Are Connected Cars on a Collision Course with Network Security?

Flipping through any consumer publication that rates vehicles, you’ll see all the metrics you would expect – from safety and performance (acceleration, braking, etc.) to comfort, convenience and fuel economy.

What you won’t find is an assessment of the car’s risk of being remotely hacked. Unfortunately, if you happen to drive a 2014 Jeep Cherokee or 2015 Cadillac Escalade, your vehicle would likely have a one-star review in Consumer Reports for cybersecurity.

These vehicles, along with 22 others with network capabilities, were profiled by researchers Charlie Miller and Chris Valasek during Black Hat 2014 earlier this month. They warned that a malicious attacker could hack into a connected car, doing anything from “enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes.”

Days later, during the DefCon hacker conference, a group of security researchers calling themselves “I Am The Cavalry” sounded the same alarm, urging the automobile industry to build safer computer systems in vehicles.

The warning comes years after automakers started testing the connected car waters, most notably Ford, as far back as 2010, with its “MyFord Touch” mobile Wi-Fi hotspot. Since then, Google has been in the driver’s seat of the connected car movement. There’s been buzz around Google’s efforts to produce self-driving cars for years, and the smoke signals only grew more prominent after Google moved its head of Android, Andy Rubin, to the robotics division of the company.

While the convenience of connected cars will no doubt increase their popularity, it’s important for manufacturers of all network-ready vehicles to remember the importance of security technology. As we wrote last year about connected cars, attackers don’t care what mobile endpoint they’re hacking – as long as it’s connected to the Internet, it’s a target.

Vehicles: Just One of Many ‘Things’ Hackers Can Target

Although I Am The Cavalry gained recent attention because of its focus on connected vehicles, the hacker coalition has taken a broader approach, by focusing “on issues where computer security intersects public life and human life.”

The group has also advocated for better security over other potential hacker targets, including medical devices, public infrastructure and home electronics. As the growth of the Internet of Things has shown, computer security now intersects public life at nearly every turn!

One proposal put forth by I Am The Cavalry for defending against cyberattacks is the concept of “safety by design” – essentially, that vehicle computer systems are segmented and isolated, so that a problem with one does not impact the performance of another.

Sound familiar? It’s similar to the concept of defense in depth, which uses redundancy to create a comprehensive, multi-tiered security infrastructure. One of the first steps enterprises should take in building this infrastructure to prevent connected devices from breaching corporate networks is to implement a centrally managed VPN.

It doesn’t matter whether you’re using a VPN to secure a connected car, an employee’s phone or tablet, a smart sensor or some other Internet of Things device that relies on machine-to-machine (M2M) communication: the connection needs to be secure before a device accesses the internet or a corporate network and begins transmitting sensitive information.

What’s most important is that our collective ambition to improve technology doesn’t outpace our ability to keep up with the necessary cybersecurity mechanisms. In the case of connected cars, it’s probably best that we all “tap the brakes” and consider the security apparatuses that need to be in place before these next generation vehicles are on every highway in the country.


Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

- The full VPN landscape, including hybrid IPsec/SSL VPN solutions
- The evolution of remote access VPN
- How to provide users with secure remote access
- How to simplify remote access VPN and reduce costs

Download Now

BadUSB Black Hat 2014

If awards were given out at Black Hat 2014, one nominee for “Exploit of the Conference” would have won in a runaway – the “BadUSB” exploit.

Researchers Karsten Nohl and Jakob Lell caused quite a stir in Las Vegas earlier this month, which quickly spread to the rest of the world of cybersecurity, when they showed how USB drives could be reprogrammed and transformed into portable malware carriers.

Nohl and Lell explained that since USB drives are designed to be reprogrammable, a hacker could make a drive masquerade as another device. In one example an attacker could reprogram a USB device to assume the function of a keyboard, and then issue commands to the computer or install malware.

And possibly the worst part of the vulnerability is that a user has no visibility into the software running a USB drive, so there’s no way to find out if their drive has been affected. In the wrong hands, a BadUSB drive really is “scarily insecure,” as Nohl put it.
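The firmware is not visible to the host, but the interface classes a device declares when it enumerates are. The following is an added example, not code from the original post or from Nohl and Lell's research: it parses a USB configuration descriptor and lists every interface that a device believed to be a plain flash drive should not declare. The sample descriptors and the helper names are constructed for illustration.

```python
import struct

# Descriptor types and interface class codes defined by the USB specification.
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08


def parse_interfaces(blob: bytes):
    """Return (number, class, subclass, protocol) for each interface declared."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]  # wTotalLength
    if total > len(blob):
        raise ValueError("wTotalLength exceeds the captured data")
    found, offset = [], 0
    while offset + 2 <= total:
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > total:
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor too short")
            found.append((blob[offset + 2], blob[offset + 5],
                          blob[offset + 6], blob[offset + 7]))
        offset += length
    return found


def audit_storage_device(blob: bytes):
    """Interfaces that a device believed to be a plain flash drive should not have."""
    return [i for i in parse_interfaces(blob) if i[1] != CLASS_MASS_STORAGE]


# --- Constructed sample descriptors (not captured from real hardware) ---
def _config(n_interfaces: int, body: bytes) -> bytes:
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                         n_interfaces, 1, 0, 0x80, 50)
    return header + body

def _interface(number, cls, subclass, protocol, n_endpoints) -> bytes:
    return bytes([9, DT_INTERFACE, number, 0, n_endpoints, cls, subclass, protocol, 0])

def _endpoint(address, attributes, max_packet, interval) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, address, attributes, max_packet, interval)

STORAGE_IF = (_interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)   # SCSI, bulk-only
              + _endpoint(0x81, 0x02, 512, 0) + _endpoint(0x02, 0x02, 512, 0))
KEYBOARD_IF = (_interface(1, CLASS_HID, 0x01, 0x01, 1)           # boot keyboard
               + bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0])
               + _endpoint(0x83, 0x03, 8, 10))

PLAIN_DRIVE = _config(1, STORAGE_IF)
DRIVE_WITH_KEYBOARD = _config(2, STORAGE_IF + KEYBOARD_IF)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_DRIVE), ("composite", DRIVE_WITH_KEYBOARD)):
        print(name, audit_storage_device(blob))
```

The check only sees what the device chooses to declare, so it catches a drive that announces a keyboard but says nothing about firmware that misbehaves while still presenting as storage.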

USB Drives are Repeat Cybersecurity Offenders

Long before Black Hat 2014, it’s been widely known that USB drives are not the most secure way to transfer data between devices. Convenient, yes. Secure, no.

Not only are USB drives easy to lose, but any device with a USB interface could potentially be affected by malware originating from a USB drive, including laptops and phones. As far back as July 2011, the Ponemon Institute found that 70 percent of businesses could trace data breaches back to USB drives.

Even the NSA found USB drives to be useful for espionage purposes. In December 2013, it was revealed that the agency had used a series of USB implants known as “COTTONMOUTH” to target adversarial networks. If the NSA is exploiting a vulnerability, then it’s probably an effective means of attack.

A World Without USB Drives?

Even if businesses understand the risk of using USB drives, they’re usually limited to making an all-or-nothing choice. In fact, in the Ponemon survey, more than one-third of enterprises said they used software to block all usage of USB drives by employees. Other complementary solutions like antivirus software also won’t fend off exploits like BadUSB because the software that runs on USB drives isn’t visible to computers. It’s clear that USB drives are a threat, so surely, a smarter approach would be to remove the need for employees to use them altogether.

If businesses want to allow their employees to work remotely, it’s better they require them to access and transfer files using a device that is connected securely to the corporate network via a VPN, instead of allowing them to use a USB drive to move data from one device to another. As soon as a USB drive is ejected from a corporate device, the information it contains is no longer protected by the umbrella of security offered by the corporate network, and enterprises no longer have control over who has access to the data or how the data is utilized.

If an enterprise utilizes a centrally managed VPN, employees can download a VPN client that will work on any device or operating system, which they can use to access files anywhere, at any time. An enterprise will also maintain access control, limiting the information users can access according to their roles and attributes. Additionally, if a user’s computer were to be affected by malware, the network administrator could deprovision the user as soon as the breach was detected, thereby preventing the malware from spreading throughout the network.

Now that Nohl and Lell have sounded the alarm about BadUSB, the hope is that enterprises will stop using USB drives and instead turn toward comprehensive network security and a defense in depth strategy, including utilizing a VPN with central management. Hopefully, by Black Hat 2015, BadUSB will be just a distant memory.


It's Time for Retailers to Tell Point-of-Sale Hackers to 'Back Off'

It’s Groundhog Day all over again for retailers, following the U.S. Department of Homeland Security’s warning that they could, once again, be exploited by malicious actors.

Less than a year after hacks of Target and Neiman Marcus caught the attention of government investigators, and the whole country, Homeland Security is again weighing in on a hack targeting retailers.

This time, the culprit – “Backoff” – is able to establish command-and-control of retail point-of-sale systems, giving hackers free rein to steal customer credit card numbers and other personal information, like email addresses and phone numbers.

According to Homeland Security, malicious actors are able to compromise PoS systems through remote desktop applications – such as LogMeIn, Join.Me, and other similar solutions from Microsoft, Apple and Google – and then use brute force attacks to deploy the PoS malware.

Once they’ve seized control of the desktop, attackers can run roughshod however they please. Variations of Backoff attacks have been traced back as far as October of last year with up to 600 retailers thought to have been affected.

Download a VPN Client or Install a Remote Desktop?

In its release, Homeland Security issued a number of network security solutions retailers can deploy to mitigate the risk of a Backoff attack – some more effective than others.

The first suggestion is for retailers to configure their remote desktop client so that specific users, or IP addresses, are locked out after multiple failed login attempts. Generally, but not always, brute force attacks like Backoff can be prevented this way.
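The lockout rule described above can be sketched as follows. This is an added example, not code from Homeland Security's release or from any remote desktop product: the thresholds, account names and addresses are constructed, and the class name is hypothetical. It counts failures per user and per source IP in a sliding window, which shows why both keys matter when one address guesses passwords across many accounts.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock a user or a source IP after too many failed logons in a window."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _keys(user, ip):
        return (("user", user), ("ip", ip))

    def is_locked(self, user, ip, now):
        return any(self._locked_until.get(k, 0) > now for k in self._keys(user, ip))

    def record(self, ts, user, ip, success):
        """Process one logon attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, ip, ts):
            return "locked"                   # rejected even with a correct password
        if success:
            self._failures.pop(("user", user), None)  # keep the IP's history
            return "ok"
        for key in self._keys(user, ip):
            recent = self._failures[key]
            recent.append(ts)
            while recent and recent[0] <= ts - self.window_s:
                recent.popleft()              # drop failures outside the window
            if len(recent) >= self.max_failures:
                self._locked_until[key] = ts + self.lockout_s
                recent.clear()
        return "failed"


# Constructed events: (seconds, user, source IP, credentials were correct)
EVENTS = [
    (0, "pos1", "203.0.113.7", False),
    (10, "pos2", "203.0.113.7", False),
    (20, "pos3", "203.0.113.7", False),
    (30, "admin", "203.0.113.7", False),
    (40, "backoffice", "203.0.113.7", False),   # fifth failure from this IP
    (50, "admin", "203.0.113.7", True),         # right password, IP is locked
    (60, "admin", "198.51.100.20", True),       # same account, different IP
    (1000, "pos1", "203.0.113.7", True),        # after the 900 s lock expires
]


def replay(events, policy=None):
    policy = policy or LockoutPolicy()
    return [policy.record(*event) for event in events]


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```

No single account in the sample sees more than one failure, so a per-user counter alone would never trigger; the per-IP counter is what stops the sweep.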

The problem is that denial of access is only a bandage solution. We’ve written it before and we’ll say it again – LogMeIn is not a viable Virtual Private Network (VPN) alternative. Remote desktop solutions create an environment in which user convenience trumps network security, and this convenience is what has made retailers so susceptible to remote desktop attacks.

Although downloading a VPN client creates a more secure network environment than installing a remote desktop service, while still providing user convenience, doing so doesn’t by itself mitigate the threat of Backoff or any other retail PoS attack. In fact, there is never one technology that neutralizes all threats, all the time.

Where we do agree with Homeland Security is in its support for two-factor authentication. As its release says, “even if a virtual private network is used, it is important that [two-factor authentication] is implemented to help mitigate keylogger or credential dumping attacks.” Put simply, two-factor authentication adds another hurdle and makes it harder for hackers to get what they want. This is the same reason we also support the department’s suggestion to update antivirus systems. It’s all about building redundancy into a network security infrastructure and instituting defense in depth.

Together, the best security technologies such as up-to-date antivirus software, restrictive firewalls and secure VPNs, and employees who are savvy with network security create redundancy in a network security infrastructure and keep hacks like Backoff on the outside looking in.


In September 1862, the 27th Indiana Infantry Regiment, situated near Frederick, Maryland, made a discovery that could have altered the Civil War.

It all began without much fanfare. Two soldiers found three cigars, held together with an unassuming piece of paper. There was nothing extraordinary about it, until the soldiers realized the document was actually a Confederate battle plan. The soldiers then acted quickly, passing the battle plan up the chain of command, all the way to Union leader General George B. McClellan, who, historians note, could have used that information to “destroy the opposing army one piece at a time.”

Yet, McClellan took 18 hours to act, and by the time he started moving against the Confederate forces, General Robert E. Lee had enough time to mobilize his forces and hold off the assault.

The Power of Information

During wartime, information can create just as much of an advantage for one side as the size of an army or the weapons they hold. That is, as long as this information is accurate, passed along to the right people and then acted upon quickly. In McClellan’s case, everything fell into place, except for the “acted upon” step.

The situation is similar for IT security professionals today, in their own war against threats to cybersecurity. They constantly gather intelligence about threats to sensitive corporate information and they understand how remote access vulnerabilities could be exploited by attackers.

Where they fall short – or rather, where their “commanding officers” (executive teams) fall short – is with how that information is passed along and acted upon. Nearly one-third of IT security teams never speak with their company’s executives about cybersecurity, according to a new Websense and Ponemon Institute report. And, what’s worse, the few who do keep executives in the loop only update them once per year.

So, how is it that these “communication roadblocks,” as the report calls them, seem so simple to correct, yet so little is done to correct them?

Websense’s Jeff Debrosse explained to SC Magazine that executives simply may not understand the nuances of network security, which could explain why they don’t always give IT security teams a seat at the executive table. Yet, Debrosse encouraged IT pros to, “really insist and show the ‘why’ of having security as part of executive team meetings and discussions.”

That way, both parties will be able to speak the same language. By breaking down these communication barriers, IT security professionals are more likely to get the support they need from the powers-that-be.

Is It Time for an Infrastructure Reconstruction?

After addressing communication breakdowns, IT professionals may want to analyze the technology that protects their networks. Many are already taking this step, and they’re not liking what they see. About 30 percent of security professionals told Websense that they would support a complete overhaul of their network security infrastructure. While this seems like an overwhelming task, a network security overhaul isn’t as unorthodox or burdensome as it may seem.

At the heart of any network security infrastructure should be a VPN with central management capabilities. This solution uses encryption to provide employees with a secure tunnel through which they can gain secure, remote access to the corporate network. It also provides network administrators with the ability to revoke network access whenever a cyberattack is detected.

Once a VPN is installed as part of a redundant, multi-layered network security infrastructure, it’s up to the IT team to consistently communicate with the executive team. This way, when an advanced persistent threat (APT) or a breach traced back to a privileged user is detected, for example, the executive team will have more context and a better understanding of the threat landscape. This should empower them to quickly take whatever action is required.

If there is one lesson that can translate from General McClellan to today’s CEOs, it’s that having the right amount of information is only the first step on the battlefield – it’s knowing what to do with that information that will determine how history will judge you as a leader.



It’s a tough time to be a BlackBerry user.

Despite having a committed fan in the Oval Office and some new features to brag about, including a digital assistant, BlackBerry has seen Android, Apple and Microsoft phones completely erode its market share. Its popularity has actually receded so far that BlackBerry is now less popular than nameless “other” devices in smartphone market share surveys. As bleak as the news seems, though, a resurgence of BlackBerry is possible, at least in some circles.

Thanks to what some say are restrictive Bring-Your-Own-Device (BYOD) and remote access policies, some mobile device users in the corporate world are rebelling against BYOD – specifically, they don’t want their personal mobile devices to be controlled by their employer’s IT administrators. They say that mobile device management products and oversight mechanisms quickly deplete their battery life, disrupt their desired workflow, and, worst of all, infringe on their privacy. This is a problem they never had with their corporate BlackBerrys, which, unlike today’s market leaders, were better suited for use in business settings.

CIO Magazine collected this information from an anonymous, frustrated IT executive at a New York City investment firm, who also shared that 60 percent of the company’s employees would rather go back to using two separate devices, including a BlackBerry solely for business use, instead of using one phone to store both their personal and professional information. He described in detail the “nightmare” environment around the company’s BYOD woes that was caused by the company’s invasive BYOD policies.

Although the issues plaguing this investment firm could translate over to other companies, it’s not clear whether there really is a widespread nostalgia for BlackBerrys to again be the cornerstone device mobile employees use for remote access to corporate networks. What is clear is that there’s certainly a rocky road ahead for BYOD, especially considering formal BYOD policies are still not as universal as one might think.

Bring-Your-Own-Dissatisfaction?

Despite all the hype, enterprises are only starting their journey to embrace BYOD, as about half of large enterprise firms still don’t allow employees to use their personal devices in the workplace, according to CompTIA’s Third Annual Trends in Enterprise Mobility study.

The benefits of embracing BYOD are clear. According to the study’s findings, with increasing mobility, employees are more connected, productive and engaged with customers.

The study goes on to explore the reasons for corporate skepticism around BYOD, with respondents citing the logistics around device integration as the biggest hurdle, and specifically the added complexity involved in managing employee behavior and a range of different mobile devices. As CompTIA’s Seth Robinson said, “there are enterprise aspects such as encryption, proper security settings and enterprise apps that require further and ongoing [employee] education.” So, it’s not really an issue of resources for large enterprises, as it is for small and midsize businesses.

What this all means is that enterprise BYOD is still very much in its infancy, and that there’s still time for organizations to secure their network security infrastructure before possibly exposing themselves to all the vulnerabilities that could be created when employees bring their personal mobile devices into the workplace. Specifically, as the CompTIA study mentions, the most common mobility needs for U.S. companies are improved technology and central management of security apparatuses.

A good first step for companies aiming to address these problems is to implement remote access VPNs that include central management capabilities. By using such a solution, an enterprise can provide employees access to the corporate network on any device while guaranteeing that sensitive information remains secure. Network administrators also will be able to ensure that all endpoints connected to the corporate network are policy compliant without needing to adopt what employees may perceive as invasive MDM technologies. And, if they aren’t, or if a security breach does occur, central management functionality allows admins to quickly revoke network access or deprovision problem devices.

Enterprises may still experience some BYOD pushback from employees – and some may even clamor for their BlackBerrys again – but ultimately enterprises will find the business benefits and employee happiness associated with BYOD too compelling to ignore.