Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk
In Singapore, virtual private network (VPN) services are well known to consumers, who use them to access unauthorised streaming content and data across the internet as well as to shield browsing activity. About four years ago, the Ministry of Law (MinLaw) even proposed reviewing the legality of VPN when considering updates to the country’s copyright laws.
For businesses using VPN, particularly those using it now across their entire workforce for the first time, security is a concern for IT security teams.
These services provide comprehensive access to company systems, applications and data, but are also a nightmare for security teams when it comes to mitigating risks from cyber attackers. Here are five questions security teams and business leaders should consider to secure VPN connections.
How old is the organisation’s current VPN service?
VPN services have become an increasingly popular attack vector in recent times. It is not just that the onset of COVID-19 has forced employees around the world to work from home; working remotely is also a lifestyle choice that has become fairly common, and it provides cyber attackers with a service to target. In 2019 alone, researchers uncovered a series of new vulnerabilities in VPN services, including CVE-2019-14899, which allowed attackers to hijack VPN sessions, as well as the Iranian “Fox Kitten” campaign, which gained access to, and a persistent foothold in, the networks of numerous companies and organisations around the world.
These discoveries, in addition to known vulnerabilities, underscore the importance of ensuring that VPN servers are up to date and tightly configured – especially with more organisations relying almost entirely on VPN services.
How alert are employees about cyber threats?
It is well known that attackers regularly take advantage of crisis situations to attack their corporate targets through social engineering, based on the understanding that employees often represent the weakest link in the security chain.
It is a prime time for attackers to exploit human concerns through mass phishing attacks cloaked behind seemingly legitimate advice.
Therefore, it is vital to raise awareness and ensure that any phishing attempt an employee encounters is reported to the relevant company staff immediately.
Where does the VPN client connect?
A VPN client, the application typically used to connect to virtual private networks, should be pre-configured with the VPN server. The client can be configured with the server’s IP address or with its name.
The name of the VPN server is usually a domain name system (DNS) record, directing the user to a specific IP address. Attackers may in some cases go after the DNS record, rather than the VPN client or server directly, to hijack the session. Another method is to capture network traffic between a website and a client containing a session ID to gain unauthorised access. Organisations that, for example, used a cloud service but have not removed the DNS records are vulnerable to domain hijacking.
To mitigate this risk, it is worth configuring the IP address of the company servers directly without using its name if possible.
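The check this section describes, sketched as an added example that is not part of the original article: it flags VPN client settings that depend on DNS and names that no longer resolve to a company-run server. The function names, the pinned address list and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import socket

def system_resolver(name):
    """Resolve a host name to a set of IP strings via the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def audit_vpn_remote(remote, pinned_ips, resolver=system_resolver):
    """Return findings for one VPN client 'remote' value (host name or IP).

    pinned_ips: addresses the company actually runs VPN servers on.
    resolver:   callable name -> iterable of IP strings (injectable for tests).
    """
    pinned = {ipaddress.ip_address(ip) for ip in pinned_ips}
    try:
        literal = ipaddress.ip_address(remote)
    except ValueError:
        literal = None
    if literal is not None:
        # Configured by IP: no DNS dependency, only the pin needs checking.
        return [] if literal in pinned else [f"{remote}: not a known VPN server"]
    findings = [f"{remote}: configured by name, depends on DNS integrity"]
    try:
        resolved = {ipaddress.ip_address(ip) for ip in resolver(remote)}
    except OSError:  # socket.gaierror is a subclass of OSError
        findings.append(f"{remote}: does not resolve (stale or removed record?)")
        return findings
    for ip in sorted(resolved - pinned, key=str):
        findings.append(f"{remote}: resolves to unexpected address {ip}")
    return findings

# Constructed sample data: documentation-range IPs and example.com names.
PINNED = ["192.0.2.10", "192.0.2.11"]
SAMPLE_DNS = {
    "vpn.example.com": {"192.0.2.10"},
    "vpn-old.example.com": {"203.0.113.77"},  # record now points elsewhere
}

def sample_resolver(name):
    """Stand-in resolver over SAMPLE_DNS so the example runs offline."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror(f"{name}: no such host")
    return SAMPLE_DNS[name]

if __name__ == "__main__":
    for remote in ["192.0.2.10", "vpn.example.com", "vpn-old.example.com",
                   "vpn-gone.example.com", "198.51.100.5"]:
        for line in audit_vpn_remote(remote, PINNED, sample_resolver) or [f"{remote}: ok"]:
            print(line)
```

Run against real client profiles by omitting the `resolver` argument, which falls back to the operating system's resolver.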
How do my employees connect to the Internet?
Employees typically access the internet through their home networks via WiFi, but when, if ever, did your IT security team check to ensure that these networks are secure? The chances are, never.
As a result, attacks on home WiFi networks are common. These include attacks that target weakly encrypted WEP protocols using default SSIDs and passwords, attacks that use the WPA2 KRACK vulnerability, which capitalises on weaknesses in WiFi standards, and Evil Twin attacks, in which a fraudulent WiFi access point is set up to steal passwords.
Once they have infiltrated the network, the attacker may use their position to perform a DNS spoofing attack that will allow them to hijack domains. They can also attack an employee’s computer directly to uncover valuable information stored locally. From this position, the route to infiltrating wider corporate networks is short and fairly straightforward.
The best way to defend against this is to only authorise the use of laptops that IT administrators have control over. This allows security teams to install the appropriate security tools to detect these types of attacks remotely.
Are my employees’ VPN login credentials sufficiently strong and protected?
In many organisations, enforcement policies for system connection permissions are not strong enough. However, security teams must remember how lucrative login credentials are to hackers. Multi-factor authentication mechanisms should be considered mission-critical across both connection and identification processes, given hackers’ ability to attack these vectors.