The Target Breach: How Network Security Best Practices Could Have Prevented It

Posted: 27th February 2014 by VPN Haus in 2 Factor Authentication, Endpoint Management, Industry Commentary
Tags: , , , , , ,
0

Who would have thought that an HVAC system could lead to the data of millions of people being compromised? Target surely didn’t. Recently, it has come to light that the Target breach hackers likely gained access to the areas of its network where customer information was stored by remotely infiltrating the company’s HVAC system contractor.

Let’s break down how this particular Advanced Persistent Threat (APT) was able to access Target’s customer information:

  • It all started with an email attack, according to information security expert Brian Krebs. The malware-laced email was likely sent out to a broad range of targets gleaned from Target’s public-facing vendor documentation. It was then downloaded by a contractor at Fazio Mechanical, a heating, air conditioning and refrigeration firm, hired by Target to maintain its HVAC system. The likely malware downloaded was Citadel, a password-stealing bot that is derived from the ZeuS banking trojan.
  • The malware was undetected by Fazio Mechanical’s malware prevention software, the free version of Malwarebytes Anti-Malware. Because the company was not using an enterprise-grade or real-time solution, the malware was able to compromise the employee’s password, thus gaining access to Fazio Mechanical’s entire network. If Target had the right access control and central management mechanisms in place, this is where the malware would have been stopped.
  • From there, the hackers connected to Target’s network and accessed the parts of its network that Fazio Mechanical had access to, its external billing system, called Ariba, and several project management-related portals. According to an unnamed source who was formerly employed by Target on its security team, “the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application.”
  • The network lacked advanced authentication mechanisms, such as two-factor authentication, because, according to another source who managed Target vendors, “Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.” Essentially, because of Target’s lack of preparedness, an experienced hacker had nearly unfettered access to its network after escalating Active Directory privileges. From there, it was a piece of cake to get into Target’s Point of Sale (POS) system data and extract credit card information.

The breach, which exposed the personal information of 70 million customers and 40 million credit card numbers, could have been prevented if Fazio Mechanical and Target had taken the proper network security precautions. As mentioned previously, Fazio Mechanical was likely not the first vendor associated with Target that was probed by hackers looking for a way to steal lucrative, sensitive data. APTs like this one try to exploit every potential attack vector, and it is up to enterprises to thoroughly prepare themselves by implementing best-of-breed systems.

Enterprises can secure remote access to their corporate networks and minimize the risk of breaches like this one by implementing VPNs that not only have advanced authentication mechanisms, but ones that can be centrally managed, which provide network administrators with a dashboard overview of the end devices and users that may pose a risk due to authentication issues, outdated VPN clients and more. Further, enterprises should implement remote access solutions that can interoperate and communicate with other network and security components via protocols such as IF-MAP, to nimbly adjust to attacks as they occur. For example, if an enterprise has implemented network and security solutions that include IF-MAP, components will be able to exchange security-related metadata and rapidly communicate a potential threat across the entire system if necessary, which would then trigger a response and prevent a threat from spreading. The time to be proactive is now.

Why Enterprises Are Struggling So Much with Encryption

Posted: 18th February 2014 by VPN Haus in Encryption, Industry Commentary, IT policy, VPN
Tags: , , , , , ,
0

Encryption. For most organizations, the need for it is very apparent, but for some reason, its implementation often falls well short of goals and expectations. The obvious question here is: why? A recent Ponemon Institute study took a closer look at what exactly is giving enterprises such a headache when it comes to efficiently using encryption. The results were interesting, to say the least.

According to InformationAge, the research, which included more than 4,800 business and IT managers worldwide, unsurprisingly revealed encryption use is on the rise, as companies try to stay ahead of growing privacy and compliance regulations, consumer concerns and increasingly sophisticated cyber attacks. In fact, 35 percent of organizations now have enterprise-wide encryption, compared to 29 percent last year. What was surprising, however, was the apparent objective shift, “For the first time, the primary driver for deploying encryption in most organizations was to lesson the impact of data breaches, whereas in previous years the primary concern was protecting the organization’s brand or reputation.”

An alarming fact found in the study is only 20 percent of organizations polled think they are obligated to disclose data breaches, and of those, nearly 50 percent believe that because the data is encrypted, that circumvents the need to publically acknowledge an infiltration occurred. While the ethics of those policies are certainly subject to debate, a bigger problem perhaps is that all organizations surveyed are challenged with simply finding their sensitive data, as more than 60 percent agree that discovering exactly where it resides is the greatest challenge to deploying an encryption policy. More than half also agreed managing keys and certificates is a major issue, but over 70 percent concede they don’t allocate enough dedicated staff or tools to adequately maintain this task.

