VPN Haus

Mobile Devices like a “Trojan horse” into the Enterprise

vpnhaus — Wed, 01 Sep 2010 18:50:53 +0000

John Hering, CEO of Lookout, a mobile security firm, recently told Dark Reading, allowing a mobile device access to critical data is “almost a Trojan horse into the enterprise itself. “ Powerful words.

We took Hering’s warning to heart and asked several security and enterprise experts: What major security concerns should the enterprise worry about when it comes to mobile devices, mobile terminals & the Windows CE client? Here’s what they had to say.

“One of the biggest risks is user indifference to security. Stats show, thousands of mobile devices (smartphones, USB sticks) are left in cabs, airports, etc. [This leaves] corporate and other data on them vulnerable to whomever finds the device. Along with this physical loss (and theft), the end user likely also loads sensitive corporate data on the device (emails, attachments, data files), increasing the overall risk.” – Barry Lewis, Owner Cerberus ISC Inc

“If the enterprise uses Windows CE clients, they will have thought about the devices and the platform quite thoroughly. This OS is most common in specialized embedded devices, used in Line-Of-Business solutions. Most of the (independent software) vendors in that market will have thought about data encryption, both on the device as well as during communication. The solutions commonly include a device management solution that will encrypt and wipe data on the device remotely when required. Windows Mobile is a whole different story, as those devices are not so specialized and much more consumer oriented.” – Aart Merkelijn, owner of iKnowMobility

“Massachusetts is one of the few states that have laws specifically targeting encryption for data at rest which contains PII (personally identifiable information). The ‘fix’, if you will, is to have addressed data encryption and maintaining logs to prove [a] missing device was encrypted. If you can get that addressed you will be able to sleep better at night. “ – Phillip Ogle, Systems Security Engineer

“The biggest threat to security is the human. Technology can be modified through programming or design. Humans must make a conscious effort to adhere to corporate policies and to police themselves. Policies need to address data at rest and in transit on portable devices.” – Larry Williams, Group Benefits Specialist

What We’re Reading, Week of 8/23

vpnhaus — Fri, 27 Aug 2010 17:55:14 +0000

CSO, Sticks and Stones: Picking On Users and Security Pros
Dark Reading, Mobile Devices Threaten Enterprises From Within
Help Net Security, The Dramatic Increase of Vulnerability Discoslures
SC Magazine, Four Tips to Secure Your Smart Phones
TechNewsWorld, The New Threats: The Bad Guys Up Their Game

New Survey: Employees Complain About IT Security Policies

vpnhaus — Thu, 26 Aug 2010 18:40:04 +0000

You know the scenario, you implement your organization’s security policy, and then within minutes can hear employees groaning and mumbling about IT. According to a new survey, employees don’t just complain to each other – they are now complaining directly to IT.

Four in 10 CIOs interviewed for the Robert Half Technology survey said that it’s at least “somewhat common for employees to complain about security measures that limit which websites or networks they can visit at the office.”

IT professionals have long grappled with being the organization’s “bad guys,” limiting access and denying service to frustrated employees. To dodge outright mutiny, IT professionals can help employees better understand why we have to restrict and monitor what they do. To do this, we’ve turned the survey’s suggestions for employees confronting IT administrators on its head to make the list for IT professionals.

Be Open to Questions. Nobody likes to be told policies exist “just because.” If an employee wants to know why a certain site or network is restricted, tell them why. And if they’re not super tech-savvy, do so in laymen’s terms. The answer can be simple, but fostering this dialogue will make employees more comfortable with restrictions.
Listen to Business Cases. IT professionals are sometimes so far removed from the rest of the organization, they don’t understand why blocking certain sites and networks is detrimental to business. When employees are making legitimate business cases to change the IT policy, listen. We’ve heard stories of IT departments blocking social media channels at news organizations, leaving reporters scrambling on their mobile devices to catch up on breaking news stories.
Explain Your Role. Let employees know that your job isn’t to deny them access to “fun” sites, it’s to protect the organization’s security. The better they understand your role, the more the policies will make sense.
Be flexible. When possible, work with the employees. For example, set up one computer in the office that isn’t restricted so employees can occasionally access restricted sites. Compromises like this go a long way in helping employees make peace with IT security policies.

What We’re Reading, Week of 8/16

vpnhaus — Fri, 20 Aug 2010 19:46:17 +0000

Dark Reading, Ferreting Out Rogue Access Points and Wireless Vulnerabilities

InfoWorld, 5 Reasons IT Pros Should Be Paranoid

Computerworld, Managing and securing iOS 4 devices at work

Technorati, Why a Blackberry Ban Won’t Affect Privacy

PCWorld, Google CEO Exposes Dark Side of Social Networking

Q&A on IT/HR collaboration with Volodymyr Styran

vpnhaus — Thu, 19 Aug 2010 20:32:58 +0000

VPN Haus spoke with Volodymyr Styran, a security expert, about ways IT professionals can work more closely with HR on issues like provisioning. VPN Haus has long advocated for IT departments to make user provisioning a higher priority and Stryan has some ideas on how this collaboration can be turned into reality.

