NCP WebinarIf there’s been a silver lining to the string of devastating cyberattacks against some of the biggest organizations in the world over the last year, it’s that the list of “what not to do” has continued to grow, putting other companies on notice.

If you use a third-party vendor, for example, make sure their networks are just as secure as your own. When there are known security vulnerabilities, reconsider using end of life operating systems like Windows XP on your devices.

These are some of the most prominent recent lessons, but there are plenty of other threats to network security lurking just below the surface. And these are the vulnerabilities that attackers will look to exploit. After all, why would they target a well-defended vector when there may be an easier point-of-entry somewhere else? That would be like a burglar trying to break down a locked door, instead of checking first to see if maybe a window was left cracked open.

In today’s business environment, the list of overlooked network security threats is endless. Information security professionals are modern-day gladiators, tasked with defending corporate data and networks against both known and unknown threats, but no matter how skilled they are, there will always be new threats to their networks. Here are seven to think about:

1. Rogue Employees
2. Delayed Device Deprovisioning
3. A Single, Vulnerable Security Vendor
4. Out of Date Software
5. Failure to Adapt to New Technology
6. Security Solutions and Policy Misalignment
7. Shadow IT


Most working environments would be lucky to be vulnerable to only one of these. The reality is, these threats are so pervasive that many information security professionals are bound to face multiple iterations of each, all simultaneously. They’re fighting an ongoing war on several fronts, in which the enemy’s resources are never fully depleted. And in some ways, the enemy continues to gain the upper hand – the average data breach costs about $145 per compromised record, up 9 percent from two years ago.

Yet, it’s not a losing battle. Information security professionals can emerge victorious. The best approach, after uncovering the threats, is to develop and execute a sound approach to network security, as well as enforcement of these policies. Security, flexibility and ease of management all have to work in sync to maximize success. It’s how you train your employees. It’s the technology you choose to adopt. It’s the processes that tie all of your security initiatives together.

So if you’re an information security professional, don’t be afraid to find and eliminate these threats.

Go ahead, be a hero.

To learn more, join NCP engineering and Julian Weinberger, CISSP, Director of Systems Engineering, for the webinar, “7 Security Threats You May Have Overlooked,” Tuesday, November 18, 2014 at 11:00 a.m. PST. Attendees will also receive a copy of our white paper on the same topic.

Read More:

When Remote Access Becomes Your Enemy
Network Security for CIOs: A Marathon or a Sprint?

Want to learn more threats to your company’s network?

7 Security Threats Your May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

– How to handle environments fraught with rogue employees, personal devices, and EOL products.
– A sound approach to security policies and their enforcement, including the important of executive involvement.
– A new way to think about VPN solutions to simultaneously maximize security, flexibility, and ease of management.

Download Now

Reddit has banned remote work, joining other tech companies like Yahoo that are going against the popular workplace trend. Yet, plenty of others are finding that their workers are more productive when they work outside of a central office. And they’re usually right, as long as they give enough attention to securing remote access.Even just a decade or two ago, it would have been unfathomable to think that sometime in the near future, workers would be upset that their employer was requiring them to work in the same office as the rest of their team. Then again, so too would the concept of BYOD and the idea that workers would even have the option to work remotely, from home offices and coffee shops, without missing a beat.

But, that’s exactly what happened last month, when Reddit, the self-proclaimed “front page of the Internet,” announced that its employees would soon be required to work out of its San Francisco headquarters, or face termination.

Reddit CEO Yishan Wong described the change as one designed to “get the whole team under one roof for optimal teamwork.” No surprise there, really – you usually hear some variation of that line from executives who scrap remote work policies.

It’s the same reasoning we heard from Yahooites when that company made similar changes to its remote work policy nearly two years ago, citing the need for “working side-by-side” to spur communication and collaboration among employees. Critical reaction from Redditors and others in the tech community has been just as swift and decisive as it was against Yahoo in early 2013.

Yet, for every Reddit and Yahoo that bucks the trend toward remote work, there are plenty of other examples of companies that have embraced remote work with great enthusiasm.

All Remote, All Rewards

Automattic, the web development company behind WordPress, only has about 300 employees. For a technology business, that’s hardly a blip on the radar, when compared to companies like Google (52,000), Facebook (7,000), Yahoo (12,000) and Amazon (132,000). Yet Automattic makes the most of each member of its somewhat undersized workforce. Thanks to its generous remote work policy, only a handful of employees actually work in Automattic’s San Francisco headquarters – the rest are spread across 150 different cities all around the world.