Could outsourcing these tasks be the quick fix? Potentially, but so, too could a centrally managed solution. For example, a centrally managed remote access solution could include public key infrastructure (PKI) enrollment functionality to connect a PKI to a remote access VPN and automate the process of managing keys and certificates. With the addition of that functionality, a central management system can act as a registration authority and manage the creation and administration of electronic certificates in conjunction with certificate authorities. Central management also enables organizations to improve network access control. An initial screening process when employees first join a company allows IT administrators to ensure that an employee is not only trustworthy, but given access to only the necessary parts of the network based on their role. By ensuring proper authentication and access control, including verifying each user’s role and attributes, enterprises can safeguard their network from cyber criminals attempting to establish encrypted communication and prevent employees from exposing data.

However, today’s savvy cyber criminals are constantly looking for the path of least resistance into corporate networks and, unfortunately, they often find that weakness in basic human error. A resounding 27% of those surveyed indicated the number one threat to the exposure of sensitive data is employee mistakes. Furthermore, “When employee mistakes are combined with accidental system or process malfunctions, concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than two-to-one.” As we’ve stressed multiple times in the past, and as this research clearly underscores, the importance of employee education cannot be emphasized enough. Of course, easy to use, one click solutions reduce the likelihood of employee error relating to VPN configurations, but parameter locks can take it a step further. Employees who are constantly on the go are usually not IT specialists, and when their VPN connection is disrupted for whatever reason, attempting to reconfigure it on their own and doing so incorrectly is a major security problem. However, parameter locks allow VPN, firewall and internet connection configurations to be centrally managed by network administrators, who can lock them and distribute them accordingly to the appropriate users.

In conclusion, despite ensuing struggles for organizations attempting to utilize encryption, there are some very attainable solutions. For example, new and more advanced types of encryption, such as elliptic curve cryptography can be used harmoniously to make sensitive data safer, and more difficult to hack, than ever before. Properly implemented encryption is an essential part of any secure remote access strategy, and centrally managed solutions help previously strained organizations make encrypted access to corporate networks a reality.

A Closer Look at the Android VPN Flaw

Posted: 13th February 2014 by VPN Haus in Encryption, Industry Commentary, Mobile, VPN
Tags: , , , ,
0

It’s been a rough couple of years for Android devices. Sure, there may have been more than 900 million of them activated in 2013 alone, but those impressive sales numbers do nothing to inhibit cyber criminals from exploiting these open source devices. We’ve discussed Android vulnerabilities at some length, and have demonstrated how a centrally managed VPN as part of a defense in depth secure remote access framework can mitigate many of these threats. However, the recent revelation from Ben Gurion University of malicious apps that can be used to bypass VPN configurations and push communications to a different network address changes the conversation entirely.

As Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SC Magazine, that’s because this new vulnerability “attacks one of the [security] pillars we thought we could count on in the mobile world,” – VPNs. Ingalsbe is right – VPNs have been a cornerstone to secure remote access to corporate networks for a long time now, and the possibility that the peace of mind they ensure has been compromised is alarming. However, if we take a closer look at the vulnerability uncovered by Ben Gurion University, it becomes apparent that cyber criminals are attempting to use an old trick in a new disguise.

Man-in-the-middle (MitM) attacks, a form of which the researchers used to bypass VPN security, are actually pretty simple. They are designed to intercept communications between two endpoints (e.g. an Android device and a corporate network) before those communications have entered the safety of a VPN’s encrypted tunnel. Instead, the unencrypted data is redirected to an alternate location, such as a cyber criminal’s computer, where it is quickly stored on the device’s local hard drive before being passed along into the VPN and onto a corporate network. Thankfully, VPNs are only one component of a defense in depth secure remote access strategy.

Employee education is perhaps the most important step an enterprise can take to prevent this kind of attack. In order for the new Android VPN vulnerability to be an issue in the first place, a malicious app must first be downloaded. IT security professionals must be vigilant about educating their employees on the dangers of unsecure remote access, including the importance of verifying the legitimacy of any apps downloaded onto their devices. Bearing this in mind, it’s worth noting that VPNs themselves are safe, as long as IT and employees are working together to ensure all the necessary security precautions and protocols are being adhered.

