Holiday Cybersecurity

Almost one year ago to the day, the “most wonderful time of the year” became anything but for millions of Americans when news of the Target data breach broke. Not only did that attack force us all to think twice about how our digital information is managed, it forever changed the network security landscape and put IT administrators in a perpetual state of high alert.

This holiday season, having suffered through a full year of attack after attack, network administrators have battened down the hatches even further, living in constant fear that their organization could become the next target of hackers. The silver lining is that these attacks have forced IT departments to re-evaluate their internal security policies and, if not actually put in place the infrastructure necessary to protect their organizations, at least raise awareness of how crucial it is.

But despite now having a better understanding of the landscape of cyberthreats and vulnerabilities, as well as having shored up their cyber defenses, IT departments must remain vigilant towards the potential cyberthreats lurking in the shadows this holiday season.

From the new technologies employees receive as gifts, to the vulnerabilities that could arise from employees accessing the corporate network remotely, there’s plenty for network administrators to be preoccupied by this time of year.

New Gifts, New Threats?

For a few holiday seasons now, mobile devices, Internet of Things trinkets and wearable technology have been at the top of consumer gift lists. They’re popular nearly to the point of ubiquity, which is actually bad news for the network administrators who have to account for employees connecting these new endpoints to the network, where they could create vulnerabilities.

Dark Reading offers the example of a hacker who is able to work around a company’s Wi-Fi defenses by breaking into a corporate conference room’s Bluetooth system, via an employee’s vulnerable Bluetooth-enabled device, in order to listen to privileged conversations about financial transactions.

Attackers are as agile as they are astute, and they constantly look to exploit vulnerabilities – especially the ones IT departments haven’t identified yet. New consumer technologies could be just the point of entry hackers need to launch a new volley of attacks.

The Risk of Remote

Another network security concern over the holidays is the number of employees working remotely. More than half of Americans actually plan to work remotely over the upcoming holiday break, with about half of those expecting to spend at least two hours on the clock each day. And who wouldn’t prefer to work beside a fireplace during the holidays, instead of in front of their office computer?

Yet, all this convenience could come at a cost to IT departments – if employees don’t follow established remote access and Bring-Your-Own-Device (BYOD) protocol, they could inadvertently create vulnerabilities that aren’t present when they work on-site, under the umbrella of the immediate corporate network and under the watchful eye of the IT department.

Preventing Holiday Exploits

The lesson for network administrators this holiday season is clear – the remote access and BYOD policies that may have adequately protected their networks in the past may not be sufficient in today’s world. There have never been more devices, and more types of devices, connected to enterprise networks – and with each new endpoint will come new risk.

To offset these hazards, IT departments may need to reevaluate their BYOD policies. This includes frequently updating protocol, and making sure employees are educated as to how they can play a role in limiting network vulnerabilities.

And in the event that a remote access or BYOD policy comes up short, network administrators need to have in place an overarching defense-in-depth strategy, of which BYOD is just one component. When network administrators build redundancy into their defense plans, through interlocking solutions like VPNs and firewalls, even if attackers are able to breach one element, they’ll be cut off before they can advance further.

And if these defense mechanisms are successful, network administrators will have given themselves the best holiday gift they could ask for – peace of mind.

Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs


Sony Attack

Hollywood is a place that can be driven mad by star-studded gossip, where the talk of the town is rarely private and where people are accustomed to their secrets not staying secret for very long. Yet, this state of play hasn’t made it any easier for the victims of last month’s cyberattack against Sony, carried out by shadowy assailants calling themselves the Guardians of Peace.

As the public knows by now, the attackers appear to have spared nothing in their initial leak of 27 gigabytes worth of data. They released the type of information that is exposed after seemingly every corporate hack, from the personal information of employees to the company’s classified assets, which in this case even included the script for an upcoming James Bond film.

But that wasn’t all.

They also exposed the kind of information unique to an entertainment giant like Sony – the lurid Hollywood gossip, revelations of celebrity aliases and even off-the-record studio executives’ opinions about some of today’s box office smashes.

