NIST’s New Cryptography Guidance: What It Means for Enterprises

We recently weighed in on the significance of the Heartbleed bug, which was arguably the biggest rift in the cybersecurity space since Edward Snowden’s NSA revelations. While the OpenSSL vulnerability has received a deserved amount of attention, it’s imperative not to let other industry developments pass below the radar. One such development is a recent announcement by the National Institute of Standards and Technology (NIST) highlighting the release of the latest version of its cryptography guidance, titled “Recommendation for Random Number Generation Using Deterministic Random Bit Generators.” The revision was published specifically to make clear the removal of a deterministic random bit generator (DRBG) algorithm. Why such a major revision? The NSA.

Not-So-Random Numbers

Back in November 2013, NIST found itself under heavy scrutiny from IT security experts and the media because of allegations that the NSA had somehow corrupted, or at least strongly influenced, the way the organization composed its cryptography guidance. It was widely believed that a specific DRBG algorithm, Dual_EC_DRBG, was being leveraged by the NSA to “circumvent encryption that shields much of global commerce, banking systems, medical records and Internet communications.” Up to that point, DRBG was considered an efficient, secure way to provide randomly generated cryptographic keys that granted users access to corporate networks, for example. The ironic thing was that encryption was being evaded using certain parameters specified within the NIST guidance. As Eric Chabrow of BankInfoSecurity explains, that exploit could in turn allow attackers to successfully predict the secret cryptographic keys that form the foundation for the assurances provided by NIST. With the entire world still feeling out the long-term implications...

Remote Workers Demand VPNs

With more companies going global, and more employees spread across multiple geographic locations, the demand for remote access technologies has never been greater. The good news is that telecommuting has the potential to be mutually beneficial to the increasingly mobile workforce and their companies. Remote employees believe they are more productive with a flexible schedule that allows them to work both in the office and at home, whenever they need to, and their employers obviously stand to benefit from this increased productivity. As Jeffrey Burt of eWeek explains, “Greater worker mobility is one of the key trends…changing the way corporate IT works.”

The current situation

BYOD is here to stay; that much has been known for several years now. However, thanks to research recently conducted by Pertino, we have a better understanding of exactly what it is that employees are looking for in terms of working remotely. One interesting revelation from the study is that, though people want their jobs to fit their more flexible lifestyles, there are still some lingering frustrations with remote access to corporate networks, which are falling behind the times and unable to deliver an optimized telecommuting experience. In fact, a shocking 77 percent of survey respondents are not completely satisfied with the remote access capabilities they’re given, and 30 percent said they don’t have any remote access at all. That’s a major problem, as 99 percent said “they need to be able to access business files and applications via their computer or mobile device if they’re to get their jobs done.” Reading between the lines, it’s clear that there is substantial room for improvement...

Stop the Bleeding: How Enterprises Can Address the Heartbleed Bug

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open...

A Closer Look at Cloud VPNs

Virtual Private Networks as a Service (VPNaaS), Managed Security Service Providers (MSSP) and Cloud Remote Access are different solutions addressing the same market requirement – the ability for remote employees to securely access corporate networks via the Internet with a managed solution. Many enterprises have realized the benefits of using cloud services in other areas of their IT infrastructure. As a result, they no longer want to absorb the costs and management effort involved in hosting their own VPN gateways, especially ones with large numbers of remote endpoints. Striking a balance between giving remote employees the flexibility they desire while ensuring sensitive company data remains secure is admittedly a fine line to walk. Enterprises have faced that challenge for several years now as they’ve wrestled with the bring-your-own-device (BYOD) movement. Factoring the cloud into the equation only compounds the complexity of the situation. That’s why many companies today are outsourcing the operation of the VPN to a cloud solutions provider such as HOSTING. However, not all VPNs are created equal, and enterprises need to carefully examine what a provider is offering.

What to look for

Be sure the provider offers simple, yet efficient management of your cloud-based VPN. For example, centrally managed VPNs give administrators the ability to easily set up, add or delete users as needed. With this approach, all configuration parameters are centrally stored, which makes it substantially easier for end users to establish connections while making it nearly impossible for employees to bypass or manipulate them. Will end users need to reestablish a secure network connection each time their connection channel changes? If the...

Long Live Windows XP…. And Mobile Security

At one point or another, we’ve all been blindsided by news that has literally changed our lives. Though we’re often left momentarily stunned, it’s imperative to figure out how to adjust and carry on. It’s not always easy, but you know the expression – where there’s a will, there’s a way. However, the discontinuation of support for Windows XP is not news that should take anyone by surprise, as its April 8, 2014 retirement date was officially announced almost a full year ago. Cyber criminals surely have the date circled on their calendars, as the security risks posed to the numerous users and enterprises still using Windows XP beyond that date have been well documented. Recently, these risks have become both more prominent and more dangerous. ZDNet reports that, using a form of malware called Backdoor.Ploutus, hackers are starting to remotely access a portion of the 95 percent of ATMs in the United States still using the soon-to-be deceased operating system (OS). “By simply sending a text message to the compromised system, hackers can control the ATM, walk up to it, and collect dispensed cash.” Clearly, this is a major cause for concern. And it’s not exactly as if Microsoft has been trying to sweep the retirement of XP under the rug, either. In addition to sending pop-up dialog boxes encouraging users of the 488 million systems still using XP to upgrade to another Microsoft OS, the corporation even went so far as to recruit tech-savvy friends and family to help “old holdouts” make the transition. Unfortunately, the results have been lackluster. HelpNetSecurity reports that many users call these efforts a...