The Cloud is Covered: VPNs Enhance Data Security in the Cloud

Cloud computing not only introduces a new level of flexibility for enterprise IT services, but it often improves data security, too. A cloud provider that has to adhere to stringent privacy and compliance regulations typically has more know-how and access to more resources than a small- or medium-size company. But it is just not possible to rely on a cloud provider for every aspect of data security. In the end, the company is responsible for its own data. Many aspects of data security are beyond the purview of the cloud provider, but at least it is responsible for checking all certificates and knowing which ones are relevant. However, all basic security measures are the responsibility of the company. Among them is the protection of the data-in-transit between the company’s LAN and the data center in the cloud. The easiest way to ensure this protection is to use a location-to-location VPN tunnel. If a VPN solution is already being used, the company has to make sure there aren’t any compatibility issues between its VPN gateway and the gateway at the cloud provider’s site. The VPN standards IPsec and SSL have been in use for many years and are tried and trusted, greatly reducing the potential for trouble. Usually the cloud data center provides a virtual machine on which the company installs another instance of its VPN gateway solution. Major solution providers like Microsoft Azure, Amazon Web Services and Google Compute Engine provide extensive how-to guides and online manuals explaining how to assure compatibility with a VPN. Most providers even relieve the customer of that process by offering a turnkey, managed...

Mobile World Congress: E.ON Achieves Secure Remote Access with Samsung, NCP

Last month, Samsung hosted one of the largest, most-visited booths at Mobile World Congress in Barcelona – and rightfully so. The company chose the world’s largest mobile industry trade show to launch its newest phones, the Galaxy S6 and S6 Edge, to the 93,000 industry influencers in attendance. Samsung also hosted an Enterprise Mobility Showcase, where guests could “hear [Samsung’s] business strategy with key strategic partners, and meet the industry opinion leaders who are working with them.” NCP engineering is proud to have been one of those featured partners. As part of that presentation, Samsung revealed a case study exploring how it developed a secure smartphone – the KNOX – that could be used by officials from E.ON, a German electric utility. NCP’s role involved outfitting the phone with one of its most important elements – secure remote access capabilities. Because of the sensitive nature of the information passing through those devices, and the fact E.ON supplies critical infrastructure to Germany, Samsung and NCP had to follow stringent requirements laid out by the Federal Office for Information Security (BSI), the German national security agency. The BSI lists several factors for secure mobile communication, all of which Samsung and NCP had to abide by, including: secure digital identity certificates issued by a trust center per system/user; all security operations in the device based on this digital identity; secure two-factor authentication; encryption of all stored local data; secure data communication between the mobile device and the related server; a secure boot process; and a controlled process for installing additional software (digital signature). The Samsung KNOX meets these requirements through integrations with etaSuite, which provides...

SXSW: Three Cybersecurity, Remote Access Takeaways from Austin

The South by Southwest (SXSW) Interactive Festival wrapped up last week in Austin, Texas, where 65,000 industry movers and shakers learned about some of the most innovative technology expected to hit the market over the next few years. What was on the minds of presenters, panelists, and attendees alike? “The Future” – all of its possibilities and its promise. Given all of these technology advancements, it makes sense that some of the panels and conversations happening in Austin took on a more cautious tone and focused on the surrounding cybersecurity concerns. We’ve identified three panels from SXSW that addressed cybersecurity directly – or brought to light security issues that weren’t on the agenda – and provide these lessons for each.

1. ‘Everything is Connected, Everything is Vulnerable’

Marc Goodman is hardly the first network security expert to predict that cyberthreats will become increasingly pervasive and damaging in the coming years. But few people have gone into such detail about these threats, as Goodman did during his SXSW panel, “Future Crimes of the Digital Underworld.” Goodman, the author of “Future Crimes: Everything Is Connected, Everyone Is Vulnerable,” brought with him to Austin a laundry list of possible new targets for hackers, including but not limited to Internet of Things devices like pacemakers, baby monitors, insulin dispensers, and even drone aircraft. He warned, “We’re not going to solve these problems by burying our heads and pretending they don’t exist.” For network administrators, that means acknowledging that these devices could enter their workplace, and then taking steps to neutralize any threat they may pose. As we’ve written before when discussing the Internet...

