SSL: Still Secure When Configured Correctly

The Secure Socket Layer (SSL) protocol is under attack: in recent months, a succession of vulnerabilities and successful breaches have raised questions about the effectiveness of this ubiquitous security standard. The emergence of DROWN (Decrypting RSA with Obsolete and Weakened Encryption) in early March 2016 may have finally forced IT admins to take action.

The fact that so many attacks are now focused on SSL is more important than you might think.

Stop the Bleeding: How Enterprises Can Address the Heartbleed Bug

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure sockets layer (SSL) and transport layer security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open...

The Role of People-Centric Security Systems and Defense in Depth

Is it possible that IT administrators are actually doing too much to secure their corporate networks? Given the rate at which the enterprise security landscape changes, it almost seems like a rhetorical question at first. However, there’s growing concern that all of the remote access policies and procedures in place are doing more harm than good. In fact, at the recent Gartner Security and Risk Management Summit, Research Vice President Tom Scholtz went so far as to say that we have “lost the race in our attempt to throw controls at everything.” Could he be right? A recent ZDNet article makes a strong argument to back Scholtz’s claim. At its simplest, the problem with current controls is that they very rarely speak to individual users in a way that resonates with them. If employees working remotely don’t understand why certain protocols are in place, they probably won’t feel inclined to follow them. But what if companies did a better job explaining the dangers of not adhering to remote access policies? Would that provide the necessary incentive for remote employees? Scholtz certainly thinks so. According to the article, the key is for companies to adopt a people-centric security (PCS) system. In order for this system to be successful, the entire organization must be security-focused, and the best way to accomplish this is through employee education and awareness. It’s a concept that Scholtz compares to the “shared spaces” idea made famous by Hans Monderman, a Dutch road traffic engineer and innovator. Despite how dangerous the idea of vehicles and pedestrians sharing roadways with minimal signage may sound, it actually causes...

PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications

With many documents critical to matters of national security being accessed on a daily basis, government agencies must ensure that all users trying to establish connections of any type to their networks are who they say they are, that they are authorized to access the locations they are connecting to, and that all communications are encrypted. Public Key Infrastructure (PKI) compliance is the system that the public sector uses to verify a user’s information when attempting to establish a secure connection. PKI compliance in the United States, for example, is administered and monitored by The Federal PKI Policy Authority, an interagency body that was set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across federal agencies and between those agencies, universities, state and local governments, and commercial entities. PKI enables users on non-secured networks to transmit data securely and privately. It does so by using a pair of public and private cryptographic keys obtained and shared through a trusted Certificate Authority (CA). The PKI system ensures that the digital certificates generated to bind an identity to its public key are stored by the CA in a central repository and can be revoked if necessary. The public key cryptography assumed by the PKI system is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditionally, cryptography has involved the creation and sharing of a secret key for the encryption and decryption of messages. The most well-known uses are email and document encryption and authentication, but PKI is actually much broader than that. It can provide authentication for VPNs...

Five BYOD Pitfalls and How to Avoid Them

Staying abreast of mobile trends and developments is one of the most important parts of being a remote access VPN solution provider. As our devoted followers know, we’ve regularly followed and offered commentary on the most talked about trends in the security world, especially BYOD. In a recent CIO article, Tom Kaneshige highlights five major BYOD pitfalls and describes how to avoid them. While we were mostly in agreement, we did have some additional thoughts of our own.

1. An ‘Open Door’ Attitude Towards Apps

Being too lenient with the types of apps CIOs allow employees to have (and even expense!) on their devices is a recipe for disaster. While the article highlights recreational apps, such as Angry Birds, it’s important to remember that Web browsers are applications, too. The Web is one of the most susceptible entry points for malware, and if enterprise security is not up-to-speed, sensitive corporate information is almost immediately at risk of being accessed and/or damaged. There are a couple of different ways to tackle this problem. The first method is to only allow employees to access the corporate network via an IPsec VPN. This will ensure that the network is protected even if the browser is compromised. SSL VPNs are the second option; they can be configured on an app-specific basis by administrators, and access can be revoked immediately.

2. Playing the Role of Big Brother

Another way that CIOs try to tackle the aforementioned application problem is through a technique called Geofencing. Essentially, a virtual perimeter is created that allows employees to have certain applications on their phone, but prohibits their use...