VPN Haus: Let’s start with basic tampering. How can IT administrators prevent users, especially ones who are tech-savvy themselves, from tampering with settings?

Styran: I’d suggest application of strong organizational policies and thorough logging of user actions. Changes to local policies are usually reflected in [programs like] Eventlog. Collect it centrally in a separate log management facility, review the logs regularly, and follow up the findings via disciplinary action. This may sound a bit aggressive, and is rather reactive than preventive, but in my opinion this is the most effective approach.

VPN Haus: What’s the greatest enforcement challenge?

Stryan: The greatest enforcement challenge is making HR execute disciplinary action. Punishing is not their favorite part of the job, because it affects image…So, when it comes to HR, one has to present and explain every bit of risk and harm introduced by a violation. And all this definitely makes little sense unless strong administrative policies are established beforehand.

VPN Haus: Can you provide 3 – 5 tips on how IT departments could work more closely with HR to foster better communication between the departments?

Stryan: Sure.

- Be friendly, while being firm when needed.
- Make it formal, while maintaining good relationships. Write your policies firm and strict, but socialize with HR in a positive manner.
- Pay more attention to HR’s needs and concerns; this is relevant to relationships with any other non-IT function as well.
- Always explain. [In most cases,] they know next to nothing about [IT]. “We know better” doesn’t work. Although, the more you explain in the beginning, the less explanations they will need later on. This is how trust is developed with time.

Volodymyr Styran is based in Ukraine.

Ready or Not, IPv6 Security Threats are Coming

vpnhaus — Tue, 17 Aug 2010 21:19:53 +0000

There’s a simple math problem causing quite a lot of pain for companies who use the Internet. Here’s the math: 7 billion does not equal 4 billion. As simple as this statement is, the complexity it creates is staggering. IPv4 represents the smaller sum. The solution of course is IPv6 with it’s 128-bit scheme, compared to the 32-bit predecessor. That equates roughly to 3.4×1038 unique addresses, enough to cover the 7 billion people on the planet today and more than enough to substantially future-proof the protocol until we’re all well done and gone. The security threat for companies in this situation is how to update all the technology they rely on that runs, processes or navigates any Internet data stream.

First, let’s cover the baked-in security of IPv6 protocol stack. Is simple terms, the major difference is section RFC4601 which mandates use of IPsec for all nodes – something available for IPv4, however, not required. The large address space in IPv6 safeguards against port scanning. Again, there’s math here that Samuel Sotillo details in his East Carolina University paper. Changes to the authentication header, encapsulating security payload, transport and tunnel modes, protocol negotiation and key exchange, and neighbor discovery and address auto-configuration further improve security.

Defcon speaker, Sam Bowne warns the industry that adoption will likely cause “severe security headaches” because IT professionals haven’t really dug into the issue yet as it’s not widely adopted today. What is happening today is a slow rollout – or a dual-stack environment – where both v4 and v6 are comingling, creating two infrastructures to secure instead of just one. Bowne stressed during his presentation that it is extremely important for white-hat hackers to dig in and identify these threats. Sotillo identifies a few areas worthy of inspection, including header manipulation issues such as spoofing, and flooding issues such as Smurf-type attacks on multicast traffic. Jake Kouns and Daniel Minoli dive into these issues in detail with their 2008 book, Security in an IPv6 Environment.

Interestingly enough, much of the advice given as far back as 2005 has still not been widely adopted. For example, Mike Chapple, CISSP, offered five tips that networking pro’s should pay attention to, including education across configuration, new tunneling protocols risks and addressing complexity created by auto-configurations. Yet most professionals are still unfamiliar, according to a recent article by Robert Westervelt of SearchSecurity.com.

Buffer overflows and bugs will be an issue with the IPv6 transition as well. Joe Klein, Defcon attendee and subject matter expert with the North American IPv6 Task Force, states that it will take years for the bugs and flaws to be worked out, but will do so as it starts to gain wide acceptance. One particular flaw that is unique to IPv6 and causes chaos in networks is packet amplification attacks. This particular attack places a 0 in the routing header of each packet, and causes them to travel in a looped path. Ping pong exploits then take advantage of the 64 subnets available in the protocol, and allows attackers to send packets from one non-existent connection to another. This results in an ongoing series of ICMP Unreachable error messages and floods the network with wasteful data. In a podcast with TechRepublic’s Michael Kassner, Klein gives a great overview to of some of other issues that’s worth a listen.

