Sony Attack

Hollywood is a place that can be driven mad by star-studded gossip, where the talk of the town is rarely private and where people are accustomed to their secrets not staying secret for very long. Yet, this state of play hasn’t made it any easier for the victims of last month’s cyberattack against Sony, carried out by shadowy assailants calling themselves the Guardians of Peace.

As the public knows by now, the attackers appear to have spared nothing in their initial leak of 27 gigabytes’ worth of data. They released the type of information that is exposed after seemingly every corporate hack, from the personal information of employees to the company’s classified assets, which in this case even included the script for an upcoming James Bond film.

But that wasn’t all.

They also exposed the kind of information unique to an entertainment giant like Sony – the lurid Hollywood gossip, revelations of celebrity aliases and even off-the-record studio executives’ opinions about some of today’s box office smashes.

Sony’s Imperfect Network Security History

So how could this have happened? Although the finger-pointing has been ongoing since the attackers revealed themselves to Sony employees at the end of November, what’s clear is that the malware used by the Guardians of Peace was undetectable by antivirus software, and, as is often the case with attacks as broad as these, human error within Sony – passwords that were both easy to crack and stored in a file directory marked “passwords” – may also have been a factor.

Unfortunately, these aren’t new criticisms of the company.

Sony’s network security defenses, from poor access control to weak passwords, were so lacking in 2007 that an auditor told the company’s executive director of information security, “If you were a bank, you’d be out of business.” Then there was the 2011 hack of Sony’s PlayStation network – an attack that was preceded two weeks earlier by the company laying off two employees who were responsible for network security.

In retrospect, it’s easy to construct a seven-year trail of breadcrumbs back to Sony being hacked, and to allege that executives should have known they needed to do more to shield the company from attack. But, as suggested by the FBI’s Joseph Demarest, assistant director of the agency’s cyber division, the high sophistication of the attack proved to be just as much a factor as how porous the company’s network security may have been.

He said, “The malware that was used would have slipped or probably gotten past 90 percent of [Internet] defenses that are out there today in private industry and [likely] challenged even state government.”

Preventing the Next Great Hack

The massive Sony breach has shown, yet again, just how expeditious and ruthlessly efficient attackers today are. One minute, the network security fortress of a company like Sony is seemingly secure, and the next, documents and correspondence that were intended to be private are splashed across every news outlet. It should be more than enough to give network administrators significant pause, and make them wonder, “If it can happen to Sony, why couldn’t it happen to me?”

Fortunately for network administrators, there is no shortage of steps they can take to prevent attackers from breaching their walls, and there are just as many ways to limit the damage in a worst-case scenario where hackers are able to make it inside.

We’re talking about a defense-in-depth approach – a multi-layered, redundant strategy that seamlessly weaves together overlapping network security products, like strong VPNs and firewalls, with proven processes, like employee training and encryption protocol, to help network administrators defend against a range of threats looming right on their doorsteps. Additionally, if hackers do get in, layering security technologies can help mitigate the range and damage caused by the attack, making it more difficult for attackers to actually escape with sensitive information.

It’s impossible for network administrators to know for sure they have the upper hand against attackers who seek to do them harm – their methods evolve too rapidly. But with a defense-in-depth strategy, network administrators at least know they have fail-safes in place should they become the next target.

Read More:

Hacks of Houston Astros, Butler University Put Network Security on Center Stage
Cyber Threats in 2015: New Attack Vectors, More Severe Incidents


Want to learn more about threats to your company’s network?

7 Security Threats You May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

– How to handle environments fraught with rogue employees, personal devices, and EOL products.
– A sound approach to security policies and their enforcement, including the importance of executive involvement.
– A new way to think about VPN solutions to simultaneously maximize security, flexibility, and ease of management.

Download Now

Remote Access Endpoint

Much to the dismay of network administrators, IT security today is complex and multi-faceted, from the varied attack vectors to the different types of attackers themselves. But there is always one constant: the endpoint. When those endpoints are attacked, and end users cannot access services, data and applications, it is futile for a business to even host and offer them.