Open Haus: Wi-Fi and Seamless Roaming for Mobile Workers

When you hear the term “mobile worker,” what image comes to mind? Is it the employee who is constantly taking their laptop into different corners of the office, working from their desk, conference rooms and couches? Or is it the “road warrior” executive who works from airports, trains, cafés, hotels and anywhere else she can find a Wi-Fi or 3G/4G connection? Whatever you picture, the fact is that mobility is now a key expectation of many employees. Those who work from laptops, tablets and other mobile devices need to be certain that the technology they depend on is able to follow them from place to place, without any service interruption. As an example, remote workers often use a VPN to securely connect to their corporate network, no matter their location. But what happens if their network connection changes? Imagine an employee who works on her laptop while commuting by train, but constantly loses her Wi-Fi connection as she travels. You’d think that every time the network connection switches between Wi-Fi and 4G, she would need to log into her VPN. The employee would get frustrated and not be nearly as productive. To avoid this scenario and others that impede mobile working, NCP engineering developed two key additions to its Remote Access VPN solution – Wi-Fi roaming and seamless roaming. With these features, the VPN tunnel connection is constantly maintained without disrupting the user’s computing session, even if their network connection changes. Here’s how these two features enhance NCP engineering’s Remote Access VPN solution:

Wi-Fi Roaming

Say a remote worker moves within the range of several wireless access points using...

How to Manage Secure Communications in M2M Environments

For all the talk of the Internet of Things (IoT) and machine-to-machine (M2M) communications making our lives easier, there always seems to be a cautionary tale involving security of these devices around every corner. Take self-driving cars – something it seems like almost everyone would want. That is, until last summer, when the cybersecurity community raised a red flag around connected cars, and the possibility that hackers could tap into a vehicle’s network and disrupt its operating system. The same concerns have followed connected televisions. As of a year ago, smart TVs had taken over about one-third of the flat-screen television market. Then, just last week, news outlets picked up on the possibility that Samsung’s smart televisions could effectively “eavesdrop” on conversations, and that the company could then pass that information along to third parties. Although these specific examples are recent, questions about network security in M2M communications and the IoT are not new. ZDNet flagged the issue back in January 2013, in an article that posited security concerns could prevent M2M from reaching its full potential. Although M2M communications have actually been common for decades, they have never before been quite as widespread as they are now, and they now communicate over the open, public Internet, versus being confined to limited, secure networks. As NetIQ’s Ian Yip told ZDNet, in many cases security is an afterthought – it is something that is a “retrofit” to M2M. This is a mistake. Security needs to be considered from the very beginning. M2M security is already difficult enough, as human beings aren’t even part of the communications process....

Europe: More than Just ‘Stumbling Forward’ to Improved Cybersecurity

Two years ago almost to the day, months before cyberattacks entered the world’s collective consciousness, the European Union took the bold step of publishing an ambitious cybersecurity strategy. The strategy aims to outline the best path forward for identifying and responding to emerging digital threats. Orchestrators of the plan, “An Open, Safe and Secure Cyberspace,” believed that it would be a central step towards creating an environment in which the digital economy could thrive, having so far been largely isolated from attacks but known to be vulnerable. As the European Commission’s Catherine Ashton said, “For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline, should also apply online.” Since its inception in 2013, the EU’s Cybersecurity Strategy has focused on five pillars, namely: achieving cyber resilience; reducing cyber crime; building cyber defense policies; deploying new cybersecurity technologies; and creating a central international cybersecurity policy. Even in this short period of time, significant strides have been made towards adoption. The NIS Directive has been a cornerstone piece of legislation resulting from the plan. It requires EU member states to adopt a national strategy that “sets out concrete policy and regulatory measures to maintain a level of network and information security.” The Directive also requires private entities to disclose major cyberattacks. As Defense One points out, this amount of progress is no small feat, as institutions within the EU generally “stumble forward” because of the fragmentation that is inherent to the union. In the case of the Cybersecurity Strategy, three separate EU institutions – the Directorate General for Home Affairs, the European Council and European External Action...

