What We’re Reading, Week of 7/26

- The Register, The Terror Beyond the Firewall
- ZDNet.com, Hacker Breaks Into ATMs, Dispenses Cash Remotely
- SC Magazine, Cybercrime Costs Businesses $3.8 Million Per Year
- CSO, A Striking Disconnect Between CSOs and Hackers
- SC Magazine, Black Hat 2010: Why User Quality and Design Matter for VPNs

Design and Quality Matter for Effective VPNs

At this week’s Black Hat 2010 in Las Vegas, NCP engineering is releasing a new white paper that sheds light on common VPN vulnerabilities that put organizations at risk. It’s prudent to occasionally survey the threat landscape with a fresh lens because, while VPNs aren’t new, the threats they combat are constantly changing and require regular monitoring and security updates to stop.

The white paper, Remote Access—Attack Vectors: Threats, Findings & Remedies, chronicles recent breaches and gleans lessons for all organizations that allow remote access to their network. For example, the infamous breach at Heartland Payment Systems in 2008 occurred, in part, using a VPN. This was followed by incidents at Google earlier this year and a major breach at Energy Future Holdings that resulted in $26,000 of business.

The white paper explores the two primary reasons that hackers find VPNs so alluring. For one, VPNs transmit sensitive information over public and shared networks. The extension of the network outside the perimeter makes assets much more accessible. Second, a VPN typically does not have the layers of security found in perimeter defenses, yet it will provide access from outside a perimeter to inside networks. This can make VPN-based attacks that bypass a perimeter more attractive than attacks that directly target the perimeter.

The vulnerabilities that caused these breaches, and others like them, can be distilled into three categories. While the white paper delves deeper into these categories, in a nutshell, they include VPN quality, security, and management. For instance, VPN systems are expected to handle complex security operations, but not all products are created equally. Most will contain some flaws...

What We’re Reading, Week of 7/19

*Editors’ Note: This week, Highlights will focus on Black Hat 2010, being held in Las Vegas next week. We encourage our readers to send us their thoughts and experiences from Black Hat 2010 at editor@vpnhaus.com.*

- Ars Technica, Millions of Routers Vulnerable to New Version of Old Attack: Presentation at Black Hat 2010
- CSO, Black Hat, DefCon and B-Sides: A Survival Guide
- InfoWorld, Black Hat and Defcon to Focus on Critical Infrastructure
- Network World, Black Hat Talk to Reveal Analysis of Hacker Fingerprints
- SearchSecurity, Black Hat Conference 2010 Coverage: News, Podcasts and Videos

Healthcare Provisioning: Q&A with Marshall Maglothin

VPN Haus recently talked to Marshall Maglothin, a Washington, DC-based consultant specializing in healthcare virtual management. Maglothin gives us his perspective on keeping patient information safe without hindering speedy access to urgent data.

VPN Haus: What are the basics for provisioning employees at healthcare organizations?

Maglothin: All systems should have all users using unique passwords. Thus, the system has an electronic audit trail to record which employees accessed which records, with statistical outlier reporting.

VPN Haus: How do you ensure that the records are not so tightly controlled that it delays specialists asked to consult on the case or ICU personnel from urgently accessing the records?

Maglothin: All stations should have a time-out feature, and workstations in areas such as ICU and CCU are considered more secure (personnel constantly present), so the station’s time-out may be longer. Once a station is logged on, switching users by password should be real-time. The greater issue is all the bedside workstations/wireless devices. If it takes more than 15-30 seconds to log on (some take 90 seconds), then if a physician logs on to 30 patients a day, that’s 45 minutes of lost PHYSICIAN productivity – no patient care and no reimbursement. Doesn’t sound like much. But calculate 40 hours per week for 250 days per year: this equals 188 hours, or more than 4.5 work weeks, lost to nothing but logging in!

VPN Haus: Staggering. So, if the consultant couldn’t access the records, it would be an example of a poor sensitivity error. What other errors should healthcare organizations be mindful of?

Maglothin: There’s the error of excessive credulity. An example would be a...