Your VPN May Be Your Greatest Security Risk During COVID-19
June 17, 2020
Those employees you sent to work from home in March because of the COVID-19 coronavirus are probably still working from home. While some states have relaxed their stay-home orders, most haven’t, and even in those states that have, companies are making a slow transition. This means that most of your employees are using a VPN (virtual private network) to reach corporate resources, whether those resources are in your data center or in the cloud.
According to Alissa Knight, principal analyst at Alissa Knight & Associates, the problems start with whatever your employee is using at home. “Are they using the family computer instead of company computer?” she wonders. “Is the home network connected to the corporate VPN?”
Even worse, are they using a consumer VPN? While some VPN packages sold to consumers are reasonably secure, not all of them are, and in many cases their servers are based in countries not friendly to the U.S., making them risky services.
Knight points out that the problem with using the family computer or the home network isn’t the security of the VPN connection, but rather with the home environment. When the family computer is being used to connect to the office, then whatever is on the computer, including malware your children may have downloaded, can also reach the office.
The home network is an even greater challenge. When your home router is connected to the office VPN server, you may get a permanent connection. “This is a site-to-site VPN, which establishes a permanent connection between your network and the company,” Knight said. “Whatever’s on the home network has access to the company.”
Adding to the risk, your home network may also be using the VPN connection for its internet access, allowing your family to access games and social media through your corporate network, and to allow downloads through your company router. This in turn means that your company could be responsible for whatever your family members are downloading.
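To make the two configurations Knight describes concrete, here is an added WireGuard example (constructed for this article, not a configuration from Knight or from any vendor named above). The key material, the `vpn.example.com` endpoint, the corporate prefix `10.10.0.0/16` and the tunnel address range `10.200.0.0/24` are all assumptions. The first fragment is the risky shape: a full-tunnel peer on the home router, which carries every household device's traffic into the office. The second is the split-tunnel shape on a single managed laptop, and the third is the matching entry on the corporate gateway.

```ini
# --- risky: home-router-as-VPN-peer, full tunnel (constructed example) ---
# Every device behind the home router, and all of its internet traffic,
# rides this tunnel into the corporate network.
[Interface]
PrivateKey = <HOME_ROUTER_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.0.7/32

[Peer]
PublicKey = <CORP_GATEWAY_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0     # route everything through the office

# --- safer: managed laptop only, split tunnel (constructed example) ---
# Only the assumed corporate address space is sent through the tunnel;
# games, social media and family downloads stay on the home ISP link.
[Interface]
PrivateKey = <LAPTOP_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.0.7/32

[Peer]
PublicKey = <CORP_GATEWAY_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.10.0.0/16        # corporate prefix only
PersistentKeepalive = 25

# --- corporate gateway side, wg0.conf (constructed example) ---
[Interface]
PrivateKey = <CORP_GATEWAY_PRIVATE_KEY_PLACEHOLDER>
ListenPort = 51820
Address = 10.200.0.1/24

[Peer]
# WireGuard's cryptokey routing drops any packet arriving under this key
# whose source address is not listed here, so a LAN host routed (not NATed)
# behind the peer cannot be forwarded into the office network.
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.200.0.7/32
```

Each fragment is a separate file brought up with `wg-quick up <name>`. The gateway-side `AllowedIPs` restriction is what keeps "whatever's on the home network" from reaching the company, but it only helps when the peer is a single managed endpoint: a home router that NATs its whole LAN behind `10.200.0.7` would present every household device under that one permitted address, which is exactly the site-to-site exposure the article warns about.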
“The vast majority of organizations were not prepared for 100% work from home on a cybersecurity basis,” said Sultan Meghji, CEO of Neocova. “You had a VPN designed for emergency or off hours. Now it’s being used for significant use.”
“The infrastructure at home isn’t designed for security,” Meghji added. “The threat matrix is evolving rather rapidly. We are seeing the targeting of individuals. There are a number of bank CFOs that have been targeted by criminals and state based attackers.”
Meghji said that most companies thought the move to working at home would be just for a few months, but he cautions that this might not be the case.
“I think this is a permanent adjustment to the workforce,” Meghji said. “I don’t think this problem will go away. Companies should plan on this being a permanent thing. We’re looking at 18 months before a vaccine is available.”
In addition, companies have found that there are advantages. “Companies are finding it’s very cost effective,” he said. Unfortunately, he said, “The criminals are evolving very fast to take advantage of this.”
“Focus on educating your people on cyber,” Meghji said. “People can self manage, if you get the processes in place.”
Meghji also said that people who work from home need to make sure that their infrastructure is up to date to support the latest in security. “War driving is becoming a thing again.” He said the bad guys are looking for open WiFi and encryption that can be broken. “If your WiFi router is older than your phone, replace it,” he said.
“We had to buy equipment and licenses,” said Steve Tcherchian, CISO of XYPRO, explaining the steps his company took to get prepared. “We started off with education and awareness,” he said. The need for licenses and equipment to support a Tier 1 VPN provider is something that is frequently overlooked.
“If rushed to deploy a solution due to the dynamic nature of the pandemic, many things can be overlooked and increase a company’s attack surface,” said Ken Jenkins, founder and principal of EmberSec. “A few items include use of weak encryption, use of basic authentication (username and password) with a complex password but no MFA (multi-factor authentication), and a rush to utilize centralized authentication. Also, as most organizations already have centralized authentication (LDAP or Microsoft Active Directory), they may put their larger enterprise at risk if credentials are compromised – requiring MFA is a must.”
Knight, who is an authority on VPN hacking, says that you can limit the risk associated with a poorly chosen or configured VPN by encrypting your data as it travels across your network. She also says that critical data can be protected through the use of a data security method such as Keyavi, which makes data self-protecting.
There’s a good chance that your rush to make working from home function also introduced some risks due to poor choices or the lack of availability. But that doesn’t mean you can’t fix things now. “There’s always an opportunity to catch up as long as there’s support from the top down,” Tcherchian said. “You can do it.”
Originally Posted to: Forbes