Does your VPN policy reflect the new reality, and what risks do you face?
Organizations across the US are at increasing risk from cyberattacks due to VPN vulnerabilities, according to the National Security Agency (NSA). With an unprecedented percentage of the workforce dialling in remotely due to the ongoing global health crisis, the NSA has issued an advisory warning focused on the importance of properly securing VPNs. The report states “VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack.” Its instructions include reducing the VPN gateway's attack surface, ensuring that cryptographic algorithms comply with Committee on National Security Systems Policy 15 (CNSSP 15), and avoiding the use of default VPN settings.
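As an added example (not code from the original article or the NSA advisory), the following Python script checks an OpenVPN server configuration against the two advisory points that can be verified from a config file: CNSSP 15 algorithm selection (AES-256, SHA-384, ECDH and ECDSA over P-384, RSA/DH of at least 3072 bits) and directives left at their defaults. The weak and hardened sample configurations are constructed for illustration; the directive names are OpenVPN's own.

```python
"""Audit an OpenVPN server config against the CNSSP 15 algorithm set.

Added example, not code from the original article or the NSA advisory.
Assumes OpenVPN 2.4+ directive names; the CNSSP 15 values encoded below
(AES-256, SHA-384, P-384 ECDH/ECDSA, RSA/DH >= 3072 bits) follow the policy's
2016 revision. Both sample configs are constructed for illustration.
"""

# Values CNSSP 15 permits for each directive that selects an algorithm.
APPROVED = {
    "cipher": {"AES-256-GCM", "AES-256-CBC"},
    "data-ciphers": {"AES-256-GCM", "AES-256-CBC"},   # OpenVPN 2.5 negotiation list
    "ncp-ciphers": {"AES-256-GCM", "AES-256-CBC"},    # OpenVPN 2.4 name for the same list
    "auth": {"SHA384", "SHA512"},                      # HMAC for control channel / tls-auth
    "ecdh-curve": {"secp384r1"},
    "tls-version-min": {"1.2", "1.3"},
}

# Directives the server must set explicitly: leaving them out means OpenVPN
# picks a build-dependent default (historically SHA1 for auth and TLS 1.0 as
# the minimum version), which is exactly the "default settings" the advisory warns against.
REQUIRED = {"cipher": "AES-256-GCM", "auth": "SHA384",
            "ecdh-curve": "secp384r1", "tls-version-min": "1.2"}

def parse_config(text):
    """Map each directive to its argument list, ignoring comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def audit(text):
    """Return findings as (directive, current_value, required_value) tuples.

    An empty list means the config passes the checks encoded here. Not checked:
    the size of an RSA key or of a static DH group lives inside a file, so a
    `dh <file>` line is reported for manual verification (or replacement by
    ECDH over P-384 with `dh none`).
    """
    conf = parse_config(text)
    findings = []
    for name, preferred in REQUIRED.items():
        if name not in conf:
            findings.append((name, "<default>", preferred))
    for name, allowed in APPROVED.items():
        if name not in conf:
            continue
        # cipher lists are colon-separated; every entry must be approved
        for value in ":".join(conf[name]).split(":"):
            if value and value not in allowed:
                findings.append((name, value, sorted(allowed)[0]))
    dh = conf.get("dh")
    if dh and dh[0] != "none":
        findings.append(("dh", dh[0], "none (ECDH P-384) or a verified >=3072-bit group"))
    return findings

# Constructed sample: a server left close to the classic defaults.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher AES-128-CBC
auth SHA1
# tls-version-min and ecdh-curve not set: OpenVPN falls back to its defaults
"""

# Constructed sample: the same server with CNSSP 15 algorithms set explicitly.
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA384
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for directive, current, required in results:
            print(f"  {directive}: {current} -> {required}")
```

Run against the weak sample the script reports five findings (the 128-bit cipher, SHA1 HMAC, the static 1024-bit DH file, and the two directives left at their defaults); the hardened sample reports none. It is a config-file check only: certificate key sizes, the gateway's patch level and the exposed listening ports still need to be verified on the host itself.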
The warning comes against a backdrop of increasing concern over the vulnerabilities associated with VPNs. Just this spring it emerged that millions of users were at risk of cyberattack due to the compromise of the popular Android app SuperVPN. Researchers have warned that the VPN, which has been installed over 100 million times, is vulnerable to man-in-the-middle attacks which could expose messages between user and provider and, far more worryingly, could allow hackers to redirect users to malicious servers. A report issued last week by Comparitech claims that eight VPN services, including SuperVPN and UFO VPN, have leaked a massive 1.2TB of user data. The report explains, "It’s not clear how many users are affected, but our findings suggest that potentially all users who connected to UFO VPN at the time of exposure could be compromised. UFO VPN claims to have 20 million users on its website, and the database exposed more than 20 million logs per day."
The UFO VPN service is based out of Hong Kong, and while SuperVPN is in theory published by Singapore-based SuperSoftTech, in reality that company is owned by the independent developer Jinrong Zheng, who is also behind LinkVPN and is most likely based in Beijing.
Policy vs. Reality
Against this backdrop, it has never been more important to examine VPN policy, usage and vulnerabilities. Government agencies and businesses around the world have focussed on their “at-work” security but are ill-prepared to cope with the distributed environments they currently face due to the crisis-driven push to work from home. Not only are workforces untrained in the correct usage of VPNs, but many of the organizations that should know better are themselves unaware there is even an issue. Unfortunately, many will only recognize how their perception and policies clash with reality once they have already been breached.
The driver behind this VPN failure can be as simple as overload: tools designed to serve a small proportion of employees are struggling to cope with dramatically increased demand as living in lockdown means working from home for many. "Because of bandwidth capacity issues, many organizations are struggling to provide secure VPN connections for all of their remote employees. This can result in employees not using the VPN, or having a significantly poor experience as compared to when in the office," explains Justin Jett, director of audit and compliance at analytics company Plixer. Matias Katz, CEO of the endpoint security company Byos, puts it more simply: “If Amazon’s 750,000 employees all simultaneously connect to the corporate VPN, it will likely crash.” The reality is that many employees have only very limited remote access to their networks, even when their organization’s VPN is fully functioning. The impact on productivity when staff can access the network for less than an hour across an entire working day is considerable.
Of course, every time an employee abandons the VPN in the name of speed and efficiency, they and the organization they work for are exposed to bad actors and security risks. Even when the VPN stays in use, the slowdowns and reduced quality of service can exacerbate the damage done in an attack. As Ian Paterson, data analytics expert and CEO of security company Plurilock, explains: "The IT operations team that's able to respond instantly to a security breach or systems problem when in the office is now at risk of being hampered by poor connectivity. Things that might previously have involved a five or 10-minute window to resolution—whether a system outage or something more serious like an ongoing attack that needs to be stopped or addressed—may now involve double or triple that time due to slower connections."
VPNs as a focal point for attack
A VPN is effectively an encrypted tunnel between the client and the VPN gateway: traffic is protected only as far as the gateway, where it is decrypted and forwarded onward in whatever form the application sent it. Unless the application itself encrypts end to end, the gateway sees every user's traffic in the clear. That makes it a centralized point where all traffic can potentially be probed, and a hugely valuable source of intelligence or data for anyone who compromises it.
China itself faced attack this year from hackers identified as DarkHotel, who are believed to be a state-sponsored group operating out of the Korean peninsula. The intrusions were spotted by Chinese security firm Qihoo 360, which says the hackers used a zero-day vulnerability to attack more than 200 VPN servers. Meanwhile, the crisis has seen Microsoft send a “first of its kind notification” to several dozen hospitals that their gateways and VPNs are being actively targeted by ransomware groups. US-based security firm Barracuda has warned that Covid-19-related attacks of this sort have increased 667% worldwide.
However, intrusions may not come from external hackers at all, but from the server hosts themselves. A study by privacy and security research firm VPNpro has revealed that 30% of the world’s top VPNs are secretly owned by six Chinese companies, while many others are based in countries with similarly lax or non-existent privacy laws. For example, at least seven prominent VPNs are owned by the Pakistani company Gaditek. The laws in Pakistan are such that, without a warrant, the government there can access any of the data held by these VPNs and share it with foreign institutions at will. All of which could make using a VPN counterproductive to an organization’s privacy requirements.
For these reasons it is unsurprising that VPNs are seen as a key weakness by many within defence and intelligence agencies. As agencies and organizations operate more in mobile or distributed environments, concerns over availability, severability and disruption, network capacity, stability, connectivity in bandwidth-constrained environments, and concentrated points of vulnerability in a network increase significantly.
What can you do to ensure your VPN protects you?
Despite the various vulnerabilities detailed, there are steps you can take to ensure your VPN gives you the best protection possible.
First and foremost, check that your VPN provider is identifiably reputable and ideally certified against established standards by recognized third parties. Updates are not optional – they are vital to ensuring that new patches are installed and your VPN is functioning optimally. Provide full staff training on how, why and when to use your VPN – do not assume familiarity or capability. Perform tests as close to full capacity as possible, and if throttling or reduced service occurs, talk to your provider. The National Cyber Security Centre in the UK has warned “Protecting data in transit is one of the most important security aspects to consider when using mobile devices. Attackers with access to unprotected data (or inadequately-protected data) may be able to intercept and modify data, potentially causing harm.” So, push back if colleagues are slow to get on board. Be pragmatic and realistic. It is the only way to close the gap between policy and reality.
Perhaps most important of all, be aware of what your VPN is being used for, and do not overextend it. If your organization is routing Voice over IP (VoIP) calls and conference calls through the VPN, that traffic is taking up valuable bandwidth, is likely to lead to problematic calls, and could even bring down the VPN completely. Furthermore, even the most robust VPN is no replacement for end-to-end encrypted messaging and file transfers, since its protection ends at the gateway – make sure you are using specialized tools for the purpose intended.
Protect communications properly
Cellcrypt’s mobile and desktop apps can be downloaded and used on existing smartphones, tablets and PCs in minutes, offering the highest level of end-to-end, certified encryption for voice calls, conference calls, instant messaging and file transfers. The platform’s trusted security is relied on at the highest levels of governments around the world, and is enterprise-ready: integrating with existing IT infrastructure (no need to rip and replace), with optional add-ons ranging from regulatory compliance auditing to private stacks that provide full management control. Cellcrypt Voice Gateway extends your existing PBX to Cellcrypt-enabled mobile devices; a lifeline in this remote-working environment.
Cellcrypt was first FIPS 140-2 certified in 2010, with UK CESG CAPS certification in 2012 and US NIAP (National Information Assurance Program) Common Criteria certification in 2014. Cellcrypt exceeds the Suite B encryption mandated by the NSA for all US Government classified communications, up to Top Secret. Every single message and call has a unique encryption key, with each session authenticated at the end points, for true end-to-end encryption.
At this time of great need, we are committed to supporting government and commercial enterprises affected by the global health emergency. We are proud to have launched our Secure Communications for Home Workers quick-start initiative, offering our military-grade encryption with unparalleled discounts on licenses and full enterprise solutions. Organizations needing to transition to telework while ensuring business continuity will be able to employ Cellcrypt rapidly to lessen the strain, costs and vulnerabilities during this emergency.
Please visit our dedicated page for more information, and to learn more about how Cellcrypt is contributing our military-grade business solutions during this public health crisis.