Stop the Bleeding: How Enterprises Can Address the Heartbleed Bug

Posted: 17th April 2014 by VPN Haus in Encryption, Industry Commentary, SSL, VPN
Tags: , , , ,
0

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem
Heartbleed

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open source Web servers using OpenSSL is more than 66 percent.” And, as Douglas Crawford of Best VPN notes, “[Heartbleed] particularly affects websites that are powered by the Apache web server, but as this is over 50 percent of all websites on the Internet, this is of little comfort.” The threat to the average end user is apparent – cyber criminals exploiting this encryption flaw can easily intercept credit card information and other types of sensitive personal data. But enterprises are at risk, too, especially given the large number of organizations that have coped with BYOD by implementing SSL VPNs.

How to address the issue

We often discuss how the mobile security industry as a whole tends to be more reactive than proactive when it comes to identifying and mitigating threats. However, in a strange twist of irony, older versions of SSL are immune to Heartbleed. But that doesn’t mean that you shouldn’t take action. Rather, it’s a good idea to leverage ephemeral keys (a cryptographic key that is generated for each execution of a key establishment process) to further solidify an enterprises defense against the bug. If you are operating with a VPN that uses the compromised OpenSSL, ZDNet’s Steven J. Vaughn-Nichols hits the nail on the head – you need to revoke your old SSL digital certificate from your certificate authority (CA) and get a new one. If you don’t, “It would be like you replaced your old lock with a brand new one… that takes the same old key.”

Once the certificate has been renewed, the next step is to contact your VPN provider to find out how they’re handling the situation. If your VPN has central management capabilities, compromised certificates can be automatically revoked and replaced with new ones for all users by network administrators. A centrally managed VPN that can interoperate with other network and security technologies is a crucial component of a broader defense in depth strategy. If a user is compromised, technologies such as dynamic personal firewalls, a robust anti-virus solution, anti-malware software, etc. can work together to mitigate further risk and keep other users and the network safe. Despite its effectiveness, unfortunately it often takes a major revelation such as the Heartbleed bug to help enterprises recognize the importance of shoring up their network security.

If your provider is not hurrying to patch the hole in their OpenSSL implementation and/or taking steps to better implement a defense in depth framework, you may be justified in hitting the panic button. In these instances, it’s imperative to make your customers aware of the threat and what you’ve done to address it, in addition to outlining the proactive steps they can take to protect themselves. For more information, please reach out to NCP engineering via emailing info@ncp-e.com or LinkedIn.

A Closer Look at Cloud VPNs

Posted: 11th April 2014 by VPN Haus in Cloud, Encryption, Rethink Remote Access, virtualization, VPN
Tags: , , , ,
0

Virtual Private Networks as a Service (VPNaaS), Managed Security Service Providers (MSSP) and Cloud Remote Access are different solutions addressing the same market requirement – the ability for remote employees to securely access corporate networks via the Internet with a managed solution.  Many enterprises have realized the benefits of using cloud services in other areas of their IT infrastructure. As a result, they no longer want to absorb the costs and management effort involved in hosting their own VPN gateways, especially ones with large numbers of remote endpoints.

Striking a balance between giving remote employees the flexibility they desire while ensuring sensitive company data remains secure is admittedly a fine line to walk. Enterprises have faced that challenge for several years now as they’ve wrestled with the bring-your-own-device (BYOD) movement. Factoring the cloud into the equation only compounds the complexity of the situation. That’s why many companies today are outsourcing the operation of the VPN to a cloud solutions provider such as HOSTING. However, not all VPNs are created equal, and enterprises need to carefully examine what a provider is offering.

What to look for

Be sure the provider offers simple, yet efficient management of your cloud-based VPN. For example, centrally managed VPNs give administrators the ability to easily set up, add or dele
te users as needed. With this approach, all configuration parameters are centrally stored. This approach makes it substantially easier for end users to establish connections while making it nearly impossible for employees to bypass or manipulate them.

