VPN Haus

Battlefield Mobile: Threats Targeting In-Motion Endpoints Climbed in 2014

Posted: 22nd January 2015 by VPN Haus in Endpoint Management
Tags: Defense-in-depth, m2m communications, Mobile Security

By now, cybersecurity veterans are well-versed in the most common attack vectors exploited by hackers to breach their corporate networks. Brute force attacks, phishing schemes, SQL injections – they’re all proven attack methods that network administrators prepare for and defend against.

But what about the next frontier? What attack vectors and endpoints do hackers now think are most vulnerable?

It starts with mobile devices. They look like the perfect target to many attackers, who think that they can exploit the fact that so many connections over these endpoints go unsecured and that these devices are so popular with employees – 74 percent of organizations use or plan to use BYOD. In addition to mobile, another frontier could be devices that rely on machine-to-machine (M2M) communications, which create a scenario where human beings are entirely removed from the equation.

As this small, isolated group of attack targets grows, network administrators need to be ready to fight back wherever hackers go, whether that’s on the mobile, M2M or some other battlefield.

The Next Trends in Cybercrime

The landscape of cyberthreats network administrators must be aware of is ever-evolving with the advent of new technologies and new criminal strategies. While there’s consensus in the security industry that mobile attacks will only increase in the coming years, the current prevalence of these incidents is really in the eye of the beholder. Only about 15 million mobile devices were infected by malware midway through 2014 – an infection rate of less than 1 percent. On the other hand, in the last year, mobile malware attacks did increase by 75 percent, off the back of sophisticated threats like ransomware, spyware and Trojan viruses.

Going forward, all of these figures should increase. As AT&T’s Andy Daudelin told Fierce Mobile IT, the rise of Bring-Your-Own-Device (BYOD) will lead to more mobile-based threats and remote access vulnerabilities. He warns: “Users aren’t thinking of these [devices] as computers, but they are. There needs to be more robustness across the industry.”

This “robustness” brings to mind the proven defense-in-depth approach to network security. As successful cyberattacks have shown over the last year, even if a company installs every possible anti-virus software product and other threat prevention tools, there’s still a chance that an attacker could break through. That’s why a defense-in-depth security framework, built on principles of redundancy, is so valuable – if one security mechanism fails the others are there to pick up the slack.

Defense-in-depth will be even more important as mobile devices beyond phones and tablets start to enter the workplace. Imagine the challenge of securing correspondence in environments where employees aren’t even part of the equation. Particularly when a human being isn’t situated at either endpoint, as is the case in M2M environments, all the normal best practices around network security are cast out the window. As an example, how is “implement employee training” strong advice for a network administrator when the communication is happening between two or more machines?

Again, we go back to defense-in-depth. To build this structure, network administrators begin by using a VPN to secure sensitive information that crosses the network, whether it’s through a phone, tablet, healthcare device, connected car or agricultural equipment, and then they build in fail safes around it. Network administrators that follow these steps will assure themselves of not only winning the battle against cyberattackers, but also the war.

For more information about securing M2M communications, register for our webinar “Managing Secure Communications in M2M Environments,” 2 p.m. EST, Tuesday, February 24.

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now

The Risk Within: Could an Ex-Employee Be Responsible for the Sony Hack?

Posted: 15th January 2015 by VPN Haus in Endpoint Management, IT policy
Tags: Cyberattack, Hacking, privileged users, Sony

One month ago, we asked, “What network security lessons can we learn from the Sony attack?” Since then, new information has been slow to trickle out, save for the FBI’s mid-December statement that assigned responsibility to the North Korean government.

Despite the seeming finality of that announcement, many in the cybersecurity community are still not convinced of North Korea’s sole culpability. In fact, some have even gone as far as to construct counter-narratives to identify the responsible parties.

One of the more vocal opponents of the FBI’s North Korea theory has been Norse, a cyber-intelligence provider. Kurt Stammberger, the company’s senior vice president, recently laid out his case to the Huffington Post as to why he thinks that internal factors – specifically, an ex-employee of Sony – may have been central to the breach.

As Stammberger detailed, the malware deployed in the hack contained Sony credentials, server addresses and digital certificates. He said, “It’s virtually impossible to get that information unless you are an insider, were an insider, or have been working with an insider.”

While this evidence is compelling by itself, even if an insider is ultimately found not to have been involved in the attack, Norse’s assertion has already provided those in IT and cybersecurity with plenty to think about when it comes to the damage ex-employees can do on their way out the door.

