The VeriSign Security Review
April 2007
At the 3GSM World Congress held in February, VeriSign presented its
Digital Infrastructure Portfolio, which delivers communications, commerce,
and content services including mobile payment solutions and identity
protection for mobile users. As companies mobilize their services and
solutions, VeriSign digital infrastructure solutions will help businesses
to launch new services quickly and economically, with the intelligence,
scale and security necessary to deliver a compelling consumer experience.
In This Issue:
Hot Topics
- Layered Security
Offers Comprehensive Approach. New VeriSign Layered
Security Services help minimize the complexity, risk, and opportunity
costs of trying to keep pace with the contradictory demands for greater
ease of access and for tighter security.
- Cut Costs by Managing
Your Own PBX. Now large enterprises can connect PBX
sites for true end-to-end VoIP communications—and dramatically lower
telco costs, with potential savings as high as 50 percent.
- Bugs for Sale.
Software vulnerabilities are bought, sold, and traded online, both by
legitimate security companies, and by a growing class of professional
cyber criminals.
Monthly Threat
Summary
- Microsoft Corp.’s
Feb. 13 security update encompassed 20 vulnerabilities, half of them
critical, and included fixes for vulnerabilities in Office, Excel, PowerPoint,
and Internet Explorer. Also, in early February, unknown actors launched
a global distributed denial of service (DDoS) attack against three of
the Internet’s 13 root servers. Most Internet users were unaware of
the attacks.
News from VeriSign
- VeriSign and Entriq
Team to Make Launching Internet Media Businesses Faster, Simpler, More
Profitable
- VeriSign’s Card
Management System Receives Certification From GSA For HSPD-12
- VeriSign Domain
Name Industry Brief Shows Continued Strong Internet Growth
VeriSign Events
- April 16-19 National
Association of Broadcasters (NAB) 2007, Las Vegas NV
- April 25-27 Billing
and OSS World, Chicago IL
- May 15-17 Financial
Services Technology Consortium (FSTC) Annual Conference, Dallas TX
Hot Topics
Layered Security Offers Comprehensive
Approach
Businesses today increasingly use the Internet
and wireless networks to share information and content, and interact
with customers and partners. But securing these business interactions
is becoming increasingly complex, as devices are proliferating (PDAs,
mobile phones, and laptops) and the networking landscape grows to include
the Internet, Wi-Fi, GSM, and other channels. At the same time, security
threats are becoming more pervasive, malicious, and sophisticated.
In trying to address these issues, companies
are faced with a dizzying array of point products and services, many
of which are not well integrated, and none of which addresses the end-to-end
cross-systems and cross-network nature of most business interactions.
VeriSign
Layered Security Services is a comprehensive approach to
securing business interactions on the Internet that encompasses protecting
a company’s consumers, brand, Website, and network. VeriSign Layered
Security Services is a portfolio of consulting and managed technology
services that provides business transaction security reaching from the
consumer or user to the network. These services help companies minimize
the complexity, risk, and opportunity costs of trying to keep pace with
the contradictory demands for greater ease of access and for tighter
security.
Cut Costs by Managing Your
Own PBX
Now small-to-medium companies and large enterprises
can connect PBX (internal voice communications) sites, including VoIP-enabled
LANs and WANs, through the firewall for true end-to-end VoIP communications
across all sites. VeriSign®
PBX IP Connect is an inter/intra-enterprise IP communications
service that provides secure multimedia communications for voice and
video-based sessions—and relieves IT departments from managing IP telephony
network operations. It enhances disaster recovery applications, presence-based
applications, and convergence with mobile networks. PBX IP Connect can
dramatically lower telco costs, with potential savings as high as 50
percent, by leveraging idle capacity on data connections for voice transport
and reducing PRI connections, rates on PSTN termination, and cost structure
through centralized network management.
With VeriSign PBX IP Connect, VeriSign installs
an appliance under a service plan that becomes the anchor point for
delivering a secure integration of VoIP-enabled LANs and WANs. There’s
no capital expenditure, no need to hire additional staff, and no changes
to existing LAN equipment.
The VeriSign PBX IP Connect service leverages
the VeriSign Network Routing Directory (NRD), a highly scalable registry
that delivers some of the fastest performance and highest reliability
in the industry while facilitating seamless interoperability between
VoIP protocols including H.323, SIP, and CMSS. The NRD enables central
management of VoIP routing, dial plan management, call authorization,
and authentication and network monitoring—all based on the proprietary
VeriSign Advanced Transaction Look-Up and Signaling (ATLAS℠) platform.
ATLAS℠ infrastructures are capable of scaling to support dramatic increases
in throughput without sacrificing availability. For example, during
the past eight years VeriSign DNS services to .com and .net have scaled
to handle over 30 billion transactions a day, all the while demonstrating
100% availability.
The VeriSign PBX IP Connect service provides
complete support, including remote fault identification and resolution,
problem isolation, and custom VoIP security features that complement
the existing firewall. Customers benefit from the same security provisions
with which VeriSign protects thousands of Web sites and hundreds of
global enterprises, including state-of-the-art encryption and perimeter
security management at network interconnect points. VeriSign’s 24/7
Security Operations Center protects VeriSign PBX IP Connect with firewall
management, intrusion detection, vulnerability protection, vulnerability
alerting, managed VPN, and incident response and forensics services. Find
out more about VeriSign PBX IP Connect.
