Encryption. For most organizations, the need for it is very apparent, but for some reason, its implementation often falls well short of goals and expectations. The obvious question here is: why? A recent Ponemon Institute study took a closer look at what exactly is giving enterprises such a headache when it comes to efficiently using encryption. The results were interesting, to say the least.

According to InformationAge, the research, which included more than 4,800 business and IT managers worldwide, unsurprisingly revealed encryption use is on the rise, as companies try to stay ahead of growing privacy and compliance regulations, consumer concerns and increasingly sophisticated cyber attacks. In fact, 35 percent of organizations now have enterprise-wide encryption, compared to 29 percent last year. What was surprising, however, was the apparent shift in objective: “For the first time, the primary driver for deploying encryption in most organizations was to lessen the impact of data breaches, whereas in previous years the primary concern was protecting the organization’s brand or reputation.”

An alarming fact found in the study is that only 20 percent of organizations polled think they are obligated to disclose data breaches, and of those, nearly 50 percent believe that because the data is encrypted, that circumvents the need to publicly acknowledge an infiltration occurred. While the ethics of those policies are certainly subject to debate, a bigger problem perhaps is that all organizations surveyed are challenged with simply finding their sensitive data, as more than 60 percent agree that discovering exactly where it resides is the greatest challenge to deploying an encryption policy. More than half also agreed managing keys and certificates is a major issue, but over 70 percent concede they don’t allocate enough dedicated staff or tools to adequately maintain this task.

Could outsourcing these tasks be the quick fix? Potentially, but so, too, could a centrally managed solution. For example, a centrally managed remote access solution could include public key infrastructure (PKI) enrollment functionality to connect a PKI to a remote access VPN and automate the process of managing keys and certificates. With the addition of that functionality, a central management system can act as a registration authority and manage the creation and administration of electronic certificates in conjunction with certificate authorities. Central management also enables organizations to improve network access control. An initial screening process when employees first join a company allows IT administrators to ensure that an employee is not only trustworthy, but given access to only the necessary parts of the network based on their role. By ensuring proper authentication and access control, including verifying each user’s role and attributes, enterprises can safeguard their network from cyber criminals attempting to establish encrypted communication and prevent employees from exposing data.

However, today’s savvy cyber criminals are constantly looking for the path of least resistance into corporate networks and, unfortunately, they often find that weakness in basic human error. A resounding 27% of those surveyed indicated the number one threat to the exposure of sensitive data is employee mistakes. Furthermore, “When employee mistakes are combined with accidental system or process malfunctions, concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than two-to-one.” As we’ve stressed multiple times in the past, and as this research clearly underscores, the importance of employee education cannot be emphasized enough. Of course, easy-to-use, one-click solutions reduce the likelihood of employee error relating to VPN configurations, but parameter locks can take it a step further. Employees who are constantly on the go are usually not IT specialists, and when their VPN connection is disrupted for whatever reason, attempting to reconfigure it on their own and doing so incorrectly is a major security problem. However, parameter locks allow VPN, firewall and internet connection configurations to be centrally managed by network administrators, who can lock them and distribute them accordingly to the appropriate users.

In conclusion, despite ensuing struggles for organizations attempting to utilize encryption, there are some very attainable solutions. For example, new and more advanced types of encryption, such as elliptic curve cryptography, can be used harmoniously to make sensitive data safer, and more difficult to hack, than ever before. Properly implemented encryption is an essential part of any secure remote access strategy, and centrally managed solutions help previously strained organizations make encrypted access to corporate networks a reality.

It’s been a rough couple of years for Android devices. Sure, there may have been more than 900 million of them activated in 2013 alone, but those impressive sales numbers do nothing to inhibit cyber criminals from exploiting these open source devices. We’ve discussed Android vulnerabilities at some length, and have demonstrated how a centrally managed VPN as part of a defense in depth secure remote access framework can mitigate many of these threats. However, the recent revelation from Ben Gurion University of malicious apps that can be used to bypass VPN configurations and push communications to a different network address changes the conversation entirely.

As Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SC Magazine, that’s because this new vulnerability “attacks one of the [security] pillars we thought we could count on in the mobile world,” – VPNs. Ingalsbe is right – VPNs have been a cornerstone to secure remote access to corporate networks for a long time now, and the possibility that the peace of mind they ensure has been compromised is alarming. However, if we take a closer look at the vulnerability uncovered by Ben Gurion University, it becomes apparent that cyber criminals are attempting to use an old trick in a new disguise.

Man-in-the-middle (MitM) attacks, a form of which the researchers used to bypass VPN security, are actually pretty simple. They are designed to intercept communications between two endpoints (e.g. an Android device and a corporate network) before those communications have entered the safety of a VPN’s encrypted tunnel. Instead, the unencrypted data is redirected to an alternate location, such as a cyber criminal’s computer, where it is quickly stored on the device’s local hard drive before being passed along into the VPN and onto a corporate network. Thankfully, VPNs are only one component of a defense in depth secure remote access strategy.

Employee education is perhaps the most important step an enterprise can take to prevent this kind of attack. In order for the new Android VPN vulnerability to be an issue in the first place, a malicious app must first be downloaded. IT security professionals must be vigilant about educating their employees on the dangers of unsecure remote access, including the importance of verifying the legitimacy of any apps downloaded onto their devices. Bearing this in mind, it’s worth noting that VPNs themselves are safe, as long as IT and employees are working together to ensure all the necessary security precautions and protocols are being adhered to.

As of right now, there have been no reported cases of the so-called Android VPN vulnerability being exploited by anyone other than the researchers at Ben Gurion University. However, emerging threats such as this always reinforce the necessity of having comprehensive remote access security. With 2014 still in its infancy, the time has never been better for enterprises to reevaluate their IT security infrastructure and work to patch any gaps that may exist.

Encryption has long been one of the most effective tools to prevent the exposure of sensitive data. As such, hackers are constantly working on new ways to crack encryption algorithms and exploit lapses in security. Information security professionals must be ever vigilant and constantly create innovative new methods to thwart attacks. Recently, one interesting new encryption security method has come to light that takes inspiration from another, quite different tactic, honeypots, to trap and confuse hackers.

The new approach, called “Honey Encryption”, could potentially offer more effective digital security by making fake data appear to be legitimate and valuable information to hackers. The project, developed by former RSA chief scientist Ari Juels and the University of Wisconsin’s Thomas Ristenpart, is currently a prototype and takes advantage of the brute-force cracking methods used by attackers. With each incorrect guess a cracking program makes, the software adds a piece of made-up data to the dataset. For example, if a hacker is trying to break into an enterprise’s credit card database, the program will create numbers that look like real credit card numbers, instead of the gibberish that attackers would currently see. With thousands of attempts in a typical attack, hackers will be bombarded with fake information, making it enormously difficult to determine whether information is real or not.
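A simplified sketch of the idea described above, added here as an example; it is not the Juels and Ristenpart prototype or code from the original post. It assumes the protected value is a 16-digit Luhn-valid number and that all such numbers are equally likely, uses a PBKDF2-derived XOR pad, and the function names are hypothetical; `4111111111111111` in the test is a widely used test number.

```python
import hashlib
import secrets

PAYLOADS = 10**15   # 15 free digits; the 16th is the Luhn check digit
SEED_BITS = 64      # seed space is far larger than the message space

def luhn_check_digit(payload: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def _pad(password: str, salt: bytes) -> int:
    # Password-derived 64-bit pad; the random salt makes it single-use.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=8)
    return int.from_bytes(key, "big")

def encode(card: str) -> int:
    # Map the message to a random seed among those that decode back to it.
    payload = int(card[:-1])
    max_r = ((1 << SEED_BITS) - 1 - payload) // PAYLOADS
    return payload + PAYLOADS * secrets.randbelow(max_r + 1)

def decode(seed: int) -> str:
    # Every possible seed maps to some well-formed 16-digit number.
    payload = f"{seed % PAYLOADS:015d}"
    return payload + luhn_check_digit(payload)

def honey_encrypt(card: str, password: str) -> tuple[bytes, int]:
    if len(card) != 16 or not luhn_valid(card):
        raise ValueError("expected a 16-digit Luhn-valid number")
    salt = secrets.token_bytes(16)
    return salt, encode(card) ^ _pad(password, salt)

def honey_decrypt(salt: bytes, ciphertext: int, password: str) -> str:
    # No integrity check on purpose: a wrong password cannot be told apart
    # from the right one by looking at the output format.
    return decode(ciphertext ^ _pad(password, salt))
```

Real card numbers are not uniformly distributed (issuer prefixes, for instance), so a production encoder has to model the actual distribution of the data it protects; the uniform assumption here only keeps the sketch short.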

Currently, the prototype only protects encrypted data stored in password vaults, but the technology could have tremendous future implications for other forms of encrypted information. One day, a similar program could perhaps generate bogus but plausible network communications when a hacker is trying to break into a VPN’s encrypted tunnel. Or, a hacker could be faced with similar useless information as he tries to compromise a public Wi-Fi hotspot. It could even help to prevent several APT attack vectors used in high-profile attacks, such as the Adobe, Target and Neiman Marcus breaches that have led to the data of tens of millions of people being compromised.

Before it hits the mainstream, though, there are several challenges the technology will have to overcome, including distinguishing real attacks from user errors and making it work with other types of data. However, the underlying idea, using trickery to thwart hackers, is sound. As Juels said, “it’s a really underappreciated defense strategy.”

The technology may never completely stop attacks, but it will certainly make life more difficult for attackers. Combined with cutting-edge encryption methods, such as elliptic curve cryptography (ECC) and quantum cryptography, the future looks bright for keeping sensitive information protected.

The convergent trends of BYOD, the consumerization of IT and mobility are causing rapid shifts in employees’ expectations for their work environment. Employees are driving the change by working remotely and on their own devices, and as a result the workplace itself is becoming increasingly flexible. These trends, together with the blurring of boundaries between consumer and enterprise technologies that they cause, require IT departments everywhere to rethink their network security infrastructure.

It’s an undeniable fact that for many employees, the notion of having a physical office is becoming increasingly irrelevant. In fact, since 2005, there has been a more than 60 percent increase in the number of employees working outside of a traditional office environment, according to Inc. Magazine. Those remote and mobile workers are demanding tools that let them access corporate networks and resources remotely from anywhere at any time.

However, many businesses aren’t providing the technologies that employees need fast enough. This is evidenced by the fact that a recent Unisys study showed that 71 percent of the workers who are driving the uptake of technology in the workplace are using unsupported apps that are outside the control of IT. This is one example of how employees are using their devices unsafely, and IT staff must find ways to limit the risk to their networks.

Both smarter approaches and better remote access technologies are required to keep networks safe while providing employees the remote access they need. As we’ve discussed before, an ounce of prevention is worth a pound of cure, and employee education can greatly aid in the prevention of a wide range of potential threats. Beyond making employees aware of corporate policies, enterprises should look to implement secure remote access technologies, such as VPNs, that are designed to work with every device users may have and ensure stable, encrypted connections with corporate networks no matter where employees are located. Central management and interoperability with other security components are two important features to look for in a remote access solution for the workplace of the future, because they give network administrators the ability to respond faster to potential threats.

As the Information Age article linked to in the beginning of this post mentioned, the original purpose of an office was to “create an environment where employees could access the resources required to do their job. Now [that] the resources (technology and data) have become mobile, the workplace must follow suit.” And so must IT departments, by equipping the modern workforce with remote access technologies that are built for them.

Even if you’re not one of the tens of millions of customers that have had your credit card data stolen and sold on the black market, you’ve almost certainly heard about the Target hack that occurred in late 2013. In that attack, over 40 million credit cards and the personal information of up to 70 million people were compromised.

More recently, Neiman Marcus publicly acknowledged that its network had been breached. According to Jim Finkle and Mark Hosenball at Reuters, it was revealed this week that at least three additional well-known US retailers have experienced similar, though smaller breaches. These types of network infiltrations are alarming for consumers and enterprises alike, although there is a valuable lesson to be learned from them.

Despite the fact that Target has not yet disclosed how the cyber criminals managed to obtain access to its network, an inside source who spoke to Reuters believes the attackers used a type of malware called a RAM scraper. RAM scraping, as described by Re/code’s Arik Hesseldahl, is an old attack technique that is usually disguised as something innocuous and consequently may enter networks for all the usual reasons – unpatched security vulnerabilities in the system, unsecure endpoints, a mistakenly opened email attachment, etc.

Even though point-of-sale (POS) systems have extremely strict encryption requirements, there is one instance, literally only a couple of milliseconds, where credit card information is decrypted so it can be processed and charged. That’s when the RAM scraping malware attacks. The malware is designed to recognize certain data, such as credit card numbers, and immediately save that information to a text file that easily expands with each new number acquired. According to Hesseldahl, when the attackers are satisfied with the size of that file, they simply “exfiltrate” it to themselves and head to the black market.

We said it when Adobe was hacked and we’ll say it again now: Hackers are far from lazy, and if you leave a door in your network security open even an inch, they will find it and they will sneak in. These prominent hacks serve as scary reminders of the growing threat of advanced persistent threats (APTs). We fully support the notion that one of the best defenses against APTs is a centrally managed remote access control solution, which can actually help prevent network breaches from occurring. A centrally managed VPN, for example, gives IT administrators the ability to monitor and control all communications within the corporate network, all the while ensuring that these communications are encrypted. Working in conjunction with other security elements such as intrusion prevention systems (IPSs), firewalls and other network and security components, centrally managed VPNs help enterprises safeguard their data and systems against hacks and reduce the risk of becoming a cyber criminal’s next Target.