BYOD Dominates Interop New York

Among many key takeaways from last week’s Interop NY conference, the top-of-mind concern for CIOs, security professionals and other IT stakeholders remains mitigating the security risks associated with BYOD. While organizations that attended the conference recognize that supporting mobile devices in the workplace is inevitable, many admit to lacking the proper infrastructure to secure their mobile users. In fact, a recent industry survey reveals that only 16% of IT shops currently have a BYOD policy in place, increasing organizations’ risk to exposure as a result.

Is the concern revealed at Interop justified? Yes, but it’s certainly manageable. In fact, Rainer Enders, CTO, Americas for NCP engineering,has advocated for remote access solutions that allow businesses to manage the devices their employees are bringing in. Earlier this year, Rainer spoke with Ericka Chickowski, of Dark Reading, on this very topic. Here’s an excerpt from her piece:

According to Enders, too few organizations factor risk into their cost considerations, making it one of the most costly hidden costs if proper precautions aren’t taken.

“In my mind, the biggest hidden cost lies in the worst case scenario–when bigger issues arise like a lawsuit or a major security breach,” he says. “It really comes down to the standard security question about what are the assets. What do I need to protect from a company point of view. My legal situation–how is my IP sufficiently protected. I think that is where the main costs are: This is something that is often overlooked. Companies don’t really do a good job at assessing this kind of risk.”

As such, Enders suggests that organizations start implementing risk assessment formulas into their dollars and cents estimates for mobile costs in a BYOD model. There are other tangible costs that are often overlooked as well, many of which have to do with managing a more diverse infrastructure and enforcing security and privacy policies that will eventually reduce risks.

To read Erica’s full piece, see here: BYOD: How to Calculate Hidden Security Costs.

Less is More: Why SSL VPN is NOT What You Think It Is – #Interop

*Editor’s Note: This post is syndicated from the Interop Blog.You can see the original post by clicking here. 

By Rainer Enders, CTO at NCP engineering

At Interop 2012, I’ll be hosting a session, “Less is More: Why SSL VPN is NOT What You Think It Is” that explores the inherent flaws of SSL VPN. The reality is, SSL has been buoyed by a staggering number of myths and security assurances promised by vendors and assumed as safe by VPN users. But in fact, high profile security breaches have occurred as a result of using key security building blocks of SSL VPN technology. These have included various Certificate Authority (CA) breaches, such as those at ComodoDigiNotar, GlobalSign, Gemnet and KPN.

So, why is this happening? Do users implement the technology incorrectly, or is it simply not as good as all the hype makes it out to be? Is there something else or different we should be doing? What are solutions to the underlying problems?

These are the very questions I’ll answer in this session, drawing upon my 20 years of experience in the networking and security industry. As CTO, Americas for NCP engineering – I’m confronted with examples of SSL misunderstanding and misuse on a daily basis. With this session, I’ll expose SSL VPN security myths and dispel dangerous hype, which is leading to over-reliance on the protocol. I’ll also leverage real-life examples and provide practical ways you can strengthen your remote access connectivity.

Clearly, confusion exists about the security capabilities of SSL. Ultimately, this misinformation undermines the technology and lessens its appeal in scenarios where SSL is an ideal solution. This session will put the most persistent SSL myths to rest and clarify the technology’s capabilities – and its limitations. I’m looking forward to seeing you there.

The session Less is More: Why SSL VPN is NOT What You Think It Is will be held Thursday, May 10, 2012, 11:30am – 12:30pm at Interop 2012.

Staying Safe at Trade Shows – Implementing the VPNs

By Nicholas Greene

Earlier this week, I wrote about the importance of using VPNs at trade shows. Building on that, I wanted to expand on VPN implementations. Firstly, like anything else, VPN implementations aren’t perfect. A VPN tends to leave more traffic exposed than WEP, WPA, and WPA2, so preventing data leakage before launching the tunnel can be an exercise in futility. Roaming between IP subnets can break through your tunnels, and VPNs tend to be more than a little picky when it comes to how networks are laid out. Thankfully, all of those concerns are quite simple to address.

First up, don’t connect to a network that isn’t encrypted in some fashion. At Black Hat or Interop, this shouldn’t be a problem- their access points are encrypted by default. Second, if you’re enterprise, combine your VPN solution with endpoint security. As mobility is concerned; again, it shouldn’t be an issue with the larger tech conferences. Most of them are likely to implement subnet roaming capabilities into their access points- they’re designed to be VPN friendly.

Finally, don’t assume a VPN implementation means you’re completely protected- unencrypted data is just one of the many threats facing users at these events.  Setting up a dummy network with an SSID that appears valid is one of the most common attack methods at Black Hat. Even though organizers have implemented security to counteract this method, that doesn’t mean you shouldn’t still be on guard.