The Risks Inherent to Network Privilege

On their first day at work, IT departments provide employees with all the tools they’ll need to do their jobs – the devices themselves, the necessary access credentials, remote access capabilities and more. The problem is, once ex-employees leave the company, they could use this knowledge – the same information they once used to help the company – to harm it.

It could be as innocent as an ex-employee logging into the network remotely to access a personal email from their old company email account, or as malicious as a terminated employee deliberately leaking privileged information as a means of enacting revenge.

In some instances, certain ex-employees, known as “privileged users,” could cause even more damage, because of how much more they know than the average employee. They’re the network engineers, database administrators and application developers who are responsible for network operations. They’re the users who control network resources and who may have less oversight or control over their actions. If an attacker is able to obtain these employees’ credentials, or if these privileged users become malicious actors themselves, the integrity of the network could be jeopardized.

That’s why employers need to ensure that the break with ex-employees is both clean and final. Employees cannot be permitted to have any of the same access to the corporate network that they did when they were employed. Even if just one of their credentials is still operational – be it for servers, networks or end devices – then sure enough, that will be the vulnerability that will be exploited.

Whether this type of oversight was a key element of the Sony breach is still yet to be determined – at least, if you don’t believe the FBI’s version of the hack. But if an ex-employee was involved, and was able to publicly humiliate one of the nation’s largest entertainment giants with just insider knowledge and some keystrokes – then network administrators will have officially been put on notice about the risk of their own workers and the grave potential of internal threats.

Want to learn more threats to your company’s network?

7 Security Threats Your May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

– How to handle environments fraught with rogue employees, personal devices, and EOL products.
– A sound approach to security policies and their enforcement, including the important of executive involvement.
– A new way to think about VPN solutions to simultaneously maximize security, flexibility, and ease of management.

Download Now

Ex-Employees: All the Best, But Can We Have Our Personal Emails Back, Please?

Posted: 6th January 2015 by VPN Haus in Endpoint Management, Rethink Remote Access
Tags: employee education, HR, passwords

It doesn’t matter if employees leave a company on unpleasant terms or quite amicably – it is absolutely essential that enterprises have solid, well-defined termination processes in place, and that they’re followed to the letter.

In their final days at a company, employees can demand various personal documents, depending on local regulations. A final paycheck and unclaimed vacation days also need to be sorted out. A smooth termination process is a good business practice and documenting it in a written agreement, signed by both parties, helps to avoid misunderstandings. Putting this type of process in place is inexpensive, and in the long run costs nothing at all.

A well-defined process also contributes tremendously to the overall integrity of the corporate network security structure, in that companies that follow these processes, drastically reduce the danger of sensitive information being leaked whenever an employee leaves the company.

As part of the termination process, employees should confirm they have read and deleted all private emails on the companies’ servers, are no longer storing private data in the LAN, have transferred all personal data, e.g. phone numbers, videos, photos and text messages, from company-owned mobile devices, and that all other private information has either been deleted completely or transferred to a private data storage device.

It’s also important that both sides acknowledge the hand over of all private data and that no more data is residing on the companies’ servers. In Germany, where employers are granted full ownership of email, failure to do so could create legal repercussions for companies. As a decision by the Higher Regional Court Dresden (4 W 961/12) explains, companies that delete the email accounts of their employees without this confirmation are susceptible to indemnity claims by the employee. In instances where the mutual trust relationship between both parties has been hampered or even destroyed, a third party might oversee the screening of the private emails on the server. The whole procedure, however, is not necessary, if private Internet usage is forbidden and written into the employment contract.

Employees have obligations as well. They must return all access codes and user credentials for servers, networks and end devices. That includes credentials for VPN access, which is frequently secured with the help of two-factor authentication. Terminating VPN access is especially crucial because ex-employees aren’t easily spotted by the IT staff should they decide to abuse remote access capabilities. These user accounts should be blocked in the VPN management console with immediate effect, after notice is given, and then deleted completely after the employee has worked his or her last official day.

A practical solution to this and other credential-based systems are card-based ID documents that work as authentication devices for all sorts of company resources, ranging from the cafeteria to the data center lock. They are available in contacting and non-contacting versions. If the card is withdrawn or blocked within the management system, all access ceases.

Once access to all electronic information is addressed, what’s left is the immaterial knowledge of the employee about proprietary business information, customer projects and other intellectual property. For this kind of information, a non-disclosure agreement should be a fixed part of the resignation process. Ideally, this type of agreement is prepared by an experienced lawyer and tailored to the specific requirements of the enterprise. The non-disclosure agreement not only covers client data and related information, but also all company-related information that needs to be kept secret. However, even an NDA has its limits.

