How Far Does Your Cybersecurity Umbrella Extend?

Network administrators: No matter how impenetrable you think your network defenses are, there are always going to be remote access vulnerabilities that threaten the integrity of your walls. Often, it’s a threat that originates from outside the immediate range of your defenses, and it’s one you may not have any visibility into. Recently, these threats have started to originate from third-party partners – a company’s vendors, suppliers, agencies, firms and other outside service providers. These are often smaller companies with less sophisticated remote access defenses that, when they become a target of cyber crooks, provide a path for an attacker right into the heart of another company’s network. Target found this out the hard way, after its network was breached when attackers gained entry by acquiring network credentials through a third-party HVAC vendor. So did Lowe’s, after one of its vendors backed up customer data on an unsecured server and unknowingly exposed the information to the broader Internet. Goodwill, too, suffered a breach because of a vendor, this time a retail POS operator that acknowledged its managed service environment “may have experienced unauthorized access.” While it may seem odd for big-name companies to provide such privileged access to third parties and, in the process, put themselves in harm’s way – either deliberately or inadvertently – it’s actually quite a common situation. As Brian Krebs reported in the aftermath of the Target breach, large retailers often provide HVAC and energy vendors with privileged network access so they can alert retailers around the clock in the event something goes wrong in one of their buildings. As a source told Krebs, “Vendors need to...

SSL Myths and Mobile Devices

Since posting our series on SSL myths, some people have asked how these SSL vulnerabilities apply to mobile phones. While mobile phones and other handheld devices are mistakenly considered relatively safe, this misconception does not qualify as an SSL myth. It does, however, require addressing, as the consumerization of IT forces CIOs and network security architects to integrate these devices into the VPN structure. Beyond the recent consumer-oriented, high-profile hacks of celebrity address books, the danger to enterprises is being laid bare in a more subtle manner. In May 2011, Juniper Networks published a study that found risks to mobile phone security at an all-time high, and cited a 400% rise in malware against Android, for example. In 2008, critical mobile SSL VPN vulnerabilities were discovered by Christophe Vandeplas, as a laboratory example of the man-in-the-middle (MITM) exploit. In mid-March 2011, after Comodo issued nine fraudulent certificates affecting several domains, Microsoft issued updates for its PC platforms to fix the vulnerabilities, but the company’s patch for Windows Phone 7 was not immediately available. More details surrounding this attack were outlined in Myth 1. But clearly, the priority is not currently on the mobile platform, creating an undeniable...

FDE and VPN: Don’t Throw out the Security Baby with the Legacy Bathwater, Part 1

By Cameron Laird In “Die, VPN! We’re all ‘telecommuters’ now–and IT must adjust,” John C. Welch accurately describes much of the changing landscape through which corporate computing is traveling now: Work is as likely to take place outside the office as in; Work in some domains has become as likely to take place on an employee’s device as one owned by the corporation; A large percentage of all work can be done through the Web; and “Endpoint” (in)security is nothing short of horrifying: the data equivalents of bars of gold are regularly walked unescorted through neighborhoods so bad they can’t help but end up in the wrong hands. The situation is unsustainable; what should be done? Welch’s conclusion: adopt full-disk encryption (FDE)–and ditch VPNs. His arguments for FDE have merit. The ones against VPN? Well, I expect to use VPNs for a long time into the future, and you should, too. Here’s why: What is VPN? First, let’s review the basics: information technology (IT) departments are responsible for computing operations. Computers have, in general, the capacity to make general-purpose calculations. This means both that IT is called on to perform a wide, wide range of tasks–everything from routing telephone connections in a call center, to control of machine actions in a steel plant, to running accounting programs in a hair salon–and also that there is inevitably more than one technique to complete each task or fulfill each requirement. Even the simplest analysis of the “remote problem” exhibits these characteristics. Let’s begin with Welch’s starting point: much of the work of the future will be done outside the conventional workplace,...

How to Keep Businesses Safe from Security Breaches

By Sylvia Rosen When small businesses grow and large businesses spread across the country, remote and traveling professionals need accessibility. That’s why both small and large businesses turn to VPN technology; it gives them the flexibility they need to work across a variety of locations. However, with accessibility comes risk. As a business owner, you need to make sure that your remote employees have the accessibility they need to be productive, in addition to the security that you need to have peace of mind. Here are three ways that you can keep your business safe from security breaches while using VPN technology: Choose your VPN technology wisely Rainer Enders, the CTO Americas for NCP engineering, explains that when it comes to choosing VPN technology, business owners need to keep two things in mind: convenience and company policy. “What you want to make sure [for the employee] is that it’s simple, it won’t interfere with their work, and it’s at the least intrusive level,” Enders explains. It’s difficult to predict where your teleworkers will be going and what devices they will be using. As a result, it’s ideal to select a VPN that has the “intelligence” to recognize different network types and different types of devices, such as cell phones. In addition, the most important aspect to keep in mind is that your technology is in accordance with your business’s security policy. “From the employer side, they need to ensure that what is presented is in compliance with security rules and also business rules,” Enders said. Enders explains that this might mean that businesses will...