Will end users need to reestablish a secure network connection each time their connection channel changes? If the answer is yes, that remote access solution is probably not going to deliver the flexibility that you need. For example, your cloud VPN should make it easy for employees to change from Wi-Fi to 4G connections without stopping to reconfigure their settings each time the medium changes. If the solution is able to support the wide array of operating systems being used by your employees, that’s a major plus. So, too, are integrated personal firewalls that are capable of dynamically adapting to the type of connection the end user is leveraging.

And let’s not forget about the biggest allure to the cloud – cost-savings. Enterprises can save a lot of money by reducing their investments in hardware and software, as well as their specialist headcounts.  A cloud VPN enables them to do exactly that. Generally speaking, enterprises pay their cloud VPN providers a low per-user monthly fee. When that is combined with the cloud provider’s in-house staff, the resource savings can be substantial.

Going from “or” to “and”

By leveraging a VPN that offers a centrally managed, flexible and cost-efficient approach, enterprises can better cope with BYOD. The truth is, security and flexibility are not mutually exclusive. It’s not a matter of choosing between the security of a VPN or the flexibility and convenience of the cloud. Cloud VPNs provide enterprises with both the security and flexibility they need to tackle the complex challenges of today’s continuously evolving and increasingly mobile remote access space. Will your organization adapt, or will you be left behind?

**This post originally appeared on HOSTING. NCP engineering is part of the HOSTING Cloud Crew Partner Program.


Patrick Oliver GrafPatrick Oliver Graf has more than 18 years of technology sector experience in product and project management, marketing and international direct and channel sales. Since September 2011, Patrick has been general manager of secure remote access VPN solution provider NCP engineering

 

 

Long Live Windows XP…. And Mobile Security

Posted: 7th April 2014 by VPN Haus in Industry Commentary, IT policy, Rethink Remote Access, VPN, Windows 8
Tags: , , , , , ,
0

At one point or another, we’ve all been blindsided by news that has literally changed our lives. Though we’re often left momentarily stunned, it’s imperative to figure out how to adjust and carry on. It’s not always easy, but you know the expression – where there’s a will, there’s a way.

However, the discontinuation of support for Windows XP is not news that should take anyone by surprise, as its April 8, 2014 retirement date was officially announced almost a full year ago. Cyber criminals surely have the date circled on their calendars, as the security risks posed to the numerous users and enterprises still using Windows XP beyond that date have been well documented. Recently, these risks have become both more prominent and dangerous. ZDNet reports that, using a form of malware called Backdoor.Ploutus, hackers are starting to remotely access a portion of the 95 percent of ATMs in the United States still using the soon-to-be deceased operating system (OS). “By simply sending a text message to the compromised system, hackers can control the ATM, walk up to it, and collect dispensed cash.” Clearly, this is a major cause for concern.

End of XPAnd it’s not exactly as if Microsoft has been trying to sweep the retirement of XP under the rug, either. In addition tosending pop-up dialog boxes encouraging users of the 488 million systems still using XP to upgrade to another Microsoft OS, the corporation even went so far as to recruit tech-savvy friends and family to help “old holdouts” make the transition. Unfortunately, the results have been lackluster. HelpNetSecurity reports that many users call these efforts a “poorly disguised sales pitch,” and, according to The Indian Express, as of February 25, 2014, 16 percent of large enterprises were still stuck on the old OS. What will it take to convince them to upgrade to newer, more secure operating systems?

Making the Migration from Windows XP

Tim Green of Network World put it bluntly, yet eloquently, “If you haven’t retired Windows XP and you haven’t been fired, get busy.” CIOs know that migration is far from a simple or quick process, and Green correctly observes that the larger the enterprise, the longer the migration to a newer OS will be. As Gregg Keiser of Computerworld explains, “If every PC sold in the next 12 months was one designed to replace an existing Windows XP system, it would take more than a year and a half – about 20 months – to eradicate XP.” Essentially, it boils down to this: getting end users and enterprises to make the OS switch will take some time, but it is a necessary evil.

