The concept of “Bring Your Own Device” seems so simple. Employees can just tote their personal phone or tablet with them to the office – which they’re probably doing anyway – and use it for work. Or, they access the corporate network remotely, from home or while on-the-go. BYOD and remote access have always seemed like a win-win arrangement – employers pay less for hardware and employees gain convenience.

Of course, it’s never really been that simple or straightforward. And now, following a ruling by the California Second District Court of Appeal, BYOD looks poised to become even more complicated.

Last month, the court ruled that companies in the state must reimburse employees who use their personal phones for work purposes. Specifically, the ruling covers voice call expenses, and reimbursement is not contingent on an employee’s phone plan – even if the employee has unlimited minutes, for example, the employer must reimburse a “reasonable percentage” of the bill.

The consensus in IT circles is that the ruling muddies the water around BYOD. Now that there’s a legal precedent for voice call reimbursement, mandatory data reimbursement could be the next shoe to drop. And why wouldn’t it? Americans rack up more expenses for mobile data consumption than they do for voice calls. Should the law evolve, and if the California ruling sets a national precedent for other states, many companies may find BYOD no longer saves them that much money.

DataHive Consulting’s Hyoun Park has said that the ruling would be a “deal killer” for many companies, while Forrester Research’s David Johnson told Computerworld that BYOD could now be “sidetracked” for some companies as IT and business leaders scrum over how the ruling affects their own policies.

The ‘Rights’ of Employees

The reimbursement issue is one of many that have been whittling away at BYOD’s appeal. Also high up on that list are security concerns. Employers worry that many workers who participate in BYOD rely on nothing beyond whatever security features came enabled by default on the device.

In response, employers have clamped down by adding more security, through supplemental applications and software. This not only undermines the whole concept of BYOD – since the devices are no longer fully the employees’ “own” – but has already provoked a backlash: half of surveyed employees have said they would stop using a personal mobile device for work if their employer forced them to install security applications. That seems like a very clear line in the sand.

Some have even called for ground rules to govern the relationship between workers and employers as it relates to BYOD and remote access. Webroot has gone as far as to call for a “BYOD Bill of Rights.” Among its eight principles, employees’ personal information would remain private, security applications would not degrade the speed or performance of a device, and employees would be able to choose whether to use their personal device for work.

One way for employers to create a secure BYOD environment, without infringing on any of the “rights” employees have defined for themselves, is a VPN with central management capabilities, combined with a container solution such as Samsung Knox or OpenPeak Secure Workspace that keeps work data and apps separate from the employee’s personal data.

Network administrators can use a VPN to create an authenticated, encrypted tunnel through which devices connect to the corporate network. Central management lets an administrator act as soon as a compromise is detected, whether that means revoking the device’s access at the gateway or deprovisioning the user entirely, without needing to touch the personal device itself.

The only way BYOD and remote access will continue to grow is if employers and workers are able to achieve consensus and compromise along the security-convenience spectrum.


Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

- The full VPN landscape, including hybrid IPsec/SSL VPN solutions
- The evolution of remote access VPN
- How to provide users with secure remote access
- How to simplify remote access VPN and reduce costs

Download Now

Sprinkled throughout the course of history are flashpoints that were as unexpected as they were far-reaching. Catastrophic events like the September 11 attacks come immediately to mind, but so too does the birth of the Internet and the rise of Google.

These unprecedented, unpredictable events were given a name in 2007 by author Nassim Nicholas Taleb – black swans. In his book, “The Black Swan: The Impact of the Highly Improbable,” Taleb explains how, in the aftermath of these events, we try to find bread crumbs that could have possibly predicted the event. It’s human nature.

That’s why people are always so eager to determine what the next black swan will be, so that they can help spare the world some surprise when one does finally strike. The latest prediction comes from Chairman Greg Medcraft of the International Organization of Securities Commissions (IOSCO), who said: “The next black swan event will come from cyberspace. It is important that we pay attention.”

Threats of a Different Color

At first, it would seem as though Medcraft’s prediction isn’t all that surprising. How could it be, six months after President Obama announced new cybersecurity initiatives and, in the process, called network security threats “one of the most serious economic and national security challenges we face as a nation”? If the leader of the free world has identified something as a serious threat, then it probably doesn’t check the box for “unexpected” in the “black swan criteria” list.

Of course, that doesn’t make the threat of network security attacks any less dire. A black swan event could theoretically claim more victims than the Target breach, would leak much more damaging information than the Adobe hack, and would be more infamous than Heartbleed.

Consider, for instance, the recently reported NASDAQ breach. If the hackers involved in that breach were after more than information on the exchange’s technology, it may have led to dire consequences for the financial markets.

Where Will the Next Black Swan Land?

What’s most concerning about black swan threats is that, because they’re unexpected, unprecedented and rare, they cannot be planned for in any specific way. It doesn’t matter if you’re an enterprise or the U.S. government.

Where organizations can defend themselves is against white swan threats – those that are expected and more common. The individual elements of a cybersecurity plan, such as firewalls and VPNs with central management capabilities, have proven that they can effectively combat white swan threats. To prevent black swan threats, though, network security administrators have to adopt a big picture view.

It all ties back to a defense in-depth approach to network security: layered, independent controls and segmentation, so that a network keeps running and a compromise stays contained, whatever kind of attack occurs. What’s important is that the effects of an attack do not advance beyond the initial point of entry, not necessarily that every attack is thwarted and every threat vector is anticipated. After all, black swan events cannot be predicted.

Incidentally, Taleb also supports a defense in-depth approach to defend against black swan events. He doesn’t use the phrase “defense in-depth” specifically, but when he talks about the best defense being “robustness” – the ability to withstand shocks, even when they’re unexpected – he’s supporting the same principles as defense in-depth.

And why wouldn’t you trust the author who drew attention to black swans in the first place?



Are Connected Cars on a Collision Course with Network Security?

Flipping through any consumer publication that rates vehicles, you’ll see all the metrics you would expect – from safety and performance (acceleration, braking, etc.) to comfort, convenience and fuel economy.

What you won’t find is an assessment of the car’s risk of being remotely hacked. Unfortunately, if you happen to drive a 2014 Jeep Cherokee or 2015 Cadillac Escalade, your vehicle would likely have a one-star review in Consumer Reports for cybersecurity.

These vehicles, along with 22 others with network capabilities, were profiled by researchers Charlie Miller and Chris Valasek during Black Hat 2014 earlier this month. They warned that a malicious attacker could hack into a connected car, doing anything from “enabling a microphone for eavesdropping to turning the steering wheel to disabling the brakes.”

Days later, during the DEF CON hacker conference, a group of security researchers calling themselves “I Am The Cavalry” sounded the same alarm, urging the automobile industry to build safer computer systems in vehicles.

The warning comes years after automakers started testing the connected car waters, most notably Ford, as far back as 2010, with its “MyFord Touch” mobile Wi-Fi hotspot. Since then, Google has been in the driver’s seat of the connected car movement. There’s been buzz around Google’s efforts to produce self-driving cars for years, and the smoke signals only grew more prominent after Google moved its head of Android, Andy Rubin, to the robotics division of the company.

While the convenience of connected cars will no doubt increase their popularity, it’s important for manufacturers of all network-ready vehicles to remember the importance of security technology. As we wrote last year about connected cars, attackers don’t care what mobile endpoint they’re hacking – as long as it’s connected to the Internet, it’s a target.

Vehicles: Just One of Many ‘Things’ Hackers Can Target

Although I Am The Cavalry gained recent attention because of its focus on connected vehicles, the hacker coalition has taken a broader approach, by focusing “on issues where computer security intersects public life and human life.”

The group has also advocated for better security over other potential hacker targets, including medical devices, public infrastructure and home electronics. As the growth of the Internet of Things has shown, computer security now intersects public life at nearly every turn!

Among the proposals put forth by I Am The Cavalry in its Five Star Automotive Cyber Safety Program are “safety by design” and “segmentation and isolation” – essentially, that a vehicle’s computer systems are designed with security in mind from the start and kept separated from one another, so that a compromise of one (the infotainment unit, say) cannot affect the performance of another (the brakes).

Sound familiar? It’s the same principle as defense in-depth, which layers independent controls into a comprehensive, multi-tiered security infrastructure so that no single failure exposes everything. One of the first steps enterprises should take in building this infrastructure, so that a compromised connected device cannot reach the rest of the corporate network, is to implement a centrally managed VPN.

It doesn’t matter whether you’re using a VPN to secure a connected car, an employee’s phone or tablet, a smart sensor or some other Internet of Things device that relies on machine-to-machine (M2M) communication: the connection needs to be authenticated and encrypted before a device accesses the Internet or a corporate network and begins transmitting sensitive information.

What’s most important is that our collective ambition to improve technology isn’t surpassed by our ability to keep up with necessary cybersecurity mechanisms. In the case of connected cars, it’s probably best that we all “tap the brakes” and consider the security apparatuses that need to be in place before these next generation vehicles are on every highway in the country.



BadUSB Black Hat 2014

If awards were given out at Black Hat 2014, one nominee for “Exploit of the Conference” would have won in a runaway – the “BadUSB” exploit.

Researchers Karsten Nohl and Jakob Lell caused quite a stir in Las Vegas earlier this month, which quickly spread to the rest of the world of cybersecurity, when they showed how USB drives could be reprogrammed and transformed into portable malware carriers.

Nohl and Lell explained that because the controller firmware in many USB devices is reprogrammable, an attacker can make a drive masquerade as a different class of device. In one example, a USB stick is reprogrammed to present itself as a keyboard as well as a storage device; once plugged in, it types commands into the computer or installs malware, with no user action required.

And possibly the worst part of the vulnerability is that a user has no visibility into the firmware running on a USB drive, and the host computer cannot verify it either, so there’s no way to find out whether a drive has been tampered with. In the wrong hands, a BadUSB drive really is “scarily insecure,” as Nohl put it.
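Because the host cannot inspect a drive’s firmware, the practical defense is to distrust what a newly attached device claims to be rather than to scan it. The following is an added example, not code from the original post or from Nohl and Lell’s research. It implements the policy idea behind tools such as USBGuard: a device that presents a keyboard (HID) or network interface is not trusted just because it also looks like a flash drive, and only devices on an explicit allow-list may type. The device records, vendor/product IDs and serials are constructed for the example; on Linux the same interface class values come from `/sys/bus/usb/devices/*/bInterfaceClass`.

```python
"""Decide whether a newly attached USB device may be used, based on the
interface classes it advertises. Added example; the device records below
are constructed and the policy is an illustration, not USBGuard's code."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# USB-IF interface class codes (from the public USB class code table).
CDC_ETHERNET = 0x02   # network adapter; BadUSB variants spoof these to hijack DNS
HID = 0x03            # keyboard or mouse; the classic BadUSB keystroke injector
MASS_STORAGE = 0x08   # the flash drive the user thinks they plugged in

DeviceKey = Tuple[int, int, str]   # (vendor_id, product_id, serial)


@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: List[int]

    def key(self) -> DeviceKey:
        return (self.vendor_id, self.product_id, self.serial)


@dataclass
class Policy:
    # Only these devices may present a keyboard or network interface.
    # Keyed by (vid, pid, serial) so a look-alike with a different serial is refused.
    trusted_input: Set[DeviceKey] = field(default_factory=set)


def classify(dev: UsbDevice, policy: Policy) -> str:
    """Return 'allow', 'block' or 'review' for one attach event.

    Rules, in order:
      1. An untrusted device that can type or speak IP is blocked outright.
      2. A trusted keyboard/NIC that suddenly also exposes storage is held
         for review: its firmware may have been replaced.
      3. Anything else (plain storage, trusted keyboard) is allowed.
    """
    classes = set(dev.interface_classes)
    can_inject = bool(classes & {HID, CDC_ETHERNET})
    if can_inject and dev.key() not in policy.trusted_input:
        return "block"
    if can_inject and MASS_STORAGE in classes:
        return "review"
    return "allow"


def audit(devices: Iterable[UsbDevice], policy: Policy) -> Dict[str, str]:
    """Classify a batch of attach events, keyed by serial (empty serial -> 'no-serial')."""
    return {dev.serial or "no-serial": classify(dev, policy) for dev in devices}


if __name__ == "__main__":
    # Constructed sample inventory. IDs are illustrative, not a real allow-list.
    policy = Policy(trusted_input={(0x046D, 0xC31C, "KB-001")})
    seen = [
        UsbDevice(0x0781, 0x5567, "FD-1", [MASS_STORAGE]),        # ordinary flash drive
        UsbDevice(0x046D, 0xC31C, "KB-001", [HID]),               # the known keyboard
        UsbDevice(0x0781, 0x5567, "FD-2", [MASS_STORAGE, HID]),   # flash drive that also "types"
        UsbDevice(0x1234, 0x0001, "", [HID]),                     # unknown keyboard, no serial
    ]
    for serial, verdict in audit(seen, policy).items():
        print(f"{serial:10s} {verdict}")
```

The allow-list is keyed on the full (vendor, product, serial) triple rather than on product type, because a reprogrammed drive can choose any vendor and product ID it likes; without the serial, an attacker only needs to copy the IDs of a keyboard already on the list. Devices with no serial at all get no entry and are therefore always blocked when they claim an input interface.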

USB Drives are Repeat Cybersecurity Offenders

Long before Black Hat 2014, it’s been widely known that USB drives are not the most secure way to transfer data between devices. Convenient, yes. Secure, no.

Not only are USB drives easy to lose, but any device with a USB interface could potentially be affected by malware originating from a USB drive, including laptops and phones. As far back as July 2011, the Ponemon Institute found that 70 percent of businesses could trace data breaches back to USB drives.

Even the NSA found USB drives to be useful for espionage purposes. In December 2013, it was revealed that the agency had used a series of USB implants known as “COTTONMOUTH” to target adversarial networks. If the NSA is exploiting a vulnerability, then it’s probably an effective means of attack.

A World Without USB Drives?

Even if businesses understand the risk of using USB drives, they’re usually limited to making an all-or-nothing choice. In fact, in the Ponemon survey, more than one-third of enterprises said they used software to block all usage of USB drives by employees. Complementary measures like antivirus software also won’t fend off exploits like BadUSB, because antivirus scans the files on the storage volume, while the controller firmware that carries out the attack is never visible to the computer. It’s clear that USB drives are a threat, so surely a smarter approach would be to remove the need for employees to use them altogether.

If businesses want to allow their employees to work remotely, it’s better they require them to access and transfer files using a device that is connected securely to the corporate network via a VPN, instead of allowing them to use a USB drive to move data from one device to another. As soon as a USB drive is ejected from a corporate device, the information it contains is no longer protected by the umbrella of security offered by the corporate network, and enterprises no longer have control over who has access to the data or how the data is utilized.

If an enterprise utilizes a centrally managed VPN, employees can install a VPN client on their supported devices and operating systems and use it to access files anywhere, at any time. The enterprise also retains access control, limiting the information users can reach according to their roles and attributes. Additionally, if a user’s computer were infected with malware, the network administrator could revoke that user’s access as soon as the compromise was detected, preventing the malware from spreading through the network.

Now that Nohl and Lell have sounded the alarm about BadUSB, the hope is that enterprises will stop using USB drives and instead turn toward comprehensive network security and a defense in-depth strategy, including utilizing a VPN with central management. Hopefully, by Black Hat 2015, BadUSB will be just a distant memory.



It’s Time for Retailers to Tell Point-of-Sale Hackers to ‘Back Off’

It’s Groundhog Day all over again for retailers, following the U.S. Department of Homeland Security’s warning that they could, once again, be exploited by malicious actors.

Less than a year after hacks of Target and Neiman Marcus caught the attention of government investigators, and the whole country, Homeland Security is again weighing in on a hack targeting retailers.

This time, the culprit – “Backoff” – is a family of point-of-sale malware that scrapes payment card data from the memory of PoS systems, logs keystrokes and reports back to a command-and-control server, giving hackers free rein to steal customer credit card numbers and other personal information, like email addresses and phone numbers.

According to Homeland Security, malicious actors first brute-force the logins of remote desktop applications exposed to the Internet – such as LogMeIn, Join.Me, and similar solutions from Microsoft, Apple and Google – and then use that remote desktop access to deploy the PoS malware.

Once they’ve seized control of the desktop, attackers can run roughshod however they please. Variations of Backoff attacks have been traced back as far as October of last year with up to 600 retailers thought to have been affected.

Download a VPN Client or Install a Remote Desktop?

In its release, Homeland Security issued a number of network security solutions retailers can deploy to mitigate the risk of a Backoff attack – some more effective than others.

The first suggestion is for retailers to configure their remote desktop service so that specific users, or IP addresses, are locked out after multiple failed login attempts. Generally, but not always, the brute-force logins that precede a Backoff infection can be stopped this way.
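What that lockout rule looks like in practice is a count of failed remote logons per source address (and per account) inside a sliding time window. The following is an added example, not code from the original post or from the Homeland Security alert. It reads failed-logon records, keeps only remote-desktop logons, and returns the addresses and accounts that crossed the threshold, which is the list a firewall or account-lockout policy would act on. The log lines are constructed to resemble Windows Security event 4625 (“an account failed to log on”) exported as CSV; the column layout is an assumption for the example.

```python
"""Flag brute-force logons against a remote desktop service from failed
logon records. Added example; SAMPLE_LOG is constructed and its CSV layout
(timestamp,event_id,target_user,source_ip,logon_type) is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, Iterable, Iterator, List, Tuple

FAILED_LOGON = "4625"       # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"      # an account was successfully logged on
REMOTE_INTERACTIVE = "10"   # logon type 10 = RDP / Terminal Services session

# Constructed sample. 203.0.113.45 walks through likely PoS account names;
# 198.51.100.7 is a real user who mistyped a password once; the last line
# is a console logon (type 2) and is out of scope for this rule.
SAMPLE_LOG = """\
2014-08-22T02:14:01,4625,pos01,203.0.113.45,10
2014-08-22T02:14:03,4625,pos01,203.0.113.45,10
2014-08-22T02:14:04,4625,administrator,203.0.113.45,10
2014-08-22T02:14:06,4625,admin,203.0.113.45,10
2014-08-22T02:14:07,4625,pos,203.0.113.45,10
2014-08-22T02:14:09,4625,pos01,203.0.113.45,10
2014-08-22T02:30:10,4625,jsmith,198.51.100.7,10
2014-08-22T02:30:25,4624,jsmith,198.51.100.7,10
2014-08-22T03:00:00,4625,pos01,192.0.2.9,2
"""

Event = Tuple[datetime, str, str]   # (timestamp, target_user, source_ip)


def parse_failed_logons(lines: Iterable[str]) -> Iterator[Event]:
    """Yield only failed remote-desktop logons; successes and console logons are ignored."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, ip, logon_type = line.split(",")
        if event_id == FAILED_LOGON and logon_type == REMOTE_INTERACTIVE:
            yield datetime.fromisoformat(ts), user, ip


def _first_to_exceed(events: Iterable[Event], key: Callable[[str, str], str],
                     threshold: int, window: timedelta) -> Dict[str, datetime]:
    """Sliding-window count per key; records the time each key first hit the threshold."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ts, user, ip in events:
        k = key(user, ip)
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and k not in flagged:
            flagged[k] = ts
    return flagged


def find_brute_force(events: Iterable[Event], ip_threshold: int = 5,
                     user_threshold: int = 10,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, Dict[str, datetime]]:
    """Return {'ip': {...}, 'user': {...}}: sources and accounts to lock out, with the
    time the threshold was first crossed. Per-user thresholds are normally looser
    than per-IP ones so a single forgetful employee is not locked out by mistake."""
    evs: List[Event] = list(events)
    return {
        "ip": _first_to_exceed(evs, lambda u, i: i, ip_threshold, window),
        "user": _first_to_exceed(evs, lambda u, i: u, user_threshold, window),
    }


def lockout_list(log_text: str, **kwargs) -> Dict[str, Dict[str, datetime]]:
    """Convenience wrapper: raw CSV text in, lockout decisions out."""
    return find_brute_force(parse_failed_logons(log_text.splitlines()), **kwargs)


if __name__ == "__main__":
    for scope, hits in lockout_list(SAMPLE_LOG).items():
        for name, when in hits.items():
            print(f"lock out {scope} {name} (threshold crossed at {when.isoformat()})")
```

Two caveats a practitioner would add. First, this rule only sees what is logged, so if the remote desktop tool writes to its own log rather than the Windows Security log, the parser has to be pointed there. Second, an attacker who spreads attempts across many source addresses stays under the per-IP threshold, which is why the per-user count is kept as well, and why the post goes on to argue that lockouts alone are a bandage rather than a fix.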

The problem is that denial of access is only a bandage solution. We’ve written it before and we’ll say it again – LogMeIn is not a viable Virtual Private Network (VPN) alternative. Remote desktop solutions create an environment in which user convenience trumps network security, and this convenience is what has made retailers so susceptible to remote desktop attacks.

Although downloading a VPN client creates a more secure network environment than installing a remote desktop service, while still providing user convenience, doing so doesn’t by itself mitigate the threat of Backoff or any other retail PoS attack. In fact, there is never one technology that neutralizes all threats, all the time.

Where we do agree with Homeland Security is in its support for two-factor authentication. As its release says, “even if a virtual private network is used, it is important that [two-factor authentication] is implemented to help mitigate keylogger or credential dumping attacks.” Put simply, two-factor authentication adds another hurdle and makes it harder for hackers to get what they want. This is the same reason we also support the department’s suggestion to update antivirus systems. It’s all about building redundancy into a network security infrastructure and instituting defense in-depth.

Together, the best security technologies such as up-to-date antivirus software, restrictive firewalls and secure VPNs, and employees who are savvy with network security create redundancy in a network security infrastructure and keep hacks like Backoff on the outside looking in.

