This post was originaly posted to my LinkedIn profile here, in cooperation with Auxilium Cyber Security.
COVID-19 still affects our everyday life, with companies being one of the weakest links in the chain. Employees get filled with uncertainty for their future which seriously affects people’s judgment and habits.
In our last post, we discussed phishing and how COVID-19 affected people’s judgment when it comes to emails and malicious links. But people’s judgment is not always the weakest link. Some of the vital parts of working from home may be affected by misconfiguration issues or even bad choices of products and one of these parts is Virtual Private Networks used to connect employees securely with the company’s assets. We, in Auxilium Cyber Security, have years of experience in VPN architecture, setup, configuration, and security and we wanted to share our best tips on how to keep your VPN infrastructure secure during COVID-19 days and not.
VPNs are not new technology. People all over the world use VPNs for privacy concerns, censorship and malicious acts amongst others. But now that almost all employees work from home, VPNs seem mandatory and for a good reason. They can create a direct connection from one place another (e.g. from the employee’s laptop to the company’s private network) which will encrypt the communication, so MITM attacks, data leaks from network tampering and other attacks like these can be avoided.
But as with our phishing related issues, VPN choices and set-up can result in serious security implications. Our experience in secure implementations of VPN infrastructures and testing makes us believe that many companies have misconfiguration issues, because of the complexity of such systems and the overload of different options. To strengthen the security of a VPN infrastructure, Auxilium Cyber Security suggests the following moves:
- Keep your products up to date. As discussed in our last post, many entry points for malicious users are achieved by exploiting outdated client, or even server, applications. Users will need to follow strict policies when working from home, and one of them must definitely be to update their VPN client application that they use to connect to the corporate network.
- Use multi-factor authentication. Multi-factor authentication like SMS codes and hardware keys are usually ignored as they present additional complexity for novice users. But novice users usually use weak passwords or even keep their passwords in unsecure places. This means that a single employee with a weak password can be the way in for an attacker to your corporate network, and even in cases of strong passwords, ignorant and uneducated employees can be easily phished for an easy way into the network. Presenting MFA, can strengthen the VPN implementation and move part of the liability to the company, instead of employees.
- Implement scheduled testing. VPN software and services are one of the most targeted technologies currently by malicious users, as more and more people use them every day. This means that updates and security research in this field runs with the speed of light, and proper security testing has to be scheduled. Auxilium Cyber Security has years of experience in secure network architecture and testing of VPN implementations, which can help your company design, implement and test your VPN if it is your first time with this technology or even if you want to comply with current security standards.
- Prevent DDoS attacks on your VPN server. Many denial of service attacks can target your VPN server. DoS attacks can result in limited availability or no service at all, and possibly serious implications for many users and positions inside the company, if the network is down. This means that this is a serious issue, and it has to be treated delicately. In order to prevent those issues, a suitable and well crafted DDoS policy has to be implemented which will be the result of real-time visibility and proper tuning of the server. Different devices have to be monitored efficiently and session timeouts have to be implemented according to the requirements of the network.
VPN security is mostly a company’s issue with many critical options to be taken. The most popular and widespread implementations are highly customizable, which opens a huge conversation about security, privacy and cryptography, something that can really mess up a VPN implementation. Leaving unrelated to IT employees aside, companies and IT departments are also in need of proper education, especially in times of crisis, where security implications become more and more common.
It may seem huge, alongside all the other issues that surfaced with the pandemic, but with those simple steps, a company can remain secure and be more sure about the mandatory measures that most of us are obliged to follow for the common good. We hope that these tips will help most of us stay secure, but for the ones that are uncertain about it, we strongly believe that our experience can benefit you. For VPN architecture, design, implementation, security testing, and others, feel free to contact us. Stay safe, stay home, stay secure.
Thomas Sermpinis for Auxilium Cyber Security