The good news is there are some steps that can be taken to minimize the mobile security threats inherent to XP while that migration is taking place. For example, as Green observes, Network Access Control (NAC) will play an important role in “isolating XP machines on corporate networks and limiting what devices they can communicate with.” Securing these endpoints with a centrally managed remote access security solution is essential to safeguard against data breaches, especially for organizations with a BYOD policy in place. That’s because IT administrators can easily adjust network access settings for XP device users and revoke access in case of a breach. IT can also ensure that a device using the discontinued OS has the required antivirus and anti-malware programs or otherwise, place it within a quarantine zone until the OS or security software is updated. With the proper precautions, IT may even be able to remotely wipe the compromised devices.

Mobile Security in the post-XP World

In the end, though, it’s worth noting that best practices for secure remote access should not come to a screeching halt once the migration to a newer OS has been completed. Today’s increasingly skilled hackers will continue to exploit every potential security flaw they can identify, including devices using newer OSs, such as Windows 8, for example, to insecurely connect to a corporate network. Using a VPN is a tried and true way to ensure communications between corporate networks and end devices are protected via an encrypted tunnel, making it substantially more difficult for cyber criminals to intercept or manipulate the data being shared. The retirement of Windows XP marks the end of an era, but it also presents enterprises with a chance to fortify their mobile security strategies. Will your organization seize this opportunity?

Ransomware Looks to Blackmail Enterprises

Posted: 19th March 2014 by VPN Haus in Encryption, Industry Commentary, VPN
Tags: , , , ,
0

When most people think of threats to their computer systems and networks, the usual suspects come to mind — malware and keystroke loggers that are meant to steal passwords to remotely access corporate networks and online accounts. Then, of course, there are the viruses designed simply for the sake of destruction, rendering one’s computer little more than an expensive, oversized paperweight.

But perhaps the most dangerous threat of all is one that, while it has been around for a long time, is only now coming into prominence. It’s called “ransomware,” and if it sounds scary, that’s because it is. CryptoLocker is a well-known example circulating today. Ransomware is an accurate moniker, as this breed of malware encrypts the contents of your computer and then its creator offers to provide the decryption key — for a nominal fee, of course.

Thinking of booting up in safe mode and deleting the ransomware from your computer? That’s all well and good, except your files are still encrypted and you still don’t have the key to unlock them.

Ransomware Threatens Enterprises on Multiple Levels

Encrypting your most important files isn’t the only method that cyber criminals employ, however. They can also place files on your computer that put you in an awkward position. Common practice includes downloading indecent materials on a computer that one uses for work. Employees fearful of losing their jobs for having illicit content found on their devices are that much more likely to pay the “ransom.”

And if it works against one employee, cyber criminals have good reason to suspect that others in the same organization will acquiesce, meaning the organization’s entire workforce has now become a target. Not to mention the fact that if machines used to access the corporate network are being infiltrated by the likes of CryptoLocker, the next logical step is for the cyber scoundrels to target the company directly, holding critical files on the network for ransom, and likely at a much higher ransom than the individual employees were “invited” to pay. Even more worrisome is that beyond individual files, the network itself could be held for ransom, if a hacker gained the necessary read and write privileges by infiltrating a network administrator’s device. Cybercrime goes where the money is, and eventually, all roads lead to the enterprise.

The Link Between Ransomware and BYOD

So why is ransomware gaining so much momentum among cyber criminals? Well, its rise to prominence has paralleled the explosion in popularity of the bring-your-own-device (BYOD) movement. The number of personally owned mobile devices connecting to corporate networks and being granted access to critical files is at an all-time high. It’s what you would call a “target-rich environment,” where hackers and their ilk have no shortage of potential victims to choose from.

What makes for an even scarier scenario — as if there wasn’t enough already — is that an individual looking to deploy CryptoLocker or similar machinations doesn’t even have to be an expert in encryption algorithms. As a recent CSO article points out, ransomware toolkits can be developed and sold to those willing to pay the price tag. This means that anyone with a few bucks and ill intent, regardless of their hacking know-how, could start targeting people and companies.

Defense in Depth vs. Ransomware

As the threat landscape continues to evolve, enterprises need to adjust their approach to security in kind. Remote access and BYOD have become too ingrained in the working world to disappear now. The top-level talent that every company wants to attract will only sign on the dotted line if they are afforded what were once considered luxuries, but are now simply expected.