White House Turns Attention to Cybersecurity

Cyberattackers and hackers operate in the shadows, lurking away from where conventional law enforcement can easily identify and investigate them. They prefer secrecy and anonymity. But they may not have that luxury any longer – not since the federal government and the White House, specifically, have escalated their focus on cybersecurity. First, President Barack Obama addressed the issue during his State of the Union address earlier this month, declaring, “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” To back up his comments, the president also submitted a budget proposal that allocates funding toward combating cyberattacks. In the initial proposal, the president called for cybersecurity spending to increase by 10 percent to $14 billion – all in an effort to improve detection of and response to the kinds of massive attacks that have plagued both the public and private sector over the last year. Specifically, the budget proposal calls for: improved data sharing; increased monitoring and diagnostics of federal computer networks; more widespread deployment of the EINSTEIN intrusion detection and prevention system; government-wide testing and incident-response training; and new teams of engineers and technology consultants. In the White House’s explanation of these budget items, it said, “Cyber threats targeting the private sector, critical infrastructure and the federal government demonstrate that no sector, network or system is immune to infiltration by those seeking to steal commercial or government secrets and property or perpetrate malicious and disruptive activity.” The cybersecurity community has largely lauded the budget and the government’s increased attention to the issue,...

Two-Factor Authentication Transforms Even ‘123456’ Into a Secure Password

Since 2011, the same two passwords have ranked as the most common (and worst) among users. Care to take a guess as to what they are? You don’t have to be a savvy hacker to figure them out – “123456” and “password” have again topped the list this year. The good news is the prevalence of these two passwords in particular has fallen quite a bit, from 8.5 percent of all passwords in 2011 to less than 1 percent now. As a password to an individual’s Facebook or Tumblr account, these are probably adequate. The accounts they’re “protecting” are low-profile, unlikely targets, and hackers wouldn’t really gain much from breaking into them anyway. It’s a different story when a user sets up a work-related email or credit card account – much more likely targets of attackers – using these easy-to-crack passwords. Instead of using brute force and repeatedly trying passwords, hackers barely have to break a sweat or exert any effort. They can simply type in “1-2-3-4-5-6” or “p-a-s-s-w-o-r-d” and they’ll be granted entry on their first try. A gold mine of information suddenly materializes right at their fingertips. At first glance, network administrators appear to have a few different courses of action to prevent these types of weak passwords and shore up their network security. They could try employee education – teaching their workforce best practices when it comes to setting up their credentials. Or they could provide them with tools that both randomly generate secure passwords and then store them securely for easy recall. The problem with each of these solutions is that they’re really just temporary...

Battlefield Mobile: Threats Targeting In-Motion Endpoints Climbed in 2014

By now, cybersecurity veterans are well-versed in the most common attack vectors exploited by hackers to breach their corporate networks. Brute force attacks, phishing schemes, SQL injections – they’re all proven attack methods that network administrators prepare for and defend against. But what about the next frontier? What attack vectors and endpoints do hackers now think are most vulnerable? It starts with mobile devices. They look like the perfect target to many attackers, who think that they can exploit the fact that so many connections over these endpoints go unsecured and that these devices are so popular with employees – 74 percent of organizations use or plan to use BYOD. In addition to mobile, another frontier could be devices that rely on machine-to-machine (M2M) communications, which create a scenario where human beings are entirely removed from the equation. As this small, isolated group of attack targets grows, network administrators need to be ready to fight back wherever hackers go, whether that’s on the mobile, M2M or some other battlefield.

The Next Trends in Cybercrime

The landscape of cyberthreats network administrators must be aware of is ever-evolving with the advent of new technologies and new criminal strategies. While there’s consensus in the security industry that mobile attacks will only increase in the coming years, the current prevalence of these incidents is really in the eye of the beholder. Only about 15 million mobile devices were infected by malware midway through 2014 – an infection rate of less than 1 percent. On the other hand, in the last year, mobile malware attacks did increase by 75 percent, off the back of...

The Risk Within: Could an Ex-Employee Be Responsible for the Sony Hack?

One month ago, we asked, “What network security lessons can we learn from the Sony attack?” Since then, new information has been slow to trickle out, save for the FBI’s mid-December statement that assigned responsibility to the North Korean government. Despite the seeming finality of that announcement, many in the cybersecurity community are still not convinced of North Korea’s sole culpability. In fact, some have even gone as far as to construct counter-narratives to identify the responsible parties. One of the more vocal opponents of the FBI’s North Korea theory has been Norse, a cyber-intelligence provider. Kurt Stammberger, the company’s senior vice president, recently laid out his case to the Huffington Post as to why he thinks that internal factors – specifically, an ex-employee of Sony – may have been central to the breach. As Stammberger detailed, the malware deployed in the hack contained Sony credentials, server addresses and digital certificates. He said, “It’s virtually impossible to get that information unless you are an insider, were an insider, or have been working with an insider.” While this evidence is compelling by itself, even if an insider is ultimately found not to have been involved in the attack, Norse’s assertion has already provided those in IT and cybersecurity with plenty to think about when it comes to the damage ex-employees can do on their way out the door.