IPv6 is a completely new protocol, not a simple patch slapped on existing IPv4 technology. Any technology has to be able to handle these changes, including VPN, routers, intrusion detection and prevention, firewalls, network access control (NAC) solutions. Work-around solutions create gaps and gaps are what hackers exploit.

What We’re Reading, Week of 8/9

vpnhaus — Fri, 13 Aug 2010 13:51:04 +0000

Computerworld, Five Windows 7 Security Features that Businesses Need to Know About

CSO, Workarounds: 5 Ways Employees Try To Access Restricted Sites

Dark Reading, Flawed Deployments Undermine Kerberos Security

InfoSecurity, A Clear Future for a Cloudy Concept: Importance of a Strong VPN

SC Magazine, BBC Experiments With Mobile Spyware As It Creates And Tests A Malicious Application

SearchEnterpriseWAN.com, Knowing When To Outsource VPN Services

Q&A with Rob Shein, IT Security Expert

vpnhaus — Thu, 12 Aug 2010 13:40:03 +0000

VPN Haus recently talked to Rob Shein, a Washington, DC-based IT security expert. Shein gives us his perspective on managing IT security for organizations.

VPN Haus: Let’s start basic. How do you prevent users from tampering with policy settings?

Rob Shein: Most technical solutions with policies that can be defined at a central management point also have the ability to lock them down, so that only administrators can change them. If you’re using a product that doesn’t have centralized policy management…replace it.

VPN Haus: That’s a good point. Let’s talk more about why is centralized management so crucial for IT management.

Shein: Centralized management is crucial for IT management for a number of reasons. The first is simply a question of scale; without a central point for control over functionality, the cost of operating an IT environment will grow horrendously as the environment grows in size. Imagine configuring Cisco switches by having to keep track of separate logins and passwords for each one, as well as documenting each one’s configuration using Notepad. Just keeping things operating would be a nightmare.

Then, add to that the challenge of ensuring that system drift doesn’t occur, ensuring that systems are configured and operating as they should be; this challenge has a real monetary impact on it when compliance comes into play, and audits need to be performed. Both the cost of the audit and the risk of being found in noncompliance go up. Last of all, there is the increased effort and risk of changing an environment, either as part of an integration project or addressing a security risk across the enterprise.

VPN Haus: With the remote access landscape changing so rapidly, sometimes IT administrators have to make quick changes “on the fly.” What should they take into account when doing this?

Shein: IT administrators should never make changes “on the fly,” but should work with change control. The larger the environment, the more important this becomes, as there are more and more dependencies and less obvious ramifications from certain kinds of change. The wireless landscape may change quickly, but the actual installed base of technologies in any enterprise doesn’t change at the same rate.

View Rob’s LinkedIn

Podcast: Securing Mobile Devices for Healthcare Organizations

vpnhaus — Tue, 10 Aug 2010 13:48:30 +0000

As healthcare organizations move online to comply with new regulations and to streamline their operations, many organizations are facing compatibility, compliance, and security challenges. Fred Cruz, IT director at American Hospice, recently spoke with HealthInfoSecurity.com about navigating his organization through this very scenario.

In the podcast, Cruz describes how he moved 180 home health workers from using an expensive, time-consuming paper-based system to using mobile devices to update their files in real-time. The move streamlined American Hospice’s scheduling and tracking system, as well as increased its cash flows. According to HealthInfoSecurity.com:

In the podcast, Cruz explains how outlines the security strategy, noting:

Setting up a virtual private network to link the phones to servers behind a firewall proved challenging; several VPNs failed to work.
The VPN communicates with the firewall and creates a secure tunnel using encryption.
Both the patient data and the home health application on the phones are encrypted.
The phones are password-protected, an essential step in case the devices are lost.

Jacksonville, Fla.-based American Hospice is the nation’s oldest hospice management company. It serves clients in five states. Cruz has 19 years of IT experience. He managed the installation of Allscripts Homecare software and VPN technology from NCP Engineering Inc.

Podcast Options:

Download MP3 File

Play Streaming Audio

What We’re Reading…Week of 8/2

vpnhaus — Fri, 06 Aug 2010 15:59:02 +0000

BusinessWeek, Mobile Health Requires Grasping Smartphone User Connection

Computerworld, State CIOs Focus on Updating IT for National Healthcare

MobiHealthNews, Clinton: mHealth Offers Unprecedented Access

PCWorld, Smartphones, Tablets Seen Boosting Mobile Health Care

The Huffington Post, Electronic Medical Records: Privacy Risks and Opportunities