The client, that is the device, not the human being using it, has undergone enormous changes over the last decade, thereby putting the burden on IT professionals to evolve their networks accordingly. The PC, with Windows 95, was the starting point. Next came myriad Microsoft operating system updates, followed by new form factors like tablets and smart phones, which introduced a whole new dimension.

With each new client, the applications changed as well. Browsers and apps opened up unfamiliar, sometimes encrypted, and sometimes proprietary, data channels, from the Internet right down to the file system. And of course, attackers have kept track of those changes and adapted their methods accordingly over the years.

To cope with these ever-evolving forms of attack, network administrators developed innovative defense mechanisms. Classic anti-virus tools were followed by sandboxes that tried to detect and block malware by offering these programs a limited, simulated runtime environment. The most recent approach uses micro-VMs, which try to contain malware within the kernel process level.

Additionally, businesses now use a whole arsenal of security measures, ranging from the humble password to two-factor authentication, firewalls and encryption, to name but a few. And nothing is wrong with these measures. After all, an endpoint that uses anti-virus software is better protected than one without it. But the question is: How much better?

The problem is, enterprises often do not realize that technology alone will not save them. Businesses need to know that their combined technical barriers, no matter how recent and well maintained they might be, are far from impregnable, even under perfect conditions. It doesn’t matter which hindrances network administrators place in the path of attackers. They will eventually find a way to bypass them. And in some cases, their whole IT security budget could be wasted on a suite of diverse defense mechanisms.

The only solution is redundancy – a defense-in-depth approach that uses a combination of firewalls, VPNs, intrusion detection systems and common sense policies to govern employee remote access behavior. This type of framework will go a long way in keeping possible attack vectors at bay. It can’t be said often enough, so here it is again: Security is a process, not a product.

End-to-end encryption alone won’t save you. For example, a Trojan could gain access to the local network through an infected smartphone or a USB stick and intercept the password keystrokes right as they happen. In a worst-case scenario, the cryptography might even hinder other security tools from detecting suspicious activities on the network.

No IT-based measure alone can account for human fallibility – they won’t help if one of your employees leaves a work device out in the open, where it could be stolen, or accidentally exposes a password through a phishing scheme. The level of security is always defined through the weakest link, not through the largest budget.

Read More:

The Three Human Failures Behind Remote Access Shortcomings
When Remote Access Becomes Your Enemy


Cybercrime

It’s not clear when we arrived here or when we’ll be leaving, but according to prominent cybersecurity reporter Brian Krebs, we’re in the midst of a “golden age” for cybercriminals.

Krebs’ comments came last month during an address at the 2014 Privacy XChange Forum, where he predicted a continuation of last year’s string of cyberattacks, in the same vein as those that impacted Target and Home Depot. He said that the value of stolen information – about $20 per stolen credit card – is too high for hackers to pass up.

Given this landscape – particularly with verticals like retail, healthcare and finance, which are perpetually in hackers’ crosshairs – organizations should be well beyond the stages of basic network security planning. In this “post-privacy” era, network administrators need to understand cyber threats against them, inside and out, in order to set up the strongest defenses.

In Dark Reading’s recap of the Privacy XChange Forum, representatives from retail, healthcare and finance shared the biggest threat to their respective industries:

1. Retail: The Onset of Apathy

Today’s reality is that every organization must assume it will be hacked. Yet, as Natural Markets Food Groups’ Arthur Tisi explained at the forum, there’s considerable apathy and a sense of “it won’t happen to me” among businesses, particularly retailers. While it’s true that only two of the top 10 U.S. retailers – Home Depot and Target – have reported major data breaches this decade, those attacks left an unprecedented impact – nearly 100 million credit and debit cards were exposed.

To avoid becoming the next high-profile victim, retailers need to further build out their cyberattack response plans in order to defend customer and corporate data throughout the threat’s life cycle – including if it breaches the fortress walls. It’s no longer enough to only have a threat prevention plan in place – the ability to quickly detect and respond to an attack is just as important.

