Two-Factor Authentication Transforms Even ‘123456’ Into a Secure Password 

Posted: 28th January 2015 by VPN Haus in 2 Factor Authentication, Rethink Remote Access
Tags: ,
0

Two Factor Authentication Secure PasswordSince 2011, the same two passwords have ranked as the most common (and worst) among users. Care to take a guess as to what they are?

You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now.

As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords.

Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat or exert any effort. They can simply type in “1-2-3-4-5-6″ or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips.

At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices when it comes to setting up their credentials. Or they could provide them with tools that both randomly generate secure passwords and then store them securely for easy recall.

The problem with each of these solutions is that they’re really just temporary bandages – they still don’t account completely for the human factor. An employee could still circumvent these processes, either deliberately, for convenience, or accidentally. Then the network administrator is back to square one – the network security vulnerability still exists.

A stronger solution for IT departments is two-factor authentication. By adding another step to the user verification process, beyond requiring just a password, the security of the account suddenly becomes much stronger. This is why nine in 10 global IT managers said they would plan to use one-time passwords (OTP) in 2014 as part of a two-factor authentication strategy to help improve their network security.

So why isn’t every IT department rolling out this seemingly ironclad method of verification across the board? The answer is simple. As is often the case with any issue involving network security, the conflict lies in the balance between convenience, resources and security. Simply, it’s not practical or expedient for every server or file folder to be accessible only through two-factor authentication.

At the same time, selectively protecting only certain files through two-factor authentication could leave an entire network vulnerable. As PC World’s Tony Bradley points out, “It’s like locking every door and window in your house except for one, and hoping a burglar isn’t thorough enough to find the one unlocked entrance.”

Bradley is right. And to elaborate on his point, one of the most glaring “unlocked entrances” a network can have is in its remote access infrastructure. Fortunately, some VPNs come equipped with secure enterprise management capabilities that include support for two-factor authentication and a randomly generated, one-time password sent to a user via SMS.

When faced with this additional hurdle, any hacker hoping to exploit a remote access vulnerability would be even less likely to successfully break into an account, even if a user made the mistake of setting a password to a laughably common one like “123456” or “password.”

Read More:

Why Two-Factor Authentication Matters
BYOD and Its Risks to Network Security

Want to learn more about securing M2M communications? Register for our webinar “Managing Secure Communications in M2M Environments,” 2 p.m. EST, Tuesday, February 24, or download our new whitepaper:

Secure M2M Communication

In Managing Secure Communications in M2M Environments, we cover:

– How to choose a connection method that’s right for your application.
– How to configure end devices so they can perform authentication steps.
– How to manage VPN configurations and updates without human interaction.

Download Now

Battlefield Mobile: Threats Targeting In-Motion Endpoints Climbed in 2014

Posted: 22nd January 2015 by VPN Haus in Endpoint Management
Tags: , ,
0

Mobile M2M CyberthreatsBy now, cybersecurity veterans are well-versed in the most common attack vectors exploited by hackers to breach their corporate networks. Brute force attacks, phishing schemes, SQL injections – they’re all proven attack methods that network administrators prepare for and defend against.

But what about the next frontier? What attack vectors and endpoints do hackers now think are most vulnerable?

It starts with mobile devices. They look like the perfect target to many attackers, who think that they can exploit the fact that so many connections over these endpoints go unsecured and that these devices are so popular with employees – 74 percent of organizations use or plan to use BYOD. In addition to mobile, another frontier could be devices that rely on machine-to-machine (M2M) communications, which create a scenario where human beings are entirely removed from the equation.

As this small, isolated group of attack targets grows, network administrators need to be ready to fight back wherever hackers go, whether that’s on the mobile, M2M or some other battlefield.

The Next Trends in Cybercrime

The landscape of cyberthreats network administrators must be aware of is ever-evolving with the advent of new technologies and new criminal strategies. While there’s consensus in the security industry that mobile attacks will only increase in the coming years, the current prevalence of these incidents is really in the eye of the beholder. Only about 15 million mobile devices were infected by malware midway through 2014 – an infection rate of less than 1 percent. On the other hand, in the last year, mobile malware attacks did increase by 75 percent, off the back of sophisticated threats like ransomware, spyware and Trojan viruses.

