VPNs May Increase Risk For Cyber Crime

By Patrick Hunter

With the surge in remote work over the last six months, the landscape of cybersecurity and remote access virtual private networks (VPNs) has begun to change. As the reader is likely aware, a VPN extends a private network across network resources that do not belong to the home network. Those “other” resources are typically the public Internet, but they don’t have to be, and they are not always. The means of establishing the virtual connection vary as well. The common thread is that a device or user somewhere outside the “home” network can connect to it as if it were actually inside. Most often the connection is also encrypted, since the Internet as a medium is not inherently secure.

With the sharp rise in the number of employees required to work outside their normal office, VPN adoption and utilization have increased accordingly. It has been widely reported that cybercrime has been on the rise since the beginning of the coronavirus pandemic, and the use of VPNs as a remote working solution greatly expands the attack surface available to cyber criminals. This is a serious problem for any business that relies on remote connectivity for its employees, contractors, and even third party or outsourced vendors.

The nature of the risk associated with VPN use depends on a number of factors. For example, does the business own and maintain its own VPN platform, or is that functionality outsourced to a “VPN as a service” provider? Contracting VPN as a service may make sense for the immediate bottom line, both in up-front capital expenditure and in operational expense over time, but the cost of a breach can far outweigh the savings. An organization that treats security as a high priority will likely want strict control over every resource associated with the remote access platform for just this reason.

Another risk that is easy to overlook is using a VPN solution to give third parties access to corporate resources. It is very common to see “site-to-site” VPN tunnels between third party companies and an enterprise for software development or other business needs. These tunnels most often provide a dedicated connection between the two companies across the Internet. In many cases, the controls meant to ensure that the third party network has only very limited access to corporate resources get stretched thin by business demands. Over time, the access control rules on the VPN termination devices (often firewalls dedicated to this purpose) start to resemble Swiss cheese as hole after hole is opened. Managing connectivity this way is not only risky but time-consuming. It also assumes that every employee of the partner company should have the same access as every other employee of that company, which is rarely the right approach. Identity-based access rules, managed by group membership, are easier to administer and provide far more specific access controls.
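As an added example (not code from the article), the script below shows the two approaches side by side. It audits a constructed site-to-site rule table for the kind of drift described above, scoring each rule by how many source, destination and port combinations it permits, and then evaluates a small group-based policy in which what a partner user may reach follows from group membership rather than from the address the traffic came from. The rule fields, the exposure budget, the corporate range and the GROUP_POLICY table are all assumptions made for illustration.

```python
"""Audit the access-control rules on a site-to-site VPN termination firewall.

Added example; not from the article. The rule table, field names, corporate
range and exposure budget are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str      # partner-side CIDR allowed to initiate
    dst: str      # corporate-side CIDR reachable
    ports: str    # "443", "8000-8100" or "any"
    ticket: str   # change ticket justifying the hole; "" if nobody recorded one


def port_count(spec: str) -> int:
    """Number of TCP/UDP ports a port spec covers."""
    if spec == "any":
        return 65536
    lo, _, hi = spec.partition("-")
    return int(hi or lo) - int(lo) + 1


def exposure(rule: Rule) -> int:
    """Count of (source, destination, port) triples the rule permits.
    This is the quantity that quietly grows as holes are added."""
    return (ipaddress.ip_network(rule.src).num_addresses
            * ipaddress.ip_network(rule.dst).num_addresses
            * port_count(rule.ports))


def audit(rules, corp_net="10.0.0.0/8", budget=2 ** 20):
    """Return (rule name, reason) findings for rules a reviewer should question."""
    corp = ipaddress.ip_network(corp_net)
    findings = []
    for r in rules:
        dst = ipaddress.ip_network(r.dst)
        if r.ports == "any":
            findings.append((r.name, "permits every port"))
        if corp.subnet_of(dst):  # true when dst equals or contains the corporate range
            findings.append((r.name, "destination covers the whole corporate range"))
        if exposure(r) > budget:
            findings.append((r.name, f"exposure {exposure(r)} exceeds budget {budget}"))
        if not r.ticket:
            findings.append((r.name, "no change ticket recorded"))
    return findings


# Identity-based alternative (assumed policy format): what a group may reach,
# independent of which partner address the traffic came from.
GROUP_POLICY = {
    "vendor-dev": {("10.20.5.7/32", 443), ("10.20.5.8/32", 22)},   # git server + jump host
    "vendor-ci":  {("10.20.9.0/24", 443)},                          # build artifact store
}


def allowed(groups, dst_ip: str, port: int) -> bool:
    """True if any of the user's groups grants dst_ip:port."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(net) and port == p
               for g in groups for net, p in GROUP_POLICY.get(g, ()))


# Constructed rule set: one tight rule and two that have drifted.
PARTNER_RULES = [
    Rule("dev-git",    "203.0.113.0/24", "10.20.5.7/32", "443", "CHG-1042"),
    Rule("ci-runner",  "203.0.113.0/24", "10.20.0.0/16", "any", ""),
    Rule("legacy-all", "203.0.113.0/24", "10.0.0.0/8",   "any", "CHG-0007"),
]

if __name__ == "__main__":
    for name, reason in audit(PARTNER_RULES):
        print(f"{name}: {reason}")
    print(allowed(["vendor-dev"], "10.20.5.7", 443))   # True
    print(allowed(["vendor-dev"], "10.20.9.4", 443))   # False
```

Run against a real firewall export, the interesting output is usually the rules with no ticket and the handful whose exposure dwarfs everything else; those are the holes to close or narrow first. The group policy, by contrast, stays readable because each entry names a resource and a port rather than a range of partner addresses.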

The third risk to consider is that remote workers often have a different attitude about which websites they feel comfortable visiting when they are at home. Does the remote access VPN solution for these employees still pass their traffic through the same tools that monitor and block web traffic in the office, does that traffic pass through another environment for web management, or through none at all? In some cases, to make life less cumbersome for remote users and so reduce the volume of help desk calls, a “split tunnel” approach is used for remote access VPN. Instead of pulling all traffic across the VPN and through the corporate controls that monitor and restrict web traffic, the VPN client on the remote PC sends only traffic destined for corporate networks through the tunnel and sends Internet-destined traffic out the local Internet connection. That traffic never reaches the corporate web proxy, filter, or logging, so the chance that a user reaches a risky website with no control in the path rises sharply. It is not surprising that many users of company equipment and connectivity assume the connectivity is designed to be as safe as possible, so an “if I can surf to it, it must be okay” mentality sets in. Human tendencies have to be at the top of the list of risks to mitigate when thinking about cyber security.
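To make the split-tunnel behaviour concrete, here is an added example (not code from the article) that models a client's routing table from a WireGuard-style AllowedIPs list and shows which destinations go through the tunnel and which leave through the home Internet connection. The AllowedIPs format, the interface names and the sample destinations are assumptions; the half-default-route trick used for a full tunnel is the one OpenVPN's `redirect-gateway def1` option employs.

```python
"""Model where a VPN client sends each packet under split versus full tunnel.

Added example; not from the article. It builds a client routing table from a
WireGuard-style AllowedIPs list (format assumed for illustration) and picks the
egress by longest-prefix match, as the client's kernel does. A 0.0.0.0/0 entry
is installed as 0.0.0.0/1 plus 128.0.0.0/1, the trick OpenVPN's
`redirect-gateway def1` uses to beat the ISP default route without deleting it.
IPv4 only; see the note below about IPv6 and DNS.
"""
import ipaddress


def routes_from_allowed_ips(allowed_ips: str, local_lan="192.168.1.0/24"):
    """Return (network, egress) pairs: the ISP default route, the home LAN,
    and whatever prefixes the VPN profile claims for the tunnel."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "isp"),
              (ipaddress.ip_network(local_lan), "lan")]
    for cidr in allowed_ips.split(","):
        net = ipaddress.ip_network(cidr.strip())
        if net.prefixlen == 0:
            # Full tunnel: two /1 routes are more specific than the ISP /0.
            routes += [(ipaddress.ip_network("0.0.0.0/1"), "vpn"),
                       (ipaddress.ip_network("128.0.0.0/1"), "vpn")]
        else:
            routes.append((net, "vpn"))
    return routes


def egress(routes, dst: str) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dst)
    _, iface = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return iface


def bypasses_corporate_egress(routes, destinations):
    """Destinations whose traffic never touches the corporate proxy or filter."""
    return [d for d in destinations if egress(routes, d) == "isp"]


# Constructed destinations: an internal app, a public web site, a home printer.
SAMPLE = ["10.20.5.7", "203.0.113.10", "192.168.1.20"]
SPLIT = routes_from_allowed_ips("10.0.0.0/8, 172.16.0.0/12")   # split tunnel
FULL = routes_from_allowed_ips("0.0.0.0/0")                    # full tunnel

if __name__ == "__main__":
    print("split tunnel, uninspected:", bypasses_corporate_egress(SPLIT, SAMPLE))
    print("full tunnel, uninspected: ", bypasses_corporate_egress(FULL, SAMPLE))
```

The check is purely route-based. Two further leak paths a practitioner should test for separately are DNS, which on a split-tunnel client commonly goes to the home resolver regardless of where the queried host lives, and IPv6, which goes straight out the ISP if the profile lists only IPv4 prefixes.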

In summary, it is a new era of remote access to secure networks. The expected volume of VPN traffic is likely to be high for quite some time, maybe indefinitely. Approaches to facilitating that remote connectivity while protecting the assets of the company must be reviewed and assessed for the risks of today and tomorrow. Waiting to ensure that the VPN platform is resilient and secure will only lead to heartburn for an organization.


Patrick Hunter, “Hunter”

Director, IT Enterprise Network and Telecom,
Charter Communications
hunter.hunter@charter.com

Hunter has been employed with Charter since 2000 and has held numerous positions, including Installer, System Technician, Technical Operations management, Sales Engineer, and Network Engineer. His responsibilities include providing IP connectivity to all users in Charter’s approximately 4,000 facilities, including executive and regional offices, technical centers, call centers, stores, headends, hubsites, and data centers. Mr. Hunter has served on the SCTE Gateway Chapter Board of Directors since 2005. He spends his spare time mentoring, teaching, and speaking on IP and Ethernet networks as well as careers in the network field.
