How to Manage Secure Communications in M2M Environments

For all the talk of the Internet of Things (IoT) and machine-to-machine (M2M) communications making our lives easier, there always seems to be a cautionary tale involving security of these devices around every corner. Take self-driving cars – something it seems like almost everyone would want. That is, until last summer, when the cybersecurity community raised a red flag around connected cars, and the possibility that hackers could tap into a vehicle’s network and disrupt its operating system. The same concerns have followed connected televisions. As of a year ago, smart TVs had taken over about one-third of the flat-screen television market. Then, just last week, news outlets picked up on the possibility that Samsung’s smart televisions could effectively “eavesdrop” on conversations, and that the company could then pass that information along to third parties. Although these specific examples are recent, questions about network security in M2M communications and the IoT are not new. ZDNet flagged the issue back in January 2013, in an article that posited security concerns could prevent M2M from reaching its full potential. Although M2M communications have actually been common for decades, they have never before been quite as widespread as they are now, and they now communicate over the open, public Internet, versus being confined to limited, secure networks. As NetIQ’s Ian Yip told ZDNet, in many cases security is an afterthought – it is something that is a “retrofit” to M2M. This is a mistake. Security needs to be considered from the very beginning. M2M security is already difficult enough, as human beings aren’t even part of the communications process....

Two-Factor Authentication Transforms Even ‘123456’ Into a Secure Password

Since 2011, the same two passwords have ranked as the most common (and worst) among users. Care to take a guess as to what they are? You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now. As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords. Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat or exert any effort. They can simply type in “1-2-3-4-5-6” or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips. At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices when it comes to setting up their credentials. Or they could provide them with tools that both randomly generate secure passwords and then store them securely for easy recall. The problem with each of these solutions is that they’re really just temporary...

Ex-Employees: All the Best, But Can We Have Our Personal Emails Back, Please?

It doesn’t matter if employees leave a company on unpleasant terms or quite amicably – it is absolutely essential that enterprises have solid, well-defined termination processes in place, and that they’re followed to the letter. In their final days at a company, employees can demand various personal documents, depending on local regulations. A final paycheck and unclaimed vacation days also need to be sorted out. A smooth termination process is a good business practice, and documenting it in a written agreement, signed by both parties, helps to avoid misunderstandings. Putting this type of process in place is inexpensive, and in the long run costs nothing at all. A well-defined process also contributes tremendously to the overall integrity of the corporate network security structure, in that companies that follow these processes drastically reduce the danger of sensitive information being leaked whenever an employee leaves the company. As part of the termination process, employees should confirm they have read and deleted all private emails on the company’s servers, are no longer storing private data in the LAN, have transferred all personal data, e.g. phone numbers, videos, photos and text messages, from company-owned mobile devices, and that all other private information has either been deleted completely or transferred to a private data storage device. It’s also important that both sides acknowledge the handover of all private data and that no more private data is residing on the company’s servers. In Germany, where employers are granted full ownership of email, failure to do so could create legal repercussions for companies. As a decision by the Higher Regional Court Dresden (4 W 961/12) explains,...

The Three Human Failures Behind Remote Access Shortcomings

Whenever news of a network security breach reaches the public airwaves, observers are quick to assign blame to some combination of technological shortcomings and human error that allowed an attacker to slip through the victim’s cyber defenses. When it comes to remote access in particular, network security is even more dependent on technology like VPNs, and on employees who do their part and follow company protocol. Unfortunately, network administrators often find themselves in a position where, due to human imperfection, remote access technology is the only constant that protects their network. Here are the three types of people who are guilty of common, understandable human errors that network administrators need to have on their radar, and try to protect against, as they build a network security infrastructure:

The Strained IT Pro

Information security professionals are modern-day gladiators, fighting back against complex network security threats, internal and external, as quickly as they form. Yet, as a Ponemon Institute study revealed earlier this year, many IT departments are overburdened as they try to defend against all of these threats at once. The problem is actually two-fold: a dearth of talent to fill positions (according to the study, 70 percent of the organizations say they do not have sufficient IT security staff) and turnover in security positions that can be filled (CISOs leave their positions, on average, after 2.5 years). The result is that IT departments, despite their best efforts, cannot defend against every attack, particularly as cyberattackers diversify and expand their efforts in the coming years.

The Oblivious Employee

For companies that lack a consistent frontline defense by their IT staff, employees are next...

Remote Access No More: Reddit Requires Worker Relocation Before End of Year

Even just a decade or two ago, it would have been unfathomable to think that sometime in the near future, workers would be upset that their employer was requiring them to work in the same office as the rest of their team. Then again, so too would the concept of BYOD and the idea that workers would even have the option to work remotely, from home offices and coffee shops, without missing a beat. But, that’s exactly what happened last month, when Reddit, the self-proclaimed “front page of the Internet,” announced that its employees would soon be required to work out of its San Francisco headquarters, or face termination. Reddit CEO Yishan Wong described the change as one designed to “get the whole team under one roof for optimal teamwork.” No surprise there, really – you usually hear some variation of that line from executives who scrap remote work policies. It’s the same reasoning we heard from Yahooites when that company made similar changes to its remote work policy nearly two years ago, citing the need for “working side-by-side” to spur communication and collaboration among employees. Critical reaction from Redditors and others in the tech community has been just as swift and decisive as it was against Yahoo in early 2013. Yet, for every Reddit and Yahoo that bucks the trend toward remote work, there are plenty of other examples of companies that have embraced remote work with great enthusiasm.

All Remote, All Rewards

Automattic, the web development company behind WordPress, only has about 300 employees. For a technology business, that’s hardly a blip on the radar, when compared...

When Remote Access Becomes Your Enemy

As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used. This arrangement makes sense: It saves enterprises time and money. Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities. In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician. About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only remote access users were affected. Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server data through a remote access point. Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software. It’s clear that these attacks and vulnerabilities are all part of a trend –...