Going forward, all of these figures should increase. As AT&T’s Andy Daudelin told Fierce Mobile IT, the rise of Bring-Your-Own-Device (BYOD) will lead to more mobile-based threats and remote access vulnerabilities. He warns: “Users aren’t thinking of these [devices] as computers, but they are. There needs to be more robustness across the industry.”

This “robustness” brings to mind the proven defense-in-depth approach to network security. As successful cyberattacks have shown over the last year, even if a company installs every possible anti-virus software product and other threat prevention tools, there’s still a chance that an attacker could break through. That’s why a defense-in-depth security framework, built on principles of redundancy, is so valuable – if one security mechanism fails the others are there to pick up the slack.

Defense-in-depth will be even more important as mobile devices beyond phones and tablets start to enter the workplace. Imagine the challenge of securing correspondence in environments where employees aren’t even part of the equation. Particularly when a human being isn’t situated at either endpoint, as is the case in M2M environments, all the normal best practices around network security are cast out the window. As an example, how is “implement employee training” strong advice for a network administrator when the communication is happening between two or more machines?

Again, we go back to defense-in-depth. To build this structure, network administrators begin by using a VPN to secure sensitive information that crosses the network, whether it’s through a phone, tablet, healthcare device, connected car or agricultural equipment, and then they build in fail safes around it. Network administrators that follow these steps will assure themselves of not only winning the battle against cyberattackers, but also the war.

For more information about securing M2M communications, register for our webinar “Managing Secure Communications in M2M Environments,” 2 p.m. EST, Tuesday, February 24.

Read More:

Are Connected Cars on a Collision Course with Network Security?
BYOD and Its Risks to Network Security

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now

The Risk Within: Could an Ex-Employee Be Responsible for the Sony Hack?

Posted: 15th January 2015 by VPN Haus in Endpoint Management, IT policy
Tags: , , ,
0

Insider Threat CyberattackOne month ago, we asked, “What network security lessons can we learn from the Sony attack?” Since then, new information has been slow to trickle out, save for the FBI’s mid-December statement that assigned responsibility to the North Korean government.

Despite the seeming finality of that announcement, many in the cybersecurity community are still not convinced of North Korea’s sole culpability. In fact, some have even gone as far as to construct counter-narratives to identify the responsible parties.

One of the more vocal opponents of the FBI’s North Korea theory has been Norse, a cyber-intelligence provider. Kurt Stammberger, the company’s senior vice president, recently laid out his case to the Huffington Post as to why he thinks that internal factors – specifically, an ex-employee of Sony – may have been central to the breach.

As Stammberger detailed, the malware deployed in the hack contained Sony credentials, server addresses and digital certificates. He said, “It’s virtually impossible to get that information unless you are an insider, were an insider, or have been working with an insider.”

While this evidence is compelling by itself, even if an insider is ultimately found not to have been involved in the attack, Norse’s assertion has already provided those in IT and cybersecurity with plenty to think about when it comes to the damage ex-employees can do on their way out the door.

The Risks Inherent to Network Privilege

On their first day at work, IT departments provide employees with all the tools they’ll need to do their jobs – the devices themselves, the necessary access credentials, remote access capabilities and more. The problem is, once ex-employees leave the company, they could use this knowledge – the same information they once used to help the company – to harm it.

It could be as innocent as an ex-employee logging into the network remotely to access a personal email from their old company email account, or as malicious as a terminated employee deliberately leaking privileged information as a means of enacting revenge.

In some instances, certain ex-employees, known as “privileged users,” could cause even more damage, because of how much more they know than the average employee. They’re the network engineers, database administrators and application developers who are responsible for network operations. They’re the users who control network resources and who may have less oversight or control over their actions. If an attacker is able to obtain these employees’ credentials, or if these privileged users become malicious actors themselves, the integrity of the network could be jeopardized.

That’s why employers need to ensure that the break with ex-employees is both clean and final. Employees cannot be permitted to have any of the same access to the corporate network that they did when they were employed. Even if just one of their credentials is still operational – be it for servers, networks or end devices – then sure enough, that will be the vulnerability that will be exploited.

Whether this type of oversight was a key element of the Sony breach is still yet to be determined – at least, if you don’t believe the FBI’s version of the hack. But if an ex-employee was involved, and was able to publicly humiliate one of the nation’s largest entertainment giants with just insider knowledge and some keystrokes – then network administrators will have officially been put on notice about the risk of their own workers and the grave potential of internal threats.