Sony’s Imperfect Network Security History

So how could this have happened? Although the finger-pointing has been ongoing since the attackers revealed themselves to Sony employees at the end of November, what’s clear is that the malware used by the Guardians of Peace was undetectable by antivirus software, and, as is often the case with attacks as broad as these, human error within Sony – passwords that were both easy to crack and stored in a file directory marked “passwords” – may also have been a factor.

Unfortunately, these aren’t new criticisms of the company.

Sony’s network security defenses, from poor access control to weak passwords, were so lacking in 2007 that an auditor told the company’s executive director of information security, “If you were a bank, you’d be out of business.” Then there was the 2011 hack of Sony’s PlayStation network – an attack that was preceded two weeks earlier by the company laying off two employees who were responsible for network security.

In retrospect, it’s easy to construct a seven-year trail of breadcrumbs back to Sony being hacked, and to allege that executives should have known they needed to do more to shield the company from attack. But, as suggested by the FBI’s Joseph Demarest, assistant director of the agency’s cyber division, the high sophistication of the attack proved to be just as much a factor as how porous the company’s network security may have been.

He said, “The malware that was used would have slipped or probably gotten past 90 percent of [Internet] defenses that are out there today in private industry and [likely] challenged even state government.”

Preventing the Next Great Hack

The massive Sony breach has shown, yet again, just how expeditious and ruthlessly efficient attackers today are. One minute, the network security fortress of a company like Sony is seemingly secure, and the next, documents and correspondence that were intended to be private are splashed across every news outlet. It should be more than enough to give network administrators significant pause, and make them wonder, “If it can happen to Sony, why couldn’t it happen to me?”

Fortunately for network administrators, there is no shortage of steps they can take to prevent attackers from breaching their walls, and there are just as many ways to limit the damage in a worst-case scenario where hackers are able to make it inside.

We’re talking about a defense-in-depth approach – a multi-layered, redundant strategy that seamlessly weaves together overlapping network security products, like strong VPNs and firewalls, with proven processes, like employee training and encryption protocol, to help network administrators defend against a range of threats looming right on their doorsteps. Additionally, if hackers do get in, layering security technologies can help mitigate the range and damage caused by the attack, making it more difficult for attackers to actually escape with sensitive information.

It’s impossible for network administrators to know for sure they have the upper hand against attackers who seek to do them harm – their methods evolve too rapidly. But with a defense-in-depth strategy, network administrators at least know they have fail-safes in place should they become the next target.

Want to learn more about threats to your company’s network?

7 Security Threats You May Have Overlooked

In 7 Security Threats You May Have Overlooked, we cover:

– How to handle environments fraught with rogue employees, personal devices, and EOL products.
– A sound approach to security policies and their enforcement, including the importance of executive involvement.
– A new way to think about VPN solutions to simultaneously maximize security, flexibility, and ease of management.


Remote Access Endpoint

Much to the dismay of network administrators, IT security today is complex and multi-faceted, from the varied attack vectors to the different types of attackers themselves. But there is always one constant: the endpoint. When those endpoints are attacked, and end users cannot access services, data and applications, it is futile for a business to even host and offer them.

The client, meaning the device rather than the human being using it, has undergone enormous changes over the last decade, thereby putting the burden on IT professionals to evolve their networks accordingly. The PC, with Windows 95, was the starting point. Next came myriad Microsoft operating system updates, followed by new form factors like tablets and smartphones, which introduced a whole new dimension.

With each new client, the applications changed as well. Browsers and apps opened up unfamiliar, sometimes encrypted, and sometimes proprietary, data channels, from the Internet right down to the file system. And of course, attackers have kept track of those changes and adapted their methods accordingly over the years.

To cope with these ever-evolving forms of attack, network administrators developed innovative defense mechanisms. Classic anti-virus tools were followed by sandboxes that tried to detect and block malware by offering these programs a limited, simulated runtime environment. The most recent approach uses micro-VMs, which try to contain malware within the kernel process level.

Additionally, businesses now use a whole arsenal of security measures, ranging from the humble password to two-factor authentication, firewalls and encryption, to name but a few. And nothing is wrong with these measures. After all, an endpoint that uses anti-virus software is better protected than one without it. But the question is: How much better?

