In Singapore, virtual private network (VPN) services are well known to consumers, who use them to access unauthorized streaming content and data across the internet and to shield their browsing activity. About four years ago, the Ministry of Law (MinLaw) even proposed reviewing the legality of VPNs when considering updates to the country's copyright laws.
For businesses using VPNs, particularly those now using them across their entire workforce for the first time, security is a concern for IT security teams.
These services provide comprehensive access to company systems, applications and data, but are also a nightmare for security teams when it comes to mitigating risks from cyber attackers. Here are five questions security teams and business leaders should consider when securing VPN connections.
1. How old is the organization's current VPN service?
VPN services have become a popular attack vector in recent times. Working from home is no longer only something the onset of COVID-19 has forced on employees around the world; it is a lifestyle choice that has become common, and it provides cyber attackers with a service to target.
In 2019 alone, researchers uncovered a series of new vulnerabilities in VPN services, including CVE-2019-14899, which allowed attackers to hijack VPN sessions, and the Iranian “Fox Kitten” campaign, which gained access to, and a persistent foothold in, the networks of numerous companies and organizations around the world.
These discoveries, in addition to known vulnerabilities, underscore the importance of ensuring that VPN servers are up to date and tightly configured — especially with more organizations relying almost entirely on VPN services.
2. How alert are employees about cyber threats?
It is well known that attackers take advantage of crisis situations to attack their corporate targets through social engineering, based on the understanding that employees often represent the weakest link in the security chain.
It is a prime time for attackers to exploit human concerns through mass phishing attacks cloaked behind seemingly legitimate advice.
Therefore, it is vital to raise awareness and ensure that cases where an employee encounters a phishing attempt are reported to relevant company staff immediately.
3. Where does the VPN client connect?
A VPN client, the application typically used to connect to virtual private networks, should be pre-configured with the VPN server. The server can be specified in the VPN client either by IP address or by name.
The name of the VPN server is usually a domain name system (DNS) record, directing the user to a specific IP address. Attackers may sometimes go after the DNS record, rather than the VPN client or server directly, to hijack the session. Another method is to capture network traffic between a website and a client that contains a session ID, in order to gain unauthorized access. Organizations that, for example, once used a cloud service but never removed the DNS records for it are vulnerable to domain hijacking.
To mitigate this risk, it is worth configuring the VPN client with the IP address of the company's servers directly, rather than with their name, if possible.
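As an added illustration that is not part of the original article, the following audit shows how a security team could check which VPN client profiles still depend on a DNS record and whether that record resolves to the servers the company actually runs. It assumes OpenVPN-style `remote <host> [port]` lines; the function names, hostnames and documentation-range IP addresses are constructed for the example.

```python
import ipaddress
import socket

def parse_remotes(profile_text):
    """Return hosts named on OpenVPN-style 'remote <host> [port]' lines."""
    hosts = []
    for raw in profile_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) >= 2 and parts[0] == "remote":
            hosts.append(parts[1])
    return hosts

def system_resolver(host):
    """Resolve through the OS resolver, i.e. whatever DNS the client trusts."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def audit_profile(profile_text, expected_ips, resolver=system_resolver):
    """Classify each remote: pinned IP, name resolving as expected, or drift."""
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    findings = []
    for host in parse_remotes(profile_text):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # not an IP literal, so the client depends on DNS
        if addr is not None:
            status = "pinned-ok" if addr in expected else "pinned-unexpected-ip"
            findings.append((host, status, [str(addr)]))
            continue
        try:
            resolved = {ipaddress.ip_address(a) for a in resolver(host)}
        except OSError:
            findings.append((host, "dns-unresolvable", []))
            continue
        rogue = sorted(str(a) for a in resolved - expected)
        status = "dns-mismatch" if rogue else "dns-dependent-ok"
        findings.append((host, status, rogue))
    return findings

# Constructed sample data: documentation-range IPs and example.com names.
SAMPLE_PROFILE = """
client
remote 192.0.2.10 1194      # pinned by address
remote vpn.example.com 1194 # depends on a DNS record
remote old-vpn.example.com 443
"""
SAMPLE_DNS = {"vpn.example.com": {"192.0.2.10"},
              "old-vpn.example.com": {"203.0.113.66"}}  # record now points elsewhere

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, ["192.0.2.10"], SAMPLE_DNS.__getitem__):
        print(finding)
```

A `dns-mismatch` finding is the case the section warns about: the profile trusts a name whose record no longer points at a company server.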
4. How do my employees connect to the Internet?
Employees typically access the internet through their home networks via Wi-Fi, but when, if ever, did your IT security team check to ensure that these networks are secure? The chances are, never.
As a result, attacks on home Wi-Fi networks are common: attacks that target weakly encrypted WEP protocols using default SSIDs and passwords, that use the WPA2 KRACK vulnerability, which capitalizes on weaknesses in Wi-Fi standards, or that use an Evil Twin, in which a fraudulent Wi-Fi access point is set up to steal passwords.
Once they have infiltrated the network, the attacker may use their position to perform a DNS spoofing attack that will allow them to hijack domains. They can also attack an employee's computer directly to uncover valuable information stored locally. From this position, the route to infiltrating wider corporate networks is short and straightforward.
The best way to defend against this is to only authorize the use of laptops that IT administrators have control over. This allows security teams to install the appropriate security tools to detect these types of attacks remotely.
5. Are my employees’ VPN login credentials sufficiently strong and protected?
In many organizations, enforcement policies for system connection permissions are not strong enough. However, security teams must remember how lucrative login credentials are to hackers. Multi-factor authentication mechanisms should be considered mission-critical across both connection and identification processes, given the attack vectors available to hackers.
Teck Wee Lim, regional director for ASEAN at CyberArk wrote this article. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of HR&DigitalTrends.