Read More:

What Network Security Lessons Can We Learn from the Sony Attack?
Are Privileged Users the ‘Weak Link’ in Your Network Security?

Want to learn more threats to your company’s network?

7 Security Threats Your May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

– How to handle environments fraught with rogue employees, personal devices, and EOL products.
– A sound approach to security policies and their enforcement, including the important of executive involvement.
– A new way to think about VPN solutions to simultaneously maximize security, flexibility, and ease of management.

Download Now

Ex-Employees: All the Best, But Can We Have Our Personal Emails Back, Please?

Posted: 6th January 2015 by VPN Haus in Endpoint Management, Rethink Remote Access
Tags: , ,
0

Laptop Network SecurityIt doesn’t matter if employees leave a company on unpleasant terms or quite amicably – it is absolutely essential that enterprises have solid, well-defined termination processes in place, and that they’re followed to the letter.

In their final days at a company, employees can demand various personal documents, depending on local regulations. A final paycheck and unclaimed vacation days also need to be sorted out. A smooth termination process is a good business practice and documenting it in a written agreement, signed by both parties, helps to avoid misunderstandings. Putting this type of process in place is inexpensive, and in the long run costs nothing at all.

A well-defined process also contributes tremendously to the overall integrity of the corporate network security structure, in that companies that follow these processes, drastically reduce the danger of sensitive information being leaked whenever an employee leaves the company.

As part of the termination process, employees should confirm they have read and deleted all private emails on the companies’ servers, are no longer storing private data in the LAN, have transferred all personal data, e.g. phone numbers, videos, photos and text messages, from company-owned mobile devices, and that all other private information has either been deleted completely or transferred to a private data storage device.

It’s also important that both sides acknowledge the hand over of all private data and that no more data is residing on the companies’ servers. In Germany, where employers are granted full ownership of email, failure to do so could create legal repercussions for companies. As a decision by the Higher Regional Court Dresden (4 W 961/12) explains, companies that delete the email accounts of their employees without this confirmation are susceptible to indemnity claims by the employee. In instances where the mutual trust relationship between both parties has been hampered or even destroyed, a third party might oversee the screening of the private emails on the server. The whole procedure, however, is not necessary, if private Internet usage is forbidden and written into the employment contract.

Employees have obligations as well. They must return all access codes and user credentials for servers, networks and end devices. That includes credentials for VPN access, which is frequently secured with the help of two-factor authentication. Terminating VPN access is especially crucial because ex-employees aren’t easily spotted by the IT staff should they decide to abuse remote access capabilities. These user accounts should be blocked in the VPN management console with immediate effect, after notice is given, and then deleted completely after the employee has worked his or her last official day.

A practical solution to this and other credential-based systems are card-based ID documents that work as authentication devices for all sorts of company resources, ranging from the cafeteria to the data center lock. They are available in contacting and non-contacting versions. If the card is withdrawn or blocked within the management system, all access ceases.

Once access to all electronic information is addressed, what’s left is the immaterial knowledge of the employee about proprietary business information, customer projects and other intellectual property. For this kind of information, a non-disclosure agreement should be a fixed part of the resignation process. Ideally, this type of agreement is prepared by an experienced lawyer and tailored to the specific requirements of the enterprise. The non-disclosure agreement not only covers client data and related information, but also all company-related information that needs to be kept secret. However, even an NDA has its limits.

Some laws prohibit companies from using an NDA as a sort of gag order or oppressive contract for an indefinite period of time. The topics covered as well as the duration and possible repercussions have to be defined explicitly if a company is to claim breach of contract.

Read More:

The Trouble with the Endpoint
The Three Human Failures Behind Remote Access Shortcomings

Want to learn more threats to your company’s network?

7 Security Threats Your May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

– How to handle environments fraught with rogue employees, personal devices, and EOL products.
– A sound approach to security policies and their enforcement, including the important of executive involvement.
– A new way to think about VPN solutions to simultaneously maximize security, flexibility, and ease of management.

Download Now

3 New Year’s Resolutions for Network Administrators

Posted: 30th December 2014 by VPN Haus in Endpoint Management, Mobile
Tags: ,
0

New Year's Resolution Network SecurityAlthough it’s been a historically troubling year for the cybersecurity community, the advantage of a new year is that network administrators can make a fresh start.

The end-of-year Sony hack has brought even more mainstream attention to network security – not to say that a full year of prominent attacks didn’t – and this increased awareness should lead to healthier IT security budgets and more resources to prevent the next attack.

