As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used.

This arrangement makes sense: It saves enterprises time and money.

Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities.

In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician.

About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only remote access users were affected.

Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server data through a remote access point.

Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software.

It’s clear that these attacks and vulnerabilities are all part of a trend – and they speak to the importance of businesses eliminating remote access security gaps.

Who is Responsible for Securing Remote Access?

There’s no doubt that remote access is an important network feature. IT support speed and troubleshooting capability would be greatly hampered without remote access. It is also needed for mobile workers to establish connections to their corporate networks via a VPN.

VPNs are secure by design, and when users implement, maintain and utilize them properly, the technology works perfectly. However, security lapses may occur in cases where a user is unaware that secure remote access has been provided (i.e., it’s more or less a hidden feature) or shows no interest in it.

In the Fritz!Box case, the critical issue of increasing digitization in private environments could be seen very clearly. Despite the problem being reported by numerous media outlets and the vendor quickly releasing a firmware update, tens of thousands of routers were still affected, many of them weeks later.

Unfortunately for IT administrators responsible for network security, not every Internet user reads computer magazines and stays up-to-date with information from various news services. Not every router owner has the tech savvy or feels comfortable updating device firmware. They may do the bare minimum – understand the purpose of a VPN and comply with the necessary security policies – but what if they don’t? Or what if they aren’t even aware of security measures?

The value of VPN solutions is that they provide a layer of security protection for when users unknowingly create security vulnerabilities. This means IT administrators are responsible for improving the security of remote access by using up-to-date, approved technology and implementing automated update procedures that fix reported bugs quickly and without user intervention.


Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

- The full VPN landscape, including hybrid IPsec/SSL VPN solutions
- The evolution of remote access VPN
- How to provide users with secure remote access
- How to simplify remote access VPN and reduce costs

Download Now

For the last 30 years, a common line of code found in a piece of software has quietly been a dormant security vulnerability – but now, news of the exploit has gone public, sending the network security community into reaction mode.

The Shellshock vulnerability can be traced back to Bash, a command shell that is commonly used across the Internet on Linux and UNIX platforms. Bash translates user commands into language a computer can understand and then act upon. In the case of Shellshock, hackers could exploit Bash by issuing arbitrary software commands, potentially allowing them to control systems.

In the immediate aftermath of Shellshock’s discovery, security experts claimed the exploit had surpassed last spring’s Heartbleed as the worst software vulnerability of all time. One reason is that Shellshock’s reach could be even greater than the Heartbleed vulnerability, which only affected software using the OpenSSL encryption protocol. Shellshock’s reach could even extend to Internet of Things devices, since their software is built on Bash script.

For the last few weeks, website administrators have been making the necessary updates to protect users. Within a week of the vulnerability going public, Amazon, Google and Apple responded with patches and internal server updates.

Even so, it will take some time for the fallout from Shellshock to subside.

The Year of the Cyberattack Continues

This year has not been kind to the network security community. Although the Target breach occurred in 2013, the fallout has continued well into this year. Then came attacks at Neiman Marcus, eBay and, just last month, Home Depot. And, of course, Heartbleed and Shellshock.

Even in the last few weeks, news broke that more than 200 stores in the Jimmy John’s sandwich chain were breached by a remote hacker who stole customer credit and debit card information. And just like in the Target breach, where hackers infiltrated the network through an HVAC contractor, a third party of Jimmy John’s was also to blame – attackers gained network access and login credentials from a point-of-sale vendor.

The Jimmy John’s attack provides yet another example of why network security isn’t as straightforward as guarding against attacks just on the immediate network. Every network endpoint is a potential attack vector, whether it’s part of the direct network or operated by a third party who only accesses the network occasionally. This is why it’s so critical for network administrators to implement secure VPNs as part of a comprehensive, layered, defense-in-depth approach to network security.

Now, there have been reports that some VPNs could be vulnerable to attacks launched through the Shellshock exploit, but it’s important to note that these remote attacks only apply to servers rooted in OpenVPN. VPNs using the proven IPsec standard, on the other hand, ensure privacy, shield remote users from a range of malicious attacks, and serve as another line of defense.

