Your VPN Infrastructure Might Not Be as Secure As You Think

The recent surge in VPN attacks has shattered the idea that VPN networks are invincible and makes a strong case for organizations to reassess their VPN infrastructure

July 6, 2021

Let’s assume that the corporate network is completely secure and that members of staff working inside the network perimeter can safely send messages backwards and forwards between their PCs and the servers. This is an ideal model of how people used to work. What if one of those employees wants to work from a customer’s site, or their hotel room, or home? How can they securely access the corporate network and data? For a long time, the answer to that question has been to use a virtual private network (VPN). 

A VPN allows users to connect to the Internet and to their corporate network as if they are connecting to a private network. The Internet traffic is encrypted to prevent the data packets from being readable by anyone who might intercept them. In addition, user activity is anonymous. The VPN, in effect, creates a point-to-point connection between the remote device and the corporate network. 

VPNs provide a much-needed extra layer of privacy and security for anyone using the Internet to communicate with their company. And that’s why, when the pandemic struck, and many office workers switched to remote work, most organizations looked to VPNs as a way to provide safe and private access to their network for these home workers.

So far, so good. 

Rocketing VPN Attacks

As with any secure set-up, bad actors are working to find weaknesses, and VPNs are no exception. This has led to several high-profile hacks so far in 2021. According to Nuspire, a managed security service provider, VPN attacks have jumped by nearly 2,000% as a result of remote work. The security company observed a 1,916% increase in attacks against Fortinet’s SSL-VPN and a 1,527% increase in attacks against Pulse Connect Secure VPN in Q1 2021. These figures should concern any organization relying on a VPN to secure corporate communications and employees’ access to the Internet.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have also warned that known security vulnerabilities in Fortinet’s FortiOS cybersecurity operating system, affecting Fortinet’s SSL VPN products, are routinely exploited by nation-state hackers.

Three problems with Fortinet’s FortiOS were involved. First, the SSL VPN web portal allowed an unauthenticated attacker to download system files using specific HTTP resource requests. Second, an unauthenticated attacker on the same subnet could impersonate the LDAP server and intercept the information sent to it. Third, if users changed the case of their username, they could log in successfully without being prompted for a second authentication factor. 
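The third FortiOS problem above is a classic lookup-mismatch bug. The following toy model is an added example, not code from the article or from Fortinet: the password check case-folds the username while the MFA enrollment lookup does not, so a differently cased username is never asked for a second factor. The hardened version canonicalizes once and fails closed. All users, passwords and the one-time code are constructed sample data.

```python
# Added example (not from the article or from Fortinet): a toy model of the
# second-factor bypass the article describes, where changing the case of a
# username lets a login through without an MFA prompt. Users, passwords and
# the one-time code are constructed sample data.
import hashlib
import hmac
from typing import Optional

# Constructed directory. Password hashes are looked up case-insensitively,
# as many directories do, while MFA enrollment is keyed case-sensitively.
# That mismatch between the two lookups is the bug.
_PASSWORDS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
_MFA_ENROLLED = {"alice": "totp-secret-placeholder"}
_VALID_OTP = "123456"   # stands in for real TOTP verification


def _password_ok(username: str, password: str) -> bool:
    """Password check; the directory lookup ignores username case."""
    digest = _PASSWORDS.get(username.lower())
    if digest is None:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(password.encode()).hexdigest())


def login_vulnerable(username: str, password: str, otp: Optional[str]) -> str:
    """Flawed flow: the MFA lookup uses the username exactly as typed.

    'ALICE' passes the password check (case-folded lookup) but is not found
    in the case-sensitive MFA table, so no second factor is ever requested.
    """
    if not _password_ok(username, password):
        return "denied"
    if username in _MFA_ENROLLED:          # bug: case-sensitive lookup
        return "granted" if otp == _VALID_OTP else "mfa-required"
    return "granted"                        # no enrollment found -> waved through


def login_fixed(username: str, password: str, otp: Optional[str]) -> str:
    """Hardened flow: canonicalize once, use that key for every lookup, and
    treat 'no MFA enrollment found' as a failure rather than a bypass."""
    canonical = username.strip().lower()
    if not _password_ok(canonical, password):
        return "denied"
    if canonical not in _MFA_ENROLLED:     # fail closed
        return "denied"
    return "granted" if otp == _VALID_OTP else "mfa-required"
```

The general lesson is that every policy lookup (password, MFA, group membership) must key on the same canonical identity, and that a missing MFA record is a configuration error to reject, not a reason to skip the prompt.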

Once hackers have access to a network, they can exfiltrate data, encrypt it as part of a ransomware attack, or both. Any organization that hasn’t already done so should patch these vulnerabilities and update all software and firmware immediately.


Also, in April, New York’s Metropolitan Transportation Authority (MTA) revealed that hackers with links to the Chinese government had exploited a zero-day vulnerability in Pulse Connect Secure VPN to breach its network infrastructure. Fortunately, the authority acted quickly to limit further damage soon after it was informed of the breach.

The ransomware attack on Colonial Pipeline, which caused massive disruption to fuel supplies on the U.S. East Coast in May, was triggered by a compromised VPN account. Ransomware attacks usually start with phishing, but there was no sign of that on Colonial’s network. Further investigation revealed that the hackers had got into the network on 29 April using a VPN account that was no longer in use but still provided access to the network. The password was available on the Dark Web, which indicates that a Colonial employee must have used the same password on a different account that had been hacked. Multi-factor authentication (MFA) to verify the identity of the person trying to log in is now the recommended practice. However, it wasn’t required on this account, and the hackers gained entry with just the username and password they had acquired. 

These three quite different VPN attacks clearly show that a VPN isn’t as secure as some people believe it to be. 

What Can Be Done?

VPNs originally came without any encryption at all; these days, there are many ways to improve VPN security. Firstly, as we said earlier, make sure that the servers run the latest software versions and firmware, and install patches for known vulnerabilities as soon as they are released. That way, at least, devices will be protected from known problems.

Secondly, make sure that no username and password combination belonging to anyone who has left the company can still log in to the network. And introduce multi-factor authentication for everyone so that strong authentication is used throughout. That way, if someone’s username and password were stolen, the thief still could not get into the network.

Strong encryption is essential:

  • Internet Protocol Security (IPsec) is used with the Layer 2 Tunnelling Protocol (L2TP). For encryption, IPsec encrypts the original IP packet and wraps it inside an outer IPsec packet. At the far end of the tunnel, decryption involves unwrapping the IPsec packet and forwarding the IP packet inside to wherever it’s meant to go.
  • Transport Layer Security (SSL/TLS) can secure a staff member’s connection. It works better than IPsec where Network Address Translation (NAT) and firewall rules are in place.

If, for some reason, MFA can’t be used, then it’s advisable to use something like biometrics or smart cards for access. If passwords are still used, they must be changed at regular intervals. No dictionary words, pet or family names, or phone numbers should be used as passwords, and they need to be long enough to be hard to crack.


Ideally, only company-supplied laptops that are regularly updated with the latest patches should be used to connect to the corporate network over the VPN. This drastically reduces the chance that the device has been infected and will then go on to infect the corporate network. Otherwise, make it company policy that any device using the VPN to connect to the network has firewall, antivirus, and anti-ransomware software installed and up to date. The VPN gateway could randomly quarantine users as they log in and check whether these are installed and up to date. If employees think they are likely to be checked, they are more likely to be compliant. Logging and auditing VPN activity can also be used to identify or trace attacker activity.
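As an added example (not from the article or any VPN vendor) of what auditing VPN logs for the problems described above can look like, the following script checks successful logins against a leaver roster (accounts that should have been removed, as in the second recommendation), flags logins that never passed MFA, and flags accounts that were dormant and then suddenly used again, the pattern behind the Colonial Pipeline breach. The log format, account baseline, roster and user names are all constructed sample data.

```python
# Added example (not from the article or any vendor); log format, baseline,
# leaver roster and user names are constructed sample data.
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2021-04-01T08:02:11Z user=jsmith result=success mfa=yes src=203.0.113.10
2021-04-29T22:10:55Z user=oldacct result=failure mfa=no src=198.51.100.7
2021-04-29T22:14:03Z user=oldacct result=success mfa=no src=198.51.100.7
2021-04-30T09:00:00Z user=jsmith result=success mfa=yes src=203.0.113.10
2021-04-30T09:12:27Z user=pdavis result=success mfa=no src=198.51.100.22
"""
# Constructed baseline from the account store: last successful login per user.
LAST_KNOWN_LOGIN = {"jsmith": datetime(2021, 3, 31),
                    "oldacct": datetime(2020, 12, 1),
                    "pdavis": datetime(2021, 3, 20)}
DEPARTED = {"pdavis"}   # constructed HR roster of leavers


def parse(log_text):
    """Turn each 'ts key=value ...' line into a dict; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or "=" not in parts[1]:
            continue
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def audit(log_text, dormant_days=30, baseline=LAST_KNOWN_LOGIN, departed=DEPARTED):
    """Return (timestamp, user, reason) findings; only successful logins count."""
    findings = []
    last_seen = dict(baseline)
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        if ev.get("result") != "success":
            continue
        user, ts = ev["user"], ev["ts"]
        if user in departed:               # should have been disabled at offboarding
            findings.append((ts, user, "departed-user-login"))
        if ev.get("mfa") != "yes":         # password-only login, as at Colonial
            findings.append((ts, user, "login-without-mfa"))
        prev = last_seen.get(user)
        if prev is None or ts - prev > timedelta(days=dormant_days):
            findings.append((ts, user, "dormant-or-unknown-account"))
        last_seen[user] = ts
    return findings
```

Running the audit on the sample flags the reactivated dormant account, both password-only logins and the leaver's login, while the regular user who logs in every few weeks produces no findings.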

Security can be improved by using digital certificates, which prove that a person or device is who it claims to be. Digital certificates allow a VPN firewall or client to prove to the VPN gateway that it is who it claims to be. The network should use the latest versions of antivirus software. It also needs to be running intrusion detection and prevention tools that can report immediately when unauthorized activity is detected.

There must be strong default security for administration and maintenance ports on the server. VPN servers should also assign clients addresses on a private network while keeping all addresses confidential.

It’s also recommended to install a VPN kill switch, which prevents the computer’s Internet address from being used by bad actors if a remote computer loses its VPN connection. The kill switch might shut down the Internet connection or shut down the apps using it. 

Alternatives to VPN

Rather than using a VPN, employees could access some of the files they require from a secure website (https://), with password authentication. This gives them access to the files they need but not to the whole network.

Organizations could use privileged access management (PAM) tools instead of VPNs. PAM tools can be used with an Identity & Access Management (IAM) platform, implementing multi-factor authentication. The PAM tools would manage what data and applications the user could access and record their activity. This makes it easy to identify unusual or unauthorized activity by the user.

Zero Trust Network Access (ZTNA) is being talked about more and more these days and could be used instead of a VPN. Everyone on the network is treated as a potential threat: no one is trusted until they have been verified. Once verified, users can access the data and applications they need, but only the parts of the network they have permission to access, and they can only run the applications they have permission to use. This prevents users from escalating their privileges and accessing data they weren’t initially authorized to see.


Conclusion

The pandemic caused a massive increase in the number of employees working from home, and the default method for making this happen at most sites was to expand the use of VPNs. This is still the position for many sites now supporting hybrid working. Sites using Fortinet and Pulse Secure servers may well have been regretting their choice of server in the early part of this year, and there may well be many sites in a similar position to Colonial Pipeline. For everyone using a VPN, now is the time to reassess their infrastructure and improve their security in whatever ways they can. Some sites might even be looking at alternatives to VPN.


Trevor Eddolls
A popular speaker and blogger, Trevor currently chairs the Virtual IMS and Virtual CICS user groups. He's editorial director for the Arcati Mainframe Yearbook and for many years edited Xephon's Update publications. Trevor has an extensive 40-year background in mainframes and IT, and has been recognized as an IBM Champion from 2009 to 2022 for his leadership and contributions to the Information Management community. He's written numerous technical articles and published 3 mainframe-related books. He's an accomplished web designer and recognized social media expert.