When network administrators get back to work in 2015, here are three New Year’s resolutions they should focus on:

1. Take Back Control with Remote Access Central Management

As IT administrators know all too well, employees often perceive a see-saw effect between their productivity and the degree of restrictions placed on the technology they use day-to-day. The fewer restrictions, the easier their jobs become, and vice versa. So, how can IT departments find middle ground? The answer is to selectively limit the ability of employees to access and share certain information.

Unfortunately, as a report by the Ponemon Institute found, 80 percent of IT administrators say their companies do not enforce a “need-to-know” data policy. This is despite the fact that, as the report said, “An organization that reduces the amount of data employees have access to … and streamlines their processes for granting access will likely benefit from more productive employees.” The New Year’s lesson here for network administrators is to take back some power from employees.

Just as some of the most common New Year’s resolutions focus on regaining control of some aspect of your life, whether that’s financial (reducing debt), social (planning a vacation), or physical (exercising more often), network administrators need to be sure they have 100 percent control over their network, at all times, even as the number of remote users and network-enabled endpoints increases.

Remote access central management capabilities allow IT departments to take action when the network has been breached, and subsequently, allows them to de-provision users in order to quarantine the threat. By controlling VPNs from a single point of administration, a network administrator will retain full visibility across the network, even as the organization grows.

2. Face BYOD Head On

Last month, during a discussion hosted by an IT advisory service about the Bring-Your-Own-Device (BYOD) trend, one panelist shared a story that should make data security advocates very uncomfortable. He explained that his wife, a nurse, uses text messaging to communicate with her coworkers while on the job, “because that’s the most efficient way to do their job.”

Now, on one hand, these nurses could be inadvertently running afoul of HIPAA regulations and thrusting the hospital into the murky waters of patient privacy violations. On the other, would they be able to do their jobs as effectively without the ability to communicate via text, in real-time?

Since the days of car phones and beepers, savvy network administrators have known that employees would one day bring their personal mobile devices into the workplace, and then insist on using them as part of their jobs. That’s where we find ourselves today, and that’s why organizations face the decision to roll out Bring-Your-Own-Device (BYOD) policies.

Of course, by doing so, some administrators feel they could be exposing themselves to additional vulnerabilities, since more endpoints will be brought into the network. However, by now, we’re really past the point of no return with personal devices in the workforce – it’s best to just assume employees are going to bring them into the office.

Sometimes, New Year’s resolutions are about confronting the challenges that are right in front of you. People who smoke or eat unhealthy foods often know that what they’re doing is bad for them, yet they continue anyway. In the world of network security, BYOD isn’t any different. Personal mobile devices are already here, and it’s time for IT departments to adopt BYOD policies and educate employees about best practices.

3. Make Time for Defense-in-Depth

Part of the reason many New Year’s resolutions fail is that they’re huge, life-altering adjustments. That’s why the changing of the calendar is such a necessary motivator for many people – they need to feel as though they’re starting with a clean slate before they can address whatever monumental task is at hand.

One of the more daunting tasks some network administrators will face in 2015 is overhauling their entire network security infrastructure. This is no small task. It’s about taking all the disparate security elements network administrators may already have in place, syncing them with one another, and then combining them with missing pieces, to create one, comprehensive infrastructure. This is the beginning of what is called a “defense-in-depth” approach.

With this strategy in place, when things don’t go as planned – such as when an employee falls victim to a phishing scheme – there will be other technologies in place to limit whatever threats may now lie on the horizon. An overlapping system of firewalls, VPNs and other network security tools work in tandem to shield the network from harm.

New Year, New Approach

Even by following these resolutions, network administrators can’t guarantee impenetrably of their networks. But, at least with more awareness and a new approach, network administrators can move on from 2014 – the year of “Nobody’s Safe” – to 2015 – the year of “Everyone’s Protected.”

Read More:

The Holidays Bring Both Cheer and Fear to Network Administrators
Cyber Threats in 2015: New Attack Vectors, More Severe Incidents

Want to learn more about secure remote access?

7 RequirementsIn 7 Requirements for Pain-Free VPN Client Support, we cover:

– How to deploy a VPN solutions that reduces the pain associated with supporting clients.
– How to mitigate the costs and headaches that result from more users and devices.
– Best practices to make sure your VPN is never too complex to operate securely and efficiently.

Download Now

Older Entries