Stop the Bleeding: How Enterprises Can Address the Heartbleed Bug

By now, you’ve likely heard about the recently discovered Heartbleed bug. At its simplest, this bug allows cyber criminals to exploit a flaw in technology that encrypts sensitive information, making all types of communications sent over an “HTTPS” connection, including emails and online credit card payments, as easy for them to read as this sentence. But that’s not all – once that sensitive personal and/or company data is obtained, cyber criminals can then use the stolen online personas to gain access to other password-protected areas, such as online banking accounts, social media channels and corporate networks. Security expert Bruce Schneier said that “on the scale of 1 to 10, this is an 11.” Understandably, there’s a lot of media attention being given to this topic. But before hitting the panic button, read on to see how exactly your enterprise, or even you personally, might be affected.

What’s the Heartbleed bug again?

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are widely used protocols that secure a wide range of communications across the Internet, from IMs to remote access, and Heartbleed is a vulnerability specific to an open-source implementation of these protocols aptly called OpenSSL. The bug gets its name from the nature of its attack, which involves piggybacking on an OpenSSL feature known as heartbeat. By exploiting this susceptibility, cyber criminals can compromise users’ cryptographic SSL keys, making what should be encrypted communications appear in plain text.

Why it’s a problem

According to Neil Rubenking of PC Mag’s SecurityWatch, the website “that was created to report on Heartbleed states the combined market share of the two biggest open...

The Role of People-Centric Security Systems and Defense in Depth

Is it possible that IT administrators are actually doing too much to secure their corporate networks? Given the rate at which the enterprise security landscape changes, it almost seems like a rhetorical question at first. However, there’s growing concern that all of the remote access policies and procedures in place are doing more harm than good. In fact, at the recent Gartner Security and Risk Management Summit, Research Vice President Tom Scholtz went so far as to say that we have “lost the race in our attempt to throw controls at everything.” Could he be right? A recent ZDNet article makes a strong argument to back Scholtz’s claim. At its simplest, the problem with current controls is that they very rarely speak to individual users in a way that resonates with them. If employees working remotely don’t understand why certain protocols are in place, they probably won’t feel inclined to follow them. But what if companies did a better job explaining the dangers of not adhering to remote access policies? Would that provide the necessary incentive for remote employees? Scholtz certainly thinks so. According to the article, the key is to have companies adopt a people-centric security (PCS) system. In order for this system to be successful, the entire organization must be security-focused, and the best way to accomplish this is through employee education and awareness. It’s a concept that Scholtz compares to the “shared spaces” idea made famous by Hans Monderman, a famous Dutch road traffic engineer and innovator. Despite how dangerous the idea of vehicles and pedestrians sharing roadways with minimal signage may sound, it actually causes...

PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications

With many documents critical to matters of national security being accessed on a daily basis, government agencies must ensure that all users trying to establish connections of any type to their networks are who they say they are, that they are authorized to access the locations they are connecting to and that all communications are encrypted. Public Key Infrastructure (PKI) compliance is the system that the public sector uses to verify a user’s information when attempting to establish a secure connection. PKI compliance in the United States, for example, is administered and monitored by the Federal PKI Policy Authority, an interagency body that was set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across federal agencies and between those agencies, universities, state and local governments, and commercial entities. PKI enables users on non-secured networks to transmit data securely and privately. It does so by using a pair of public and private cryptographic keys obtained and shared through a trusted Certificate Authority (CA). The PKI system ensures that the digital certificates generated to match an identity with its public key are stored by the CA in a central repository and can be revoked if necessary. The public key cryptography assumed by the PKI system is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditionally, cryptography has involved the creation and sharing of a secret key for the encryption and decryption of messages. The most well-known uses are email and document encryption and authentication, but PKI is actually much broader than that. It can provide authentication for VPNs...

Five BYOD Pitfalls and How to Avoid Them

Staying abreast of mobile trends and developments is one of the most important parts of being a remote access VPN solution provider. As our devoted followers know, we’ve regularly followed and offered commentary on the most talked about trends in the security world, especially BYOD. In a recent CIO article, Tom Kaneshige highlights five major BYOD pitfalls and describes how to avoid them. While we were mostly in agreement, we did have some additional thoughts of our own.

1. An ‘Open Door’ Attitude Towards Apps

Being too lenient with the types of apps CIOs allow employees to have (and even expense!) on their devices is a recipe for disaster. While the article highlights recreational apps, such as Angry Birds, it’s important to remember that Web browsers are applications, too. The Web is one of the most susceptible entry points for malware, and if enterprise security is not up to speed, sensitive corporate information is almost immediately at risk of being accessed and/or damaged. There are a couple of different ways to tackle this problem. The first method is to only allow employees to access the corporate network via an IPsec VPN. This will ensure that the network is protected even if the browser is compromised. SSL VPNs are the second option; they can be configured on an app-specific basis by administrators, and access can be revoked immediately.

2. Playing the Role of Big Brother

Another way that CIOs try to tackle the aforementioned application problem is through a technique called geofencing. Essentially, a virtual perimeter is created that allows employees to have certain applications on their phone, but prohibits their use...

NCP engineering Explores Trends in IPsec and SSL VPNs on insideHPC Slidecast

Initially created as a response to the difficulty of implementing earlier versions of IPsec VPNs, SSL VPNs have become increasingly common over the past few years. Because they were built to be easier to implement, they were thought of as easier to manage than IPsec, which led to their growing popularity. However, IPsec offers many features that SSL doesn’t have, as detailed in the presentation given by Rainer Enders, NCP’s CTO of Americas, in a slidecast for insideHPC. Rainer explored recent trends in remote access technologies and delved into the progression of IPsec and SSL VPNs. In many ways, SSL has been evolving to become more like IPsec because businesses have demanded many of the features that are traditionally in IPsec VPNs, such as access to the entire corporate network rather than just applications. As a result, the formerly “client-less” option has required a bigger footprint to add those features. At the same time, IPsec has become much easier to use. NCP’s IPsec VPN client suite features a firewall and Internet connection that are integrated into a single interface. Users only need to click on a button once to securely connect or disconnect. Everything else is automated, and users never need to worry. So, it’s no longer true that IPsec is more difficult to connect to than SSL. Although SSL and IPsec are becoming more alike in many ways, each has unique features that are useful for different business needs. NCP develops VPN functionality based on both protocols, and we are constantly working to make them easier for IT administrators to manage and for users to enjoy mobility’s benefits....