Some laws prohibit companies from using an NDA as a sort of gag order or oppressive contract for an indefinite period of time. The topics covered as well as the duration and possible repercussions have to be defined explicitly if a company is to claim breach of contract.

Want to learn more threats to your company’s network?

7 Security Threats Your May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

Download Now

3 New Year’s Resolutions for Network Administrators

Posted: 30th December 2014 by VPN Haus in Endpoint Management, Mobile
Tags: BYOD, Defense-in-depth

Although it’s been a historically troubling year for the cybersecurity community, the advantage of a new year is that network administrators can make a fresh start.

The end-of-year Sony hack has brought even more mainstream attention to network security – not to say that a full year of prominent attacks didn’t – and this increased awareness should lead to healthier IT security budgets and more resources to prevent the next attack.

When network administrators get back to work in 2015, here are three New Year’s resolutions they should focus on:

1. Take Back Control with Remote Access Central Management

As IT administrators know all too well, employees often perceive a see-saw effect between their productivity and the degree of restrictions placed on the technology they use day-to-day. The fewer restrictions, the easier their jobs become, and vice versa. So, how can IT departments find middle ground? The answer is to selectively limit the ability of employees to access and share certain information.

Unfortunately, as a report by the Ponemon Institute found, 80 percent of IT administrators say their companies do not enforce a “need-to-know” data policy. This is despite the fact that, as the report said, “An organization that reduces the amount of data employees have access to … and streamlines their processes for granting access will likely benefit from more productive employees.” The New Year’s lesson here for network administrators is to take back some power from employees.

Just as some of the most common New Year’s resolutions focus on regaining control of some aspect of your life, whether that’s financial (reducing debt), social (planning a vacation), or physical (exercising more often), network administrators need to be sure they have 100 percent control over their network, at all times, even as the number of remote users and network-enabled endpoints increases.

Remote access central management capabilities allow IT departments to take action when the network has been breached, and subsequently, allows them to de-provision users in order to quarantine the threat. By controlling VPNs from a single point of administration, a network administrator will retain full visibility across the network, even as the organization grows.

2. Face BYOD Head On

Last month, during a discussion hosted by an IT advisory service about the Bring-Your-Own-Device (BYOD) trend, one panelist shared a story that should make data security advocates very uncomfortable. He explained that his wife, a nurse, uses text messaging to communicate with her coworkers while on the job, “because that’s the most efficient way to do their job.”

Now, on one hand, these nurses could be inadvertently running afoul of HIPAA regulations and thrusting the hospital into the murky waters of patient privacy violations. On the other, would they be able to do their jobs as effectively without the ability to communicate via text, in real-time?

Since the days of car phones and beepers, savvy network administrators have known that employees would one day bring their personal mobile devices into the workplace, and then insist on using them as part of their jobs. That’s where we find ourselves today, and that’s why organizations face the decision to roll out Bring-Your-Own-Device (BYOD) policies.

Of course, by doing so, some administrators feel they could be exposing themselves to additional vulnerabilities, since more endpoints will be brought into the network. However, by now, we’re really past the point of no return with personal devices in the workforce – it’s best to just assume employees are going to bring them into the office.

Sometimes, New Year’s resolutions are about confronting the challenges that are right in front of you. People who smoke or eat unhealthy foods often know that what they’re doing is bad for them, yet they continue anyway. In the world of network security, BYOD isn’t any different. Personal mobile devices are already here, and it’s time for IT departments to adopt BYOD policies and educate employees about best practices.

3. Make Time for Defense-in-Depth

Part of the reason many New Year’s resolutions fail is that they’re huge, life-altering adjustments. That’s why the changing of the calendar is such a necessary motivator for many people – they need to feel as though they’re starting with a clean slate before they can address whatever monumental task is at hand.

One of the more daunting tasks some network administrators will face in 2015 is overhauling their entire network security infrastructure. This is no small task. It’s about taking all the disparate security elements network administrators may already have in place, syncing them with one another, and then combining them with missing pieces, to create one, comprehensive infrastructure. This is the beginning of what is called a “defense-in-depth” approach.

With this strategy in place, when things don’t go as planned – such as when an employee falls victim to a phishing scheme – there will be other technologies in place to limit whatever threats may now lie on the horizon. An overlapping system of firewalls, VPNs and other network security tools work in tandem to shield the network from harm.