The Risks Inherent to Network Privilege

On employees’ first day at work, IT departments provide them with all the tools they’ll need to do their jobs – the devices themselves, the necessary access credentials, remote access capabilities and more. The problem is, once...

Ex-Employees: All the Best, But Can We Have Our Personal Emails Back, Please?

It doesn’t matter if employees leave a company on unpleasant terms or quite amicably – it is absolutely essential that enterprises have solid, well-defined termination processes in place, and that they’re followed to the letter. In their final days at a company, employees can demand various personal documents, depending on local regulations. A final paycheck and unclaimed vacation days also need to be sorted out. A smooth termination process is a good business practice and documenting it in a written agreement, signed by both parties, helps to avoid misunderstandings. Putting this type of process in place is inexpensive, and in the long run costs nothing at all. A well-defined process also contributes tremendously to the overall integrity of the corporate network security structure, in that companies that follow these processes drastically reduce the danger of sensitive information being leaked whenever an employee leaves the company. As part of the termination process, employees should confirm they have read and deleted all private emails on the company’s servers, are no longer storing private data in the LAN, have transferred all personal data, e.g. phone numbers, videos, photos and text messages, from company-owned mobile devices, and that all other private information has either been deleted completely or transferred to a private data storage device. It’s also important that both sides acknowledge the handover of all private data and that no more data is residing on the company’s servers. In Germany, where employers are granted full ownership of email, failure to do so could create legal repercussions for companies. As a decision by the Higher Regional Court Dresden (4 W 961/12) explains,...

The Holidays Bring Both Cheer and Fear to Network Administrators

Almost one year ago to the day, the “most wonderful time of the year” became anything but for millions of Americans when news of the Target data breach broke. Not only did that attack force us all to think twice about how our digital information is managed, it forever changed the network security landscape and put IT administrators in a perpetual state of high alert. This holiday season, having suffered through a full year of attack after attack, network administrators have battened down the hatches even further, living in constant fear that their organization could become the next target of hackers. The silver lining is that these attacks have forced IT departments to re-evaluate their internal security policies, and at least raise awareness of how crucial the infrastructure necessary to protect their organizations is – if not actually put it in place. But despite now having a better understanding of the landscape of cyberthreats and vulnerabilities, as well as having shored up their cyber defenses, IT departments must remain vigilant towards the potential cyberthreats lurking in the shadows this holiday season. From the new technologies employees receive as gifts, to the vulnerabilities that could arise from employees accessing the corporate network remotely, there’s plenty for network administrators to be preoccupied by this time of year.

New Gifts, New Threats?

For a few holiday seasons now, mobile devices, Internet of Things trinkets and wearable technology have been at the top of consumer gift lists. They’re popular nearly to the point of ubiquity, which is actually bad news for the network administrators who have to account for employees connecting these...

What Network Security Lessons Can We Learn from the Sony Attack?

Hollywood is a place that can be driven mad by star-studded gossip, where the talk of the town is rarely private and where people are accustomed to their secrets not staying secret for very long. Yet, this state of play hasn’t made it any easier for the victims of last month’s cyberattack against Sony, carried out by shadowy assailants calling themselves the Guardians of Peace. As the public knows by now, it seems as though the attackers spared nothing in their initial leak of 27 gigabytes worth of data. They released the type of information that seems to be exposed after seemingly every corporate hack, from the personal information of employees to the company’s classified assets, which in this case even included the script for an upcoming James Bond film. But that wasn’t all. They also exposed the kind of information unique to an entertainment giant like Sony – the lurid Hollywood gossip, revelations of celebrity aliases and even off-the-record studio executives’ opinions about some of today’s box office smashes.

Sony’s Imperfect Network Security History

So how could this have happened? Although the finger-pointing has been ongoing since the attackers revealed themselves to Sony employees at the end of November, what’s clear is that the malware used by the Guardians of Peace was undetectable by antivirus software, and, as is often the case with attacks as broad as these, human error within Sony – passwords that were both easy to crack and stored in a file directory marked “passwords” – may also have been a factor. Unfortunately, these aren’t new criticisms of the company. Sony’s network security defenses, from...

