Proposed IoT Security Bill
Doesn't Go Far Enough

Earlier this month, four U.S. senators introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. This piece of legislation seeks to establish minimum cybersecurity standards for federally procured Internet of Things devices. It defines a device as a physical object that can connect to – and regularly connects with – the Internet and "has computer processing capabilities that can collect, send or receive data."

In a nutshell, the act would require vendors to certify that IoT devices they are selling to the U.S. government:

  • have no known vulnerabilities;
  • can be properly authenticated and updated in a trustworthy fashion;
  • use current industry standards for communications, encryption, and interconnections;
  • eliminate fixed passwords.

The bill is endorsed by numerous legislative technology groups and companies. Cybersecurity researcher Nicholas Weaver calls it a "solid piece of common-sense legislation."

The act is a noble effort and may well pass. However, it won't adequately protect our nation's IoT devices because, all too often, a device has a software weakness unknown to the vendor. It's called a zero-day vulnerability. Hackers patiently and deliberately search for these holes because, once one is found, it can be exploited to access user information or plant malware and spyware. Only after the user discovers the breach – which can take months if not years – can developers hurriedly develop a "patch" to repair the software's weak point.

To understand the severity of zero-day vulnerabilities, consider these statistics:

Here's another drawback to the bill. As detailed in this article and this article and this report, quite often hacks are not the fault of the device. Human error, stolen credentials and poor patch management can also be the cause. In fact, the largest hack in U.S. government history – the Office of Personnel Management breach – was initiated when a hacker stole the credentials of a government contractor.

And, as a February 2017 report by the U.S. Government Accountability Office found, federal agencies "consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available."

At Dispersive, we create software networks that feature highly advanced techniques that can help secure IoT devices from unauthorized access. It's technology that can change the way you use the Internet.

We welcome the chance to talk with you – or anyone in Congress who may be interested – about all this. To get the conversation started, just email us at info@dispersivegroup.com or call us at 1-844-403-5852.

Why Your Network No Longer Works
(Or RIP, VPN)

In our last post, we praised the Virtual Private Network (see below). Today, we've come to bury it.

We're going to tell you why you no longer need VPN. In fact, the longer you stay with your network, the less competitive your business will be.

You may have heard of a little something called business digitization. If you haven't, here's an article and blog and white paper and survey and video and podcast and questionnaire to fill you in.

By 2020, members of Generation C – connected, communicating, content-centric, computerized and always clicking – will comprise 40% of the population of the U.S., Europe, Brazil, Russia, India and China. They will be the largest single category of consumers in the world.

This is what makes the digitization of your business so important. And what makes your current network – assuming you use VPN – so debilitating.

VPN technology was created more than 20 years ago. To put that into perspective, it was introduced the same year as the 56k dial-up modem. VPN wasn't designed to handle the 21st century business challenges of big data, cloud computing, mobile workforces and the Internet of Things.

A VPN can't deliver the secure, reliable and high-performance connectivity your employees need to collaborate and your customers need to transact business with you.

But don't take our word for it. Ask around.

Ask your employees if they ever experience dropped or choppy calls or less than ideal video downloads. We bet they do. VPNs often suffer audible errors and latency problems across locations, long distances and devices.

Ask your IT administrator how easy your VPN is to manage. Since it typically relies on a hub-and-spoke architecture, the network can take days or weeks to set up and configure.

Your VPN also requires active management and mind-numbing routing rules to move data traffic from your hub to the proper services.

And then there's the issue of security. Hackers love VPNs. One of their favorite tactics is to use compromised credentials to enter an enterprise network like yours through a VPN concentrator located at your hub. Once they're in, these cybercriminals have access not only to your network, but also all its extended services.

Then ask yourself a few questions.

Is my enterprise ready for Generation C? Am I willing to risk customer satisfaction and employee confidence just to hold onto 19th century technology? Is there a better alternative?

We can answer that last question for you. Yes, there is. It's the Dispersive™ Virtualized Network. When compared to your VPN, the Dispersive™ VN:

  • Provides a higher quality voice and video experience
  • Delivers data faster
  • Offers your remote and mobile users more reliable connectivity
  • Uses your available bandwidth more efficiently
  • Eliminates your need for hub-and-spoke network architecture
  • Centralizes your network management using a point-and-click GUI interface
  • Enables zero-touch provisioning
  • Reduces your OPEX and CAPEX

Don't let outdated network technology stand between you and your potential. Find out how we or one of our carrier partners can make your enterprise more efficient, more competitive, and more attractive to Generation C users. Email us at info@dispersivegroup.com or call us at (844) 403-5852.

We Come To Praise VPN
Not To Bury It...Yet

Every now and then, we like to give the devil his due. And by "devil," we mean the Virtual Private Network (VPN).

We're not saying the VPN is demonic. No, we actually want to tip our thinking cap to the brilliance of the network. Few technologies have had such an impact on the way businesses do business.

Long ago, when the Internet was in its Wild West stage, users sent information across it at their peril. All too often, documents either inexplicably disappeared into the netherworld or were captured by hackers.

This created a dilemma for big businesses and government agencies. They needed the reach and relatively low cost the Internet afforded them versus other intracommunications options. However, they could not risk losing sensitive documents and secrets that were the lifeblood of their operations.

Enter VPN.

VPN established a private connection for these enterprises, sort of a private network over the public Internet. In fact, if you're reading this at work, chances are it's being delivered to you via the traditional VPN hub-and-spoke architecture. Your corporate headquarters serves as the hub, while the branch offices are the spokes. VPN (or VPN over MPLS) connects each branch to the hub, where a VPN concentrator gives each branch access to the entire network.

(What keeps all these balls in the air is your IT staff. Love 'em or hate 'em, your IT staffers spend a lot of time and effort making sure your VPN remains functional, scalable, redundant and secure. Please keep that in mind the next time you want to chew your IT administrator out about a dropped call, choppy video or slow downloads.)

There are many impressive things about VPN. However, perhaps the most amazing is its longevity. The underlying technology was created in ... you're sitting down, right? ... 1996. To put that into perspective, the 56k dial-up modem was invented in 1996.

Yeah, the 56k dial-up modem.

No matter how many times technicians revise it, marketers rename it or providers repackage it, VPN is still 20th century technology trying to handle 21st century challenges. It simply wasn't created to handle remote users, multiple clouds, colocation data centers or other elements of digitization. Which forces enterprises like yours to make a tough but necessary choice.

You can stay with your very familiar, once outstanding but now outdated VPN.

Or you can stay in business.

New Research Reports Reveal Disturbing DDoS Statistics

Distributed denial-of-service (DDoS) attacks are more powerful, harder to prevent and costlier to deal with than ever before.

And if you need any proof, take a look at two major, recently released research studies.

According to the 2017 Data Breach Investigations Report from Verizon, enterprises experienced 11,246 DDoS incidents last year. Virtually all (98%) of the attacks were aimed at large organizations. Most of the incidents lasted a couple of days or less — more than enough time to bring down a website and render important systems useless.

The May 2017 Worldwide DDoS Attacks and Cyber Insights Research Report from information services firm Neustar gets into more detail. Neustar and Harris Interactive conducted global, independent research of directors, managers, CISOs, CSOs, CTOs and other C-suite executives. Respondents came from various industries, including financial services, technology, healthcare, retail and energy. Annual revenues of about half of these enterprises ranged from $500 million to $1 billion.

Of the 1,010 organizations surveyed, 849 had experienced a DDoS attack within the past year; 86 percent of those companies had been hit more than once. Furthermore:

  • 45 percent of DDoS attacks were more than 10 gigabits per second
  • 15 percent of attacks were at least 50 Gbps
  • 43 percent of organizations lost an average of $250,000 per hour
  • 51 percent needed three hours or more to detect an attack
  • 40 percent needed at least three hours to respond once an attack was discovered

What makes these numbers especially disturbing is that virtually all of the organizations surveyed (99 percent) were using some type of DDoS protection.

The Mirai Factor

Until recently, DDoS attacks rarely grabbed headlines the way cyber-espionage forays do. However, the Internet of Things (IoT) has changed all that. It's empowered DDoS attackers in unimaginable ways. The best example is Mirai malware.

Mirai, the Japanese word for "the future," infects IoT devices like cameras and servers, turning them into bots to be employed in DDoS attacks. Hackers can conduct large-scale DDoS attacks on services from hundreds or thousands of devices unattributable to the attacker.

Mirai botnets have done considerable damage since they were first discovered on Olympic websites last August. In September, they executed a record 620 Gbps attack on the cybersecurity blog KrebsOnSecurity, taking it offline. In October, the target was Internet infrastructure firm Dyn. That resulted in taking down many of the most-used web services, including Twitter, Reddit, Netflix and Spotify websites. Since then, other Mirai victims have included nearly a million Internet users in Germany and the entire country of Liberia.

"The Mirai botnet attacks were a wake-up call," said Deborah Clark-McGinn, senior director of product marketing at Neustar. "What most organizations have in place is not enough, especially in the face of new and emerging attack methods. Most organizations have some sort of DDoS protection in place, yet 90 percent are investing more than they did a year ago, and 36 percent think they should be investing even more."

Is your enterprise prepared? We can help. Our Dispersive™ Virtualized Network will enable you to prosper from the benefits of IoT while minimizing the security risks IoT poses.

Find out how we or one of our carrier partners can improve your situation. Email us at info@dispersivegroup.com or call us at (844) 403-5852.

 

Protect Your POS System From Hungry Hackers And Careless Vendors

Hundreds of millions of Americans dine at restaurants each year. Unfortunately, so do hackers.

In the past year alone, we've learned about cybercriminals devouring credit card information from CiCi's Pizza, Wendy's and Arby's. What makes these retailers so attractive to attackers is their highly vulnerable point-of-sale (POS) systems. The problem is so severe that cybercrime investigative journalist Brian Krebs recently blogged on KrebsOnSecurity:

"From my perspective, organized crime gangs have so completely overrun the hospitality point-of-sale systems here in the United States that I just assume my card may very well be compromised whenever I use it at a restaurant or hotel bar/eatery."

According to the just-released 2017 Data Breach Investigations Report from Verizon, almost 65% of POS breaches involved the use of stolen credentials as the hacking variety. And 95% of breaches featuring the use of stolen credentials leveraged vendor remote access to hack into their customers' POS environments.

Anatomy Of A POS Hack

A vendor-enabled POS hack usually involves three basic steps. To illustrate this, we'll use the infamous Target hack, which compromised 40 million credit cards.

First, the hacker steals vendor login credentials. In the case of Target, a phishing email loaded malware on the computers of one of the retailer's HVAC vendors. The next time that vendor logged into the Target portal, the attacker captured the login credentials.

Next, the hacker uses these credentials to enter and roam the network. Target never released details on how its Windows servers were breached, but speculation has it that they fell to SQL injection attacks. This would have helped attackers attain elevated credentials, allowing them to move across Target's internal network.

And finally, the hacker begins exfiltrating POS credit card data. Target's attackers infected the system with malware that scraped the RAM of POS devices and grabbed data as cards were swiped. This information was sent to a "dump" server outside the compromised network, from which cybercriminals then moved the stolen data to off-site FTP servers.

Protecting Your POS System

Obviously, you can't eliminate third-party vendors. Doing away with your vendor portal is also unfeasible. It would greatly limit your working relationship with these important suppliers.

However, keep in mind that all it takes is one compromised vendor to put your entire POS system in jeopardy. So it's imperative you do all you can to prevent that. Here are some suggestions:

Require two-factor authentication. Make sure your vendors can't access your portal with just a user name and password. For even higher security, add a third factor of authentication for client devices.

Secure your network perimeter. Insist that third-party vendors access your network only with authorized devices. With software-defined networks, this means only devices on which the software is registered. This prevents attackers using stolen credentials from entering your portal via their devices.

Hide your vendor portal. It should not be visible, reachable or scannable from the public Internet. Instead, establish a zero-trust firewall to protect your enterprise applications and vendor portal from prying eyes.

Limit vendor access. Once inside the Target network, attackers moved laterally from server to server, searching for valuable data. Prevent this by locking down vendor access to just one application or server. That way, if an attacker does sneak through your vendor portal, he's limited to only that portal application.

Vet your vendors. We'll end with where you should begin. As the Verizon report stated:

"We recommend all businesses, small and large, ask the right questions to any third-party management vendors about their security practices, specifically about use of two-factor authentication."
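As an added illustration (not part of the original post and not Dispersive's software), the suggestions above can be expressed as an audit that a defender runs over vendor portal session records. The policy table, record fields, vendor names and sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy: each vendor account is pinned to its registered
# devices and to the single application it is allowed to reach.
VENDOR_POLICY = {
    "hvac-vendor": {"devices": {"dev-7f3a"}, "app": "billing-portal"},
    "pos-vendor": {"devices": {"dev-91c2", "dev-91c3"}, "app": "pos-support"},
}

@dataclass
class Session:
    vendor: str
    device_id: str
    second_factor: bool         # did the login complete a second factor?
    via_public_internet: bool   # did it arrive on a publicly reachable listener?
    destinations: list          # internal hosts/apps touched during the session

def audit(session):
    """Return the control violations found in one vendor session."""
    policy = VENDOR_POLICY.get(session.vendor)
    if policy is None:
        return ["unknown vendor account"]
    findings = []
    if not session.second_factor:                     # require two-factor authentication
        findings.append("no second factor")
    if session.device_id not in policy["devices"]:    # authorized devices only
        findings.append("unregistered device")
    if session.via_public_internet:                   # portal should not be publicly reachable
        findings.append("portal reached from public Internet")
    extra = sorted(set(session.destinations) - {policy["app"]})
    if extra:                                         # vendor limited to one application
        findings.append("access beyond assigned app: " + ", ".join(extra))
    return findings

def flagged(sessions):
    """Map session index -> findings, for sessions with at least one finding."""
    results = {i: audit(s) for i, s in enumerate(sessions)}
    return {i: f for i, f in results.items() if f}

# Constructed sample data: one compliant session, one that matches the
# stolen-credential pattern described above, one from an unknown account.
SAMPLE_SESSIONS = [
    Session("hvac-vendor", "dev-7f3a", True, False, ["billing-portal"]),
    Session("hvac-vendor", "dev-0000", False, True,
            ["billing-portal", "pos-db-01", "file-srv-02"]),
    Session("catering-vendor", "dev-1111", True, False, ["billing-portal"]),
]

if __name__ == "__main__":
    for index, findings in flagged(SAMPLE_SESSIONS).items():
        print(index, findings)
```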

Don't wait to be the next victim. Talk to Dispersive. Our virtualized networks can bring unmatched security to your POS systems, minimizing your concerns about hungry hackers and careless vendors.

Find out how we or one of our carrier partners can improve your situation. Email us at info@dispersivegroup.com or call us at (844) 403-5852.