Stop the Bleeding: How Enterprises Can Address the Heartbleed Bug

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open...

Vehicle VPNs, Part Two: Business World Implications

In recent years, remote access security has become a major focus of IT departments in businesses small and large. The rapid growth in the use of smartphones and tablet computers, the bring-your-own-device (BYOD) trend and an increasing number of companies allowing employees to work from home have all but assured this. VPNs, as such, have become widely popular as a means of securing those data tunnels between end devices and internal corporate networks. But now, there’s another endpoint that requires the attention of IT managers: cars. Actually, to be more specific, “connected cars.” In a previous blog post, we discussed the continuing evolution of connected cars and how vehicle VPNs can help prevent critical security breaches. The vulnerabilities we covered focused on travel safety and machine-to-machine (M2M) concerns in people’s homes. Today, we’ll take a look at the more business-oriented issues at play and their implications on the corporate world.

The Basics of Remote Access

Let’s start with the same basic principle that applies to remote access everywhere: a corporate network is only as secure as the device and communications channel used to access it. VPNs have long been used to secure communications between laptops and private company networks across many industries. In most cases, employees were using company-issued laptops. In the last five years, however, we’ve seen a paradigm shift where more and more people are using personal laptops as well as smartphones and tablet computers to work from outside the office. BYOD certainly created a few headaches for IT departments when it came to security, but the benefits were too substantial to ignore — flexibility, improved access...

Do You Plan to Use the Per App VPN Feature in iOS 7?

Despite the rise of the bring-your-own-device (BYOD) movement in recent years, Apple’s popular iPhone and iPad haven’t really been geared toward making the lives of enterprise IT administrators any easier. However, with several new business-centric features now included in the upcoming iOS 7 release, that could all be about to change. Apple is billing the new iPhone 5S as the “most secure mobile phone ever.” Whether that proves true or not remains to be seen, but so far, the iOS 7 updates are a bit more interesting. Chief among them is the new per app VPN feature. According to Apple’s website, “Apps can now be configured to automatically connect to VPN when they are launched. Per app VPN gives IT granular control over corporate network access. It ensures that data transmitted by managed apps travels through VPN — and that other data, like an employee’s personal Web browsing activity, does not.” With reports that 76 percent of enterprises are now formally supporting BYOD, IT administrators are sure to welcome such granular control. Not only does such a feature have the potential to improve data security, but it could also make company-wide app rollouts significantly easier and lighten the traffic load on corporate networks. But, perhaps the most important thing to remember is that enterprises cannot afford to become complacent when it comes to remote access policies and best practices. As mobile device manufacturers and application developers work to make their products more enterprise-friendly, they are ultimately designing them for convenient use by consumers. IT teams must remain vigilant when it comes to managing these devices and how they connect...

Developing a Comprehensive Remote Access Security Framework

As previously discussed, mobility and bring-your-own-device (BYOD) programs have become staples of today’s working world. As such, it is more important than ever to recognize that the overall integrity and security of IT networks is ultimately determined by the weakest links in the communication chain. Ironically, the weakest links tend to be the same mobile endpoints spurring the BYOD movement – laptops, tablets, smartphones, etc. There are several reasons why these mobile endpoints are particularly vulnerable, including:

- They lack many physical access control mechanisms
- They attract malware
- They are often used while connected to unsafe networks, such as public Wi-Fi hotspots or unsecured hotel networks

Of course, if mobile endpoints are vulnerable, so too are the networks they access. Developing a comprehensive security framework that allows IT teams to assess and monitor these endpoints is a formidable challenge. In this series of posts, we’ll discuss why comprehensive remote access security is so important, and how it can be achieved. To start, we’ll examine the current state of BYOD and how unsecure mobile devices accessing corporate networks jeopardize sensitive company data.

The Current Situation

Increasingly, people are conducting transactions on-the-go while connected to unsecured networks in airports, coffee shops, restaurants, etc. Even with a basic out-of-the-box VPN solution, users may be opening themselves and their corporate networks to severe security threats, including viruses, spyware or bot infections, and Advanced Persistent Threats (APTs). APTs are arguably the most damaging, due to their stealthy nature and narrow focus. They are usually designed and executed with a very specific target in mind, such as the pending sales agreements of financial institutions. (We’ll take...

Countering Advanced Persistent Threats with Comprehensive Network Security

The technological savvy and tenacity of cyber criminals have never been greater, and IT administrators trying to prepare for impending attacks are often left backpedaling. With all of the different ways a corporate network may be attacked, IT administrators must strive to implement a comprehensive remote access security framework within their enterprises. Especially with the proliferation of mobile devices, running a wide variety of operating systems, being used to access the network, companies need to make sure they have all of their bases (or, in this case, endpoints) covered. While traditional attacks, such as viruses, spyware or bot infections, are far from extinct, advanced persistent threats (APTs) have recently been garnering a lot of attention. APTs give IT teams headaches, because they are extremely stealthy in nature and are almost always aimed at a very specific target. Traditional attacks are generally created to quickly harm the machine and network they’re infiltrating, leaving before they can be detected by the network’s intrusion detection system (IDS). APTs, on the other hand, are designed to remain in the network undetected for extended periods of time, all the while stealing sensitive company data. The wide range of methods and vulnerabilities that these attacks use to gain access is what makes them so tricky to discover. Unfortunately, once an attack has commenced, it usually requires an IT administrator to notice anomalies in outbound data before anyone realizes there is a problem at all. Sophisticated APTs can be very difficult to spot, especially without the right framework in place. One recent example of an APT struck the New York Times. It appears that the cyberespionage...

PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications

With many documents critical to matters of national security being accessed on a daily basis, government agencies must ensure that all users trying to establish connections of any type to their networks are who they say they are, that they are authorized to access the locations they are connecting to, and that all communications are encrypted. Public Key Infrastructure (PKI) compliance is the system that the public sector uses to verify a user’s information when attempting to establish a secure connection. PKI compliance in the United States, for example, is administered and monitored by the Federal PKI Policy Authority, an interagency body that was set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across federal agencies and between those agencies, universities, state and local governments, and commercial entities. PKI enables users on non-secured networks to transmit data securely and privately. It does so by using a pair of public and private cryptographic keys obtained and shared through a trusted Certificate Authority (CA). The PKI system ensures that the digital certificates generated to match an identity with their public keys are stored by the CA in a central repository and can be revoked if necessary. The public key cryptography assumed by the PKI system is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditionally, cryptography has involved the creation and sharing of a secret key for the encryption and decryption of messages. The most well-known uses are email and document encryption and authentication, but PKI is actually much broader than that. It can provide authentication for VPNs...