New Year, New Approach

Even by following these resolutions, network administrators can’t guarantee impenetrably of their networks. But, at least with more awareness and a new approach, network administrators can move on from 2014 – the year of “Nobody’s Safe” – to 2015 – the year of “Everyone’s Protected.”

Want to learn more about secure remote access?

In 7 Requirements for Pain-Free VPN Client Support, we cover:

– How to deploy a VPN solutions that reduces the pain associated with supporting clients.
– How to mitigate the costs and headaches that result from more users and devices.
– Best practices to make sure your VPN is never too complex to operate securely and efficiently.

Download Now

The Holidays Bring Both Cheer and Fear to Network Administrators

Posted: 23rd December 2014 by VPN Haus in Endpoint Management, IT policy
Tags: BYOD, cyber attack, IT policy

Almost one year ago to the day, the “most wonderful time of the year” became anything but for millions of Americans when news of the Target data breach broke. Not only did that attack force us all to think twice about how our digital information is managed, it forever changed the network security landscape and put IT administrators in a perpetual state of high alert.

This holiday season, having suffered through a full year of attack after attack, network administrators have battened down the hatches even further, living in constant fear that their organization could become the next target of hackers. The silver lining is that these attacks have forced IT departments to re-evaluate their internal security policies, and at least raise awareness of how crucial it is – if not actually put in place – the infrastructure necessary to protect their organizations.

But despite now having a better understanding of the landscape of cyberthreats and vulnerabilities, as well as having shored up their cyber defenses, IT departments must remain vigilant towards the potential cyberthreats lurking in the shadows this holiday season.

From the new technologies employees receive as gifts, to the vulnerabilities that could arise from employees accessing the corporate network remotely, there’s plenty for network administrators to be preoccupied by this time of year.

New Gifts, New Threats?

For a few holiday seasons now, mobile devices, Internet of Things trinkets and wearable technology have been at the top of consumer gift lists. They’re popular nearly to the point of ubiquity, which is actually bad news for the network administrators who have to account for employees connecting these new endpoints to the network, where they could create vulnerabilities.

Dark Reading offers the example of a hacker who is able to work around a company’s Wi-Fi defenses by breaking into a corporate conference room’s Bluetooth system, via an employee’s vulnerable Bluetooth-enabled device, in order to listen to privileged conversations about financial transactions.

Attackers are as agile as they are astute, and they constantly look to exploit vulnerabilities – especially the ones IT departments haven’t identified yet. New consumer technologies could be just the point of entry hackers need to launch a new volley of attacks.

The Risk of Remote

Another network security concern over the holidays is the number of employees working remotely. More than half of Americans actually plan to work remotely over the upcoming holiday break, with about half of those expecting to spend at least two hours on the clock each day. And who wouldn’t prefer to work beside a fireplace during the holidays, instead of in front of their office computer?

Yet, all this convenience could come at a cost to IT departments – if employees don’t follow established remote access and Bring-Your-Own-Device (BYOD) protocol, they could inadvertently create vulnerabilities that aren’t present when they work on-site, under the umbrella of the immediate corporate network and under the watchful eye of the IT department.

Preventing Holiday Exploits

The lesson for network administrators this holiday season is clear – the remote access and BYOD policies that may have adequately protected their networks in the past may not be sufficient in today’s world. There have never been more devices, and more types of devices, connected to enterprise networks – and with each new endpoint will come new risk.

To offset these hazards, IT departments may need to reevaluate their BYOD policies. This includes frequently updating protocol, and making sure employees are educated as to how they can play a role in limiting network vulnerabilities.

And in the event that a remote access or BYOD policy comes up short, network administrators need to have in place an overarching defense-in-depth strategy, of which BYOD is just one component. When network administrators build redundancy into their defense plans, through interlocking solutions like VPNs and firewalls, even if attackers are able to breach one element, they’ll be cut off before they can advance further.

And if these defense mechanisms are successful, network administrators will have given themselves the best holiday gift they could ask for – peace of mind.

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

Download Now

VPN Haus

Email Subscription

Get NCP’s VPN for Android

Connect With Us

Contributing Member

Want to contribute?

Industry Recognition

Recent Posts

Categories

Blogroll

Archives

Battlefield Mobile: Threats Targeting In-Motion Endpoints Climbed in 2014

The Risk Within: Could an Ex-Employee Be Responsible for the Sony Hack?

Ex-Employees: All the Best, But Can We Have Our Personal Emails Back, Please?

3 New Year’s Resolutions for Network Administrators

The Holidays Bring Both Cheer and Fear to Network Administrators