The Trouble with the Endpoint

Much to the dismay of network administrators, IT security today is complex and multi-faceted, from the varied attack vectors to the different types of attackers themselves. But there is always one constant: the endpoint. When those endpoints are attacked, and end users cannot access services, data and applications, it is futile for a business to even host and offer them. The client, that is the device, not the human being using it, has undergone enormous changes over the last decade, thereby putting the burden on IT professionals to evolve their networks accordingly. The PC, with Windows 95, was the starting point. Next came myriad Microsoft operating system updates, followed by new form factors like tablets and smart phones, which introduced a whole new dimension. With each new client, the applications changed as well. Browsers and apps opened up unfamiliar, sometimes encrypted, and sometimes proprietary, data channels, from the Internet right down to the file system. And of course, attackers have kept track of those changes and adapted their methods accordingly over the years. To cope with these ever-evolving forms of attack, network administrators developed innovative defense mechanisms. Classic anti-virus tools were followed by sandboxes that tried to detect and block malware by offering these programs a limited, simulated runtime environment. The most recent approach uses micro-VMs, which try to contain malware within the kernel process level. Additionally, businesses now use a whole arsenal of security measures, ranging from the humble password to two-factor authentication, firewalls and encryption, to name but a few. And nothing is wrong with these measures. After all, an endpoint that uses anti-virus software is better...

3 New Year’s Resolutions for Network Administrators

Although it’s been a historically troubling year for the cybersecurity community, the advantage of a new year is that network administrators can make a fresh start. The end-of-year Sony hack has brought even more mainstream attention to network security – not to say that a full year of prominent attacks didn’t – and this increased awareness should lead to healthier IT security budgets and more resources to prevent the next attack. When network administrators get back to work in 2015, here are three New Year’s resolutions they should focus on:

1. Take Back Control with Remote Access Central Management

As IT administrators know all too well, employees often perceive a see-saw effect between their productivity and the degree of restrictions placed on the technology they use day-to-day. The fewer restrictions, the easier their jobs become, and vice versa. So, how can IT departments find middle ground? The answer is to selectively limit the ability of employees to access and share certain information. Unfortunately, as a report by the Ponemon Institute found, 80 percent of IT administrators say their companies do not enforce a “need-to-know” data policy. This is despite the fact that, as the report said, “An organization that reduces the amount of data employees have access to … and streamlines their processes for granting access will likely benefit from more productive employees.” The New Year’s lesson here for network administrators is to take back some power from employees. Just as some of the most common New Year’s resolutions focus on regaining control of some aspect of your life, whether that’s financial (reducing debt), social (planning a vacation), or...

The Three Human Failures Behind Remote Access Shortcomings

Whenever news of a network security breach reaches the public airwaves, observers are quick to assign blame to some combination of technological shortcomings and human error that allowed an attacker to slip through the victim’s cyber defenses. When it comes to remote access in particular, network security is even more dependent on technology like VPNs, and employees who do their part and follow company protocol. Unfortunately, network administrators often find themselves in a position where, due to human imperfection, remote access technology is the constant that protects their network. Here are the three types of people who are guilty of common, understandable human errors that network administrators need to have on their radar, and try to protect against, as they build a network security infrastructure:

The Strained IT Pro

Information security professionals are modern-day gladiators, fighting back against complex network security threats, internal and external, as quickly as they form. Yet, as a Ponemon Institute study revealed earlier this year, many IT departments are overburdened as they try to defend against all of these threats at once. The problem is actually two-fold: a dearth of talent to fill positions (according to the study, 70 percent of the organizations say they do not have sufficient IT security staff) and turnover in security positions that can be filled (CISOs leave their positions, on average, after 2.5 years). The result is that IT departments, despite their best efforts, cannot defend against every attack, particularly as cyberattackers diversify and expand their efforts in the coming years.

The Oblivious Employee

For companies that lack a consistent frontline defense by their IT staff, employees are next...

Cyber Threats in 2015: New Attack Vectors, More Severe Incidents

One year ago today, Target was gearing up for Black Friday sales and projecting a strong end to the year. That was the company’s primary focus. The same could be said for Neiman Marcus and Home Depot. And no one had even heard of Heartbleed or Shellshock yet. Needless to say, much has changed in the last year. If 2014 ends up going down in the history books as the “Year of the Cyberattack,” then what does 2015 have in store for network administrators? We’ve already started to see the predictions roll in, the first coming from the report, “The Invisible Becomes Visible,” by Trend Micro. The report paints the new network security threat landscape as becoming much more broad and diverse than it has ever been, evolving beyond the advanced persistent threats (APTs) and targeted attacks that have been the favorite weapon of hackers. Trend Micro CTO Raimund Genes told InfoSecurity that cyberattack tools now require less expertise to use and don’t cost as much. He listed “botnets for hire … downloadable tools such as password sniffers, brute-force and cryptanalysis hacking programs … [and] routing protocols analysis” as just a few of hackers’ new favorites. Given these new threats, how can network administrators shore up their network security for 2015 and beyond?

