March 18, 2020, updated 19 Mar 2020 9:24am

The Top 5 Questions Organisations Should Ask About their VPN Connections

"In many organisations, the enforcement policy for system connection permissions is not strong enough"

By CBR Staff Writer

Many businesses are turning to VPNs to provide remote access to employees during the ongoing coronavirus crisis. These services provide comprehensive access to company systems, applications and data, but are also a nightmare for security teams when it comes to mitigating risks, writes Nir Chako, Security Researcher, CyberArk.

So what questions should security professionals ask themselves when it comes to securing VPN connections?

1: How Old is My Current VPN Service?

VPN services have become an increasingly popular attack vector in recent times. It’s not just the onset of coronavirus that has encouraged employees around the world to work from home: remote working is a lifestyle choice that has become fairly common, and while it provides significant flexibility, it also gives cyber attackers an exposed service to target.

In 2019 alone, researchers disclosed a series of new VPN vulnerabilities, including CVE-2019-14899, which allowed an attacker on the same network to hijack active connections inside a VPN tunnel, and the Iranian “Fox Kitten” campaign, which exploited known flaws in VPN products to gain a foothold, was uncovered.

These discoveries, on top of existing known vulnerabilities, only emphasise that it is more important than ever, with many organisations now relying almost entirely on VPN services, to make sure that VPN servers are patched, up to date and tightly configured.

2: How Alert are my Employees to Trickery?

It’s well known that attackers regularly take advantage of crisis situations, such as the ongoing global coronavirus pandemic, to pursue their goals through social engineering. This rests on the widely accepted view that employees, more than any technological system, often represent the weakest link in the security chain.

At a time when COVID-19 dominates our attention, it is easy for attackers to exploit human concerns and feed us malicious content, often cloaked behind seemingly legitimate advice on health and wellbeing, and so mount mass phishing campaigns. Vaccine announcements and urgent messages about updates to company protocol around coronavirus, for example, could cause even employees who are aware of the risk of phishing to fall for such schemes.


It’s therefore vital to raise awareness and ensure that cases where an employee encounters a phishing attempt are reported to relevant company staff immediately.

3: Where Does our VPN Client Connect?

A VPN client, the application used to connect to the virtual private network, will most likely be pre-configured with the address of the VPN server, which can be given either as an IP address or as a DNS name.

The name of the VPN server is usually a Domain Name System (DNS) record: a human-readable name that resolves to a specific IP address. In some cases an attacker will not attack the VPN client or server directly but the DNS record itself, and use it to hijack or sniff the session.

Session sniffing means capturing the network traffic between a client and a server in order to obtain a session identifier and use it to gain unauthorised access. If your organisation is vulnerable to domain hijacking, for instance because a cloud service was used in the past and the DNS records pointing at it (typically a CNAME to the provider’s hostname) were never removed, anyone who can claim that provider hostname now answers for your name, and can redirect VPN clients to a server they control.

To mitigate this risk, it’s worth configuring the IP address of your company’s VPN server directly rather than its name, where that is possible. Whichever way the server is addressed, make sure the client verifies the server’s certificate (and, where the client supports it, the expected name in that certificate), so that a connection redirected to the wrong host fails rather than silently succeeds.
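As an added example, not part of the original article or of any CyberArk tooling, the following Python script shows two checks that follow from this section: finding CNAME records in your own zone whose targets no longer resolve (which is what makes a name claimable), and auditing an OpenVPN-style client configuration for a server given by DNS name without certificate-name pinning. The zone, the resolver answers, the host names (example.com, cloudprovider.example) and the client configuration are all constructed for the example; the OpenVPN directives `remote`, `verify-x509-name` and `remote-cert-tls` are real, the rest is hypothetical.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone for a hypothetical example.com: name -> (type, target).
# "vpn-old" still points at a cloud host that was decommissioned but never
# removed from DNS; that is the record an attacker can claim.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "vpn.example.com.": ("A", "203.0.113.10"),
    "vpn-old.example.com.": ("CNAME", "legacy-vpn-4711.cloudprovider.example."),
    "portal.example.com.": ("CNAME", "portal-prod.cloudprovider.example."),
}

# Constructed resolver answers that stand in for live DNS in this offline example.
SAMPLE_ANSWERS: Dict[str, str] = {
    "portal-prod.cloudprovider.example.": "198.51.100.7",
}

Resolver = Callable[[str], Optional[str]]


def table_resolver(answers: Dict[str, str]) -> Resolver:
    """Resolver backed by a fixed table; None means the name does not resolve."""
    return lambda name: answers.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real resolver for running this against your own zone (does network I/O)."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


def find_dangling_cnames(zone: Dict[str, Tuple[str, str]],
                         resolve: Resolver) -> List[Tuple[str, str]]:
    """CNAME records whose target no longer resolves.

    Such a target is usually a provider hostname that was released when the
    service was decommissioned; whoever registers it again answers for your name.
    """
    return [(name, target) for name, (rtype, target) in zone.items()
            if rtype == "CNAME" and resolve(target) is None]


# Constructed OpenVPN-style client configuration (hypothetical).
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
remote vpn.example.com 1194 udp
remote-cert-tls server
"""


def audit_client_config(config: str) -> List[str]:
    """Flag a client that reaches its server by DNS name without pinning the
    server's certificate name, and a client that would accept any certificate
    issued by the CA as a server certificate."""
    directives = [line.split() for line in config.splitlines()
                  if line.strip() and not line.lstrip().startswith("#")]
    present = {d[0] for d in directives}
    findings = []
    for d in directives:
        if d[0] == "remote" and len(d) > 1:
            try:
                ipaddress.ip_address(d[1])          # literal address: DNS not involved
            except ValueError:
                if "verify-x509-name" not in present:
                    findings.append(f"remote {d[1]} is a DNS name and verify-x509-name is not set")
    if "remote-cert-tls" not in present:
        findings.append("remote-cert-tls server is missing")
    return findings


if __name__ == "__main__":
    print(find_dangling_cnames(SAMPLE_ZONE, table_resolver(SAMPLE_ANSWERS)))
    print(audit_client_config(SAMPLE_CLIENT_CONFIG))
```

Pinning the IP address, as the section suggests, takes DNS out of the path; pinning the certificate name means a redirected connection fails even when the name has been hijacked. Doing both is the safer combination, and running `find_dangling_cnames` with `live_resolver` against an export of your real zone is the quickest way to find the records this section warns about.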

4: How do my Employees Connect to the Internet?

Typically employees access the internet through their home networks over Wi-Fi. When was the last time your IT team visited to check whether that network is secure? The chances are: never.

As a result, attacks on home Wi-Fi are common. They are varied and often simple: cracking the weak encryption of networks still using WEP, guessing the default SSID and password that routers ship with, exploiting the WPA2 KRACK vulnerability (a key reinstallation attack against the Wi-Fi standard’s handshake), setting up an Evil Twin (a fraudulent access point carrying the same name as the real one, used to steal passwords, for example), and other established routes.

Once on the network, an attacker might, for example, use that position to spoof DNS answers so that the VPN server’s name resolves to an address they control, effectively hijacking the domain for that victim. They could also attack the employee’s computer directly to uncover valuable information stored locally. From this position, the route into the wider corporate network is short and fairly straightforward.

The best defence from a corporate perspective is to authorise remote access only from laptops that your IT administrators control. That allows security teams to install the appropriate security tools, which can detect these kinds of attack remotely if needed.
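The DNS-spoofing step described above is one of the things a tool on a managed laptop can catch: compare what the local resolver actually returned for the VPN server’s name with the addresses the client is expected to reach. The following Python code is an added example, not from the article or from any vendor’s product. It builds minimal DNS response packets (a genuine one and a spoofed one, both constructed here), parses the A records including compression pointers, and reports answers outside the pinned set. The name vpn.example.com and the address 203.0.113.10 are assumed; in practice the pinned set would come from the same place the client configuration does.

```python
import ipaddress
import struct
from typing import List, Tuple

# Assumed for this example: the VPN server's name and the addresses the
# client is allowed to reach for it (the pinned set).
VPN_NAME = "vpn.example.com"
PINNED_ADDRESSES = {"203.0.113.10"}


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(qname: str, ips: List[str], txid: int = 0x1234, ttl: int = 60) -> bytes:
    """Build a minimal DNS response with one question and one A record per IP.
    Used only to construct sample packets for this offline example."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = None                      # position after the first pointer, if any
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:   # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(data: bytes) -> Tuple[str, List[str]]:
    """Return the question name and every IPv4 address in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname = ""
    for _ in range(qdcount):
        qname, offset = read_name(data, offset)
        offset += 4                 # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _name, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return qname, ips


def unexpected_answers(packet: bytes, expected_name: str = VPN_NAME,
                       pinned=PINNED_ADDRESSES) -> List[str]:
    """Addresses the resolver returned for the VPN name that are not pinned.
    A non-empty result on a home network is a sign of DNS spoofing (or of a
    legitimate server move that the pinned set has not caught up with)."""
    qname, ips = parse_a_records(packet)
    if qname.lower() != expected_name.lower():
        raise ValueError(f"response is for {qname}, not {expected_name}")
    return [ip for ip in ips if ip not in pinned]


# Constructed sample packets: what a genuine resolver would answer, and what a
# spoofing attacker on the local network might inject instead.
LEGIT_PACKET = build_a_response(VPN_NAME, ["203.0.113.10"])
SPOOFED_PACKET = build_a_response(VPN_NAME, ["192.0.2.66"])

if __name__ == "__main__":
    print("legit   :", unexpected_answers(LEGIT_PACKET))      # []
    print("spoofed :", unexpected_answers(SPOOFED_PACKET))    # ['192.0.2.66']
```

An endpoint agent would feed `unexpected_answers` the raw response captured from the laptop’s resolver (for example from a packet capture on UDP port 53) rather than a constructed packet; everything else stays the same. The pinned set has to be kept in step with real server moves, otherwise the check produces false alarms rather than catching attacks.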

5: Are my Employees’ VPN Login Credentials Sufficiently Strong and Protected?

In many organisations, the enforcement policy for system connection permissions is not strong enough. Security teams must constantly remind themselves of how lucrative login credentials are to attackers. Requiring multi-factor authentication both for establishing the VPN connection and for authenticating to the systems behind it should therefore be considered mission critical, because it blunts the attack vector that a stolen or phished password represents.

See also: Avast Hacked: Intruder Got Domain Admin Privileges.
