It's Time for Retailers to Tell Point-of-Sale Hackers to 'Back Off'

It’s Groundhog Day all over again for retailers, following the U.S. Department of Homeland Security’s warning that they could, once again, be exploited by malicious actors.

Less than a year after hacks of Target and Neiman Marcus caught the attention of government investigators, and the whole country, Homeland Security is again weighing in on a hack targeting retailers.

This time, the culprit – “Backoff” – is able to establish command-and-control of retail point-of-sale systems, giving hackers free rein to steal customer credit card numbers and other personal information, like email addresses and phone numbers.

According to Homeland Security, malicious actors are able to compromise PoS systems through remote desktop applications – such as LogMeIn, Join.Me, and other similar solutions from Microsoft, Apple and Google – and then use brute force attacks to deploy the PoS malware.

Once they’ve seized control of the desktop, attackers can run roughshod however they please. Variations of Backoff attacks have been traced back as far as October of last year with up to 600 retailers thought to have been affected.

Download a VPN Client or Install a Remote Desktop?

In its release, Homeland Security issued a number of network security solutions retailers can deploy to mitigate the risk of a Backoff attack – some more effective than others.

The first suggestion is for retailers to configure their remote desktop client so that specific users, or IP addresses, are locked out after multiple failed login attempts. Generally, but not always, the brute force attacks used to deploy Backoff can be prevented this way.
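As an added illustration of that lockout suggestion (example code written for this page, not taken from the post or from Homeland Security’s release), the following Python enforces a failed-login lockout over a constructed remote-desktop authentication log. The log format, the thresholds, the window and the lockout period are all assumptions. It goes slightly beyond the single suggestion in the text: it locks per source IP as well as per user, so that attempts spread across many accounts from one address are also caught, and it refuses a correct password while the lock is in force.

```python
"""Failed-login lockout over remote-desktop authentication logs.

Added example; not code from the original post or from any product it
mentions.  Assumes a hypothetical log with one line per attempt:
<ISO timestamp> <source IP> <username> <OK|FAIL>.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values (assumption: tune them to the environment).
USER_THRESHOLD = 5            # failures per user before that account is locked
IP_THRESHOLD = 10             # failures per source IP, across all accounts
WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
LOCKOUT = timedelta(minutes=30)

# Constructed sample log lines, not captured from any real system.
SAMPLE_LOG = """\
2014-08-01T09:00:01 198.51.100.7 pos-admin FAIL
2014-08-01T09:00:03 198.51.100.7 pos-admin FAIL
2014-08-01T09:00:05 198.51.100.7 pos-admin FAIL
2014-08-01T09:00:07 198.51.100.7 pos-admin FAIL
2014-08-01T09:00:09 198.51.100.7 pos-admin FAIL
2014-08-01T09:00:11 198.51.100.7 pos-admin OK
2014-08-01T09:30:00 203.0.113.5 store01 FAIL
2014-08-01T09:30:01 203.0.113.5 store02 FAIL
2014-08-01T09:30:02 203.0.113.5 store03 FAIL
2014-08-01T09:30:03 203.0.113.5 store04 FAIL
2014-08-01T09:30:04 203.0.113.5 store05 FAIL
2014-08-01T09:30:05 203.0.113.5 store06 FAIL
2014-08-01T09:30:06 203.0.113.5 store07 FAIL
2014-08-01T09:30:07 203.0.113.5 store08 FAIL
2014-08-01T09:30:08 203.0.113.5 store09 FAIL
2014-08-01T09:30:09 203.0.113.5 store10 FAIL
2014-08-01T09:30:10 203.0.113.5 store11 FAIL
2014-08-01T10:15:00 192.0.2.9 manager FAIL
2014-08-01T10:40:00 192.0.2.9 manager FAIL
"""


def evaluate(log_text):
    """Replay the log and return (lockouts, denied).

    lockouts: list of (timestamp, key) where key is ("user", name) or ("ip", addr)
    denied:   list of (timestamp, ip, user) for attempts refused while a lock held
    """
    failures = defaultdict(deque)   # key -> timestamps of recent failures
    locked_until = {}               # key -> datetime at which the lock expires
    lockouts, denied = [], []
    for line in log_text.splitlines():
        ts_s, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_s)
        keys = (("user", user), ("ip", ip))
        # A locked user or IP is refused regardless of the credential outcome.
        if any(locked_until.get(k, ts) > ts for k in keys):
            denied.append((ts, ip, user))
            continue
        if result == "OK":
            failures[("user", user)].clear()  # a real login resets the counter
            continue
        for key, threshold in zip(keys, (USER_THRESHOLD, IP_THRESHOLD)):
            recent = failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:  # drop stale failures
                recent.popleft()
            if len(recent) >= threshold:
                locked_until[key] = ts + LOCKOUT
                lockouts.append((ts, key))
                recent.clear()
    return lockouts, denied


if __name__ == "__main__":
    locks, refused = evaluate(SAMPLE_LOG)
    for when, key in locks:
        print(f"{when} locked {key[0]} {key[1]}")
    for when, ip, user in refused:
        print(f"{when} refused {user} from {ip} (lock in force)")
```

Two details are worth noting. The `pos-admin` line with `OK` is still refused because the account was locked two seconds earlier, which is the behaviour that makes a lockout useful against a guessing attack that eventually hits the right password. And the `manager` failures, fifteen minutes apart, never trigger anything because the window has expired; without that pruning, a handful of ordinary typos over a week would lock out legitimate staff. A username-only lockout also lets anyone who knows a valid username lock that account, which is why the finite lockout period and the per-IP threshold belong together.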

The problem is that denial of access is only a stopgap. We’ve written it before and we’ll say it again – LogMeIn is not a viable Virtual Private Network (VPN) alternative. Remote desktop solutions create an environment in which user convenience trumps network security, and this convenience is what has made retailers so susceptible to remote desktop attacks.

Although downloading a VPN client creates a more secure network environment than installing a remote desktop service, while still providing user convenience, doing so doesn’t by itself mitigate the threat of Backoff or any other retail PoS attack. In fact, there is never one technology that neutralizes all threats, all the time.

Where we do agree with Homeland Security is in its support for two-factor authentication. As its release says, “even if a virtual private network is used, it is important that [two-factor authentication] is implemented to help mitigate keylogger or credential dumping attacks.” Put simply, two-factor authentication adds another hurdle and makes it harder for hackers to get what they want. This is the same reason we also support the department’s suggestion to update antivirus systems. It’s all about building redundancy into a network security infrastructure and instituting defense in-depth.

Together, the best security technologies such as up-to-date antivirus software, restrictive firewalls and secure VPNs, and employees who are savvy with network security create redundancy in a network security infrastructure and keep hacks like Backoff on the outside looking in.


Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

- The full VPN landscape, including hybrid IPsec/SSL VPN solutions
- The evolution of remote access VPN
- How to provide users with secure remote access
- How to simplify remote access VPN and reduce costs

Download Now


In September 1862, the 27th Indiana Infantry Regiment, situated near Frederick, Maryland, made a discovery that could have altered the Civil War.

It all began without much fanfare. Two soldiers found three cigars, held together with an unassuming piece of paper. There was nothing extraordinary about it, until the soldiers realized the document was actually a Confederate battle plan. The soldiers then acted quickly, passing the battle plan up the chain of command, all the way to Union leader General George B. McClellan, who, historians note, could have used that information to “destroy the opposing army one piece at a time.”

Yet, McClellan took 18 hours to act, and by the time he started moving against the Confederate forces, General Robert E. Lee had enough time to mobilize his forces and hold off the assault.

The Power of Information

During wartime, information can create just as much of an advantage for one side as the size of an army or the weapons they hold. That is, as long as this information is accurate, passed along to the right people and then acted upon quickly. In McClellan’s case, everything fell into place, except for the “acted upon” step.

The situation is similar for IT security professionals today, in their own war against threats to cybersecurity. They constantly gather intelligence about threats to sensitive corporate information and they understand how remote access vulnerabilities could be exploited by attackers.

Where they fall short – or rather, where their “commanding officers” (executive teams) fall short – is with how that information is passed along and acted upon. Nearly one-third of IT security teams never speak with their company’s executives about cybersecurity, according to a new Websense and Ponemon Institute report. And, what’s worse, the few who do keep executives in the loop only update them once per year.

So, how is it that these “communication roadblocks,” as the report calls them, seem so simple to correct, yet so little is done to correct them?

Websense’s Jeff Debrosse explained to SC Magazine that executives simply may not understand the nuances of network security, which could explain why they don’t always give IT security teams a seat at the executive table. Yet, Debrosse encouraged IT pros to, “really insist and show the ‘why’ of having security as part of executive team meetings and discussions.”

That way, both parties will be able to speak the same language. By breaking down these communication barriers, IT security professionals are more likely to get the support they need from the powers-that-be.

Is It Time for an Infrastructure Reconstruction?

Once they have addressed communication breakdowns, IT professionals may want to analyze the technology that protects their networks. Many are already taking this step, and they’re not liking what they see. About 30 percent of security professionals told Websense that they would support a complete overhaul of their network security infrastructure. While this seems like an overwhelming task, a network security overhaul isn’t as unorthodox or burdensome as it may seem.

At the heart of any network security infrastructure should be a VPN with central management capabilities. This solution uses encryption to provide employees with a secure tunnel through which they can gain secure, remote access to the corporate network. It also provides network administrators with the ability to revoke network access whenever a cyberattack is detected.

Once a VPN is installed as part of a redundant, multi-layered network security infrastructure, it’s up to the IT team to consistently communicate with the executive team. This way, when an advanced persistent threat (APT) or a breach traced back to a privileged user is detected, for example, the executive team will have more context and a better understanding of the threat landscape. This should empower them to quickly take whatever action is required.

If there is one lesson that can translate from General McClellan to today’s CEOs, it’s that having the right amount of information is only the first step on the battlefield – it’s knowing what to do with that information that will determine how history will judge you as a leader.


It’s a tough time to be a BlackBerry user.

Despite having a committed fan in the Oval Office and some new features to brag about, including a digital assistant, BlackBerry has seen Android, Apple and Microsoft phones completely erode its market share. Its popularity has actually receded so far that BlackBerry is now less popular than nameless “other” devices in smartphone market share surveys. As bleak as the news seems, though, a resurgence of BlackBerry is possible, at least in some circles.

Thanks to what some say are restrictive Bring-Your-Own-Device (BYOD) and remote access policies, some mobile devices users in the corporate world are rebelling against BYOD – specifically, they don’t want their personal mobile devices to be controlled by their employer’s IT administrators. They say that mobile device management products and oversight mechanisms quickly deplete their battery life, disrupt their desired workflow, and, worst of all, infringe on their privacy. This is a problem they never had with their corporate BlackBerrys, which, unlike today’s market leaders, were better suited for use in business settings.

CIO Magazine collected this information from an anonymous, frustrated IT executive at a New York City investment firm, who also shared that 60 percent of the company’s employees would rather go back to using the two separate devices, including a BlackBerry solely for business use, instead of using one phone to store both their personal and professional information. He described in detail the “nightmare” environment around the company’s BYOD woes that was caused by the company’s invasive BYOD policies.

Although the issues plaguing this investment firm could translate over to other companies, it’s not clear whether there really is a widespread nostalgia for BlackBerrys to again be the cornerstone device mobile employees use for remote access to corporate networks. What is clear is that there’s certainly a rocky road ahead for BYOD, especially considering formal BYOD policies are still not as universal as one might think.

Bring-Your-Own-Dissatisfaction?

Despite all the hype, enterprises are only starting their journey to embrace BYOD, as about half of large enterprise firms still don’t allow employees to use their personal devices in the workplace, according to CompTIA’s Third Annual Trends in Enterprise Mobility study.

The benefits of embracing BYOD are clear. According to the study’s findings, with increasing mobility, employees are more connected, productive and engaged with customers.

The study goes on to explore the reasons for corporate skepticism around BYOD, with respondents citing the logistics around device integration as the biggest hurdle, and specifically the added complexity involved in managing employee behavior and a range of different mobile devices. As CompTIA’s Seth Robinson said, “there are enterprise aspects such as encryption, proper security settings and enterprise apps that require further and ongoing [employee] education.” So, it’s not really an issue of resources for large enterprises, as it is for small and midsize businesses.

What this all means is that enterprise BYOD is still very much in its infancy, and that there’s still time for organizations to secure their network security infrastructure before possibly exposing themselves to all the vulnerabilities that could be created when employees bring their personal mobile devices into the workplace. Specifically, as the CompTIA study mentions, the most common mobility needs for U.S. companies are improved technology and central management of security apparatuses.

A good first step for companies aiming to address these problems is to implement remote access VPNs that include central management capabilities. By using such a solution, an enterprise can provide employees access to the corporate network on any device while guaranteeing that sensitive information remains secure. Network administrators also will be able to ensure that all endpoints connected to the corporate network are policy compliant without needing to adopt what employees may perceive as invasive MDM technologies. And, if they aren’t, or if a security breach does occur, central management functionality allows admins to quickly revoke network access or deprovision problem devices.

Enterprises may still experience some BYOD pushback from employees – and some may even clamor for their BlackBerrys again – but ultimately enterprises will find the business benefits and employee happiness associated with BYOD too compelling to ignore.


In the 1930s, when Louis A. Simon designed the famous U.S. Bullion Depository at Fort Knox, he could only have hoped that the building would be so secure, so impenetrable, that generations of Americans would come to regard “Fort Knox” as the highest compliment that could be given to a structure whose purpose is to defend whatever is inside.

In the case of Fort Knox, what’s inside are the U.S. gold reserve vaults. In the case of Broward College in Florida, what’s “inside” is the personal information of more than 68,000 students, 2,000 staff and faculty, and thousands more alumni and other former community members. And it really is a modern-day Fort Knox when it comes to its approach to network security.

Playing the role of Louis A. Simon for Broward is Matt Santill. On paper, he’s Broward’s chief information security officer. Informally, he’s the school’s “Mr. No.” Santill is the reason that students, staff and faculty are no longer able to connect their personal devices to the school’s network without registering them first, he’s the reason peer-to-peer connections aren’t allowed, and he’s the reason that staff cannot use personal cloud-based file-sharing services.

Santill acknowledges to Network World that this approach – seen more in enterprises – is a rarity on college campuses. Yet, that doesn’t mean it’s unfair or overly broad. Santill’s approach to network security has kept Broward’s name off the front page and protected its students and staff – what seems to be a rarity these days.

Broward College: An Exception to the Recent Rule

It was a spring to forget for three prominent institutions of higher education, all of which were victimized by cyber-attacks:

  • In February, the University of Maryland announced it had uncovered a broad cyber-attack dating back 16 years and affecting more than 300,000 members of its community.
  • That’s about the same number of victims of a North Dakota University hack weeks earlier, affecting students, alumni and applicants, as well as staff.
  • A breach of Indiana University “only” affected 146,000 students, although that information was exposed for nearly an entire year.

Why have so many colleges and universities been targeted? According to Paul Stephens, a consumer privacy rights advocate, there are structural vulnerabilities unique to institutions of higher learning.

“Universities tend to have a more open information technology architecture,” Stephens told the Capital News Service last spring. “You have various parties operating within the system — you’ve got students, you have teachers, you have faculty, you have administration staff, and so on.”

And if the scope of these attacks isn’t convincing enough, consider the costs colleges and universities face as a result of a breach – internal investigation expenses, victim restitution (i.e. free identity protection and credit services), notification and call center expenses to respond to inquiries, and maybe even fees for violating PCI and HIPAA compliance. The list goes on.

Building a Campus-Based Fort Knox

Remember the June network breach that affected some 200,000 members of the Butler University community? At the time, we explained how a “think like an enterprise” approach to network security might have prevented the breach. Does that sound like the network security strategy Santill has put on Broward’s syllabus?

Santill certainly has the right approach, but has he considered students and staff who live and work off campus? Anyone who accesses the college’s network remotely could represent a vulnerability. That’s why beyond thinking about internal access, educational institutions should think like enterprises and implement solutions that secure their remote access. The first step to shoring up remote access is for institutions to consider VPNs with central management functionality, allowing administrators to automatically ensure that all devices connecting to a network are in compliance at all times, centrally roll out updates to VPN clients and certificates, and revoke network access or even deprovision a user as soon as an attack is detected.

As strong as the real Fort Knox’s immediate defenses are, you can be sure that the roadways leading up to the facility are just as heavily fortified. For any organization today, those “roadways” are the tunnels users connect through to access the network remotely. And it’s critical they remain secure.

If a group is really only as strong as its “weakest link,” then why are so many enterprises, which are otherwise concerned about their network security, so quick to add new “links”? Every new user that gains privileged network access increases the risk that one link in the chain could break, thereby jeopardizing the entire organization.

Two of the highest-profile companies in the world – eBay and Target – learned this lesson the hard way, after attackers were able to gain remote access to their networks by compromising just a handful of privileged user credentials. So, while the attacks were ultimately carried out by malevolent actors, they might have never occurred if not for unknowing accomplices on the inside.

“Privileged” users are called that for a reason. In some cases, they have unfettered access to system and network resources, as well as the protected information hidden behind these systems. There may be fewer controls over them. They can also remotely access the network, from any device, further escalating risk. They can be database administrators, data center operators, application developers or network engineers. The list goes on.

In some cases, after the dust settles from a breach involving a privileged user, these insiders are found to have had ill intent. Other times, something as seemingly harmless as an administrator misplacing a password, accidentally clicking on a malicious link or failing to log out of a system can lead to a devastating leak.

So, how widespread is the problem? It’s not enough to point to the eBay and Target breaches alone and conclude that the danger posed by privileged users is on the rise. What’s clear, though, is that companies aren’t doing nearly enough to insulate themselves from privileged user threats. Only 40 percent of IT budgets include funding to fight insider threats, making the looming threat against businesses even more clear.

Strength in Numbers?

As organizations face granting rights to more privileged users, Network World has identified three steps they can take to protect themselves from widespread privileged user abuse:

  1. Reduce privileged accounts, if possible, and manage those that are given out
  2. Train employees as to best practices for network security
  3. Monitor privileged user activity

If organizations follow these steps, they will build a self-sustaining culture of network security.

There’s another step though – developing a defense in-depth network security strategy. By building in redundancy and resilience to their security infrastructure, organizations protect themselves in the worst-case event that one defense mechanism fails. Anchoring a defense in-depth strategy should be a centrally managed VPN solution that uses encryption to protect data sent and received by remote users.

The central management aspect of VPNs is also key to protecting against insider threats because it makes it easier to deprovision users. Because of the Bring-Your-Own-Device (BYOD) trend, there have never been more devices connected to enterprise networks. Each new user escalates an enterprise’s vulnerability, meaning there’s really “unlimited risk potential” for enterprises. Any time an employee is dismissed, or a breach can be traced back to them, their device should be deprovisioned as soon as possible.
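To make the third step above (monitoring privileged user activity) and the deprovisioning point concrete, here is an added Python example, written for this page rather than taken from Network World or from any VPN product. It replays a constructed VPN and host activity log against three lists that central management would normally hold: which accounts are privileged, which accounts have been deprovisioned and when, and which devices are registered to which user. All account names, device IDs, business-hours bounds and the log format are assumptions.

```python
"""Privileged-user and deprovisioning review over a VPN activity log.

Added example; not code from the original post or from any product it
mentions.  Assumes a hypothetical log with one line per event:
<ISO timestamp> <username> <device ID> <action>.
"""
from datetime import datetime, time

# Hypothetical directory data (assumptions) that central management would hold.
PRIVILEGED = {"dba-jones", "neteng-lee"}
DEPROVISIONED = {"contractor-ng": datetime(2014, 9, 1, 17, 0)}  # account -> cut-off
REGISTERED_DEVICES = {
    "dba-jones": {"LAPTOP-0042"},
    "neteng-lee": {"LAPTOP-0107"},
    "contractor-ng": {"LAPTOP-0211"},
    "clerk-ray": {"LAPTOP-0301"},
}
PRIVILEGED_ACTIONS = {"sudo", "db-export"}   # actions only privileged roles should take
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed window for admin work

# Constructed sample events, not captured from any real system.
SAMPLE_EVENTS = """\
2014-09-02T08:55:00 dba-jones LAPTOP-0042 vpn-connect
2014-09-02T09:10:00 clerk-ray LAPTOP-0301 vpn-connect
2014-09-02T09:12:00 clerk-ray LAPTOP-0301 db-export
2014-09-02T12:20:00 contractor-ng LAPTOP-0211 vpn-connect
2014-09-02T23:45:00 neteng-lee PHONE-7f3a vpn-connect
2014-09-02T23:50:00 neteng-lee PHONE-7f3a sudo
"""


def review(events_text):
    """Return a list of (timestamp, user, reason) findings for the log."""
    findings = []
    start, end = BUSINESS_HOURS
    for line in events_text.splitlines():
        ts_s, user, device, action = line.split()
        ts = datetime.fromisoformat(ts_s)
        # 1. An account that should have been removed is still authenticating.
        cutoff = DEPROVISIONED.get(user)
        if cutoff is not None and ts >= cutoff:
            findings.append((ts, user, "deprovisioned account still active"))
        # 2. A non-privileged account performing a privileged action.
        if action in PRIVILEGED_ACTIONS and user not in PRIVILEGED:
            findings.append((ts, user, f"non-privileged account ran {action}"))
        # 3. Privileged accounts get tighter scrutiny: device and time of day.
        if user in PRIVILEGED:
            if device not in REGISTERED_DEVICES.get(user, set()):
                findings.append((ts, user, f"unregistered device {device}"))
            if not (start <= ts.time() <= end):
                findings.append((ts, user, "activity outside business hours"))
    return findings


def accounts_to_revoke(findings):
    """Accounts whose access an administrator should revoke pending review."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    results = review(SAMPLE_EVENTS)
    for when, who, why in results:
        print(f"{when} {who}: {why}")
    print("revoke pending review:", accounts_to_revoke(results))
```

The deprovisioning check is the one that turns a stale account list into an actionable alert: `contractor-ng` was cut off on 1 September, so any connection on 2 September is a finding even though the device is the one registered to that account. The two late-night `neteng-lee` events each produce two findings (unknown device and out-of-hours), which is deliberate; the reasons are kept separate so that an analyst can see which rule fired rather than a single opaque score.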

As the chain analogy showed earlier, there’s strength in numbers, but only if all users pull in the same direction. Or, as Network World explains this dichotomy: “With greater access to a company’s computer assets comes greater security risk. The privileged user can be a company’s security enforcer but also its greatest security risk.”