Forget using the public WiFi at the airport or poaching the McDonald’s signal in the parking lot. You’ve installed a VPN for your client. Now when they travel out of the office for remote work, their data will be safe, right? Well, not so fast…
There has been a spate of incidents recently involving the VPN ecosystem. One of the most recent involved hackers who breached Airbus’s VPN and came away with some proprietary design information, possibly orchestrated by a foreign competitor.
Earlier in 2019, PulseConnect and Fortinet both scrambled to release patches to shore up a discovered vulnerability in their VPN service. But customers, including some MSPs, were slow to deploy the patches, leaving prolonged exposure to hackers.
Ironically, earlier this year, Citrix, one of the largest suppliers of VPN networks, suffered its own breach. While there’s no word on whether hackers got into Citrix through a VPN, the fact that Citrix was targeted illustrates the trove of sensitive information potentially available in VPN networks.
With MSPs having myriad issues on their menu besides security, it is forgivable if VPN security maintenance falls further down the list. VPN security is a logical upsell for MSPs looking to diversify their package of offerings. The term “VPN security” used to be a redundancy, but hackers have caught up, and VPNs aren’t the fortresses they used to be.
Once your client is on board for a VPN security sweep, what are some things you – and your client – should be on guard for?
Beware of VPN clones
First, try not to be fooled. Make sure a fake VPN doesn’t dupe you or your client. Some hackers are creating clone sites that download banking trojans when you access the site. The cloned sites are so well re-engineered that it is easy to fall for them.
For instance, popular VPN service NordVPN was targeted by hackers who created a clone site. NordVPN’s URL is NordVPN.com, but hackers created a clone at Nord-VPN.club (we aren’t printing the full scam URL). A fake representative can call or email an actual NordVPN client, urge them to respond to an email and have them download an application that is packed with malware. NordVPN is just one of several examples of spoof sites.
VPNs provide the keys to the castle
Lance Leger, a Nashville-based cybersecurity expert and owner of L2 Security, says the appeal of VPNs to hackers is that if they can breach a VPN, they’ve essentially got the keys to the castle.
“It’s basically the same as someone sitting at a computer on your network, except there is no one to bother them,” notes Leger.
A VPN’s weakest points are usually the endpoints. If someone has a weak password, has fallen for a phishing email, or has been infected with malware, then a VPN is not going to do any good.
Managing a VPN for your client and then saying “whew, they are completely protected now” isn’t a good strategy. Complacency can be a VPN’s biggest vulnerability.
Two-factor authentication should be standard for VPNs, and MSPs should keep VPN products patched and up to date. Another layer of security on top of that is even better, if your client is receptive.
“Companies should also monitor VPN logins regularly to ensure that session coincides with expected norms for a given user,” suggests Leger. This includes details like location, time of day, duration, and data volumes. If irregularities are spotted, then a deeper dive is in order.
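One way to run the check described above, as an added example that is not from the article or from L2 Security: it builds a per-user baseline from past VPN sessions and lists the reasons a new session departs from it. The session fields, the sample data, and the thresholds (`hour_slack`, `ratio`) are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample sessions (not real logs): user, country, login hour (UTC),
# duration in minutes, megabytes transferred.
HISTORY = [
    ("alice", "US", 9, 480, 310), ("alice", "US", 8, 455, 290),
    ("alice", "US", 10, 500, 350), ("alice", "US", 9, 470, 305),
    ("alice", "US", 8, 490, 330),
    ("bob", "CA", 13, 120, 40), ("bob", "CA", 14, 150, 55),
    ("bob", "US", 13, 135, 45), ("bob", "CA", 15, 110, 50),
]

def build_baselines(history):
    """Group past sessions per user into location, time, duration and volume norms."""
    per_user = {}
    for user, country, hour, minutes, mb in history:
        b = per_user.setdefault(user, {"countries": set(), "hours": [], "minutes": [], "mb": []})
        b["countries"].add(country)
        b["hours"].append(hour)
        b["minutes"].append(minutes)
        b["mb"].append(mb)
    return per_user

def hour_gap(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def review_session(baselines, session, hour_slack=3, ratio=4.0):
    """Return the reasons a session departs from the user's baseline (empty if none)."""
    user, country, hour, minutes, mb = session
    base = baselines.get(user)
    if base is None:
        return ["no baseline for user"]
    reasons = []
    if country not in base["countries"]:
        reasons.append("new location")
    # Assumed threshold: more than hour_slack hours from any previously seen login hour.
    if min(hour_gap(hour, h) for h in base["hours"]) > hour_slack:
        reasons.append("unusual time of day")
    # Assumed threshold: more than ratio times the user's median.
    if minutes > ratio * median(base["minutes"]):
        reasons.append("unusually long session")
    if mb > ratio * median(base["mb"]):
        reasons.append("unusually high data volume")
    return reasons

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for s in [("alice", "US", 9, 475, 320), ("alice", "RO", 3, 60, 4200)]:
        print(s, review_session(baselines, s) or "within norms")
```

A non-empty result is a prompt for the deeper dive, not proof of compromise: travel or a late deadline will trip the same checks.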
Channa Rajaratne is an independent cybersecurity expert in Toronto. He says the most significant vulnerabilities of a VPN come down to which protocols and encryption methods the servers use, and whether the service has a “no logs” policy, which would provide more privacy.
“These are difficult to be determined outside of what the service itself advertises, so a thorough analysis is usually required to find the most suitable VPN,” explains Rajaratne.
Do your research and choose a reputable VPN service for your client, advises Rajaratne. Configuring it correctly in either the network or on individual devices is important. Implementing an internet kill-switch if the service stops and using privacy-focused DNS servers are advisable measures, he says.
VPN security needs to continue to improve, or Rajaratne fears the vulnerabilities will only increase.
“I think that weak security on VPNs will make hacking and monitoring the network easy. If not configured correctly, that network may also leak data, which may render the usage of the VPN useless,” warns Rajaratne.
If VPNs are too cumbersome for your client and you’re finding security lacking, alternatives to VPNs are emerging that are worth exploring.