Posts Tagged ‘threats’

Since posting our series on SSL myths, some people have asked how these SSL vulnerabilities apply to mobile phones. Mobile phones and other handheld devices are mistakenly considered relatively safe; this misconception does not qualify as an SSL myth. It does, however, require addressing, as the consumerization of IT forces CIOs and network security architects to integrate these devices into the VPN structure.

Beyond the recent consumer-oriented, high profile hacks to celebrity address books, the danger to enterprises is being laid bare in a more subtle manner. In May 2011, Juniper Networks published a study that found risks to mobile phone security at an all-time high, and cited a 400% rise in malware against Android, for example. In 2008, critical mobile SSL VPN vulnerabilities were discovered by Christophe Vandeplas, as a laboratory example of the man-in-the-middle (MITM) exploit.

In mid-March 2011, after Comodo issued nine fraudulent certificates affecting several domains, Microsoft issued updates for its PC platforms to fix the vulnerabilities, but the company’s patch for Windows Phone 7 was not immediately available. More details surrounding this attack were outlined in Myth 1. But clearly, the priority is not currently on the mobile platform, creating an undeniable threat.

By Cameron Laird

In “Die, VPN! We’re all ‘telecommuters’ now–and IT must adjust,” John C. Welch accurately describes much of the changing landscape through which corporate computing is traveling now:

  • Work is as likely to take place outside the office as in;
  • Work in some domains has become as likely to take place on an employee’s device as one owned by the corporation;
  • A large percentage of all work can be done through the Web; and
  • “Endpoint” (in)security is nothing short of horrifying: the data equivalents of bars of gold are regularly walked unescorted through neighborhoods so bad they can’t help but end up in the wrong hands.

The situation is unsustainable; what should be done?

Welch’s conclusion: adopt full-disk encryption (FDE)–and ditch VPNs. His arguments for FDE have merit. The ones against VPN? Well, I expect to use VPNs for a long time into the future, and you should, too. Here’s why:

What is VPN?

First, let’s review the basics: information technology (IT) departments are responsible for computing operations. Computers have, in general, the capacity to make general-purpose calculations. This means both that IT is called on to perform a wide, wide range of tasks–everything from routing telephone connections in a call center, to control of machine actions in a steel plant, to running accounting programs in a hair salon–and also that there is inevitably more than one technique to complete each task or fulfill each requirement.

Even the simplest analysis of the “remote problem” exhibits these characteristics. Let’s begin with Welch’s starting point: much of the work of the future will be done outside the conventional workplace, and therefore outside the usual control policies traditional IT establishes. Everyone agrees that the fundamental data of the workplace deserves protection: whether the business deals in customer names and addresses, proprietary product recipes, or factory inventories and outputs, these details must be kept private. For an IT department, data appear in two states: “in transit,” as they travel from central organization repositories to the hardware of an individual remote worker; and “at rest,” which, for this purpose, means stored on the hardware of an individual remote worker. Welch’s FDE prescriptions address “at rest” or “endpoint” vulnerabilities, with the assumption that any local copy–any file or document or report–of data on a remote machine is necessarily encrypted. In turn, to view company data, an unauthorized person would need not only physical possession of the remote machine, but also a key to unlock the latter’s storage encryption.

Data “in transit” requires a mechanism that enables protection while traveling. With computers, there are many different ways to protect data in transit. In broad terms, though, a VPN encapsulates everything that passes back and forth from a remote worker in a single consistent way. With a VPN in place, the higher-level applications that are meaningful to an end-user, including software for project management, office productivity, multimedia chat, project collaboration, file access, enterprise resource planning (ERP), and so on, all have the impression that the remote worker is using a computer networked within the home network of the organization. The VPN takes responsibility for translating every data transmission so that what appears to be a message sent to or received from a local computer is actually a corresponding encrypted message to or from a remote location.
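To make the encapsulation described above concrete, here is a small Go program added as an illustration (it is not code from the original post or from any VPN product): one tunnel endpoint wraps an application’s packet in an AES-GCM frame, the peer unwraps it, and a frame altered on the untrusted network is dropped rather than delivered. The shared key, the sample packet and the NewTunnel/Encapsulate/Decapsulate names are assumptions for this example; key agreement between the peers is assumed to have happened already.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Tunnel is one endpoint. Assumed: peers already share an AES key agreed out of band (e.g. IKE/TLS); not modelled here.
type Tunnel struct{ aead cipher.AEAD }
func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes long
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Tunnel{aead: aead}, nil
}

// Encapsulate turns an inner packet (what the application believes it sent to
// a host on the home network) into the outer frame nonce||ciphertext||tag.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize()) // fresh per frame; reuse breaks GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, inner, nil), nil // Seal appends after nonce
}

// Decapsulate recovers the inner packet. A frame altered in transit fails the
// GCM tag check and is dropped rather than being handed to the application.
func (t *Tunnel) Decapsulate(frame []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(frame) < n {
		return nil, fmt.Errorf("frame too short, dropped")
	}
	inner, err := t.aead.Open(nil, frame[:n], frame[n:], nil)
	if err != nil { // wrong key, garbled nonce or altered bytes all end here
		return nil, fmt.Errorf("integrity check failed, frame dropped: %w", err)
	}
	return inner, nil
}

func main() {
	tun, _ := NewTunnel([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	frame, _ := tun.Encapsulate([]byte("GET /erp/report HTTP/1.1"))
	frame[len(frame)-1] ^= 1 // one bit flipped on the untrusted network
	fmt.Println(tun.Decapsulate(frame))
}
```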

Cameron Laird is an award-winning author and developer for Phaseit, where his recent work has concentrated on back-end programming for secure Web applications.

By Sylvia Rosen

When small businesses grow and large businesses spread across the country, remote and traveling professionals need accessibility. That’s why both small and large businesses turn to VPN technology; it gives them the flexibility they need to work across a variety of locations.

However, with accessibility comes risk.

As a business owner, you need to make sure that your remote employees have the accessibility they need to be productive, in addition to the security that you need to have peace of mind.

Here are three ways that you can keep your business safe from security breaches while using VPN technology:

Choose your VPN technology wisely

Rainer Enders, the CTO Americas for NCP engineering, explains that when it comes to choosing VPN technology, business owners need to keep two things in mind: convenience and company policy.

“What you want to make sure [for the employee] is that it’s simple, it won’t interfere with their work, and it’s at the least intrusive level,” Enders explains.

It’s difficult to predict where your teleworkers will be going and what devices they will be using. As a result, it’s ideal to select a VPN that has the “intelligence” to recognize different network types and different types of devices, such as cell phones.

Above all, keep in mind that your technology must be in accordance with your business’s security policy.

“From the employer side, they need to ensure that what is presented is in compliance with security rules and also business rules,” Enders said.

Enders explains that this might mean that businesses will need to adapt their security profile to a reasonable solution. For example, teleworkers will need a solution that allows them to securely connect to the network in areas that are considered to be “hot spots,” such as hotels, cafes, and airports.

Firewalls and security features are your friend

Business owners might cringe at the thought of their employees working in “hot spots,” but the reality is it will happen. As a result, Enders encourages business owners to use a VPN with an integrated firewall.

“The role that the firewall plays is to basically put firm access boundaries around the user’s device and allow or disallow user connectivity,” he explains. “With this, you can enforce that they can only connect to a company network – and not the Internet.”

Enders adds that security features such as authentication are great moves toward preventing security breaches because they ensure that the person who is trying to connect to your company network is in fact your employee. For example, if a device gets lost or stolen, strong authentication will make sure that no one can steal that person’s identity.

Keep track of each employee who has VPN access

Hackers are everywhere, and in today’s technology-driven society, it’s very easy to break into company networks – if you aren’t careful. One of the easiest ways to prevent security breaches is by paying attention to your employees and how they are accessing your company outside of the office.

For example, mobile devices increase the chances of a security breach because of how small they are. With mobile devices, you’re limited from a processing perspective and a UI perspective, and also limited in what type of security software you can install.

One resource that Enders suggests businesses turn to is the cloud. Cloud service providers can offer outsourced VPN services that make connecting to the VPN easy to manage.

Being able to connect to business networks outside the office is a necessity for teleworkers and traveling professionals. As a result, it’s up to business owners to be able to select a VPN solution that is convenient, flexible, and follows security policies.

Sylvia Rosen writes articles on business products, including: Small Business Phone Systems, Document Management Systems, and Business and Home Security Systems.

Black Hat 2011 has kicked off in steamy Las Vegas (highs over 100 this week!). But Black Hat isn’t about the weather, it’s about the hacking. And there will be hacking. ZDNet has already rounded up this year’s “10 can’t miss hacks and presentations.” Among those that made our ears perk up are Moxie Marlinspike’s “SSL And The Future Of Authenticity” and Jerome Radcliffe’s “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System.” Of course, if you’re worried about being hacked, Network World’s Tim Greene has published a checklist on “How to Survive Black Hat and Defcon without getting hacked – maybe” – love the caveat.

On that note, today we continue our conversation with Travis Carelock, technical director for Black Hat, to get his thoughts on the show’s online safety.

VPN Haus: Because so many people are doing demos of hacks at Black Hat, should attendees take more precaution in protecting their data and VPN networks, than they would at a show like, say, Interop?

Travis Carelock: To be honest, the demos on stage are the least of the attendees’ concerns. The Black Hat speakers generally do a very good job displaying and demo’ing their PoC (Proof of Concept) in responsible ways. I have never heard of an attendee compromised because of a demo onstage. However, I have heard of an attendee compromised because of the attendee sitting to their right. One of the primary things that differentiate Black Hat from a show like Interop is our average attendee. Over 6,000 cutting-edge security experts (with an average cost of $3000, most companies don’t send their junior squad) will be in attendance, each smarter than the next, each with a complete hacking tool set updated, locked, loaded and ready to go, and most with a hacker’s mindset. So, yes, taking more precautions at Black Hat is always good.

VPN Haus: How is Black Hat Las Vegas different than the DC, the Abu Dhabi, and the Europe show?

Carelock: Black Hat USA is our flagship event. It is several times bigger than our other events and serves as the yearly round-up for the entire security community. The previous year’s trends are analyzed, predictions about the next year are made, and awards are given based on community response and voting. In general, the community comes together to swap stories, techniques, and network. Our other events are more targeted affairs, in which we try to serve some of the specific concerns of the regions in which they are held. At all our events we try to bring the latest offensive and defensive security presentations and techniques; the smaller events merely allow Black Hat to tailor what can be.

Here’s to a great show – and stay safe, everyone. See part one of our conversation with Travis Carelock here.

The world of remote access is, no doubt, a complicated one. On one hand, we can’t imagine life without it – and on another – it sometimes feels like the bane of every IT administrator’s existence. So, what do end users think of remote access? VPN Haus asked around and got an interesting variety of responses. But no matter the sentiment, it seems people are rarely neutral when it comes to remote access.

Nick Armstrong, a so-called geek superhero, shares the common complaint of elapsed lag times when connecting remotely. He told VPN Haus, “Any time there’s a possibility for lag, I absolutely loathe a remote working environment. Since I work on a Mac, the conversions very rarely work correctly and there’s often a lot of right-click confusion that just shouldn’t be there.”

But here’s where things get complicated. Nick has worked as a software developer and is exceptionally tech savvy, and this know-how makes him informed enough to expect better than slow-downs and headaches when connecting remotely.

“If the user interface isn’t simple, I just don’t want to work on it,” he said. “Also, I really, really dislike having to turn over my computer’s control to an internal IT person to remotely give me access. [It’s] really frustrating considering my level of tech expertise.”

Nick’s frustrations are, unfortunately, far too common. To get around this issue, Nick says he sometimes bypasses IT-mandated remote access for a more efficient option.

“SSH or secure FTP allow for the secure transfer of files,” he explained. “Skype and other communication platforms use encryption, as does GoToMyPC (the one non-clunky virtual work environment I’ve used). I’d much rather use my own work environment where I can assure productivity rather than be forced into something that ‘meets IT’s standards.’ If my methods are good enough for HIPAA compliance, they should be good enough for a business.”

Nick is an ideal scenario – he’s savvy enough to know to look for secure options when forgoing IT protocols. But the danger comes in when employees who don’t know to look for secure options follow the same path.

What annoys you about remote access? Share your stories with us.