Many businesses are turning to VPNs to provide remote access to employees during the ongoing coronavirus crisis. These services provide comprehensive access to company systems, applications and data, but are also a nightmare for security teams when it comes to mitigating risks. So what questions should security professionals ask themselves when it comes to securing VPN connections?
1. How old is my current VPN service?
VPN services have become an increasingly popular attack vector in recent times. It's not just the onset of coronavirus that has encouraged employees around the world to work from home; remote working had already become a fairly common lifestyle choice, which, while providing significant flexibility, also gives cyber attackers a service to target. In 2019 alone, researchers uncovered a series of new vulnerabilities in VPNs, including CVE-2019-14899, which allowed attackers to hijack VPN sessions, as well as the Iranian "Fox Kitten" attack campaign.
These discoveries, on top of existing known vulnerabilities, only emphasize the fact that it's more important than ever - with many organizations now relying almost entirely on VPN services - to make sure that VPN servers are up to date and tightly configured.
2. How alert are my employees to trickery?
It's well-known that attackers regularly take advantage of crisis situations, such as the ongoing global coronavirus pandemic, to pursue their various goals through social engineering. This rests on the widely accepted view that employees, more than any technological system, often represent the weakest link in the security chain.
At a time when COVID-19 is taking over our consciousness, it is easy for attackers to exploit human concerns and feed us malicious information, often cloaked behind seemingly legitimate advice on health and wellbeing, and thus create mass phishing attacks. Vaccine announcements and urgent messages on updates to company protocol around coronavirus, for example, could cause even employees who are aware of the risk of phishing attacks to fall for such schemes.
It’s therefore vital to raise awareness and ensure that cases where an employee encounters a phishing attempt are reported to relevant company staff immediately.
3. Where does our VPN client connect?
A VPN client - the application typically used to connect to a virtual private network - will most likely come pre-configured with the address of the VPN server, which can be specified either by IP address or by name.
The name of the VPN server is usually a Domain Name System (DNS) record: a more readable hostname which resolves to a specific IP address. In some cases, an attacker might not attack the VPN client or server directly, but the DNS record itself, and use it to hijack or sniff the session. The latter involves attackers capturing network traffic between a website and a client containing a session ID in order to gain unauthorised access. If your organisation is vulnerable to domain hijacking - for instance, if a cloud service was used by your organisation in the past but its DNS records were never removed, meaning anyone can claim them - you might be in a dangerous position.
To mitigate this risk, it’s worth configuring the IP address of your company’s servers directly without using its name if that’s possible.
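The dangling-record scenario above (a cloud service that was retired while its DNS record stayed behind) is something a defender can audit for. The following script is an added example, not code from the article or from CyberArk: it walks a constructed sample zone, picks out CNAME records that point at third-party cloud hostnames, and flags those whose target no longer resolves. The cloud-provider suffixes and the zone contents are illustrative assumptions.

```python
"""Flag DNS records pointing at external cloud hosts that no longer resolve.

Added example (not from the original article). The zone below is constructed
sample data; the provider suffixes are an illustrative assumption, not a
complete list.
"""
import socket
from typing import Callable, List, Tuple

# Hypothetical suffixes of third-party services where an unclaimed hostname
# can be registered by anyone; extend for the providers your organisation uses.
CLOUD_SUFFIXES = (".cloudapp.azure.com", ".herokuapp.com",
                  ".s3.amazonaws.com", ".trafficmanager.net")

# Constructed sample zone: (owner name, record type, target)
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("vpn.example.com", "A", "203.0.113.10"),
    ("portal.example.com", "CNAME", "old-app-2018.herokuapp.com"),
    ("files.example.com", "CNAME", "corp-files.s3.amazonaws.com"),
    ("www.example.com", "CNAME", "web.example.com"),
]


def _system_resolver(name: str) -> bool:
    """True if the name currently resolves (uses the OS resolver)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def is_external_cloud_target(target: str) -> bool:
    """True if the CNAME target lives under a claimable provider domain."""
    return target.lower().rstrip(".").endswith(CLOUD_SUFFIXES)


def find_dangling_cnames(zone, resolves: Callable[[str], bool] = _system_resolver):
    """Return (owner, target) pairs whose CNAME points at a cloud host that
    no longer resolves. Resolution failure is only a first-pass signal: a
    target that still resolves may still be unclaimed at the provider, so
    confirm hits with a provider-specific check before acting."""
    dangling = []
    for owner, rtype, target in zone:
        if rtype != "CNAME" or not is_external_cloud_target(target):
            continue  # A records and in-zone CNAMEs are not claimable by outsiders
        if not resolves(target):
            dangling.append((owner, target))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_ZONE):
        print(f"DANGLING: {owner} -> {target}")
```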
4. How do my employees connect to the Internet?
Typically employees are accessing the internet through their home networks, using Wi-Fi. When was the last time your IT team visited to check if that network is secure? The chances are, never.
As a result, attacks on home Wi-Fi are common. They are often simple and varied: attacking weakly encrypted WEP networks that still use default SSIDs and passwords, exploiting the WPA2 KRACK vulnerability (which capitalises on weaknesses in the Wi-Fi standard), setting up an Evil Twin (a fraudulent Wi-Fi access point used to steal passwords, for example) - and other established routes.
Once they have infiltrated the network, an internal attacker might, for example, use their position to perform a DNS spoofing attack that will allow them to hijack domains. They could also directly attack the employee's computer to uncover valuable information stored locally. From this position, the route to infiltrating wider corporate networks is short and fairly straightforward.
The best way to defend against this from a corporate perspective is to authorise only the use of laptops that your IT admins have control over. This allows security teams to install the appropriate security tools to detect those kinds of attacks remotely if needed.
5. Are my employees’ VPN login credentials sufficiently strong and protected?
In many organisations, the policy enforcing permissions for system connections is not strong enough. Security teams must constantly remind themselves of how lucrative login credentials are to hackers. Using multi-factor authentication mechanisms across both connection and identification processes should therefore be considered mission critical, because of their ability to close off these attack vectors.
Nir Chako is a security researcher at CyberArk