If all else fails, it might be worth looking into setting up your own dedicated Wi-Fi, and running the VPN through that. At the end of the day, network security can only go so far. Though the right VPN/endpoint security implementation is a great tool for protecting your data, you’ve got to do your part, too. Don’t assume that, simply because you have a secure network, you’re protected from theft- that is, after all, what the thieves are counting on.

 

 

 

 

Staying Secure at Trade Shows

By Nicholas Greene

With RSA 2012 kicking off next week, then Interop and BlackHat just around the corner after that – we are officially in trade show season. Of course, every show brings with it the challenge of connecting to its official Wi-Fi connection to plug back into corporate headquarters to do everything from email to sending documents and beyond. And as most of us know, this could invite a barrage of security vulnerabilities.

Of course, at IT conferences like Interop and Black Hat, you’ll find yourself with a better class of wireless network– it’s more or less a given that their Wi-Fi connections will be more secure than those at many other trade shows, as the organizers know enough to take an active role in securing the data of attendees. But the real risks come in when, for example, connecting via a hotel or a café near the show – or worse, a rogue unsecured network that tricks users into signing on with a strangely “official sounding” name.

So how will you stay safe this trade show season? In short, VPNs are the key. A VPN will give you all the security you’d get from a private network, and places it into a public arena; opening the requisite ports for easier connectivity, keeping your activities anonymous from others on the network, and encrypting any data you send between yourself and the server.

Unlike with unsecure (and even secure) wireless networks, no known exploits currently exist that are capable of subverting the security on most of the well-designed Virtual Private Networks. While it’s certainly true that a user connected to a VPN can interact with other systems on the network as though they were local, the users of those systems should generally be trustworthy, if you’ve implemented a proper VPN solution.

If you’re connecting to a corporate network, there’s a good chance that the company will already have some sort of VPN solution in place- all that’s left in such a situation is to set it up to run on your own system, and you’ll be golden. Generally, this is as simple as installing the client software for whatever solution you’re running- your company should provide it for you before you leave for the show.

If you’re not an enterprise attendee, or your company doesn’t yet have a VPN solution implemented, it might be worth looking into getting one- NCP has several VPN clients available– for enterprise users, the centrally managed solution’s ideal.

More on VPNs and trade show security next time.

“Taking Precautions at Black Hat is Always Good”

Black Hat 2011 has kicked off in steamy Las Vegas (highs over 100 this week!). But Black Hat isn’t about the weather, it’s about the hacking. And there will be hacking. ZDNet has already rounded up this year’s “10 can’t miss hacks and presentations.” Among those that made our ears perk up, are Moxie Marlinspike’s “SSL And The Future Of Authenticity” and Jerome Radcliffe’s “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System.” Of course, if you’re worried about being hacked, Network World’s Tim Greene has published a checklist on “How to Survive Black Hat and Defcon without getting hacked – maybe” – love the caveat.

On that note, today we continue our conversation Travis Carelock, technical director for Black Hat, to get his thoughts on the show’s online safety.

VPN Haus: Because so many people are doing demos of hacks at Black Hat, should attendees take more precaution in protecting their data and VPN networks, than they would at a show like, say, Interop?

Travis Carelock: To be honest the demos on stage are the least of the attendee’s concerns.  The Black Hat speakers generally do a very good job displaying and demo’ing their PoC(Proof of Concept) in responsible ways.  I have never heard of an attendee compromised because of a demo onstage.  However, I have heard of an attendee compromised because of the attendee sitting to their right.  One of the primary things that differentiate Black Hat from a show like Interop is our average attendee.  Over 6,000 cutting‐edge security experts (with average cost of $3000, most companies don’t send their junior squad) will be in attendance, each smarter than the next, each with a complete hacking tool set updated, locked, loaded and ready to go, and most with a hacker’s mindset.  So, yes taking more precautions at Black Hat is always good.

VPN Haus: How is Black Hat Las Vegas different than the DC, the Abu Dhabi, and the Europe show?

Carelock: Black Hat USA is our flagship event.  It is several times bigger than our other events and serves as the yearly round up for the entire security community.  The previous year’s trends are analyzed, predictions about the next year are made, awards are given based on community response and voting.   In general, the community comes together to swap stories, techniques, and network.  Our other events are more targeted affairs, in which we try to serve some of the specific concerns of the regions in which they are held.  At all our events we try to bring the latest offensive and defensive security presentations and techniques, the smaller events merely allow Black Hat to tailor what can be.

 Here’s to a great show – and stay safe, everyone. See part one of our conversation with Travis Carelock here.