2. Healthcare: Too Many Touch Points

The primary threat against network security in the healthcare space is actually two-fold. We’ve explained previously that healthcare information is particularly valuable – and appealing – to attackers. The other issue, as explained by Dr. Deborah Peel at XChange, is just how exposed healthcare data can be when it’s in motion, traveling between in-patient facilities, clinics, insurers, pharmacies and more. And all it takes is one stolen or misplaced device, operating outside the safe boundaries of a secure VPN, to thrust thousands of patients’ personal information into the wind.

In fact, the threat of data being lost or stolen is actually more severe than malicious hacking. According to Bitglass, 68 percent of healthcare data breaches since 2010 have involved theft or loss of healthcare information. For healthcare organizations that permit employee remote access, it’s even more critical that they institute both employee policies and technology, like VPN and firewalls, to help protect sensitive patient information every time it leaves the safe confines of an organization.

3. Finance: Lack of Depth to Security Approach

Unlike in healthcare, where HIPAA requires providers to publicly divulge breaches, no such mandate exists in the financial industry. That’s despite the fact that 500 million financial records have been exposed in the last 12 months, according to federal officials, and many of the owners of those files aren’t even aware their information has been leaked.

Given the magnitude of the threat against the finance industry, it’s not surprising that, as one financial services professional said at XChange, there is no “silver bullet” to guarantee security from attackers.

But as is often the case with network security, the best defense for financial institutions is a multi-layered, redundant network security infrastructure. Typically, defense in depth in the context of network security requires the construction of a comprehensive, multi-layered infrastructure of VPNs, firewalls and other intrusion detection systems, so that each solution acts as a failsafe for the others.

In this instance, defense in depth for financial institutions additionally means using multiple defense measures to protect against account takeover – hackers targeting customers and trying to exploit them directly, versus the organizations that hold their data. In the specific instance of customers logging into their electronic accounts, many organizations already do redundancy well. The FFIEC actually requires financial institutions to use multi-factor user authentication for online banking. But in the future, financial institutions will need to look for other redundant verification techniques, such as tokenization and “device fingerprinting,” to protect customers. That way, even if a hacker breaches one line of defense, subsequent mechanisms will keep them out.

Escaping the Golden Age

Even though cybercriminals are still reaping the benefits of their golden age, events like the Privacy XChange Forum show that industries like retail, healthcare and finance not only have a plan to fight back – they actually have a good chance of soon turning the tide. And if businesses in these at-risk verticals can minimize the threat of cybercriminals, then network administrators in other industries will soon have a blueprint for defending their own interests.

Read More:

Cyber Threats in 2015: New Attack Vectors, More Severe Incidents
Healthcare Data Today: In Motion or Out of Control


The Three Human Failures Behind Remote Access Shortcomings

Whenever news of a network security breach reaches the public airwaves, observers are quick to assign blame to some combination of technological shortcomings and human error that allowed an attacker to slip through the victim’s cyber defenses.

When it comes to remote access in particular, network security is even more dependent on technology like VPNs, and employees who do their part and follow company protocol. Unfortunately, network administrators often find themselves in a position where, due to human imperfection, remote access technology is the constant that protects their network.

Here are the three types of people who are guilty of common, understandable human errors that network administrators need to have on their radar, and try to protect against, as they build a network security infrastructure:

  1. The Strained IT Pro

Information security professionals are modern-day gladiators, fighting back against complex network security threats, internal and external, as quickly as they form. Yet, as a Ponemon Institute study revealed earlier this year, many IT departments are overburdened as they try to defend against all of these threats at once.

The problem is actually two-fold: a dearth of talent to fill positions (according to the study, 70 percent of the organizations say they do not have sufficient IT security staff) and turnover in security positions that can be filled (CISOs leave their positions, on average, after 2.5 years). The result is that IT departments, despite their best efforts, cannot defend against every attack, particularly as cyberattackers diversify and expand their efforts in the coming years.

