infoTECH Feature

April 27, 2020

Securing Today's Remote Workforce - Best Practices to Secure VPN Services

By Special Guest
Pramod Borkar, lead technical marketing, Exabeam

Even prior to the COVID-19 outbreak forcing most companies to switch to a digital environment, 4.3 million people in the United States alone worked from home at least half of the time. Because of this, virtual private networks, or VPNs, have become all the more important. VPNs extend a private network across a public network and enable users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Per the Ponemon 2018 State of Cybersecurity Study, VPNs are one of the most essential security technologies. Enterprises consider VPNs the best way to secure access for all employees to resources and data within their organization. Encryption technologies such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security) have been introduced into VPN products to make it easier for corporations to adopt the technology and allow employees to seamlessly work remotely, without sacrificing privacy and security.

Especially given current events, VPN security and availability will be the focus for enterprise and security teams going forward. However, like any other technology, VPNs are also vulnerable to attack.

Below are details on how VPN services can be vulnerable and some methodologies to detect unusual VPN access. Enterprises can also put in place some best practices to secure VPN services as preventive measures.

VPN Vulnerabilities

Multiple vulnerabilities can exist in VPNs, according to the CVE database. Each of these loopholes allows adversaries to retrieve sensitive data from an enterprise, including authentication credentials. Attackers can then use these credentials to connect to the VPN and change configuration settings or connect to other internal resources. By gaining access to the VPN, the attacker could also have the ability to run exploits, as happened to aerospace giant Airbus when it was hit by attackers who targeted VPNs to steal sensitive company data.

The Challenge in Securing VPNs

Depending on the number of employees and the size of your organization’s IT and security teams, there can be many challenges that IT teams face when it comes to implementing VPNs. Security teams can also face tremendous pressure to comply with security controls. Some of the challenges include:

1. Stolen credentials – Most VPNs require a traditional username and password combination, which can be easily guessed or stolen. According to the Verizon 2019 Data Breach Investigations Report (p.10), stolen credentials are the number one vector for data breaches.

2. Handling the influx of VPN usage – Increasing VPN capacity to accommodate staff can be expensive. Organizations might have opted not to plan for more user licenses or the purchase of additional appliances.

3. Identifying abnormal user access – Security teams have to make sure all the rules are in place to track any unusual user access to key company resources. If employees are working remotely, enterprises may have to enforce additional security controls to authorize user access.

4. Addressing vulnerabilities quickly – Many larger organizations may require an employee to either be on the local network or VPNed in to install necessary patches on their machines. If remote employees aren’t regularly connecting to the VPN, their machines may go unpatched for weeks, if not months. IT/security teams may have to allocate dedicated time to track and call in those employees to upgrade their machines to the latest OS/application patch release or configure machines to automatically update patches from internet resources directly from software vendors.

The Role of Behavior Analytics in Protecting VPNs and their Users

Security teams need additional tools to help them make sure data privacy and security controls are in place with VPNs. Behavior analytics technology lets organizations detect unusual VPN activity that could represent misuse, and respond effectively to minimize or prevent data loss or other catastrophes for the business. Behavior analytics can help identify a number of abnormal circumstances that may indicate unusual activity on a VPN, including:

  • Abnormal VPN connections from the user
  • Abnormal VPN session duration 
  • First VPN connection from an unknown device
  • VPN connection from an anonymous proxy
  • Abnormal amount of data uploaded during a VPN session
  • Increase of company-related data files access
  • MFA from a new device for a user
  • Physical badge access after VPN access
  • Too many failed VPN logins
  • VPN access from a disabled account
  • Source IP from unauthorized location
  • Malicious VPN source IP

The biggest advantage of behavior analytics is its ability to create baselines of normal activity to distinguish abnormal activity that could indicate a breach. Regardless of whether an organization is a small business or an enterprise of tens of thousands of employees, behavior analytics is able to stitch together millions of logs, including VPN access, endpoint, web access, and firewall logs, then model the behavior of every user and every machine in the organization.
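The baseline-and-deviation idea described above, as an added example that is not the article's or any vendor's own code: a per-user baseline is built from constructed VPN session history, then new sessions are checked for four of the listed signals. The record fields, thresholds and alert labels are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, device_id, bytes_uploaded) per past session.
HISTORY = [
    ("alice", "LT-1001", 40_000_000), ("alice", "LT-1001", 55_000_000),
    ("alice", "LT-1001", 47_000_000), ("alice", "LT-1001", 52_000_000),
    ("bob", "LT-2002", 10_000_000), ("bob", "LT-2002", 12_000_000),
    ("bob", "LT-2002", 9_000_000), ("bob", "LT-2002", 11_000_000),
]
DISABLED = {"carol"}   # constructed list of disabled accounts
MAX_FAILED = 5         # assumed threshold: failed logins before the session
Z_LIMIT = 3.0          # assumed z-score cut-off for upload volume

def build_baseline(history):
    """Per-user baseline: known devices plus mean/stdev of upload volume."""
    devices, uploads = defaultdict(set), defaultdict(list)
    for user, device, up in history:
        devices[user].add(device)
        uploads[user].append(up)
    return {u: {"devices": devices[u], "mean": mean(uploads[u]),
                "std": pstdev(uploads[u])} for u in devices}

def score_session(baseline, event):
    """Return the list of anomaly labels raised by one VPN session event."""
    user, alerts = event["user"], []
    if user in DISABLED:
        alerts.append("vpn_access_from_disabled_account")
    if event.get("failed_logins", 0) > MAX_FAILED:
        alerts.append("too_many_failed_vpn_logins")
    prof = baseline.get(user)
    if prof is None:
        # No history to model: surface it instead of passing silently.
        alerts.append("no_baseline_for_user")
        return alerts
    if event["device"] not in prof["devices"]:
        alerts.append("first_vpn_connection_from_unknown_device")
    # Floor the spread at 10% of the mean (assumption) so a very uniform
    # history does not flag trivial changes; 1.0 avoids division by zero.
    std = max(prof["std"], 0.1 * prof["mean"]) or 1.0
    if (event["bytes_up"] - prof["mean"]) / std > Z_LIMIT:
        alerts.append("abnormal_upload_volume")
    return alerts

BASELINE = build_baseline(HISTORY)
```

Calling `score_session(BASELINE, {...})` on each new VPN log record returns an empty list for sessions that match the user's history and one label per deviation otherwise.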

Securing VPN Services

Despite its challenges, having your workforce working remotely brings an opportunity to validate some best practices to further secure your environment. The best practices summarized below can help guide your organization in looking at existing or new security tools that your IT/security teams might need to evaluate and reinforce.

Incorporate and enforce strong authentication methods

Without strong authentication methods, organizations expose themselves to risks where hackers can gain unauthorized access to sensitive data. In addition to enforcing single sign-on (SSO) to access various applications, organizations should evaluate multi-factor authentication (MFA) options. SSO and MFA can deliver secure authentication for all environments, protecting identity and access to data wherever users go. This is extremely pertinent for organizations using VPNs and expanding into the cloud.

Have an understanding of points-of-entry

Re-evaluate rules and threat hunting methods 

Behavior analytics can alleviate some pain for security teams, as it automatically adapts to environmental changes and makes it easy for SOC teams to detect threats. But the SOC team should consider re-tuning any existing rules and threat-hunting queries in their SIEM to look for adversary techniques, since advanced threats usually have no pre-defined indicators for analysts to look for. Rules and threat-hunting queries can help SOC analysts monitor for any unusual access to the environment, privileged accounts, lateral movements, or abnormal data exfiltration.

Ensure security is top of mind when incorporating wireless networks

Employees working from home often use laptops connected to a cable or DSL modem through their own wireless access point. Unfortunately, many wireless routers are never configured for security: they are merely connected and turned on. Teach employees how to configure their wireless routers and computers for WPA or WPA2, and why it is important to keep their home networks secure. Also, encourage employees to keep their antivirus software up to date on other personal machines that are joined to their home networks. If their personal machine is compromised by an attacker, and is on the same network as their work machine, that can open up the corporate network to additional risks.

VPNs are a powerful tool to connect today’s remote worker with the enterprise. When security is properly incorporated, companies can have peace of mind knowing their data is safe while business continues on.

About the Author: Pramod Borkar serves as a lead technical marketing team member at Exabeam. In his role, Borkar provides technical guidance and demonstrates product features to prospects and analysts and spearheads competitive intelligence to peel out key product differentiators. In addition, Borkar trains sales teams on how to position the product and owns technical demo webinars. 




Edited by Maurice Nagle