Top enterprise VPN vulnerabilities

Hello. This is Susan Bradley for CSO Online. Today I'm going to talk about virtual private networks, or specifically VPN software. It all started when, the other day, the Internal Revenue Service, the United States tax enforcement organization, released Publication 4557, talking about steps that tax preparation firms need to take in order to maintain data security for taxpayer information. And one of the items in the guidance they gave kind of struck me as a bit odd. It had to do with what to do on public Wi-Fi. They recommended that you only access business or similarly sensitive documents if you use a VPN. It said a VPN provides a secure, encrypted tunnel to transmit data between a remote user, through the Internet, and the company network. And then they said to search for "best VPNs" to find a legitimate vendor, since major technology sites often provide lists of top services. And I saw that and went, wow, you know, the number of times that I've googled "best VPN software" and hit malicious websites is not funny. So, is a VPN more secure? Let's think about that. First off, when you go looking around for VPN software, VPN phone applications in particular aren't so secure. In fact, a Wired article at least two years ago found that 283 mobile VPN applications on the Google Play store were malicious or had significant privacy and security limitations. So don't get pulled in by the lure of free software either. As research has shown, when you don't pay for something, you're often the product. Once again, various Android VPN permission-based apps were reviewed, and many of them had issues with privacy and security. Two years later, we now see research that 90 percent of popular free VPN apps on the Apple and Google Play stores have serious user privacy flaws. Things are not better. But what about corporate VPN software?
Recently attackers have been targeting VPN platforms, and they are being used in active attacks: specific attackers are targeting the telecommunications, software and defense industries. VPN software is their new target. Once they steal the passwords to the VPN software, they then use more typical attack tools to get inside the network and do lateral movement; for example, they use Mimikatz, PwDump and WDigest credential harvesting to gain more access into the network. Attackers are also going after Office 365 mailboxes by using tools such as the Ruler penetration testing tool and abusing the Exchange Web Services API. Back in July, a presentation was done at Black Hat talking about ways to get into networks using VPN vulnerabilities, in particular using a pre-auth remote code execution exploit on leading SSL VPNs. Specifically, if you're using Pulse Connect Secure, look for CVE-2019-11510 and CVE-2019-11539. If you're using Fortinet, you need to make sure you're patched for CVE-2018-13379, CVE-2018-13382 and CVE-2018-13383. Most of these are post-auth heap overflows that allow an attacker to gain a shell running on the router itself. Last but not least, you want to make sure you patch for CVE-2019-1579 if you're running Palo Alto VPNs. If you've been attacked, you want to make sure you look at the log files on the virtual private network device, and also look for evidence of compromised accounts and active use. Look for connections that don't make sense, that are made at odd times, and other unusual events in your log files. When choosing VPN solutions, make sure you understand, and give yourself, ways that you can patch and maintain the remote access. You can also consider adding multi-factor authentication when using VPN solutions. For example, Duo is one vendor that allows VPNs to have two-factor authentication. You want to make sure that you provide guidance and education to users on how to use the two-factor authentication process.
Bottom line: don't just automatically assume that VPN applications make you more secure. They can introduce more risk, not less. So think about that. A VPN isn't inherently secure; treat it accordingly. Make sure you can update it, make sure you can patch it, and look for the ability to add two-factor to it. Until next time, this is Susan Bradley. Don't forget to sign up for TechTalk from IDG and look for us on the YouTube channel. Until next time, this is Susan Bradley. Thank you again. Bye bye.
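As an added example (not part of the transcript or the CSO Online video), here is a small Python script that runs the kind of VPN log review described above over a constructed, generic authentication log: successful logins outside business hours, one account appearing from more than one source address within a day, and a burst of failed logins from one address followed by a success. The log format, the business-hours window and the thresholds are assumptions for illustration; real Pulse Connect Secure, FortiGate or Palo Alto GlobalProtect logs have their own formats and need their own parser.

```python
"""Hunt for suspicious remote-access logins in a VPN authentication log.

Added example, not from the video. The line format 'timestamp user src_ip
result' is a constructed, generic one; real appliance logs differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, username, source IP, auth result.
# Assumption: timestamps are in the organisation's local time.
SAMPLE_LOG = """\
2019-09-10T09:02:11 alice 203.0.113.10 success
2019-09-10T09:15:42 bob 198.51.100.7 success
2019-09-10T13:22:05 alice 203.0.113.10 success
2019-09-11T02:47:30 alice 192.0.2.55 success
2019-09-11T02:49:02 alice 192.0.2.55 success
2019-09-11T02:50:10 carol 192.0.2.55 failure
2019-09-11T02:50:15 carol 192.0.2.55 failure
2019-09-11T02:50:20 carol 192.0.2.55 failure
2019-09-11T02:50:25 carol 192.0.2.55 failure
2019-09-11T02:50:30 carol 192.0.2.55 failure
2019-09-11T02:51:00 carol 192.0.2.55 success
2019-09-11T08:30:00 bob 198.51.100.7 success
"""

BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 is "normal"
FAIL_THRESHOLD = 5                     # assumption: failures before a success
FAIL_WINDOW = timedelta(minutes=10)    # assumption: window for that burst
MULTI_IP_WINDOW = timedelta(hours=24)  # assumption: window for "two places"


def parse_log(text):
    """Parse the constructed log into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)  # tuples sort on the timestamp first


def off_hours_logins(events):
    """Successful logins made outside BUSINESS_HOURS ('odd times')."""
    return [e for e in events if e[3] == "success" and e[0].hour not in BUSINESS_HOURS]


def users_from_multiple_ips(events, window=MULTI_IP_WINDOW):
    """Accounts that logged in successfully from different source IPs within `window`.

    Returns {user: set_of_ips}; an account in two places in one day is a
    connection that 'does not make sense' and is worth a closer look.
    """
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, logins in by_user.items():
        for i, (ts_a, ip_a) in enumerate(logins):
            for ts_b, ip_b in logins[i + 1:]:
                if ip_a != ip_b and ts_b - ts_a <= window:
                    flagged.setdefault(user, set()).update({ip_a, ip_b})
    return flagged


def guessing_then_success(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """A run of >= threshold failures for one (user, ip) followed by a success within `window`.

    Returns [(user, ip, success_time, failure_count)]: the classic sign of a
    password that was guessed or stuffed and is now in active use.
    """
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    findings = []
    for ts, user, ip, result in events:
        key = (user, ip)
        if result == "failure":
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
            recent_failures[key].append(ts)
        elif result == "success":
            fails = [t for t in recent_failures[key] if ts - t <= window]
            if len(fails) >= threshold:
                findings.append((user, ip, ts, len(fails)))
            recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, user, ip, _ in off_hours_logins(evts):
        print(f"off-hours login: {user} from {ip} at {ts}")
    for user, ips in users_from_multiple_ips(evts).items():
        print(f"multiple source IPs within a day: {user} from {sorted(ips)}")
    for user, ip, ts, n in guessing_then_success(evts):
        print(f"{n} failures then success: {user} from {ip} at {ts}")
```

Run against the embedded sample, it flags alice's two 02:47 and 02:49 logins and carol's 02:51 login as off-hours, alice as appearing from both 203.0.113.10 and 192.0.2.55 inside a day, and carol's success right after five failures from 192.0.2.55. Each of the three checks is independent, so the thresholds can be tuned per environment, and the same three rules translate directly into a SIEM query once the appliance's real log fields are mapped to the user, source-IP and result columns used here.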
