There are many pitfalls organizations should be aware of when implementing or scaling up VPN use.
By Joseph Pierini, US Head of Testing, Cybersecurity and Information Resilience (CSIR) at BSI
As countries continue to grapple with the COVID-19 outbreak, many organizations have implemented telework programs to ensure business continuity and mitigate the spread of the virus. The move to a workforce where a majority of people are now working remotely has posed challenges that many may not have been prepared for. In considering how to keep business networks secure amidst the increase in connections from less secure personal networks, virtual private networks (VPNs) have become an important part of the security equation. Regardless of whether such a program is already in place or is a completely new endeavor, there are several cybersecurity concerns to be aware of. Here are a few suggestions and pitfalls to consider as your organization expands its VPN use.
An initial consideration is the capacity of the VPN. Does your organization already have written guidelines for accessing the network? At this point, we know that teleworking could go on for weeks, or even months, making the decision to implement a VPN service vitally important to the security of your employees, their data, and your customers' data, among other things. In order to access a VPN, users will typically need some form of multi-factor authentication, whether through a mobile application, a key fob that generates a code, or some other kind of token. Therefore, how will the organization communicate proper use of multi-factor authentication to an entirely new group of users?
An influx of users who are new to VPNs, multi-factor authentication, or both will also likely result in a variety of questions and technical challenges. Some users may not be able to access the network, while others may need to change passwords or have difficulty running new software on their devices. As a result of this new process and the influx of new users, there is likely to be an increase in the number of inquiries to your organization's IT Help Desk.
If your organization already has a VPN service in place, consider whether and how you will ramp up its usage. If your organization typically has 100 users working from home and accessing the network through a VPN connection, can the VPN still function if the organization suddenly has 3,000 users connecting? If the VPN requires a license, are there enough licenses to cover the additional influx of users? Similarly, from a capacity standpoint, it is important to ask if the organization can effectively supply all new users with multi-factor authentication capabilities.
There are also additional cybersecurity concerns to consider. On a work device connected to a VPN, updates to commonly used software are pushed to systems as part of an overall cybersecurity program. With workers now operating at home, updates may fall out of sync, leaving users more vulnerable to certain types of malware, viruses, or exploits. Companies will need to develop a way to inform users of which updates are needed and to mandate that those updates take place. Typically, companies with telework programs employ full-tunnel VPNs, which allow control over all traffic coming into and going out of the corporate system. For example, these types of VPNs allow the organization to block certain websites and enforce certain security measures. Given the influx of users, full-tunnel VPNs may saturate the network, and organizations might be tempted to split the traffic, removing many of these safeguards in order to allow a greater number of users access. However, this is not a recommended practice, as split-tunneling creates a bridge between an unsecured network and a secure one.
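Whether a client is actually full-tunnel or split-tunnel is visible in its routing table, which makes it something an administrator can verify rather than assume. The following is an added example (not code from the article or from BSI) that classifies a Linux `ip route` listing. It assumes the Linux route output format, that VPN interfaces carry names beginning with `tun`, `tap`, `wg`, `utun` or `ppp` (a heuristic), and it relies on the fact that OpenVPN's `redirect-gateway def1` option installs the two half-routes `0.0.0.0/1` and `128.0.0.0/1` via the tunnel instead of replacing the default route. The two sample routing tables are constructed.

```python
"""Classify a client's routing table as full-tunnel, split-tunnel, or no VPN.

Added example, not from the original article. Assumes Linux `ip route` output;
the VPN interface-name prefixes below are a heuristic, and both sample tables
are constructed for illustration.
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List

# "<prefix> [via <gateway>] dev <iface> ..."  (covers "default via ..." too)
ROUTE_RE = re.compile(r"^(\S+)\s+(?:via\s+(\S+)\s+)?dev\s+(\S+)")

# Heuristic: interface names that usually belong to a VPN tunnel.
TUNNEL_IFACE_PREFIXES = ("tun", "tap", "wg", "utun", "ppp")

# Constructed sample: full-tunnel client. OpenVPN's "redirect-gateway def1"
# adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; together they are more specific
# than the original default route, so every destination rides the VPN. The host
# route to the VPN server itself (203.0.113.5) must stay on the physical NIC.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Constructed sample: split-tunnel client. Only the corporate prefix
# (10.50.0.0/16) uses the tunnel; all other traffic leaves via the home router.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.50.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""


@dataclass
class TunnelReport:
    mode: str                                   # "full", "split", or "none"
    tunnel_prefixes: List[str] = field(default_factory=list)
    bypass_prefixes: List[str] = field(default_factory=list)


def is_tunnel_iface(name: str) -> bool:
    return name.startswith(TUNNEL_IFACE_PREFIXES)


def classify_routes(ip_route_output: str) -> TunnelReport:
    """Return which destinations go through the VPN and which bypass it."""
    tunnel_prefixes: List[str] = []
    bypass_prefixes: List[str] = []
    for line in ip_route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, _gateway, dev = m.groups()
        (tunnel_prefixes if is_tunnel_iface(dev) else bypass_prefixes).append(prefix)

    if not tunnel_prefixes:
        return TunnelReport("none", [], bypass_prefixes)

    # Full tunnel if the default route itself is on the tunnel, or if the two
    # /1 half-routes that override it are.
    covers_everything = (
        "default" in tunnel_prefixes
        or {"0.0.0.0/1", "128.0.0.0/1"} <= set(tunnel_prefixes)
    )
    return TunnelReport("full" if covers_everything else "split",
                        tunnel_prefixes, bypass_prefixes)


if __name__ == "__main__":
    # "--live" reads the real table from `ip route`; otherwise use the samples.
    if "--live" in sys.argv:
        tables = {"this host": subprocess.run(
            ["ip", "route"], capture_output=True, text=True, check=True).stdout}
    else:
        tables = {"constructed full-tunnel": FULL_TUNNEL,
                  "constructed split-tunnel": SPLIT_TUNNEL}
    for label, table in tables.items():
        r = classify_routes(table)
        print(f"{label}: mode={r.mode} via_vpn={r.tunnel_prefixes} "
              f"bypassing_vpn={r.bypass_prefixes}")
```

In a full-tunnel result the only routes bypassing the VPN should be the local link subnet, the now-superseded default route, and the host route to the VPN server; anything else in `bypass_prefixes` is the kind of bridge to the home network the paragraph warns about.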
Regardless of whether a few additional employees are being supplied with VPN access or all employees are, your organization's Help Desk will likely be overwhelmed with implementation or troubleshooting issues. Not only will users likely be unable to work, but it can also be easier for malicious actors to take advantage of the situation and infiltrate the organization's systems. While IT personnel work to resolve legitimate user issues, nefarious actors may use this opportunity to call Help Desks claiming an inability to access the VPN, with the intent of gaining access and taking advantage of the system.
Other technical concerns for organizations to keep in mind are smaller issues that may not have previously occurred to companies that did not have “work from home” arrangements in the past. For example, networked computers may require a password change every 45 days, but if an employee is unable to access the network or VPN and is unable to change their password, the employee may be out of sync and become locked out. It is important to consider how your password or other authentication policies will be impacted by people using personal devices from home, or work devices at home.
As businesses navigate this new normal of large portions of the workforce working remotely, there are many things to consider in keeping their networks and data secure, and VPNs are a key first step.
Joseph Pierini is the Head of Testing US for BSI where he is responsible for the development and execution of the penetration testing programs supporting their clients’ security as well as compliance with privacy laws and other regulations. Joseph has been a penetration tester and cyber security practitioner for over 20 years and has performed penetration tests and application assessments for over half of the Internet Retailer Top 500, Fortune 1000 and many of America’s top defense contractors.