The ‘Three-Legged Stool’ of Network Security

As network administrators build out their network security infrastructure, it’s best to focus on the so-called “three-legged stool” approach – prevention, detection and response. Network security cannot be limited to simply installing prevention measures and hoping for the best. Why? Because there is no one universal, surefire way...

7 Security Threats You May Have Overlooked

If there’s been a silver lining to the string of devastating cyberattacks against some of the biggest organizations in the world over the last year, it’s that the list of “what not to do” has continued to grow, putting other companies on notice. If you use a third-party vendor, for example, make sure their networks are just as secure as your own. When there are known security vulnerabilities, reconsider using end of life operating systems like Windows XP on your devices. These are some of the most prominent recent lessons, but there are plenty of other threats to network security lurking just below the surface. And these are the vulnerabilities that attackers will look to exploit. After all, why would they target a well-defended vector when there may be an easier point-of-entry somewhere else? That would be like a burglar trying to break down a locked door, instead of checking first to see if maybe a window was left cracked open. In today’s business environment, the list of overlooked network security threats is endless. Information security professionals are modern-day gladiators, tasked with defending corporate data and networks against both known and unknown threats, but no matter how skilled they are, there will always be new threats to their networks. Here are seven to think about:
1. Rogue Employees
2. Delayed Device Deprovisioning
3. A Single, Vulnerable Security Vendor
4. Out of Date Software
5. Failure to Adapt to New Technology
6. Security Solutions and Policy Misalignment
7. Shadow IT

Most working environments would be lucky to be vulnerable to only one of these. The reality is,...

Remote Access No More: Reddit Requires Worker Relocation Before End of Year

Even just a decade or two ago, it would have been unfathomable to think that sometime in the near future, workers would be upset that their employer was requiring them to work in the same office as the rest of their team. Then again, so too would the concept of BYOD and the idea that workers would even have the option to work remotely, from home offices and coffee shops, without missing a beat. But, that’s exactly what happened last month, when Reddit, the self-proclaimed “front page of the Internet,” announced that its employees would soon be required to work out of its San Francisco headquarters, or face termination. Reddit CEO Yishan Wong described the change as one designed to “get the whole team under one roof for optimal teamwork.” No surprise there, really – you usually hear some variation of that line from executives who scrap remote work policies. It’s the same reasoning we heard from Yahooites when that company made similar changes to its remote work policy nearly two years ago, citing the need for “working side-by-side” to spur communication and collaboration among employees. Critical reaction from Redditors and others in the tech community has been just as swift and decisive as it was against Yahoo in early 2013. Yet, for every Reddit and Yahoo that bucks the trend toward remote work, there are plenty of other examples of companies that have embraced remote work with great enthusiasm. All Remote, All Rewards Automattic, the web development company behind WordPress, only has about 300 employees. For a technology business, that’s hardly a blip on the radar, when compared... read more

Healthcare Data Today: In Motion or Out of Control?

From October 2009 through the present day, one industry alone has reported 900 different breaches. And none of those 900 were limited in their scope – in each, at least 500 individuals were affected. Who knows how many other smaller breaches happened without public knowledge? The industry we’re describing probably isn’t any of the ones you might guess – maybe retail or financial services – it’s the healthcare industry. And we can be absolutely certain that the numbers really are this high because the healthcare providers are required by law to disclose any breach affecting 500 or more individuals. Since the HITECH Act of 2009, the U.S. has been grappling with how best to adopt new technology like electronic health records and telemedicine tools. The challenge is always to improve patient care without jeopardizing patient privacy. For that reason, the Department of Health and Human Services is now responsible for reporting breaches to the public. It doesn’t matter whether the breach is the result of negligence involving an inadequate remote access policy or the theft of a laptop – all major incidents are reported. Healthcare information is particularly valuable to attackers because it can lead to even more lucrative data, such as bank account information or prescriptions that can be used to obtain controlled substances. Yet, these incidents involving healthcare providers aren’t the ones making national headlines. Usually, widespread public panic involving network security is reserved for high-profile breaches of retailers and financial providers instead. The silver lining is that every time another Target or Home Depot is attacked, retailers are again reminded that they could... read more