As of right now, there have been no reported cases of the so-called Android VPN vulnerability being exploited by anyone other than the researchers at Ben Gurion University. However, emerging threats such as this always reinforce the necessity of having comprehensive remote access security. With 2014 still in its infancy, the time has never been better for enterprises to reevaluate their IT security infrastructure and work to patch any gaps that may exist.

Stopping Remote Access Breaches with “Honey”

Posted: 6th February 2014 by VPN Haus in Encryption, IT policy, VPN
Tags: , , , ,
0

Encryption has long been one of the most effective tools to prevent the exposure of sensitive data. As such, hackers are constantly working on new ways to crack encryption algorithms and exploit lapses in security. Information security professionals must be ever vigilant and constantly create innovative new methods to thwart attacks. Recently, one interesting new encryption security method has come to light that takes inspiration from another, quite different tactic, honeypots, to trap and confuse hackers.

The new approach, called “Honey Encryption”, could potentially offer more effective digital security by making fake data appear to be legitimate and valuable information to hackers. The project, developed by former RSA chief scientist Ari Juels and the University of Wisconsin’s Thomas Ristenpart, is currently a prototype and takes advantage of the brute-force cracking methods used by attackers. With each incorrect guess a cracking program makes, the software adds a piece of made-up data to the dataset. For example, if a hacker is trying to break into an enterprise’s credit card database, the program will create numbers that look like real credit card numbers, instead of the gibberish that attackers would currently see. With thousands of attempts in a typical attack, hackers will be bombarded with fake information, making it enormously difficult to determine whether information is real or not.

Currently, the prototype only protects encrypted data stored in password vaults, but the technology could have tremendous future implications for other forms of encrypted information. One day, a similar program could perhaps generate bogus but plausible network communications when a hacker is trying to break into a VPN’s encrypted tunnel. Or, a hacker could be faced with similar useless information as he tries to compromise a public Wi-Fi hotspot. It could even help to prevent several APT attack vectors used in high-profile attacks, such as the Adobe, Target and Neiman Marcus breaches that have led to the data of tens of millions of people being compromised.

Before it hits the mainstream, though, there are several challenges the technology will have to overcome, including distinguishing real attacks from user errors and making it work with other types of data. However, the underlying idea, using trickery to thwart hackers, is sound. As Juels said, “it’s a really underappreciated defense strategy.”

The technology may never completely stop attacks, but it will certainly make life more difficult for attackers. Combined with cutting-edge encryption methods, such as elliptic curve cryptography (ECC) and quantum cryptography, the future looks bright for keeping sensitive information protected.

The Workplace of the Future and What It Means for Network Security

Posted: 27th January 2014 by VPN Haus in Industry Commentary, IT policy, Mobile, VPN
Tags: , , , , , , , , ,
0

The convergent trends of BYOD, the consumerization of IT and mobility are causing rapid shifts in employees’ expectations for their work environment. Employees are driving the change by working remotely and on their own devices resulting in the workplace itself becoming increasingly flexible. These trends, combined with the blurring of boundaries between consumer and enterprise technologies due to them, necessitate IT departments everywhere having to rethink their network security infrastructure.

It’s an undeniable fact that for many employees, the notion of having a physical office is becoming increasingly irrelevant. In fact, since 2005, there has been a more than 60 percent increase in the number of employees working outside of a traditional office environment, according to Inc. Magazine. Those remote and mobile workers are demanding tools that let them access corporate networks and resources remotely from anywhere at anytime.

However, many businesses aren’t providing the technologies that employees need fast enough. This is evidenced by the fact that a recent Unisys study showed that 71 percent of the workers who are driving the uptake of technology in the workplace are using unsupported apps that are outside the control of IT. This is one example of how employees are using their devices unsafely, and IT staff must find ways to limit the risk to their networks.

Both smarter approaches and better remote access technologies are required to keep networks safe while providing employees the remote access they need. As we’ve discussed before, an ounce of prevention is worth a pound of cure, and employee education can greatly aide in the prevention of a wide range of potential threats. Beyond making employees aware of corporate policies, enterprises should look to implement secure remote access technologies, such as VPNs, that are designed to work with every device users may have and ensure stable, encrypted connections with corporate networks no matter where employees are located. Central management and interoperability with other security components are two important features to look for in a remote access solution for the workplace of the future, because they give network administrators the ability to respond faster to potential threats.

As the Information Age article linked to in the beginning of this post mentioned, the original purpose of an office was to “create an environment where employees could access the resources required to do their job. Now [that] the resources (technology and data) have become mobile, the workplace must follow suit.” And so must IT departments, by equipping the modern workforce with remote access technologies that are built for them.

Older Entries