is proprietary information developed and owned by the organization, or because it is personal information about customers that the organization has a legal duty to keep private.
  • Integrity: information must not be corrupted, degraded, or altered. Measures must be taken to isolate information from accidental or deliberate modification.
  • Availability: information must be available to authorized users whenever they need it.

An attack compromises a system in various ways and affects some, if not all, of these attributes. An attack on confidentiality leads to unauthorized disclosure of information. An attack on integrity leads to destruction or corruption of information, and an attack on availability causes business interruption or denial of service (DoS).

Information security protects these attributes by the following means:

  • Protecting confidentiality
  • Ensuring integrity
  • Managing availability

To protect these attributes reliably, an organization needs proper planning. With a proper plan in place before an incident occurs, the risk of attack is greatly reduced, and if an attack does occur, the chance of timely and effective detection and response is far higher.

Even the best security technology in the world is useless if employees do not understand their roles and responsibilities in safeguarding critical data and protecting corporate resources. For example, it is necessary to implement practices and policies that promote security, and to train employees so that they can recognize and avoid risks.

A company's security tactics only work once employees have been properly trained in them. The importance of information security awareness training therefore cannot be overstated. The goal of an awareness program is not merely to train employees about likely security threats and the countermeasures against them. The larger goal is, in effect, to change the corporate culture: to place weight on the importance of security and to win employees' buy-in to the idea that users themselves act as a layer of protection against security threats.

Once you have employees' buy-in, the next step is to make sure they are given the information they need to protect the business. An effective security awareness program needs to educate employees about specific types of threats, including but not limited to the following:

  • Malware
  • Trojan horses
  • Viruses
  • Social engineering
  • Phishing

Another important consideration in training is the importance of password creation and the security issues around it. This may seem like a small thing, but do not underestimate it. Believe it or not, password cracking is surprisingly easy, especially in the hands of an advanced hacker. This "small" step that users repeat every day can make a big difference in protecting the company's critical information.

What to tell employees

  • Keep computers clean: Set clear rules about what employees may install and use regularly on their computers. Employees also need guidance so that they understand and follow the rules. Unknown outside programs can exploit security vulnerabilities on the network.
  • Follow password best practices: Choose long, strong passwords that combine uppercase and lowercase letters, numbers, and symbols. Changing them regularly and keeping them secret are reliably effective steps employees can take to protect data.
  • When in doubt, throw it out: Make sure employees do not open suspicious links in emails, tweets, posts, online ads, messages, or attachments, even when the sender is known. Also explain the spam filters the company provides and how to use them to block harmful mass mailings.
  • Back up your work: Whether employees' computers are set to back up automatically or need manual backups, make everyone aware of their role in protecting their work.
  • Stay alert and share information: Encourage employees to stay alert at all times and to report anything unusual they notice on their computers.

Information security awareness program

A good information security awareness program emphasizes the importance of information security and introduces information security policies and procedures in a simple but effective form, so that employees understand the policies and are aware of the procedures.

The following are some approaches for communicating information security policies and procedures to employees.

1. Information classification, handling, and disposal

All information is labeled according to its sensitivity and intended audience. Labels include "Secret", "Confidential", "Internal Use Only", and "Public"; documents labeled "Secret" or "Confidential" are locked away at the end of the working day. Electronic information classified as "Secret" or "Confidential" is encrypted or password-protected. When information is no longer needed, shred documents and securely wipe files electronically.

2. System access

Prohibit the sharing of user IDs and passwords, and make employees aware of their responsibility to protect their user accounts and passwords. Also give employees practical password tips on how to choose a secure password.

3. Viruses

Install antivirus software on all computers. Beyond that, it is each employee's responsibility to scan their computer regularly. Advise employees to scan all software and received files, and to scan new data files and software before opening or running them. Impress on employees the importance of running scans, and explain how a virus can crash a hard disk and bring the office network to a halt.

4. Backups

Advise employees that they are responsible for backing up their own computers at least once a week.

5. Software licensing

Explain that unauthorized copying of software is against the law, and advise employees never to install software without a valid license.

