Does Bringing an ‘Ethical Hacker’ In-House Pay Off?

A study last year estimated that global losses from cybercrime ranged from $375 to $575 billion for 2014 alone. This figure is only expected to climb with each passing year as cybercriminals become more sophisticated and their ranks grow with opportunistic hackers looking to cash in on an increasingly lucrative trend. Given that, it’s easy to see how and why panic among both enterprises and SMBs might start to set in.

What’s most troubling about the cybercrime phenomenon is not only the amount of money or information that could be stolen, but how much businesses need to spend just to protect themselves. Adequate cybersecurity protocols aren’t free, and even when a company has put expensive measures into place, there is no guarantee that they will catch every single potential threat; all it takes is one malicious email or one spear-phishing attempt to make it through, after all.

One innovative method that businesses have explored is employing an in-house “ethical hacker” to identify potential security risks and patch them ahead of time. Essentially, these personnel are former hackers who may have used their skill sets for illicit means (stealing bank account information, breaking into corporate databases, committing identity fraud) but who are now being turned legitimate by companies looking to put those skills to more beneficial use. Instead of hacking into the enterprise’s systems to steal something, these ethical hackers hack into the company’s systems to exploit specific cybersecurity vulnerabilities, essentially attempting to beat the bad guys to the punch. Once they have identified a company’s major security flaws,...

The Security Risks of Remote Support Tools

A recent study shows that although remote support tools are being increasingly implemented within enterprises, IT decision-makers are uncertain about their safety. They should be, and for good reason.

The study, conducted by Bomgar and Ovum, focused on the challenges that enterprises face in providing remote support to employees who use a wide range of devices, such as smartphones and tablets. According to the research, nearly 25 percent of workers are currently mobile, and as a result, businesses will increase their support for remote workers over the coming 18 months. Despite this, the majority (more than two-thirds) of IT decision-maker respondents were concerned about the associated security risks.

Remote support is alluring because it typically runs in web browsers, which makes it easy to install and use on many kinds of devices. However, because it is browser-based, every vulnerability of the browser can compromise the safety of communications with the corporate network. If a user does not log out properly, an attacker can gain total access to the network with little oversight by IT. In addition, all network communication passes through third-party gateways, which exposes an enterprise’s servers to potential threats.

Enterprises that want all of the functionality of a remote support tool, but none of its safety concerns, should instead consider using an IPsec VPN gateway with a remote desktop component and the ability to verify server certificates at the VPN gateway. With such a solution, an enterprise can let its staff access and control networked computers and devices through a highly secure, encrypted tunnel....

Why Elliptic Curve Cryptography is Necessary for Secure Remote Access

Recently, there have been many advances in cracking the encryption algorithms that form the basis of the most common cryptography systems, such as Diffie-Hellman, RSA and DSA. Experts warn that within the next several years, the RSA public key cryptography system could even become obsolete. If that is the case, how will enterprises be able to ensure secure remote access in the near future?

First, let’s take a look at the problem itself. Encryption algorithms ensure security by relying on the assumption that certain mathematical operations, such as integer factorization and the discrete logarithm, are exponentially difficult, so that private keys cannot be recovered. As the key length increases, it becomes exponentially harder to break, which is why key sizes are typically 128 bits and above. After more than 30 years of little progress, researchers have recently started creating faster algorithms for limited versions of the discrete logarithm problem, which has rung the alarm for the entire cryptographic community. It has made us realize that we need to implement a more secure standard: Elliptic Curve Cryptography (ECC).

ECC is the best option moving forward for secure remote access via VPNs, because it is based on an operation that is not only difficult to solve but also a very different problem from the discrete logarithm and integer factorization. Because of these characteristics, it is not affected by advances in breaking cryptography systems that rely on either of those problems. Currently, ECC is still not widely in use, but that is starting to change. It is particularly important for enterprises to implement ECC over the next several...