This year, with cryptography and information security becoming higher profile than ever before, more than 25,000 attendees made the trip to San Francisco for RSA Conference, which was filled to the brim with interesting discussions of new trends, research and technology. Despite several prominent experts boycotting the event in light of the $10 million the NSA secretly paid RSA, the show still sold out seven months in advance and comedian Stephen Colbert braved the backlash to deliver an electric closing keynote address. Here are three main takeaways from the conference relating to remote access security:

The Internet of Things is growing, and we need to secure it.

The Internet of Things (IoT) was the conference’s number one buzzword, and attendees were concerned with securing the billions of connected devices now proliferating. Quite distressingly, the general feeling at the conference was that the industry is not yet ready to secure devices such as household appliances, medical devices or connected cars. VPNs can, however, help secure IoT communications by keeping all traffic between connected devices and their users inside an authenticated, encrypted tunnel, and the industry as a whole should look towards building them into devices more widely.

Point solutions are no longer enough.

Attendees eagerly discussed everything from forensics to advanced persistent threats (APTs), but the common thread was the importance of integrated solutions. From a remote access security perspective, it was refreshing to hear professionals who work on other security components sharing that view. In fact, Network World identified integration as the number one element that security vendors are now focusing on. Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG), explained how, in the past, vendors have tended to push a collection of point products on a one-off basis. However, CISOs no longer have the resources to manage myriad products that don’t communicate with each other. Oltsik puts it quite plainly, “Smart vendors are responding with more integrated product suites and central management.”

Ease of use is paramount.

As IT administrators are increasingly having to do more with less, ease of use was another hot topic for security professionals at the conference. Gone are the days of lengthy product deployments and overly complicated customization. Now, with so many security products and services to choose from, enterprises and consumers alike are going to select the ones that are the easiest to deploy and manage, with the best user interface. With today’s advanced remote access security solutions, for example, employees can use a centrally managed VPN to connect to their corporate network in just a few clicks.

Of course, an end user friendly interface isn’t the only component of an easy to use solution – automation is another important element. For example, once upon a time, traveling employees had to log back into their VPN each time their Internet connection changed (e.g. when they moved from a coffee shop’s WiFi to a 3G connection). This was obviously disruptive to their work, and frankly, it was pretty annoying, too. But thanks to technologies such as Seamless Roaming and Friendly Net Detection, VPNs can now switch connection media automatically, recognize whether they are connecting via a known, trusted network or an unknown, untrusted one, and activate the firewall rules and security mechanisms appropriate to that network without user intervention.
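To make the "known and trusted network" decision concrete, here is an added illustration (not NCP's Friendly Net Detection implementation, which the post does not describe). It assumes a hypothetical responder on each trusted network that shares a secret with the client and answers a fresh challenge with an HMAC. The point it demonstrates is that SSID, gateway MAC and DNS suffix alone are spoofable by an evil twin, so they only select a candidate profile; the authenticated probe decides which firewall policy the client applies. All network fingerprints and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example: classify the current network and pick a policy.
# Assumption: trusted networks host a responder that proves knowledge of a
# shared secret. A real client would hold this in a locked, centrally managed
# configuration rather than in source.


@dataclass(frozen=True)
class NetworkView:
    """What the client can observe locally (all spoofable)."""
    ssid: str
    gateway_mac: str
    dns_suffix: str


CORP_SECRET = bytes.fromhex("8d2b4f9c6e1a7b3d0c5e2f8a9b4d6c1e")   # constructed demo secret

# Hypothetical trusted-network profiles: fingerprint -> probe secret.
TRUSTED_PROFILES = {
    NetworkView("corp-wifi", "00:11:22:33:44:55", "corp.example"): CORP_SECRET,
    NetworkView("corp-lan", "00:11:22:33:44:66", "corp.example"): CORP_SECRET,
}

# Policies the client switches to automatically after classification.
POLICY_TRUSTED = {"network": "trusted", "vpn_required": False, "firewall": "corporate"}
POLICY_UNTRUSTED = {"network": "untrusted", "vpn_required": True, "firewall": "lockdown"}


def make_responder(secret: bytes):
    """The network-side half of the probe, simulated in-process."""
    def respond(challenge: bytes) -> bytes:
        return hmac.new(secret, challenge, hashlib.sha256).digest()
    return respond


def unreachable(challenge: bytes) -> bytes:
    """Stand-in for a network with no responder at all."""
    raise ConnectionError("no friendly-net responder on this network")


def classify_network(view: NetworkView, responder) -> dict:
    """Return the policy to apply for the observed network."""
    secret = TRUSTED_PROFILES.get(view)
    if secret is None:
        return POLICY_UNTRUSTED                 # unknown fingerprint: no probe needed
    challenge = secrets.token_bytes(32)         # fresh per check, so replays fail
    try:
        answer = responder(challenge)
    except (ConnectionError, OSError):
        return POLICY_UNTRUSTED                 # looks like corp, but cannot prove it
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    if hmac.compare_digest(expected, answer):
        return POLICY_TRUSTED
    return POLICY_UNTRUSTED                     # evil twin with a cloned fingerprint


if __name__ == "__main__":
    corp = NetworkView("corp-wifi", "00:11:22:33:44:55", "corp.example")
    print(classify_network(corp, make_responder(CORP_SECRET)))       # trusted
    print(classify_network(corp, make_responder(b"attacker-guess")))  # untrusted: spoofed
    print(classify_network(NetworkView("CafeWifi", "de:ad:be:ef:00:01", "lan"), unreachable))
```

The "fail closed" branches are the important ones: a network that merely looks like the office, or one where the responder cannot be reached, gets the lockdown firewall and a mandatory VPN, never the corporate profile.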

Overall, it was exciting to hear so much attention being given to solving the real world challenges that enterprises are currently facing. Oltsik said it best, “By all indications, security vendors are finally considering something that was minimized in the past – actual enterprise security requirements. [It is] an obvious, long overdue, and positive step for the industry.”

Who would have thought that an HVAC system could lead to the data of millions of people being compromised? Target surely didn’t. Recently, it has come to light that the Target breach hackers likely gained access to the areas of its network where customer information was stored by remotely infiltrating the company’s HVAC system contractor.

Let’s break down how this particular Advanced Persistent Threat (APT) was able to access Target’s customer information:

  • It all started with an email attack, according to information security expert Brian Krebs. The malware-laced email was likely sent out to a broad range of targets gleaned from Target’s public-facing vendor documentation. It was then downloaded by a contractor at Fazio Mechanical, a heating, air conditioning and refrigeration firm, hired by Target to maintain its HVAC system. The likely malware downloaded was Citadel, a password-stealing bot that is derived from the ZeuS banking trojan.
  • The malware went undetected by Fazio Mechanical’s anti-malware software, the free version of Malwarebytes Anti-Malware, which does not provide real-time protection. Because the company was not using an enterprise-grade, real-time solution, the malware was able to capture the employee’s credentials, and with them the access Fazio Mechanical had to Target’s vendor-facing systems. Had Target required stronger authentication and centrally managed vendor access, a stolen password alone would not have been enough, and this is where the attack could have been stopped.
  • From there, the hackers connected to Target’s network and accessed the parts of its network that Fazio Mechanical had access to, its external billing system, called Ariba, and several project management-related portals. According to an unnamed source who was formerly employed by Target on its security team, “the Ariba system has a back end that Target administrators use to maintain the system and provide vendors with login credentials, [and] I would have to speculate that once a vendor logs into the portal they have active access to the server that runs the application.”
  • The network lacked advanced authentication mechanisms, such as two-factor authentication, because, according to another source who managed Target vendors, “Target would have paid very little attention to vendors like Fazio, and I would be surprised if there was ever even a basic security assessment done of those types of vendors by Target.” Essentially, because of Target’s lack of preparedness, an experienced hacker had nearly unfettered access to its network after escalating Active Directory privileges. From there, it was a piece of cake to get into Target’s Point of Sale (POS) system data and extract credit card information.

The breach, which exposed the personal information of 70 million customers and 40 million credit card numbers, could have been prevented if Fazio Mechanical and Target had taken the proper network security precautions. As mentioned previously, Fazio Mechanical was likely not the first vendor associated with Target that was probed by hackers looking for a way to steal lucrative, sensitive data. APTs like this one try to exploit every potential attack vector, and it is up to enterprises to thoroughly prepare themselves by implementing best-of-breed systems.

Enterprises can secure remote access to their corporate networks and minimize the risk of breaches like this one by implementing VPNs that not only have advanced authentication mechanisms but can also be centrally managed. Central management gives network administrators a dashboard overview of the end devices and users that may pose a risk due to authentication issues, outdated VPN clients and more. Further, enterprises should implement remote access solutions that can interoperate and communicate with other network and security components via protocols such as IF-MAP, so the whole system can adjust to attacks as they occur. For example, if an enterprise’s network and security solutions support IF-MAP, the components can exchange security-related metadata and rapidly communicate a potential threat across the entire system, triggering a response that prevents the threat from spreading. The time to be proactive is now.

Encryption. For most organizations, the need for it is very apparent, but for some reason, its implementation often falls well short of goals and expectations. The obvious question here is: why? A recent Ponemon Institute study took a closer look at what exactly is giving enterprises such a headache when it comes to efficiently using encryption. The results were interesting, to say the least.

According to InformationAge, the research, which included more than 4,800 business and IT managers worldwide, unsurprisingly revealed that encryption use is on the rise, as companies try to stay ahead of growing privacy and compliance regulations, consumer concerns and increasingly sophisticated cyber attacks. In fact, 35 percent of organizations now have enterprise-wide encryption, compared to 29 percent last year. What was surprising, however, was the apparent shift in objective: “For the first time, the primary driver for deploying encryption in most organizations was to lessen the impact of data breaches, whereas in previous years the primary concern was protecting the organization’s brand or reputation.”

An alarming finding in the study is that only 20 percent of organizations polled think they are obligated to disclose data breaches, and of those, nearly 50 percent believe that because the data is encrypted they need not publicly acknowledge that an infiltration occurred. Whether encryption really removes that obligation depends on the applicable breach notification law and on whether the keys were exposed along with the data, so this is a risky assumption as well as an ethically debatable one. A bigger problem, perhaps, is that organizations struggle simply to find their sensitive data: more than 60 percent agree that discovering exactly where it resides is the greatest challenge to deploying an encryption policy. More than half also agreed that managing keys and certificates is a major issue, yet over 70 percent concede they don’t allocate enough dedicated staff or tools to handle this task adequately.

Could outsourcing these tasks be the quick fix? Potentially, but so could a centrally managed solution. For example, a centrally managed remote access solution could include public key infrastructure (PKI) enrollment functionality to connect a PKI to a remote access VPN and automate the process of managing keys and certificates. With that functionality, the central management system can act as a registration authority and handle the creation and administration of digital certificates in conjunction with certificate authorities. Central management also enables organizations to improve network access control. An initial screening process when employees first join a company allows IT administrators to ensure that an employee is not only trustworthy, but is given access only to the parts of the network their role requires. By ensuring proper authentication and access control, including verifying each user’s role and attributes, enterprises can keep cyber criminals from establishing encrypted connections into the network and prevent employees from exposing data.

However, today’s savvy cyber criminals are constantly looking for the path of least resistance into corporate networks and, unfortunately, they often find that weakness in basic human error. A resounding 27 percent of those surveyed indicated that the number one threat to the exposure of sensitive data is employee mistakes. Furthermore, “When employee mistakes are combined with accidental system or process malfunctions, concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than two-to-one.” As we’ve stressed multiple times in the past, and as this research clearly underscores, the importance of employee education cannot be emphasized enough. Of course, easy to use, one click solutions reduce the likelihood of employee error relating to VPN configurations, but parameter locks can take it a step further. Employees who are constantly on the go are usually not IT specialists, and when their VPN connection is disrupted for whatever reason, attempting to reconfigure it on their own and doing so incorrectly (for example, by turning off the firewall profile to get connected) is a major security problem. Parameter locks allow VPN, firewall and Internet connection configurations to be centrally managed by network administrators, who can lock them and distribute them to the appropriate users, so that the end user cannot weaken them by accident.

In conclusion, despite the ongoing struggles of organizations attempting to utilize encryption, there are some very attainable solutions. For example, newer algorithms such as elliptic curve cryptography, which offers security comparable to RSA with much shorter keys and less computation, can be combined with centrally managed key handling to make sensitive data safer and harder to attack than ever before. Properly implemented encryption is an essential part of any secure remote access strategy, and centrally managed solutions help previously strained organizations make encrypted access to corporate networks a reality.

It’s been a rough couple of years for Android devices. Sure, more than 900 million of them had been activated by 2013, but those impressive numbers do nothing to inhibit cyber criminals from exploiting the platform. We’ve discussed Android vulnerabilities at some length, and have demonstrated how a centrally managed VPN as part of a defense in depth secure remote access framework can mitigate many of these threats. However, the recent revelation from Ben Gurion University of malicious apps that can be used to bypass VPN configurations and push communications to a different network address changes the conversation entirely.

As Jeffrey Ingalsbe, director of the Center for Cyber Security and Intelligence Studies at the University of Detroit Mercy, told SC Magazine, that’s because this new vulnerability “attacks one of the [security] pillars we thought we could count on in the mobile world,” – VPNs. Ingalsbe is right – VPNs have been a cornerstone to secure remote access to corporate networks for a long time now, and the possibility that the peace of mind they ensure has been compromised is alarming. However, if we take a closer look at the vulnerability uncovered by Ben Gurion University, it becomes apparent that cyber criminals are attempting to use an old trick in a new disguise.

Man-in-the-middle (MitM) attacks, a form of which the researchers used to get around the VPN, are conceptually simple. They intercept communications between two endpoints (e.g. an Android device and a corporate network) before those communications have entered the safety of the VPN’s encrypted tunnel. In this case the malicious app changes where the device sends its traffic, so that data meant for the tunnel instead leaves the device in the clear to an address the attacker controls, where it can be recorded before being forwarded on to its real destination. Note that the VPN’s encryption itself is not broken; the traffic simply never enters the tunnel. Thankfully, VPNs are only one component of a defense in depth secure remote access strategy.

Employee education is perhaps the most important step an enterprise can take to prevent this kind of attack. For the new Android VPN vulnerability to be an issue in the first place, a malicious app must first be installed. IT security professionals must be vigilant about educating their employees on the dangers of insecure remote access, including the importance of verifying the legitimacy of any apps downloaded onto their devices. Bearing this in mind, it’s worth noting that VPNs themselves remain safe, as long as IT and employees work together to ensure all the necessary security precautions and protocols are adhered to.

As of right now, there have been no reported cases of the so-called Android VPN vulnerability being exploited by anyone other than the researchers at Ben Gurion University. However, emerging threats such as this always reinforce the necessity of having comprehensive remote access security. With 2014 still in its infancy, the time has never been better for enterprises to reevaluate their IT security infrastructure and work to patch any gaps that may exist.

Encryption has long been one of the most effective tools to prevent the exposure of sensitive data. As such, hackers are constantly working on new ways to crack encryption algorithms and exploit lapses in security. Information security professionals must be ever vigilant and constantly create innovative new methods to thwart attacks. Recently, one interesting new encryption security method has come to light that takes inspiration from another, quite different tactic, honeypots, to trap and confuse hackers.

The new approach, called “Honey Encryption”, could potentially offer more effective digital security by making fake data appear to be legitimate and valuable information to hackers. The project, developed by former RSA chief scientist Ari Juels and the University of Wisconsin’s Thomas Ristenpart, is currently a prototype and is aimed squarely at the brute-force cracking methods used by attackers. With a conventional scheme, decrypting with a wrong password produces recognizable gibberish, so an attacker can discard wrong guesses offline and keep going until one yields readable output. Under honey encryption, every wrong guess instead decrypts to a plausible-looking but bogus plaintext. For example, if a hacker is trying to break into an enterprise’s credit card database, each wrong password yields numbers that look like real credit card numbers, instead of the gibberish attackers would currently see. With thousands of attempts in a typical attack, hackers will be bombarded with fake information, making it enormously difficult to determine which candidate, if any, is real.
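The following added toy example (it is not Juels and Ristenpart’s prototype, and makes its own assumptions) shows the mechanism end to end. It takes 16-digit Luhn-valid card numbers as the message space, uses the 15-digit body as the seed so the encoder is a bijection, derives a one-time pad over that seed space from the password with PBKDF2, and contrasts it with a conventional XOR scheme where wrong passwords are instantly recognizable. The sample card number and password guesses are constructed.

```python
import hashlib
import secrets

# Added illustration of honey encryption (not the authors' prototype).
# Assumed message space: 16-digit card numbers whose last digit is a valid
# Luhn check digit. Every 15-digit body maps to exactly one valid number, so
# decrypting under ANY password yields a number that passes the Luhn check,
# and an offline brute-force attacker cannot tell right from wrong.

MOD = 10**15             # number of possible 15-digit bodies (= seed space)
KDF_ITERATIONS = 20_000  # kept low for the demo; use far more in practice


def luhn_check_digit(body: str) -> str:
    """Check digit for a digit string that will have one more digit appended."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(card: str) -> bool:
    return len(card) == 16 and card.isdigit() and luhn_check_digit(card[:15]) == card[15]


# Distribution-transforming encoder (DTE): message <-> seed, bijective.
def dte_encode(card: str) -> int:
    if not luhn_valid(card):
        raise ValueError("not a valid card number")
    return int(card[:15])


def dte_decode(seed: int) -> str:
    body = f"{seed % MOD:015d}"
    return body + luhn_check_digit(body)


def _pad(password: str, salt: bytes) -> int:
    """Password-derived one-time pad over the seed space Z_MOD."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return int.from_bytes(key, "big") % MOD   # bias negligible: 2^256 >> MOD


def honey_encrypt(card: str, password: str) -> tuple:
    salt = secrets.token_bytes(16)
    return salt, (dte_encode(card) + _pad(password, salt)) % MOD


def honey_decrypt(salt: bytes, ciphertext: int, password: str) -> str:
    # A wrong password gives a uniformly random seed -> a random but valid card.
    return dte_decode((ciphertext - _pad(password, salt)) % MOD)


# Conventional comparison: XOR the ASCII digits with a password-derived stream.
# A wrong password yields bytes that are almost never all digits, so the
# attacker can discard that guess immediately.
def conventional_encrypt(card: str, password: str) -> tuple:
    salt = secrets.token_bytes(16)
    stream = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)[:16]
    return salt, bytes(a ^ b for a, b in zip(card.encode(), stream))


def conventional_decrypt(salt: bytes, ciphertext: bytes, password: str) -> bytes:
    stream = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)[:16]
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def brute_force_survivors(salt, ciphertext, guesses, decrypt, accept) -> list:
    """Offline attacker's view: which password guesses give a plausible plaintext?"""
    return [g for g in guesses if accept(decrypt(salt, ciphertext, g))]


if __name__ == "__main__":
    card = dte_decode(453957876362148)          # constructed sample, Luhn-valid
    guesses = ["hunter2", "letmein", "correct horse", "password1"]
    salt, ct = honey_encrypt(card, "correct horse")
    # every guess survives: nothing distinguishes the real password
    print(brute_force_survivors(salt, ct, guesses, honey_decrypt, luhn_valid))
    salt2, ct2 = conventional_encrypt(card, "correct horse")
    # only the real password survives the plausibility filter
    print(brute_force_survivors(salt2, ct2, guesses, conventional_decrypt,
                                lambda p: p.isdigit() and luhn_valid(p.decode())))
```

Two caveats follow directly from the construction. The decoys are only as convincing as the encoder’s model of the real data: here every 15-digit body is equally likely, so an attacker who knows that real numbers start with a handful of issuer prefixes can still rank candidates. And a legitimate user who mistypes the password also gets a valid-looking wrong answer with no error, which is the user-error problem the scheme’s authors acknowledge.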

Currently, the prototype only protects encrypted data stored in password vaults, but the technology could have tremendous future implications for other forms of encrypted information. One day, a similar program could perhaps generate bogus but plausible network communications when a hacker is trying to break into a VPN’s encrypted tunnel. Or, a hacker could be faced with similar useless information as he tries to compromise a public Wi-Fi hotspot. It could even help to prevent several APT attack vectors used in high-profile attacks, such as the Adobe, Target and Neiman Marcus breaches that have led to the data of tens of millions of people being compromised.

Before it hits the mainstream, though, there are several challenges the technology will have to overcome, including distinguishing real attacks from user errors and making it work with other types of data. However, the underlying idea, using trickery to thwart hackers, is sound. As Juels said, “it’s a really underappreciated defense strategy.”

The technology may never completely stop attacks, but it will certainly make life more difficult for attackers. Combined with cutting-edge encryption methods, such as elliptic curve cryptography (ECC) and quantum cryptography, the future looks bright for keeping sensitive information protected.