6. Internet use

Inform employees that Internet use is monitored. Instruct them not to access inappropriate websites such as hacker sites, adult sites, and gambling sites. Downloading software or hacker tools is prohibited.

7. Email use

Employees must not use the email system for the following purposes:

  • Chain mail
  • Soliciting for charities not sponsored by the company
  • Political activities
  • Religious activities or harassment
  • Any other purpose unrelated to business

Personal use of email is permitted within reasonable limits.

8. Physical security of laptops

At the end of the working day, all laptops are stored in a cabinet or docking station and secured with a chain lock.

9. Protecting the internal network

To prevent unauthorized access to the network, all workstations have password-protected screen savers. If you are using Windows 7, lock the workstation. To stop employees downloading screen savers from the Internet, you can also restrict screen savers to the defaults that ship with Windows 7.

10. Providing information to third parties

Do not give confidential information to third parties. An exception is made where there is a need to know, but even then only after a non-disclosure agreement has been signed. Protecting company information is every employee's responsibility.

Training materials must also be checked against company policy and must describe in detail the consequences of suspicious or malicious conduct by employees. For convenience, information on the various security policies is summarized below.

  • Acceptable use policy
  • Social media
  • Bring Your Own Device
  • Security incident management

Do's and Don'ts

Give new employees a "Do's and Don'ts" checklist. Because they may not yet have received actual security training, this checklist is a simple and effective way to tell new employees what to do and what not to do. The information to include on this checklist is summarized below.

Don'ts

  • Do not share passwords with others, even with other employees.
  • Do not write passwords on paper, whiteboards, sticky notes, and so on.
  • Do not use easily remembered words such as "Aug2001" as passwords.
  • Do not use personal information or palindromes (words spelled the same forwards and backwards) in any language.
  • Do not access inappropriate websites (such as adult sites or hacker websites).
  • Do not download illegal or unlicensed software from the Internet.
  • Do not install unlicensed software on your computer.

Do's

  • Change your passwords on each system regularly.
  • Use a combination of letters, numbers, and symbols in passwords.
  • Use hard-to-guess passwords of at least 6 characters.
  • Enable the screen saver password setting or lock your workstation.
  • Run virus scans on your computer regularly, and scan disks before using them on your computer.
  • When you receive an email from desktop support about a scheduled update, check whether your antivirus software patches have been updated.
  • Back up your data at least once a week. Backups are each user's responsibility.
  • Secure all confidential documents, files, and disks at the end of the working day.

Employee training

Employee training is an essential element of security. Employees need to understand what protecting customer and colleague information means and their own role in protecting it. They also need basic knowledge of other risks and of sound online judgment.

Above all, they must know the policies and practices they are expected to follow in the workplace regarding Internet safety.

[Reference translation]

Pittsburgh Security & Compliance User Group Meeting Announcement

July 1st, 2015

Please join us for the Pittsburgh Security & Compliance User Group meeting in July! Agenda and details are below.

You may sign up here.

AGENDA

Welcome & Introductions

Presentations:

  • Two Factor Authentication – Symantec VIP – Frank Hervert & Jeff Lagana from Reed Smith
  • New SEP release RU6/SEP Device Control & ATP:Endpoint – Josh Etsten Product Manager Symantec

Wrap up, Prize drawings & Conclusion

Happy Hour

*************************************************

Location:  Sharp Edge, 922 Penn Ave, Pittsburgh, PA 15222 (location and catering)
Time:  2pm - 5pm EST

SAVE THE DATE! Midwest DLP User Group Meeting

July 29, 2015 - 12pm to 4pm
All-

Save the date for the next Midwest DLP User Group Meeting!

Date: July 29, 2015 12pm to 4pm

Location: Maggiano's Little Italy (Dolcetto Room) - Westfield Old Orchard, 4999 Old Orchard Center, Skokie, IL 60077

Topics: TBD

Look forward to seeing everyone!

REGISTER HERE!

For questions about Symantec User Group Programs, please email user_groups@symantec.com
Thank you!