Bugs for Sale
Bounty hunters are now putting Microsoft’s
new operating system, Windows® Vista™, to the toughest security test
yet: trial by hackers motivated to sell vulnerabilities for cash. As
a recent article in the New York Times explains, when Windows® XP was
released five years ago, software bugs were typically hunted by hackers
for the thrill of discovery and recognition, not financial reward. But
now software vulnerabilities are bought, sold, and traded online, both
by legitimate security companies, and by a growing class of professional
cyber criminals.
In January, VeriSign subsidiary iDefense Labs
offered $8,000 for the first six researchers to find holes in Vista,
and $4,000 more for the “exploit,” a program to take advantage of the
weakness. iDefense runs the world’s most successful Vulnerability Contributor
Program, and sells this information to companies using Vista, so they
can protect their own systems.
But vulnerabilities are worth more than a few
thousand dollars to criminals looking to launch identity-theft schemes
and spam attacks. The Japanese security firm Trend Micro said in December
that it had found a Vista flaw for sale on a Romanian Web forum for
$50,000—and such sales are not uncommon.
Traditionally, software vendors have asked
security researchers to alert them first when they found bugs in their
software. That worked when researchers were motivated by acclaim and
a desire to improve security. But with a growing market for software
bugs, researchers can now get more from their investment of time and
effort than the token sum or “thank you” that software vendors offer.
And there is, after all, nothing illegal about discovering and selling
vulnerabilities. Increasingly, the market prices for such bugs are no
longer set by software companies, but by professional cyber criminals.
Prices range from a couple of hundred dollars to tens of thousands.
In 2002, recognizing these changing dynamics,
iDefense Labs led the way and became one of the first companies to pay
for software flaws, offering just a few hundred dollars for a vulnerability.
Its aim was to inform software makers and clients before announcing
bugs to the general public. In 2005, TippingPoint, a division of 3Com,
joined iDefense in the nascent marketplace for software bugs, and last
year bought and sold 82 software vulnerabilities. iDefense said its
freelance researchers discovered 305 holes in commonly used software
during 2006, up from 180 in 2005. iDefense paid $1,000 to $10,000 for
each, depending on the severity.
Monthly Threat Summary
Microsoft Corp.’s Feb. 13 security update was
substantially larger than previous releases, with 12 bulletins encompassing
20 vulnerabilities, half of which the company rates as CRITICAL, which
means that they “allow remote code execution” or allow an attacker to
gain control of a user’s computer. This month’s release includes fixes
for vulnerabilities in popular programs such as Office, Excel, PowerPoint,
and Internet Explorer. Although Microsoft states that only six of the vulnerabilities
are being actively exploited, some security companies are claiming that
hackers are exploiting all but one. VeriSign urges any customers that
could potentially be affected by these vulnerabilities to download
and install the appropriate patches.
In early February,
unknown actors, working with unknown motive, launched a global distributed
denial of service (DDoS) attack against three of the Internet’s 13 root
servers. The attacks temporarily degraded the performance of the UK
Internet, but most Internet users were unaware of the attacks, a testament
to the resilience and redundancy of the DNS system and the Internet
in general.
In February, VeriSign
announced the launch of “Project Titan,” a $100-million campaign
to dramatically increase the number of DNS queries it can process, and
to detect suspicious traffic that could be a precursor to an attack.
These efforts should help mitigate such attacks.
In a speech at the RSA IT security conference
in San Francisco, Greg Garcia, the assistant secretary for Cyber Security
and Telecommunications at the US Department of Homeland Security (DHS),
assured immediate and unwavering action in protecting the nation’s critical
infrastructures. Garcia discussed plans for next year’s Cyber Storm
exercise. He also reiterated his commitment to implementing the National
Strategy for Securing Cyberspace. In other government-related
news, the National
Cyber Response Coordination Group announced last week that
it refused to rule out countering large-scale cyber attacks with physical
violence.
News from VeriSign
VeriSign and Entriq Team to Make Launching Internet Media Businesses
Faster, Simpler, More Profitable
A joint
offering from Entriq and VeriSign offers media companies
a comprehensive and cost effective solution for managing, monetizing,
and delivering media assets online. The new offering makes it easy and
affordable to produce and generate revenue from Internet video.
VeriSign Card Management System Receives Certification from GSA for
HSPD-12
VeriSign is the first vendor to receive its Card
Management System (CMS) certification using FIPS 201-compliant
Shared Service Provider (SSP) Public Key Infrastructure (PKI) certificates,
and the only vendor that has both its SSP PKI and CMS on the GSA FIPS
201 Approved Product List.
VeriSign Domain Name Industry Brief Shows Continued Strong Internet
Growth
According to the Q4
VeriSign Domain Name Industry Brief, total domain name registrations
reached 120 million, a 32 percent increase over the previous year, and
an eight percent increase over the third quarter of 2006. VeriSign processed
an average of 24 billion queries per day during the fourth quarter of
2006, but the VeriSign Domain Name System (DNS) continued to maintain
operational accuracy and stability for 100 percent of the time. Read
the press release.
VeriSign Events
April
16-19 National Association of Broadcasters (NAB) 2007, Las Vegas NV
This is the essential destination for anyone
in electronic media who's looking for comprehensive education, inspiration,
and innovation. Visit us in booth C2546.
April
25-27 Billing and OSS World, Chicago IL
This year’s theme is orchestration: see the
latest in the systems, software and services offerings from industry
leaders in the OSS/BSS sector who are tackling orchestration challenges
every day.
May
15-17 Financial Services Technology Consortium (FSTC) Annual Conference,
Dallas TX
VeriSign’s Fran Rosch will speak on New Weapons
to Fight Fraud: Getting Ahead of Cyber Crime on May 16 at 2:00 p.m.
VeriSign is a sponsor of this event.