The answer is for enterprises to implement a comprehensive, defense in depth information security framework that allows for BYOD and remote access without compromising the corporate network. Because IT staff can’t monitor everything employees do on their devices, enterprises should invest in interoperable solutions that can work together to prevent threats like CryptoLocker. The first line of defense would be to require best-of-breed anti-virus and anti-malware solutions on employee devices to protect them against a range of malicious software. Next, those solutions could work in tandem with other network and security solutions such as firewalls blocking access to known CryptoLocker servers, Intrusion Prevention Systems which can block the malware from interacting with the remote command-and-control server and a robust VPN solution that offers central management capabilities to monitor endpoint devices and ensure anti-virus tools are up-to-date. With a centrally managed VPN, users with old versions are sent into a digital quarantine zone until their software has been updated, ensuring that every device accessing the corporate network is properly secured. Central management also means that IT administrators can roll out security and remote access policy updates across the whole company than working their way manually through one device at a time.

With a defense-in-depth strategy that includes network and security components working together to prevent and mitigate threats, enterprises will be well on their way to defending against the rapidly expanding threat vector known as ransomware.

RSA 2014: Three Key Remote Access Takeaways

Posted: 11th March 2014 by VPN Haus in Industry Commentary, Shows, VPN
Tags: , , ,
0

This year, with cryptography and information security becoming higher profile than ever before, more than 25,000 attendees made the trip to San Francisco for RSA Conference, which was filled to the brim with interesting discussions of new trends, research and technology. Despite several prominent experts boycotting the event in light of the $10 million the NSA secretly paid RSA, the show still sold out seven months in advance and comedian Stephen Colbert braved the backlash to deliver an electric closing keynote address. Here are three main takeaways from the conference relating to remote access security:

The Internet of Things is growing, and we need to secure it.

The Internet of Things (IoT) was the conference’s number one buzzword, and attendees were concerned with securing the billions of connected devices that are currently proliferating. Quite distressingly, the general feeling at the conference was that the industry is not yet ready to secure devices such as household appliances, medical devices or connected cars. VPNs, however, can provide a solution to secure IoT communications, by ensuring that all of the information traveling between connected devices and users stays within an encrypted tunnel, and the industry as a whole should look towards adopting them more widely within devices.

Point solutions are no longer enough.

Attendees eagerly discussed everything from forensics to advanced persistent threats (APTs), but the common thread was the importance of integrated solutions. From a remote access security perspective, it was refreshing to hear professionals who work on other security components sharing that view. In fact, Network World identified integration as the number one element that security vendors are now focusing on. Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG) explained how, in the past, vendors have tended to push a collection of point products on a one-off basis. However, CISOs no longer have the resources to manage myriad products that don’t communicate with each other. Oltsik puts is quite plainly, “Smart vendors are responding with more integrated product suites and central management.”

Ease of use is paramount.

As IT administrators are increasingly having to do more with less, ease of use was another hot topic for security professionals at the conference. Gone are the days of lengthy product deployments and overly complicated customization. Now, with so many security products and services to choose from, enterprises and consumers alike are going to select to ones that are the easiest to deploy and manage, with the best user interface. With today’s advanced remote access security solutions, for example, employees can use a centrally managed VPN to connect to their corporate network in just a few clicks.

Of course, an end user friendly interface isn’t the only component for an easy to use solution – automation is another important element. For example, once upon a time, traveling employees had to log back into their VPN each time their Internet network connection changed (i.e. they moved from a coffee shop’s WiFi to a 3G connection). This was obviously disruptive to their work, and frankly, it was pretty annoying, too. But thanks to technologies such as Seamless Roaming and Friendly Net Detection, VPNs can now automatically change connection medums and recognize whether they are connecting via a known and trusted or an unknown, insecure network and automatically activate the necessary firewall rules and security mechanisms.

Overall, it was exciting to hear so much attention being given to solving the real world challenges that enterprises are currently facing. Oltsik said it best, “By all indications, security vendors are finally considering something that was minimized in the past – actual enterprise security requirements. [It is] an obvious, long overdue, and positive step for the industry. “

Older Entries