  2. The Oblivious Employee

For companies that lack a consistent frontline defense by their IT staff, employees are next in line to defend against network security threats. They’re tasked with following remote access policies, the most common of which often include proper VPN use and safe data management practices. Yet, even the very basics of secure remote access are often a problem for employees – 44 percent of respondents to an Imation survey said that company information they remove from their office isn’t encrypted.

Those weren’t the only network security faux pas employees fessed up to. Just under half said they still used a USB stick to transfer information – especially dangerous in light of threats like the “BadUSB” exploit – while about the same number said they used their own mobile devices for remote access, instead of those supplied by the company.

These employees are right to be criticized, although the blame doesn’t always rest solely with them. As Imation’s Nick Banks said, “A lot of companies don’t have a remote working policy [while others] break the policy without knowing it exists.” Every company needs a remote work policy, not just those in which data is generally considered to be most at risk – financial services, healthcare and the public sector.

  3. The Fatigued Stakeholder

The third obstacle impacting IT departments and employees as well as the general public is a creeping feeling of what Ponemon has dubbed “breach fatigue.” While conventional wisdom may dictate, and network administrators may think, that digital consumers have grown even more risk averse in how they manage digital information, the opposite actually appears to be true.

This current state of “breach fatigue” means that consumers have become so overwhelmed by the recent onslaught of data breaches involving their favorite institutions that the news is no longer attention grabbing or behavior altering. Only 14 percent of those polled by Ponemon said they would interact differently with an institution they do business with if it were to report a data breach.

Defense in Depth Reduces Human Error

This all brings us back to the importance of strong remote access technology and a comprehensive, defense-in-depth approach to network security. When IT staff and employees do fall short – and they will from time to time – it’s this multi-layered, redundant approach to network security, which includes technologies like firewalls, VPNs and intrusion detection systems all working together, that will keep a company’s digital secrets safe.


Cyber Threats in 2015: New Attack Vectors, More Severe Incidents

One year ago today, Target was gearing up for Black Friday sales and projecting a strong end to the year. That was the company’s primary focus. The same could be said for Neiman Marcus and Home Depot. And no one had even heard of Heartbleed or Shellshock yet.

Needless to say, much has changed in the last year.

If 2014 ends up going down in the history books as the “Year of the Cyberattack,” then what does 2015 have in store for network administrators? We’ve already started to see the predictions roll in, the first coming from the report, “The Invisible Becomes Visible,” by Trend Micro.

The report paints the new network security threat landscape as becoming much more broad and diverse than it has ever been, evolving beyond the advanced persistent threats (APTs) and targeted attacks that have been the favorite weapon of hackers.

Trend Micro CTO Raimund Genes told InfoSecurity that cyberattack tools now require less expertise to use and don’t cost as much. He listed “botnets for hire … downloadable tools such as password sniffers, brute-force and cryptanalysis hacking programs … [and] routing protocols analysis” as just a few of hackers’ new favorites.

Given these new threats, how can network administrators shore up their network security for 2015 and beyond?

The ‘Three-Legged Stool’ of Network Security

As network administrators build out their network security infrastructure, it’s best to focus on the so-called “three-legged stool” approach – prevention, detection and response. Network security cannot be limited to simply installing prevention measures and hoping for the best. Why? Because there is no one universal, surefire way to prevent an attack, especially as attackers diversify and escalate their efforts.

Even if network administrators are cautious to the point where they assume their network could be hacked at any minute, some endpoints could still be exploited. Or, employees might not follow network security protocol.

In the event that these prevention measures are not entirely successful, organizations need to have a plan, and that means putting in place strong detection and response protocols – these are the two other “legs” in the stool. What do they look like in practice?

In the case of VPN management, central management capabilities within the technology provide network administrators with a single view of all remote access endpoints, allowing them to quickly launch a response when an attack is detected, often by deprovisioning the vulnerable device.

With these three elements working in tandem, network administrators will be prepared and armed for any threat 2015 might bring to their network security.

Read More:

7 Security Threats You May Have Overlooked
When Remote Access Becomes Your Enemy