And in the fight against Shellshock, users need every defense mechanism they can get their hands on.



The crack of the starting gun has very different meanings for runners, depending on the distance of their race. To marathoners, it means to start conserving their energy as they take the first step in their 26.2-mile journey. To sprinters, the starting gun is a signal to channel all of their physical and mental ability toward completing one goal that is only seconds and a handful of meters away.

Perhaps that’s why we always hear “it’s a marathon, not a sprint” – most goals are far away, and they require focus to be met. But maybe this is unfair to sprinters. After all, if the average person were asked to name a runner, he or she would be more likely to say Usain Bolt – the fastest man in the world and, by the way, a short-distance runner – than the most recent winners of the Boston Marathon.

The world of IT is going through the same transition, away from the traditional support of “marathoning” to meet goals. Technology has evolved to the point where it’s often pure speed – not slow-moving, deliberate execution – that IT departments need to thrive. David Wright, CIO of McGraw-Hill Education, has seen the transition first-hand. He said that the “innovation tempo” has increased for his company as the market has changed.

Although Wright’s comments are generally about IT as it relates to product development and other customer-facing activities, the takeaways extend into other realms of IT, including network security.

Learning to Jump Hurdles

For CIOs, network security isn’t so much about the speed vs. distance analogy. A CIO really needs the best traits of both – the endurance of a marathoner to steer a consistent network security vision and always anticipate the next threat, as well as the speed and adaptability of a sprinter to consistently fend off new attacks.

A better comparison between network security and running is probably any event that involves hurdles. In a marathon or a sprint, runners go into the event with a plan. Yes, there are other competitors out on the track, but in many ways, it’s more of a race against the clock. But in hurdling events, there’s a much greater likelihood of a runner getting tripped up – clipping a foot on a hurdle or stumbling over a fallen competitor, for example. The unexpected should always be expected.

In much the same way, today’s cyber attackers move from threat to threat quickly, putting up hurdles everywhere and always keeping CIOs on their toes. If one attack vector doesn’t work, attackers will persist and just move on to the next one. They’ll somehow find holes in the network security infrastructure, just as they did with a vulnerable HVAC provider in the Target breach.

So, what can CIOs do?

Just as attackers constantly leave hurdles in the paths of IT departments, CIOs can build hurdles of their own to ward off attackers. A defense-in-depth approach is built on redundancy. It uses different “hurdles” – including VPNs with central management functionality and firewalls – to make it harder for attackers to anticipate what might be around the next bend in the track. Even if an attacker is able to clear every network security hurdle, defense in depth ensures that a network administrator is able to isolate an attack before its effects are able to spread.

Defense in depth is just the strategy network administrators need to win the race against cyber attackers.

To learn more about the rapidly changing network security space, including mobile security and BYOD best practices, please join us at Interop New York, October 1-2, where we’ll be presenting at Booth #613.


Industry 4.0: Flexible Production Needs Secure Networking

As we sit on the edge of the fourth industrial revolution, businesses are preparing for sweeping technological changes that will impact their production. Governments around the world, particularly Germany, through its Industry 4.0 initiative, have tried to help businesses anticipate these changes.

Simply put, Industry 4.0 will help enterprises adjust their production processes very quickly. The idea is to move away from the conventional approach of production facilities serving only one specific purpose. Greater flexibility will be achieved through modularity and extremely high connectivity, based on IP standards for all components. This is a first for the industrial sector because, up to this point, industry-specific protocols, media and controls have been utilized. With Industry 4.0, IP addresses, routers, switches and Ethernet will find their way onto the factory floor and into assembly shops.

Along with cost considerations, the reason Industry 4.0 focuses on IP technology is the public’s experience with it. Hardware, software, and management approaches are constantly being enhanced by IP technology, which has been available for years. IT security technology offers compliance, standards and frameworks, as well as a variety of products for enterprises to choose from.

Up until now, only a few enterprises have put Industry 4.0 initiatives in place in their organizations. These pioneers include financially strong enterprises in highly competitive markets, such as those in the automotive industry. Hopefully, the implementation of Industry 4.0 initiatives will be based on the wealth of experience from the traditional IT industry, especially where security is concerned.

