It’s no longer enough to use “123456” for all your passwords. As attacks against major companies have shown, there are just too many threats to network security for consumers to feel safe with a “set it and forget about it” password management strategy. That’s where two-factor authentication – combining something you know with something you have – will protect you.

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh

In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time.

On the contrary, and especially during the past year, quite a few companies have admitted to data breaches in which they lost control of large amounts of data. Big retail chains Home Depot and Target suffered breaches that exposed data from more than 100 million payment cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach.

Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts.

Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that are sufficiently strong.

Users can avoid this problem and improve their data security by installing a password safe such as 1Password or KeePass on their devices and protecting it with one genuinely strong master password. The safe holds the passwords for all accounts and fills them in automatically during login.

Two-factor authentication is a complementary safeguard. In addition to a password, the user must present a second component for verification, so the login combines something the user knows (the password) with something the user has (a mobile phone or a hardware token).

Two-factor authentication has long been a standard for safety-critical applications. For example, it has been possible for years to secure VPN remote access using a second authentication factor. In the past, the “something you have” component of two-factor authentication consisted of a small token displaying a number necessary for login. The user had to enter this one-time password (OTP) in addition to the password. Now, other solutions are available that do not require the use of tokens. Select VPN solutions with Secure Enterprise Management (SEM) capabilities, for example, allow for use of OTP with mobile phones or smartphones.

With the exception of online banking providers, websites have rarely offered two-factor authentication. However, due to the increasing frequency of data theft, more sites are offering it. For example, Microsoft (OneDrive, Word.com, etc.) and Facebook now offer two-factor authentication, and Dropbox can also be secured with a second login factor. This added layer of security helps reduce the risk of data theft even if a user could not resist picking a pet’s name as a password, or picked the most popular password worldwide: “123456.”


Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs

Download Now

 

As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used.

This arrangement makes sense: It saves enterprises time and money.

Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities.

In April 2013, for example, a highly critical security hole in the remote maintenance module of Vaillant Group ecoPower 1.0 heating systems made it possible to damage the units over the network. The vendor advised customers to simply pull the network plug and wait for a visit from a service technician.

About one year later, AVM, the maker of the Fritz!Box router, also had to deal with a security vulnerability. For a time, it was possible to gain remote access to the routers and, through their telephony functionality, to place calls that in some cases were extremely expensive. Only routers on which remote access had been enabled were affected.

Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, attackers could take control of all the data on a NAS server through an exposed remote access interface.

Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software.

It’s clear that these attacks and vulnerabilities are all part of a trend – and they speak to the importance of businesses eliminating remote access security gaps.

Who is Responsible for Securing Remote Access?

There’s no doubt that remote access is an important network feature. IT support speed and troubleshooting capability would be greatly hampered without remote access. It is also needed for mobile workers to establish connections to their corporate networks via a VPN.

VPNs are secure by design; when they are implemented, maintained and used properly, the technology does exactly what it should. Security lapses occur when remote access is provided without the user being aware of it (it is more or less a hidden feature) or when the user takes no interest in it.

The Fritz!Box case shows very clearly what increasing digitization in home environments means for security. Although the problem was reported by numerous media outlets and the vendor quickly released a firmware update, tens of thousands of routers remained vulnerable, many of them for weeks.

Unfortunately for IT administrators responsible for network security, not every Internet user reads computer magazines and stays up-to-date with information from various news services. Not every router owner has the tech savvy or feels comfortable updating device firmware. They may do the bare minimum – understand the purpose of a VPN and comply with the necessary security policies – but what if they don’t? Or what if they aren’t even aware of security measures?

The value of VPN solutions is that they add a layer of protection for the cases in which users unknowingly create vulnerabilities. It also means IT administrators are responsible for keeping remote access secure: using up-to-date, approved technology and implementing automated update procedures that fix reported bugs quickly and without user intervention.



For about 25 years, a bug in a piece of software found on a large share of Internet-connected systems has quietly sat dormant. Now that news of it has gone public, the network security community is in reaction mode.

The Shellshock vulnerability is in Bash, the command shell commonly used on Linux and UNIX systems across the Internet. Bash turns user commands into actions the operating system carries out. Vulnerable versions of Bash parsed the beginning of certain environment variables as a function definition and then executed any commands that followed it. An attacker who can get a crafted string into the environment of a Bash process, for example through an HTTP header handed to a CGI script on a web server, can therefore run arbitrary commands and potentially take control of the system.
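An added example in Python, not code from the original post, showing the mechanism and a detection check: the CGI-style mapping of HTTP headers to environment variables (the path through which attacker input reached Bash on web servers), a check for the function-definition prefix that vulnerable Bash versions acted on, and a scanner that runs that check over Apache combined-format access log lines. The log lines and header values are constructed for this example; the regular expression is deliberately looser than Bash’s own exact `() {` prefix test so that whitespace variants used by probes are flagged too.

```python
import re

# Vulnerable Bash (CVE-2014-6271) treated any environment variable whose value
# started with "() {" as an exported function definition and went on to execute
# whatever followed the closing brace. The pattern below is looser than Bash's
# exact prefix test (it tolerates whitespace variants) so that probes are flagged.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: two Shellshock probes against CGI scripts, two normal hits.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.7 - - [25/Sep/2014:10:01:23 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.10 - - [25/Sep/2014:10:01:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored;}; echo vulnerable" "curl/7.37.0"
203.0.113.44 - - [25/Sep/2014:10:02:05 +0000] "POST /login HTTP/1.1" 302 0 "https://example.org/" "Mozilla/5.0 (Windows NT 6.1)"
"""


def cgi_environment(headers: dict) -> dict:
    """Map request headers to environment variables the way CGI/1.1 (RFC 3875)
    does: 'User-Agent' becomes HTTP_USER_AGENT. This is how a header value
    ended up in the environment of a Bash CGI script."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def env_variables_at_risk(env: dict) -> list:
    """Names of variables whose values a vulnerable Bash would parse as a
    function definition (the marker has to be at the start of the value)."""
    return sorted(name for name, value in env.items()
                  if SHELLSHOCK_MARKER.match(value.lstrip()))


def scan_access_log(log_text: str) -> list:
    """Run the marker check over the attacker-controlled fields of each log line
    and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # malformed or non-combined line: skip it, do not crash
        for field in ("referer", "agent", "path"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                hits.append({"ip": m.group("ip"), "time": m.group("time"),
                             "path": m.group("path"), "field": field,
                             "payload": m.group(field)})
                break
    return hits


if __name__ == "__main__":
    env = cgi_environment({"Host": "example.org", "User-Agent": "() { :;}; echo pwned"})
    print("variables at risk:", env_variables_at_risk(env))
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['path']} via {hit['field']}: {hit['payload']}")
```

The scan is a triage aid for the weeks after disclosure, not a substitute for patching: a hit tells you which hosts and scripts were probed and from where, while the patched Bash on the server is what actually stops the commands from running.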

In the immediate aftermath of Shellshock’s discovery, security experts claimed the exploit had surpassed last spring’s Heartbleed as the worst software vulnerability of all time. One reason is that Shellshock’s reach could be even greater than that of the Heartbleed vulnerability, which only affected software using the OpenSSL cryptographic library. Shellshock’s reach could even extend to Internet of Things and other embedded devices, some of which ship Bash and rarely receive patches.

For the last few weeks, website administrators have been making the necessary updates to protect users. Within a week of the vulnerability going public, Amazon, Google and Apple responded with patches and internal server updates.

Even so, it will take some time for the fallout from Shellshock to subside.

The Year of the Cyberattack Continues

This year has not been kind to the network security community. Although the Target breach occurred in 2013, the fallout has continued well into this year. Then came attacks at Neiman Marcus, eBay and, just last month, Home Depot. And, of course, Heartbleed and Shellshock.

Even in the last few weeks, news broke that more than 200 stores in the Jimmy John’s sandwich chain were breached by a remote hacker who stole customer credit and debit card information. And just like in the Target breach, where hackers infiltrated the network through an HVAC contractor, a third party of Jimmy John’s was also to blame – attackers gained network access and login credentials from a point-of-sale vendor.

The Jimmy John’s attack provides yet another example of why network security isn’t as straightforward as guarding against attacks just on the immediate network. Every network endpoint is a potential attack vector, whether it’s part of the direct network or operated by a third party who only accesses the network occasionally. This is why it’s so critical for network administrators to implement secure VPNs, as part of a comprehensive, layered, defense in-depth approach to network security.

Now, there have been reports that some VPN servers could be attacked through the Shellshock exploit. The vector that was actually demonstrated is specific to OpenVPN deployments configured to hand the client-supplied username and password to an external authentication script through environment variables (the auth-user-pass-verify directive with the via-env method); because that script runs before the client is authenticated, an unauthenticated attacker can reach a vulnerable Bash on the server. Patching Bash closes the hole on those servers. VPNs built on the proven IPsec standard do not pass client credentials to a shell in this way, so they continue to ensure privacy, shield remote users from a range of malicious attacks, and serve as another line of defense.

And in the fight against Shellshock, the first step is patching Bash on every affected host; beyond that, users need every defense mechanism they can get their hands on.



The crack of the starting gun has very different meanings for runners, depending on the distance of their race. To marathoners, it means to start conserving their energy as they take the first step in their 26.2-mile journey. To sprinters, the starting gun is a signal to channel all of their physical and mental ability toward completing one goal that is only seconds and a handful of meters away.

Perhaps that’s why we always hear “it’s a marathon, not a sprint” – most goals are far away, and they require focus to be met. But maybe this is unfair to sprinters. After all, if the average person were asked to name a runner, he or she would be more likely to say Usain Bolt – the fastest man in the world and, by the way, a short-distance runner – than the most recent winners of the Boston Marathon.

The world of IT is going through the same transition, away from the traditional support of “marathoning” to meet goals. Technology has evolved to the point where it’s often pure speed – not slow-moving, deliberate execution – that IT departments need to thrive. David Wright, CIO of McGraw-Hill Education, has seen the transition first-hand. He said that the “innovation tempo” has increased for his company as the market has changed.

Although Wright’s comments are generally about IT as it relates to product development and other customer-facing activities, the takeaways extend into other realms of IT, including network security.

Learning to Jump Hurdles

For CIOs, network security isn’t so much about the speed vs. distance analogy. A CIO really needs the best traits of both – the endurance of a marathoner to steer a consistent network security vision and always anticipate the next threat, as well as the speed and adaptability of a sprinter to consistently fend off new attacks.

A better comparison between network security and running is probably any event that involves hurdles. In a marathon or a sprint, runners go into the event with a plan. Yes, there are other competitors out on the track, but in many ways, it’s more of a race against the clock. But in hurdling events, there’s a much greater likelihood of a runner getting tripped up – clipping a foot on a hurdle or stumbling over a fallen competitor, for example. The unexpected should always be expected.

In much the same way, today’s cyber attackers move from threat to threat quickly, putting up hurdles everywhere and always keeping CIOs on their toes. If one attack vector doesn’t work, attackers will persist and just move on to the next one.  They’ll somehow find holes in the network security infrastructure, just as they did with a vulnerable HVAC provider in the Target breach.

So, what can CIOs do?

Just as attackers constantly leave hurdles in the paths of IT departments, CIOs can build hurdles of their own to ward off attackers. A defense in-depth approach is built on layered, independent controls. It uses different “hurdles” – including VPNs with central management functionality and firewalls – to make it harder for attackers to anticipate what might be around the next bend in the track. Even if an attacker clears one network security hurdle, the layers behind it give a network administrator the chance to isolate the attack before its effects spread.

Defense in-depth is just the strategy network administrators need to win the race against cyber attackers.

To learn more about the rapidly changing network security space, including mobile security and BYOD best practices, please join us at Interop New York, October 1-2, where we’ll be presenting at Booth #613.

Read More:

The Workplace of the Future and What it Means for Network Security



Industry 4.0: Flexible Production Needs Secure Networking

As we sit on the edge of the fourth industrial revolution, businesses are preparing for sweeping technological changes that will impact their production. Governments around the world, particularly Germany, through its Industry 4.0 initiative, have tried to help businesses anticipate these changes.

Simply put, Industry 4.0 will help enterprises adjust their production processes very quickly. The idea is to move away from the conventional approach of production facilities serving only one specific purpose. Greater flexibility will be achieved through modularity and extremely high connectivity, based on IP standards for all components. This is a first for the industrial sector because, up to this point, industry-specific protocols, media and controls have been utilized. With Industry 4.0, IP addresses, routers, switches and Ethernet will find their way onto the factory floor and into assembly shops.

Along with cost considerations, the reason Industry 4.0 focuses on IP technology is the depth of experience with it. Hardware, software and management approaches for IP networks have been refined over many years, and IT security technology brings compliance, standards and frameworks, as well as a wide variety of products for enterprises to choose from.

Up until now, only a few enterprises have put Industry 4.0 initiatives in place in their organizations. These pioneers include financially strong enterprises in highly competitive markets, such as those in the automotive industry. Hopefully, the implementation of Industry 4.0 initiatives will be based on the wealth of experience from the traditional IT industry, especially where security is concerned.

When IT departments are not consulted, gaps in network security appear. There are already examples of remote access points, installed at client sites by third parties to simplify device maintenance, that were not sufficiently secured and were therefore left wide open to attackers. Another threat is search engines built to automatically find unsecured remote access points or Internet-facing interfaces with known vulnerabilities.

To close these gaps, network administrators can put remote access behind a VPN, which fits naturally once the plant network speaks TCP/IP. VPN technology has been available for many years and can easily be installed, controlled and managed. When vigilance and robust IT policies are lacking, however, vulnerabilities creep in through several routes. Implementation often fails because a third-party supplier, not the customer, is responsible for installing the remote access system and the necessary information is never handed over. Or the customer’s employees may not recognize a security threat. Or the documentation is not maintained as well as it should be, and remote access points are simply forgotten.

Every technology and technological process goes through a hype phase in which promises are made that are tough to keep. Presently, Industry 4.0 may be in this phase. However, the good news is, awareness about Industry 4.0 is being created by the hype. This has helped pave the way for security to be baked in as a fixed and seamlessly integrated component during the planning and introductory phases of Industry 4.0. Governments and enterprises around the globe should pay close attention to the progress of Germany’s Industry 4.0 and once they see its benefits unfold, follow its lead.

 