Why Two-Factor Authentication is Too Important to Ignore

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time. On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach.  Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts. Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that... read more

When Remote Access Becomes Your Enemy

As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used. This arrangement makes sense: It saves enterprises time and money. Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities. In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician. About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only remote access users were affected. Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server data through a remote access point. Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software. It’s clear that these attacks and vulnerabilities are all part of a trend –... read more

Shellshock Leaves Deep Impact on Network Security

For the last 30 years, a common line of code found in a piece of software has quietly been a dormant security vulnerability – but now, news of the exploit has gone public, sending the network security community into reaction mode. The Shellshock vulnerability can be traced back to Bash, a command shell that is commonly used across the Internet on Linux and UNIX platforms. Bash translates user commands into language a computer can understand and then act upon. In the case of Shellshock, hackers could exploit Bash by issuing arbitrary software commands, potentially allowing them to control systems. In the immediate aftermath of Shellshock’s discovery, security experts claimed the exploit had surpassed last spring’s Heartbleed as the worst software vulnerability of all time. One reason is that Shellshock’s reach could be even greater than the Heartbleed vulnerability, which only affected software using the OpenSSL encryption protocol. Shellshock’s reach could even extend to Internet of Things devices, since their software is built on Bash script. For the last few weeks, website administrators have been making the necessary updates to protect users. Within a week of the vulnerability going public, Amazon, Google and Apple responded with patches and internal server updates. Even so, it will take some time for the fallout from Shellshock to subside. The Year of the Cyberattack Continues This year has not been kind to the network security community. Although the Target breach occurred in 2013, the fallout has continued well into this year. Then came attacks at Neiman Marcus, eBay and, just last month, Home Depot. And, of course, Heartbleed and Shellshock. Even in the last... read more

Network Security for CIOs: A Marathon or a Sprint?

The crack of the starting gun has very different meanings for runners, depending on the distance of their race. To marathoners, it means to start conserving their energy as they take the first step in their 26.2-mile journey. To sprinters, the starting gun is a signal to channel all of their physical and mental ability toward completing one goal that is only seconds and a handful of meters away. Perhaps that’s why we always hear “it’s a marathon, not a sprint” – most goals are far away, and they require focus to be met. But maybe this is unfair to sprinters. After all, if the average person were asked to name a runner, he or she would be more likely to say Usain Bolt – the fastest man in the world and, by the way, a short-distance runner – than the most recent winners of the Boston Marathon. The world of IT is going through the same transition, away from the traditional support of “marathoning” to meet goals. Technology has evolved to the point where it’s often pure speed – not slow-moving, deliberate execution – that IT departments need to thrive. David Wright, CIO of McGraw-Hill Education, has seen the transition first-hand. He said that the “innovation tempo” has increased for his company as the market has changed. Although Wright’s comments are generally about IT as it relates to product development and other customer-facing activities, the takeaways extend into other realms of IT, including network security. Learning to Jump Hurdles For CIOs, network security isn’t so much about the speed vs. distance analogy. A CIO really needs the best... read more

Industry 4.0: Flexible Production Needs Secure Networking

As we sit on the edge of the fourth industrial revolution, businesses are preparing for sweeping technological changes that will impact their production. Governments around the world, particularly Germany, through its Industry 4.0 initiative, have tried to help businesses anticipate these changes. Simply put, Industry 4.0 will help enterprises adjust their production processes very quickly. The idea is to move away from the conventional approach of production facilities serving only one specific purpose. Greater flexibility will be achieved through modularity and extremely high connectivity, based on IP standards for all components. This is a first for the industrial sector because, up to this point, industry-specific protocols, media and controls have been utilized. With Industry 4.0, IP addresses, routers, switches and Ethernet will find their way onto the factory floor and into assembly shops. Along with cost considerations, the reason Industry 4.0 focuses on IP technology is the public’s experience with it. Hardware, software, and management approaches are constantly being enhanced by IP technology, which has been available for years. IT security technology offers compliance, standards and frameworks, as well as a variety of products for enterprises to choose from. Up until now, only a few enterprises have put Industry 4.0 initiatives in place in their organizations. These pioneers include financially strong enterprises in highly competitive markets, such as those in the automotive industry. Hopefully, the implementation of Industry 4.0 initiatives will be based on the wealth of experience from the traditional IT industry, especially where security is concerned. When IT departments are not consulted, gaps in network security could appear. Already, there are some examples of remote access points,... read more

