Enterprise virtual private network (VPN) servers have become a critical part of an organisation’s IT infrastructure as more and more workers log in to private corporate systems to work from home.
VPNs enable remote workers to communicate securely with their corporate network. In a typical business scenario, they cater to maybe 10-20 percent of an organisation’s workforce[1].
As the COVID-19 crisis forced most of us to work from home, IT teams have had to respond by putting in more VPN servers to meet the surging demand for bandwidth.
With this increase in VPN capability comes an increase in exposure to cyberattacks. VPNs are an obvious target for hackers as the extended network expands the attack surface of the enterprise.
In the current situation, the threat is exacerbated by the fact that some organisations may have had to roll out these remote access technologies in haste, without proper testing to ensure that they are adequately configured for security and sometimes without implementing authentication mechanisms for the new army of telecommuters.
To make matters worse, in the home environment, the network, Wi-Fi routers and other web access devices do not have the same level of security as an enterprise network. Many workers may also be using VPNs for the first time, and can easily fall prey to social engineering attacks tricking them into installing malware posing as VPN clients.
Hackers are poised to capitalise on these weaknesses. For example, they can target unpatched and vulnerable VPN servers to launch exploits that cut off system administrators from their own servers while they raid the corporate network, stealing proprietary data, or installing ransomware.
In a ransomware campaign known as REvil (or Sodinokibi), attackers exploited gateway and VPN vulnerabilities to find a way into the enterprise network, stole credentials and elevated their privileges. They were then able to move laterally across compromised networks, installing malware payloads like ransomware.
There is also the emerging threat of extortion[2] as distributed denial of service (DDoS) attacks[3] set their sights on VPN services. These are aimed at crashing VPN servers and crippling the organisation by cutting off its remote employees, preventing them from doing their work.
With the growing number of cybersecurity threats targeting the remote workforce, organisations need to find ways to keep their data and networks safe while ensuring that they provision enough VPN capacity to support the increase in traffic.
A starting point would be to understand the potential threats that organisations face in this current situation. With staff working from home, it is important to identify likely attack vectors and prioritise the protection of sensitive information and business-critical applications, so that the right controls can be implemented.
One of these controls is the use of multi-factor authentication (MFA) on all VPN connections to protect VPN accounts from unauthorised access.
Today, the use of passwords, no matter how complex, may not offer adequate protection in the face of phishing, keystroke logging and other means that hackers have at their disposal to get the credentials that they need to log into the system.
MFA addresses this by providing an additional layer of authentication (for example, a one-time password sent to a mobile phone or security token) to validate a user’s identity. This prevents attackers from accessing an account even if they have valid login credentials for a user’s account.
According to Microsoft, enabling MFA for online accounts usually blocks 99.9% of all account takeover attacks[4].
Another important security measure is to follow the universal mantra of ensuring that system patches are up to date. Concern over enterprise VPN security was already on the rise last year when security researchers reported numerous vulnerabilities[5] in widely-used VPN products from companies such as Palo Alto Networks, Fortinet, Pulse Secure, and Citrix. Patches were quickly issued but whether they were implemented is anyone’s guess.
Today, with more and more organisations deploying remote access, the attack surface has grown and any VPN device left unpatched is a sitting duck for hackers. A joint statement[6] issued by the UK National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Agency (CISA) warned that hackers are scanning for vulnerable VPNs to target employees who are now forced to work remotely. It is crucial, therefore, for IT staff to review their corporate VPN products to make sure that the appropriate fixes have been applied.
To defend against DDoS attacks, some of the precautions that organisations should take include active monitoring of traffic levels on their VPNs to detect any unusual increase, and ensuring that operating systems, security programs and other important software are updated with the latest patches. This will ensure that the organisation’s systems are not commandeered by hackers to launch further DDoS attacks.
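The traffic-level monitoring described above, as an added example that is not part of the original article: it counts new VPN connections per minute from constructed gateway log lines (the log format and thresholds are assumptions) and flags a minute whose count is far above the baseline of the other minutes.

```python
import re
from collections import Counter
from statistics import median

# Assumed log format: "<ISO timestamp>Z <gateway> connect user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}Z \S+ connect "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: six quiet minutes with 3 connections each ...
NORMAL = [
    f"2020-04-06T09:0{m}:{s:02d}Z vpn-gw1 connect user=user{m}{i} src=198.51.100.{10 + i}"
    for m in range(6) for i, s in enumerate((5, 23, 47))
]
# ... followed by one minute with 150 connections from many sources.
FLOOD = [
    f"2020-04-06T09:06:{i % 60:02d}Z vpn-gw1 connect user=guest src=203.0.113.{i % 250 + 1}"
    for i in range(150)
]
SAMPLE_LOG = NORMAL + FLOOD


def connections_per_minute(lines):
    """Count 'connect' events per minute; unparseable lines are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("minute")] += 1
    return counts


def flag_spikes(counts, factor=5, min_events=20):
    """Flag minutes whose count exceeds factor x the median of all other minutes.

    min_events avoids alerting on tiny absolute numbers during quiet periods.
    """
    flagged = {}
    for minute, n in counts.items():
        others = [v for k, v in counts.items() if k != minute]
        baseline = median(others) if others else 0
        if n >= min_events and n > factor * max(baseline, 1):
            flagged[minute] = n
    return flagged


if __name__ == "__main__":
    for minute, n in sorted(flag_spikes(connections_per_minute(SAMPLE_LOG)).items()):
        print(f"ALERT {minute}: {n} new VPN connections (possible flood)")
```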
VPNs are not the only targets that hackers have in their sight. Security experts have also warned about the growing use of unsecured Remote Desktop Protocol (RDP) connections by remote workers.
RDP is a Microsoft protocol that allows users to connect to another computer over a network connection. Hackers can exploit unsecured RDP connections to gain administrative privileges, which then allows them to install malware at will. Like VPNs, therefore, RDP endpoints and accounts will need to be properly secured.
Endpoint security solutions can help check whether a device that is trying to access the VPN meets the organisation’s security policies. Configured properly, these solutions will deny remote access to devices with unpatched operating systems, out-of-date virus scanning software, misconfigured or no firewall, or any other security shortcomings.
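A device-compliance check of the kind described above, as an added example that is not part of the original article: it evaluates a constructed device report against the three criteria the paragraph lists (OS patch age, anti-virus signature age, firewall state) and denies access if any fails. The field names and maximum ages are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy limits, not values from the article.
MAX_OS_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass
class DevicePosture:
    """Constructed shape of what an endpoint agent might report."""
    hostname: str
    os_patch_date: date        # date of the last installed OS patch
    av_signature_date: date    # date of the last anti-virus signature update
    firewall_enabled: bool
    firewall_blocks_inbound: bool  # default-deny on inbound connections


def evaluate_posture(device, today):
    """Return (allowed, reasons). Access is denied on any failing check."""
    reasons = []
    if (today - device.os_patch_date).days > MAX_OS_PATCH_AGE_DAYS:
        reasons.append(f"OS patches older than {MAX_OS_PATCH_AGE_DAYS} days")
    if (today - device.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append(f"AV signatures older than {MAX_AV_SIGNATURE_AGE_DAYS} days")
    if not device.firewall_enabled:
        reasons.append("host firewall disabled")
    elif not device.firewall_blocks_inbound:
        reasons.append("host firewall does not block inbound connections")
    return (not reasons, reasons)


# Constructed sample devices.
TODAY = date(2020, 4, 6)
COMPLIANT = DevicePosture("laptop-01", date(2020, 3, 25), date(2020, 4, 5), True, True)
STALE = DevicePosture("laptop-02", date(2020, 1, 10), date(2020, 4, 5), True, False)

if __name__ == "__main__":
    for dev in (COMPLIANT, STALE):
        allowed, reasons = evaluate_posture(dev, TODAY)
        print(dev.hostname, "ALLOW" if allowed else "DENY", reasons)
```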
To address the weakest link at the endpoint – the human user – the UK’s NCSC recommends[7] creating written guides and how-to documents for new software that staff will be using, or existing applications that will be used in a different way. This includes very basic information such as “how to log in and use an online collaboration tool”, which is important in light of the security breaches that have been reported surrounding the use of virtual meeting software such as Zoom.
Other suggestions to enhance security for the remote workforce include making sure that devices are set to encrypt data at rest, to protect the data if the device is lost or stolen. Mobile device management tools can also be deployed to ensure that devices adhere to a standard configuration, and that it is possible to remotely lock devices, erase data or retrieve a backup.
These recommendations are by no means comprehensive, but they outline some of the things that organisations can and should do to ensure that their remote workforce, whilst staying safe at home, is able to stay connected - securely.
Let us help keep your organisation safe.
[1] COVID-19 Crisis: How to Manage VPNs, Bank Info Security, March 2020
[2] With everyone working from home, VPN security is now paramount, ZDNet, March 2020
[3] Small DDoS Attacks Are Increasing; VPNs Could Fall Victim Next During Epidemic, securityboulevard.com, April 2020
[4] Microsoft: Using multi-factor authentication blocks 99.9% of account hacks, ZDNet, August 2019
[5] With everyone working from home, VPN security is now paramount, ZDNet, March 2020
[6] UK and US security agencies issue COVID-19 cyber threat update, National Cyber Security Centre (UK), April 2020
[7] Home working: preparing your organisation and staff, National Cyber Security Centre (UK), March 2020