When IT departments are not consulted, gaps in network security could appear. Already, there are some examples of remote access points, installed at client sites by third parties to simplify device maintenance, which were not sufficiently secured and therefore were left wide open to attackers. Another threat is search engines developed to automatically find unsecured remote access points or Internet interfaces with vulnerabilities.

To protect against these vulnerabilities, network administrators can leverage a VPN to easily secure remote access, especially if used with TCP/IP. VPN technology has been available for many years. It can easily be installed, controlled and managed; however, when vigilance and robust IT policies are lacking, there are several ways for vulnerabilities to manifest. Implementation often fails because a third-party supplier, not the customer, is responsible for installing the remote access system and information is not adequately communicated. Or the customer’s employees may not recognize a security threat. Or perhaps the documentation is not executed as well as it should be and remote access points are simply forgotten.

Every technology and technological process goes through a hype phase in which promises are made that are tough to keep. Presently, Industry 4.0 may be in this phase. However, the good news is, awareness about Industry 4.0 is being created by the hype. This has helped pave the way for security to be baked in as a fixed and seamlessly integrated component during the planning and introductory phases of Industry 4.0. Governments and enterprises around the globe should pay close attention to the progress of Germany’s Industry 4.0 and once they see its benefits unfold, follow its lead.

 



Home Depot fixes America’s household problems. If you’re planning a do-it-yourself project, whether it’s repairing a leaky faucet or installing new linoleum flooring, you’re probably going to visit a Home Depot to buy your materials or get some advice.

America’s largest home improvement retailer seems to have a repair for everything, but after news that its payment systems had been breached, Home Depot has a lot of work ahead to get its own house in order. It faces a long road as it repairs its reputation, its relationships with customers and its network security.

In what the New York Times speculated could be the “largest known breach of a retail company’s computer network,” the breach affected more than 2,000 Home Depot locations in the U.S. and Canada between April and Labor Day, exposing the credit card information of an estimated 60 million customers.

These are unprecedented numbers, topping the infamous Target breach of last holiday season. By comparison, that attack did not last as long (three weeks), affected fewer stores (about 1,500) and resulted in fewer victims (40 million).

The information security press has been quick to criticize Home Depot for its handling of the advanced persistent threat (APT) attack, particularly for its slow response. Eric W. Cowperthwaite, vice president of Core Security, told the Times, “This is not how you handle a significant security breach, nor will it provide any sort of confidence that Home Depot can solve the problem going forward.”

Lessons from the Target Breach

In KrebsOnSecurity’s original report of a possible breach earlier this month, Brian Krebs reported that Home Depot registers had been infected by “BlackPOS” – the same strain of malware found on Target point-of-sale systems last winter.

And the parallels don’t stop there.

After both network security breaches, customer data surfaced on Rescator, a black market website that peddles stolen credit card information. And what’s more, both Target and Home Depot were attacked when their sales usually spike – Target during the holiday season and Home Depot during the spring, which this year produced a record number of transactions.

Both retailers have also taken similar steps to address the attacks publicly. Just as Target did, Home Depot is offering “free identity protection services, including credit monitoring” to any customer who shopped at the store from April 2014 onward.

What’s still unclear is how hackers were able to breach Home Depot’s computer network. In the case of Target, attackers gained remote access to its network by finding a vulnerable point-of-entry in the form of one of the retailer’s HVAC contractors. If that’s also the case here, as it’s been with other prominent companies that have been attacked, it’s yet another reminder of the need for more secure remote access.

Any time a mobile employee or endpoint accesses a corporate network remotely, instead of working within the safer confines of the immediate network, there’s a greater chance that an attacker could exploit a vulnerability if the proper network security measures aren’t in place. In order for a network administrator to map out a complete view of the network, including remote users, tools like centrally managed VPNs are critical. This way, if a breach is detected, an administrator can take immediate steps to halt the attack, from deprovisioning users to revoking network access.

As Home Depot rebuilds its network security infrastructure, this is just one of many steps it will need to take to prevent another attack.