Founder Matt Mullenweg explained his company’s attitude toward remote work as, “Rather than being anti-office, we’re more location agnostic.” Employees are still able to work together in collocation spaces, should they feel the need for face-to-face interaction. And, for camaraderie purposes, Automattic hosts an annual “Grand Meetup” in a different location each year, allowing all of its employees to spend time together.

If you asked Mullenweg whether he shared some of the same concerns as Yahoo CEO Marissa Meyer or Reddit’s Wong about remote work, specifically its impact on productivity and company culture, he’d defend his virtual-first approach.

Less productivity? Employees working together virtually aren’t distracted by time-consuming chats at the coffee machine. Harmful for culture and collaboration? Online chat and video technology have evolved to the point where teamwork isn’t really hindered by physical distance. Plus, there are no lease agreements and no office supplies to purchase.

If your company is considering instituting a remote work policy for the reasons above, the final step is to make sure you have a plan in place for secure remote access.

No-Risk Remote Access: The Basics

To make sure remote workers are able to safely access their corporate network, administrators need to make sure that all endpoints – the company-owned devices employees use for remote work – are secure. After all, a single advanced persistent threat (APT) or phishing attack against a remote employee who doesn’t follow company protocol could expose an entire corporate network.

This speaks to the importance of a holistic approach to network security, led by secure remote access and VPN technology, along with firewalls and other security systems. If network administrators adopt these solutions, remote work is sure to be just as safe and secure as in-office work, with the added flexibility benefits.

And as long as executives don’t share the same productivity and culture concerns as those in charge at Reddit and Yahoo, remote work policies could be just what some companies need to give employees a better work-life balance and, hopefully, generate better results.

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now

Healthcare Data Today: In Motion or Out of Control?

Posted: 28th October 2014 by VPN Haus in IT policy, VPN
Tags: ,

The healthcare industry alone is responsible for 900 major network security breaches since 2009. And it’s not hard to see why – healthcare data is far more valuable to hackers than data stolen from retailers or financial providers. Find out how, even in this hostile environment, one hospice provider has been able to secure its data in motion.

From October 2009 through the present day, one industry alone has reported 900 different breaches. And none of those 900 were limited in their scope – in each, at least 500 individuals were affected. Who knows how many other smaller breaches happened, without public knowledge.

The industry we’re describing probably isn’t any of the ones you might guess – maybe retail or financial services – it’s the healthcare industry. And we can be absolutely certain that the numbers really are this high because the healthcare providers are required by law to disclose any breach affecting 500 or more individuals.

Since the HITECH Act of 2009, the U.S. has been grappling with how best to adopt new technology like electronic health records and telemedicine tools. The challenge is always to walk the line between improving patient care, without jeopardizing patient privacy.

For that reason, the Department of Health and Human Services is now responsible for reporting breaches to the public. It doesn’t matter whether the breach is the result of negligence involving an inadequate remote access policy or the theft of a laptop – all major incidents are reported. Healthcare information is particularly valuable to attackers because it can lead to even more lucrative data, such as bank account information or prescriptions that can be used to obtain controlled substances.

Yet, these incidents involving healthcare providers aren’t the ones making national headlines. Usually, widespread public panic involving network security is reserved for high-profile breaches of retailers and financial providers instead.

The silver lining is that every time another Target or Home Depot is attacked, retailers are again reminded that they could be next in the crosshairs. Their response is to reinforce their defenses. And as we know, hackers are persistent, but they’re still governed by human nature. They will aim for the path of least resistance – there’s little reason for them to try, and potentially fail, to attack an on-notice retailer, if an unaware, vulnerable healthcare provider is also in the picture.

That’s why the FBI put healthcare providers on notice back in April, with a warning that they could be especially vulnerable to cyberattacks. The FBI said that the healthcare industry is not as “resilient” to cyberattacks, despite how much damage they could cause.

That’s in part why three government agencies – the U.S. Food and Drug Administration, and the Departments of Health and Human Services and Homeland Security – hosted a public workshop on October 21-22 to “catalyze collaboration,” as a means to improve medical device cybersecurity.