No Quick Fixes for Home Depot After Record Cyberattack

Home Depot fixes America’s household problems. If you’re planning a do-it-yourself project, whether it’s repairing a leaky faucet or installing new linoleum flooring, you’re probably going to visit a Home Depot to buy your materials or get some advice. America’s largest home improvement retailer seems to have a repair for everything, but after news that its payment systems had been breached, Home Depot has a lot of work ahead to get its own house in order. It faces a long road as it repairs its reputation, its relationships with customers and its network security. In what the New York Times speculated could be the “largest known breach of a retail company’s computer network,” a massive breach affected more than 2,000 Home Depot locations in the U.S. and Canada between April and Labor Day, exposing the credit card information of an estimated 60 million customers. These are unprecedented numbers, topping the infamous Target breach of last holiday season. By comparison, that attack did not last as long (three weeks), affected fewer stores (about 1,500) and resulted in fewer victims (40 million). The information security press has been quick to criticize Home Depot for its handling of the advanced persistent threat (APT) attack, particularly for its slow response. Eric W. Cowperthwaite, vice president of Core Security, told the Times, “This is not how you handle a significant security breach, nor will it provide any sort of confidence that Home Depot can solve the problem going forward.” Lessons from the Target Breach In KrebsOnSecurity’s original report of a possible breach earlier this month, Brian Krebs reported that Home Depot registers had... read more

Who Will Foot the Bill for BYOD?

The concept of “Bring Your Own Device” seems so simple. Employees can just tote their personal phone or tablet with them to the office – which they’re probably doing anyway – and use it for work. Or, they access the corporate network remotely, from home or while on-the-go. BYOD and remote access have always seemed like a win-win arrangement – employers pay lower hardware costs and employees gain convenience. Of course, it’s never really been that simple or straightforward. And now, following a ruling by the California Second District Court of Appeal, BYOD looks poised to become even more complicated. Last month, the court ruled that companies in the state must reimburse employees who use their personal phones for work purposes. Specifically, the ruling covers voice call expenses, and reimbursement is not contingent on an employee’s phone plan – even if the employee has unlimited minutes, for example, the employer must reimburse a “reasonable percentage” of the bill. The consensus in IT circles is that the ruling muddies the water around BYOD. Now that there’s a legal precedent for voice call reimbursement, mandatory data reimbursement could be the next shoe to drop. And why wouldn’t it? Americans rack up more expenses for mobile data consumption than they do for voice calls. Should the law evolve, and if the California ruling sets a national precedent for other states, many companies may find BYOD no longer saves them that much money. DataHive Consulting’s Hyoun Park has said that the ruling would be a “deal killer” for many companies, while Forrester Research’s David Johnson told Computerworld that BYOD could now be “sidetracked”... read more

The Next ‘Black Swan’ Event: A Cyberattack?

Sprinkled throughout the course of history are flashpoints that were as unexpected as they were far-reaching. Catastrophic events like the September 11 attacks come immediately to mind, but so too does the birth of the Internet and the rise of Google. These unprecedented, unpredictable events were given a name in 2007 by author Nassim Nicholas Taleb – black swans. In his book, “The Black Swan: The Impact of the Highly Improbable,” Taleb explains how, in the aftermath of these events, we try to find bread crumbs that could have possibly predicted the event. It’s human nature. That’s why people are always so eager to determine what the next black swan will be, so that they can help spare the world some surprise when one does finally strike. The latest prediction comes from Chairman Greg Medcraft of the International Organization of Securities Commissions (IOSCO), who said: “The next black swan event will come from cyberspace. It is important that we pay attention.” Threats of a Different Color At first, it would seem as though Medcraft’s prediction isn’t all that surprising. How could it be, six months after President Obama announced new cybersecurity initiatives and, in the process, called network security threats “one of the most serious economic and national security challenges we face as a nation”? If the leader of the free world has identified something as a serious threat, then it probably doesn’t check the box for “unexpected” in the “black swan criteria” list. Of course, that doesn’t make the threat of network security attacks any less dire. A black swan event could theoretically claim more victims than the... read more
