Common Entry Points #2 – VPN
In our last Common Entry Points post, we discussed how ITaaS can be a major weak link, providing bad actors entry into an infrastructure. Another common but often overlooked entry point for attackers is a business’s virtual private network (VPN). Work from home and bring your own device (BYOD) policies have led to expanded attack surfaces, triggering a wider adoption of VPNs to give companies an additional layer of security.
VPNs offer significant benefits for organizational security by extending protection to remote endpoints. Rather than exposing internal systems directly to the internet, a VPN creates an encrypted tunnel between your IT environment and your employees’ devices. You can use a VPN to better control access to systems, granting it to employees regardless of their device or location while blocking unwanted access to sensitive data. VPNs can also give you more network visibility and alert you to anomalies, making it easier to identify possible intrusions.
However, like most security controls, a VPN only stays secure when humans act with intent and care. When that fails, the other security measures fail with it, as we recently saw with one of our clients.
A real-world example of poor VPN security
The business was on the right track, requiring employees to use a VPN and multi-factor authentication (MFA) to access its network. However, one day the company’s Head of QA received an MFA push notification on his mobile device out of the blue. Without much thought, he clicked “Allow” instead of ignoring or denying it.
Our investigation revealed that when the user approved the MFA prompt, he unknowingly allowed an attacker to access the company VPN through his account. Once inside, the attacker immediately began scanning the network, eventually connecting over Remote Desktop Protocol (RDP) to an AWS EC2 instance with administrative credentials and stealing a role’s secret key.
VPNs are a powerful security tool but only if used properly. By gaining a deeper understanding of how they can be used to infiltrate a network and then establishing best practices for your business, you can make the most of them.
The growing importance of VPNs
The global pandemic rapidly accelerated a trend already on the rise: working from home. As home workstations are rarely as secure as they should be, businesses had to revamp their security strategies quickly. In addition to creating new employee guidelines, hardening email protection systems, and ensuring servers and software are up-to-date, many companies turned to VPNs.
Since the onset of the pandemic, 68% of businesses either began using VPNs or increased their usage. Given that Gartner expects nearly 50% of employees to continue working from home even after the pandemic is fully behind us, it’s no surprise that the VPN market is valued at almost $46 billion this year and expected to reach over $91 billion in 2026.
A technical look at VPNs
When using a VPN, data leaves the user’s machine for a VPN endpoint, which encrypts it before sending it across the internet. The VPN endpoint at the other end decrypts the data and forwards it to the intended resource, such as your business’s intranet or a web or email server. The resource’s reply follows the same path in reverse: it is encrypted by the nearest VPN endpoint, sent across the internet, decrypted by the far endpoint, and delivered to the user’s machine.
VPNs tend to use one or multiple technologies such as:
- PPTP (Point-to-Point Tunneling Protocol): PPTP encapsulates data packets using GRE, but it doesn’t do any encryption. This technology isn’t very secure and is therefore not advised for business use.
- IPSec: IPSec uses a combination of technologies and protocols, making it a far better option. The ESP protocol handles packet encapsulation, integrity is provided through HMAC-SHA1/SHA2, and encryption is done through AES-GCM, 3DES-CBC, or AES-CBC.
- L2TP (Layer 2 Tunneling Protocol): Businesses can use L2TP for tunneling and combine it with IPSec for encryption and additional security.
- SSH (Secure Shell): SSH can be used for tunneling and encryption on a VPN network.
How can attackers use VPNs to infiltrate a network?
One of the main takeaways from Verizon’s 2021 Data Breach Investigations Report is that businesses that failed to use VPNs and MFA represented a significant percentage of the victims targeted during the pandemic.
VPN and RDP services are vulnerable if appropriate measures aren’t taken to protect them. They are attractive entry points because they are constantly running and exposed to the internet. Since they need to be updated through manual patching, which companies often struggle to stay on top of, they are frequently left vulnerable.
Attackers can use brute-force attacks or gain control through a situation like we described above when an employee carelessly accepts an MFA request without thinking. In the same vein, lazily constructed logins and passwords are no match for savvy hackers. The list goes on.
Best practices for securing VPNs
As with many things in cybersecurity, once you’ve laid the foundation for security, extra protection comes down to implementing minor behavioral and policy tweaks.
As our example company did, using MFA is an excellent step, but it needs to be structured the right way. It’s too easy for an overworked or distracted employee to become an unintentional insider threat when they mindlessly tap “Allow” or “Deny” on a push notification. Instead, MFA should require the user to enter an OTP (one-time password) or a rotating code from a third-party authenticator application. Requiring direct user interaction and input brings the person’s attention to the task at hand, making them think about their actions and dramatically reducing the chance of an accidental approval.
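To make the "enter a code" requirement concrete, here is an added example (not code from the original post or from the client described) of server-side verification of a time-based one-time password as generated by a standard authenticator app (TOTP, RFC 6238, built on HOTP, RFC 4226). The secret, time values and the `seen` replay set are assumptions for the example; only the Python standard library is used.

```python
"""Added example: verifying a TOTP code typed in by the user instead of
accepting a one-tap push approval. Standard library only."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since epoch."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what authenticator apps expect to import."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                seen: Optional[Set[int]] = None) -> bool:
    """Accept `submitted` if it matches the current period or `window` periods
    either side (tolerates small clock drift). If a `seen` set is supplied, a
    counter that has already been accepted is refused, so a captured code cannot
    be replayed within the same period. Comparison is constant-time."""
    if at_time is None:
        at_time = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if seen is not None and candidate in seen:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):
            if seen is not None:
                seen.add(candidate)
            return True
    return False


# Assumed demo secret: the RFC 6238 test-vector secret, not a real credential.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("provision this in the authenticator app:", provisioning_secret(DEMO_SECRET))
    code = totp(DEMO_SECRET, time.time())
    print("current code:", code, "verified:", verify_totp(DEMO_SECRET, code))
```

The `seen` set is the piece most home-grown implementations forget: without it, a code that an attacker observes is valid for the rest of its 30-second period plus the drift window. In production the set would be keyed per user and persisted alongside the secret.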
With dispersed employees, security leaders must know where users are located. With that information, you can configure your VPN to accept connections only from the geolocations where your employees actually work. Any connection from a suspicious IP address or geolocation should trigger an alert, be blocked immediately, and then be investigated.
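As an added illustration of that geolocation check (not code from the original post), the following Python scans VPN authentication log lines and raises an alert for any login whose source country is not on the user's allow list or cannot be resolved at all. The log format, the IP-range-to-country table and the employee roster are all constructed for the example; in practice the table would come from a GeoIP database and the roster from your identity provider.

```python
"""Added example: alert on VPN logins from unexpected geolocations.
All data below is constructed; IP ranges are documentation/benchmark ranges."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed stand-in for a GeoIP database: (network, ISO country code).
GEO_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "BR"),
]

# Constructed roster: countries each employee is expected to connect from.
ALLOWED_COUNTRIES = {
    "alice": {"US"},
    "bob": {"DE", "US"},
}

# Assumed log line shape (hypothetical VPN appliance format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    ip: str
    country: Optional[str]
    result: str
    reason: str


def country_for(ip: str) -> Optional[str]:
    """Longest-prefix-free lookup is fine here because the constructed ranges do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None  # unknown to the table: treated as suspicious by the caller


def check_login(ts: str, user: str, ip: str, result: str) -> Optional[Alert]:
    """Return an Alert when the login should be flagged, else None.
    Failed attempts are flagged too: a burst of failures from an unexpected
    country is exactly the signal a brute-force attempt gives off."""
    cc = country_for(ip)
    allowed = ALLOWED_COUNTRIES.get(user)
    if allowed is None:
        return Alert(ts, user, ip, cc, result, "user not in roster")
    if cc is None:
        return Alert(ts, user, ip, cc, result, "source IP not in any known range")
    if cc not in allowed:
        return Alert(ts, user, ip, cc, result,
                     f"login from {cc}, allowed {sorted(allowed)}")
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Parse each log line and collect alerts; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        alert = check_login(m["ts"], m["user"], m["ip"], m["result"])
        if alert:
            alerts.append(alert)
    return alerts


def ips_to_block(alerts: List[Alert]) -> Set[str]:
    """Source addresses to push to the VPN's block list pending investigation."""
    return {a.ip for a in alerts}


# Constructed sample log: two expected logins, one from the wrong country,
# one failed attempt from an address the table does not know, one unrelated line.
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z vpn auth user=alice src=192.0.2.45 result=success",
    "2024-05-01T08:05:37Z vpn auth user=bob src=198.51.100.7 result=success",
    "2024-05-01T21:14:03Z vpn auth user=alice src=203.0.113.9 result=success",
    "2024-05-01T21:14:40Z vpn auth user=bob src=198.18.0.5 result=failure",
    "2024-05-01T21:15:02Z vpn tunnel established for bob",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT {a.ts} {a.user} from {a.ip} ({a.country}): {a.reason} [{a.result}]")
    print("block:", sorted(ips_to_block(scan(SAMPLE_LOG))))
```

Feeding the alerts back into the VPN's block list closes the loop the paragraph describes: the connection is flagged, blocked, and then handed to an analyst. A lookup returning `None` is deliberately treated as suspicious rather than ignored, since an address no GeoIP table can place is rarely a home office.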
Next steps
Hackers, by nature, are unscrupulous, and they are constantly looking for new ways to attack companies. They know that businesses, especially SMBs, are understaffed, and employees are spread thin, making them the ideal targets for attacks. As such, hackers know they can rely on employees’ careless behaviors and successfully launch attacks. As discussed here, we’ve seen that even using MFA tied to push notifications creates an easy breach point.
If you’ve implemented a VPN and the right additional security to go along with it, then you’re on the right track to hardening your security posture. However, monitoring and investigating alerts requires significant resources. It can easily fall by the wayside as your team focuses on other security aspects and maintaining your IT environment.
You can reduce your team’s workload and allow them to focus on business-critical tasks by implementing a SOC platform. It provides constant monitoring of your entire infrastructure to detect and respond to suspicious activity in real time, drastically reducing or eliminating threats before attackers do any real damage.