The problem is, enterprises often do not realize that technology alone will not save them. Businesses need to know that their combined technical barriers, no matter how recent and well maintained they might be, are far from impregnable, even under perfect conditions. It doesn’t matter which hindrances network administrators place in the path of attackers. They will eventually find a way to bypass them. And in some cases, their whole IT security budget could be wasted on a suite of diverse defense mechanisms.

The only solution is redundancy – a defense-in-depth approach that uses a combination of firewalls, VPNs, intrusion detection systems and common sense policies to govern employee remote access behavior. This type of framework will go a long way in keeping possible attack vectors at bay. It can’t be said often enough, so here it is again: Security is a process, not a product.

End-to-end encryption alone won’t save you. For example, a Trojan could gain access to the local network through an infected smartphone or a USB stick and intercept the password keystrokes right as they happen. In a worst-case scenario, the cryptography might even hinder other security tools from detecting suspicious activities on the network.

No IT-based measure alone can account for human fallibility – they won’t help if one of your employees leaves a work device out in the open, where it could be stolen, or accidentally exposes a password through a phishing scheme. The level of security is always defined through the weakest link, not through the largest budget.


Cybercrime

It’s not clear when we arrived here or when we’ll be leaving, but according to prominent cybersecurity reporter Brian Krebs, we’re in the midst of a “golden age” for cybercriminals.

Krebs’ comments came last month during an address at the 2014 Privacy XChange Forum, where he predicted a continuation of last year’s string of cyberattacks, in the same vein as those that impacted Target and Home Depot. He said that the value of stolen information – about $20 per stolen credit card – is too high for hackers to pass up.

Given this landscape – particularly with verticals like retail, healthcare and finance, which are perpetually in hackers’ crosshairs – organizations should be well beyond the stages of basic network security planning. In this “post-privacy” era, network administrators need to understand cyber threats against them, inside and out, in order to set up the strongest defenses.

In Dark Reading’s recap of the Privacy XChange Forum, representatives from retail, healthcare and finance shared the biggest threat to their respective industries:

1. Retail: The Onset of Apathy

Today’s reality is that every organization must assume it will be hacked. Yet, as Natural Markets Food Groups’ Arthur Tisi explained at the forum, there’s considerable apathy and a sense of “it won’t happen to me” among businesses, particularly retailers. While it’s true that only two of the top 10 U.S. retailers – Home Depot and Target – have reported major data breaches this decade, those attacks left an unprecedented impact – nearly 100 million credit and debit cards were exposed.

To avoid becoming the next high-profile victim, retailers need to further build out their cyberattack response plans in order to defend customer and corporate data throughout the threat’s life cycle – including if it breaches the fortress walls. It’s no longer enough to only have a threat prevention plan in place – the ability to quickly detect and respond to an attack is just as important.

2. Healthcare: Too Many Touch Points

The primary threat against network security in the healthcare space is actually two-fold. We’ve explained previously that healthcare information is particularly valuable – and appealing – to attackers. The other issue, as explained by Dr. Deborah Peel at XChange, is just how exposed healthcare data can be when it’s in motion, traveling between in-patient facilities, clinics, insurers, pharmacies and more. And all it takes is one stolen or misplaced device, operating outside the safe boundaries of a secure VPN, to thrust thousands of patients’ personal information into the wind.

In fact, the threat of data being lost or stolen is actually more severe than malicious hacking. According to Bitglass, 68 percent of healthcare data breaches since 2010 have involved theft or loss of healthcare information. For healthcare organizations that permit employee remote access, it’s even more critical that they institute both employee policies and technology, like VPN and firewalls, to help protect sensitive patient information every time it leaves the safe confines of an organization.

3. Finance: Lack of Depth to Security Approach

Unlike in healthcare, where HIPAA requires providers to publicly divulge breaches, no such mandate exists in the financial industry. That’s despite the fact that 500 million financial records have been exposed in the last 12 months, according to federal officials, and many of the owners of those files aren’t even aware their information has been leaked.

Given the magnitude of the threat against the finance industry, it’s not surprising that, as one financial services professional said at XChange, there is no “silver bullet” to guarantee security from attackers.