That information session helped bring these issues to the forefront, but ultimately, when it comes to healthcare network security and keeping “data in motion” safe, the responsibility rests primarily with individual providers.

Healthy Patients, Healthy Network Security

One such provider is American Hospice, which calls a secure communications environment a “cornerstone” of its mission to care for patients. For a national care provider like American Hospice, whose 180 home healthcare workers treat more than 1,500 patients, secure remote access is essential.

American Hospice employees need to be able to safely and quickly update files while on the road. It’s not just about meeting HIPAA requirements involving privacy – it’s about improving worker productivity (by removing manual, paper-based processes), reducing operating costs and protecting sensitive patient information, as well as its own IT system integrity.

In May 2010, American Hospice turned to a Secure Enterprise VPN solution and gained all of these benefits. Workers are now able to safely and remotely access the network through secure mobile devices, allowing them to keep the main office updated, in near real-time.

The goal of all healthcare providers ought to be safer care for patients and peace of mind for their families, and thanks to its secure remote access capabilities, American Hospice has finally reached that point.

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now

It’s no longer enough to use “123456” for all your passwords. As attacks against major companies have shown, there are just too many threats to network security for consumers to feel safe with a “set it and forget about it” password management strategy. That’s where two-factor authentication – combining something you know with something you have – will protect you.

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh

In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time.

On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach. 

Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts.

Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that are sufficiently strong.

Users can avoid this problem and improve their data security by implementing a secure password safe, such as 1Password or KeePass, on their end devices and by using a really strong password to secure it. The safe contains the passwords of all accounts and automatically applies them during the login procedure.

Two-factor authentication is equally as safe. In addition to a password, the user is required to have a second component for verification. With this method, the user has to combine knowledge (password) and ownership (mobile phone, token).

Two-factor authentication has long been a standard for safety-critical applications. For example, it has been possible for years to secure VPN remote access using a second authentication factor. In the past, the “something you have” component of two-factor authentication consisted of a small token displaying a number necessary for login. The user had to enter this one-time password (OTP) in addition to the password. Now, other solutions are available that do not require the use of tokens. Select VPN solutions with Secure Enterprise Management (SEM) capabilities, for example, allow for use of OTP with mobile phones or smartphones.

With the exception of online banking providers, websites have rarely offered two-factor authentication. However, due to the increasing frequency of data theft, more sites are offering it. For example, Microsoft (OneDrive,, etc.) and Facebook now offer two-factor authentication, and Dropbox can also be secured with a second login factor. This added layer of security helps reduce the risk of data theft even if a user could not resist picking his pet’s name for a password, or if he decided to pick the most popular password worldwide: “123456.” 

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now


Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities. As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used.

This arrangement makes sense: It saves enterprises time and money.

Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities.

In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician.

About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only remote access users were affected.

Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server data through a remote access point.

Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software.

It’s clear that these attacks and vulnerabilities are all part of a trend – and they speak to the importance of businesses eliminating remote access security gaps.

Who is Responsible for Securing Remote Access?

There’s no doubt that remote access is an important network feature. IT support speed and troubleshooting capability would be greatly hampered without remote access. It is also needed for mobile workers to establish connections to their corporate networks via a VPN.

VPNs by design are secure and when users implement, maintain and utilize them properly, the technology works perfectly. However, security lapses may occur in cases where a user is unaware that secure remote access has been provided, i.e. it’s more or less a hidden feature, or he does not show any interest in it.

In the Fritz!Box case, the critical issue of increasing digitization in private environments could be seen very clearly. Despite the problem being reported by numerous media outlets and the vendor quickly releasing a firmware update, tens of thousands of routers were still affected, many of them weeks later.

Unfortunately for IT administrators responsible for network security, not every Internet user reads computer magazines and stays up-to-date with information from various news services. Not every router owner has the tech savvy or feels comfortable updating device firmware. They may do the bare minimum – understand the purpose of a VPN and comply with the necessary security policies – but what if they don’t? Or what if they aren’t even aware of security measures?

The value of VPN solutions is that they provide a layer of security protection, for when users unknowingly create security vulnerabilities. This means IT administrators are responsible for improving the security of remote access, by using up-to-date, approved technology and implementing automated update procedures that fix reported bugs quickly and without user intervention.

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now