How to Secure Your Organization’s VPN for Remote Workers
Securing your organization’s virtual private network (VPN) is vital, especially now that government-mandated quarantines, imposed amid the ongoing threat of the Coronavirus disease 2019 (COVID-19), have sharply increased the number of remote workers.
COVID-19, now affecting over a hundred thousand individuals in more than 100 countries and described as a pandemic by the World Health Organization (WHO), has prompted some individuals who believed that they’ve been exposed to the virus to opt for self-imposed quarantine. National and local governments in different parts of the world, meanwhile, have imposed different levels of movement restriction, from community quarantine to lockdown.
With the growing number of quarantined individuals worldwide, remote work or telework has become not just an option but a necessity. Remote work requires a secure VPN to connect staff to your organization’s information technology (IT) network.
What Is a VPN?
A VPN, short for virtual private network, allows a worker outside the confines of a physical office to connect to the office network. In the context of remote work, the VPN secures the connection between two points, such as the laptop used by the remote worker and your organization’s network.
The VPN serves as a tunnel between these two endpoints, the remote worker’s laptop and your organization’s network. For example, a remote worker can use the VPN to send encrypted data until it reaches its destination: a specific server in your organization that the remote worker is permitted to access.
VPN Risks and Corresponding Mitigations
A VPN, being a service that allows remote connection to a network over the internet, can introduce security risks to your organization. Here are some of the risks of using a VPN and the measures that mitigate them:
- Choose the Best VPN Suited for Your Organization’s Needs
VPNs aren’t created equal. Some are designed for large organizations, others for small or medium-sized organizations. For instance, some VPNs support only a limited number of concurrent connections, after which no other remote worker can connect.
Different VPN vendors also offer different levels of security in their services. Choose the one that offers a high level of security, both for your organization’s remote workers and for your organization’s information technology (IT) network.
- Keep VPNs Up to Date
Malicious actors are aware that the VPN is the tunnel linking remote workers to the organizations they work for. In recent months, VPN security vulnerabilities have been exploited by cybercriminals to gain access to their victims’ networks.
In April 2019, the Canadian Centre for Cyber Security issued an alert warning organizations in Canada about the active exploitation of VPN vulnerabilities, specifically in Fortinet FortiGate VPN, Palo Alto GlobalProtect VPN, and Pulse Connect Secure and Pulse Policy Secure VPN.
Security vulnerabilities in Fortinet FortiGate VPN that were being exploited by malicious actors include CVE-2018-13382 (a backdoor that could allow an unauthenticated user to change VPN user passwords); CVE-2018-13379 (a vulnerability that could allow a remote, unauthenticated actor to view sensitive information, including plaintext usernames and passwords); and CVE-2018-13383 (a remote code execution vulnerability that could allow an authenticated user to execute code on the VPN server).
In Palo Alto GlobalProtect VPN, the exploited security vulnerability was CVE-2019-1579, which allows a remote, unauthenticated actor to execute arbitrary code on the VPN server; while in the Pulse Connect Secure and Pulse Policy Secure VPN, the exploited security vulnerability was CVE-2019-11510, which allows a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.
Patches fixing the above-mentioned security vulnerabilities have been issued for Fortinet FortiGate VPN, Palo Alto GlobalProtect VPN, and Pulse Connect Secure and Pulse Policy Secure VPN. Active exploitation of these vulnerabilities succeeds only where users fail to apply the patches issued by the VPN vendors.
It is therefore important to keep your organization’s VPN up to date in order to protect it from malicious actors.
One reason some organizations delay installing a patch is that the VPN is offered as a 24/7 service. A 24/7 work model should not be used as an excuse for delaying patches: the repercussions of a cyberattack that results from failing to apply the latest patch could prove far more costly than the work disruption. One way to reduce the negative impact of applying a patch is to schedule it for a time when only a few workers are using the VPN. It is also important to inform the affected workers ahead of the scheduled patch.
- Use Multi-Factor Authentication on All VPN Connections
Malicious actors also exploit the natural tendency of people, including remote workers, to click on anything without a second thought. This predisposition is exploited in phishing campaigns: emails that masquerade as coming from legitimate sources and contain malicious links or attachments. Clicking these links or attachments could lead to the theft of VPN login details, including usernames and passwords.
The use of multi-factor authentication on the VPN adds a layer of security in case login credentials are stolen. With multi-factor authentication, knowledge of the correct VPN username and password combination alone is not enough to authenticate an attacker.
- Deploy a Web Application Firewall
Another way of securing your organization’s VPN is to deploy a web application firewall in front of the VPN’s web application. The web application firewall can detect and block web application attacks, such as specially crafted HTTP requests that exploit VPN vulnerabilities.
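The firewall approach above depends on recognising crafted requests before they reach the VPN portal. As an added example (not code from the original article or from any VPN or firewall vendor), the Python below runs a check over constructed web-server access-log lines for a hypothetical VPN portal and flags directory-traversal attempts, including the percent-encoded and double-encoded forms that a naive string match misses; all addresses, paths and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style) for a hypothetical
# VPN web portal. Addresses, paths and timestamps are illustrative only.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2020:09:14:02 +0000] "GET /remote/login HTTP/1.1" 200 1832
203.0.113.7 - - [12/Mar/2020:09:14:05 +0000] "POST /remote/logincheck HTTP/1.1" 302 0
198.51.100.23 - - [12/Mar/2020:09:15:11 +0000] "GET /portal/../../etc/passwd HTTP/1.1" 404 0
198.51.100.23 - - [12/Mar/2020:09:15:12 +0000] "GET /portal/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
198.51.100.23 - - [12/Mar/2020:09:15:13 +0000] "GET /portal/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0
192.0.2.9 - - [12/Mar/2020:09:16:40 +0000] "GET /static/app.js?v=2..3 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment bounded by slashes (or the start/end of the path).
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalise(path: str) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded
    dots are compared in plain form; also fold backslashes to slashes."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(request_target: str) -> bool:
    """True if the path component (query string stripped) contains a
    '..' segment after normalisation."""
    path_only = request_target.split('?', 1)[0]
    return TRAVERSAL_RE.search(normalise(path_only)) is not None


def flag_traversal(log_text: str) -> list:
    """Return one finding per log line whose request path is a traversal attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m['path']):
            findings.append({'ip': m['ip'], 'path': m['path'], 'status': m['status']})
    return findings
```

The `2..3` in the last sample line sits in the query string, not the path, so it is deliberately not flagged; the three flagged lines all come from the same source address, which is the kind of grouping a blocking rule would key on.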
Deploying secure VPN and other critical tools for your remote teams is a cumbersome task and our experts are ready to help and get your business online in no time. Call us today at (416) 920-3000 or email email@example.com