But as is often the case with network security, the best defense for financial institutions is a multi-layered, redundant network security infrastructure. Typically, defense-in-depth in the context of network security requires the construction of a comprehensive, multi-layered infrastructure of VPNs, firewalls and intrusion detection systems, so that each solution acts as a failsafe for the others.

In this instance, defense-in-depth for financial institutions additionally means using multiple defense measures to protect against account takeover – hackers targeting customers and trying to exploit them directly, rather than the organizations that hold their data. In the specific instance of customers logging into their electronic accounts, many organizations already do redundancy well. The FFIEC actually requires financial institutions to use multi-factor user authentication for online banking. But in the future, financial institutions will need to look for other redundant verification techniques, such as tokenization and “device fingerprinting,” to protect customers. That way, even if a hacker breaches one line of defense, subsequent mechanisms will keep them out.

Escaping the Golden Age

Even though cybercriminals are still reaping the benefits of their golden age, events like the Privacy XChange Forum show that industries like retail, healthcare and finance not only have a plan to fight back – they actually have a good chance of soon turning the tide. And if businesses in these at-risk verticals can minimize the threat of cybercriminals, then network administrators in other industries will soon have a blueprint for defending their own interests.


The Three Human Failures Behind Remote Access Shortcomings

Whenever news of a network security breach reaches the public airwaves, observers are quick to assign blame to some combination of technological shortcomings and human error that allowed an attacker to slip through the victim’s cyber defenses.

When it comes to remote access in particular, network security is even more dependent on technology like VPNs and on employees who do their part and follow company protocol. Unfortunately, network administrators often find themselves in a position where, due to human imperfection, remote access technology is the constant that protects their network.

Here are the three types of people who are guilty of common, understandable human errors that network administrators need to have on their radar, and try to protect against, as they build a network security infrastructure:

  1. The Strained IT Pro

Information security professionals are modern-day gladiators, fighting back against complex network security threats, internal and external, as quickly as they form. Yet, as a Ponemon Institute study revealed earlier this year, many IT departments are overburdened as they try to defend against all of these threats at once.

The problem is actually two-fold: a dearth of talent to fill positions (according to the study, 70 percent of the organizations say they do not have sufficient IT security staff) and turnover in security positions that can be filled (CISOs leave their positions, on average, after 2.5 years). The result is that IT departments, despite their best efforts, cannot defend against every attack, particularly as cyberattackers diversify and expand their efforts in the coming years.

  2. The Oblivious Employee

For companies that lack a consistent frontline defense by their IT staff, employees are next in line to defend against network security threats. They’re tasked with following remote access policies, the most common of which often include proper VPN use and safe data management practices. Yet, even the very basics of secure remote access are often a problem for employees – 44 percent of respondents to an Imation survey said that company information they remove from their office isn’t encrypted.

Those weren’t the only network security faux pas employees fessed up to. Just under half said they still used a USB stick to transfer information – especially dangerous in light of threats like the “BadUSB” exploit – while about the same number said they used their own mobile devices for remote access, instead of those supplied by the company.

These employees are right to be criticized, although the blame doesn’t always rest solely with them. As Imation’s Nick Banks said, “A lot of companies don’t have a remote working policy [while others] break the policy without knowing it exists.” Every company needs a remote work policy, not just those in which data is generally considered to be most at risk – financial services, healthcare and the public sector.

  3. The Fatigued Stakeholder

The third obstacle impacting IT departments and employees as well as the general public is a creeping feeling of what Ponemon has dubbed “breach fatigue.” While conventional wisdom may dictate, and network administrators may think, that digital consumers have grown even more risk averse in how they manage digital information, the opposite actually appears to be true.

This current state of “breach fatigue” means that consumers have become so overwhelmed by the recent onslaught of data breaches involving their favorite institutions that the news is no longer attention grabbing or behavior altering. Only 14 percent of those polled by Ponemon said they would interact differently with an institution they do business with if it were to report a data breach.

Defense-in-Depth Reduces Human Error

This all brings us back to the importance of strong remote access technology and a comprehensive, defense-in-depth approach to network security. When IT staff and employees do fall short – and they will from time to time – it’s this multi-layered, redundant approach to network security, which includes technologies like firewalls, VPNs and intrusion detection systems all working together, that will keep a company’s digital secrets safe.
