{"id":33906,"date":"2020-03-18T14:38:00","date_gmt":"2020-03-18T14:38:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/31033\/With-Everyone-WFH-VPN-Security-Has-Become-Paramount.html"},"modified":"2020-03-18T14:38:00","modified_gmt":"2020-03-18T14:38:00","slug":"with-everyone-wfh-vpn-security-has-become-paramount","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/with-everyone-wfh-vpn-security-has-become-paramount\/","title":{"rendered":"With Everyone WFH, VPN Security Has Become Paramount"},"content":{"rendered":"

With most employees working from home amid today’s COVID-19 (coronavirus) outbreak<\/a><\/span>, enterprise VPN servers have now become paramount to a company’s backbone, and their security and availability must be the focus going forward for IT teams.<\/p>\n

“It will be very important [that] the VPN service is patched and up-to-date because there will be way more scrutiny (scanning) against these services,” said Guy Bruneau, an ISC SANS instructor in a post last week.<\/p>\n

Bruneau’s warning<\/a> is just one of the many cybersecurity industry alerts published over the past few days on the topic of VPN security. ZDNet’s sister site CNET reviews the best VPN services<\/a>.<\/p>\n

Similar warnings and security bulletins were published by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency<\/a> (DHS CISA), the New Jersey Cybersecurity and Communications Integration Cell<\/a> (NJCCIC), and cyber-security firm Radware<\/a>.<\/p>\n

The perfect time to detect VPN account compromises<\/h3>\n

According to Bruneau, it is now more important than ever that companies and IT staff set up systems to capture metrics about the performance and availability of VPN services.<\/p>\n

The ISC SANS instructor says these systems will help companies avoid downtime of mission-critical VPN services, especially now since employees work from home, and the VPN service represents the most secure way of accessing company networks and private resources.<\/p>\n

Bruneau encourages companies to sift through logs to detect compromises of VPN accounts. Since most employees will now be using VPN systems, they are more likely to fall for phishing attacks that steal VPN account credentials.<\/p>\n

\n<\/section>\n

In theory, with the proper logging in place, it should now be much easier to spot compromised accounts by looking at irregular VPN usage patterns for each enterprise user working from home.<\/p>\n

“The activity that should be scrutinized over the coming weeks would be ports associated with VPN like OpenVPN (1194) or SSL VPN (TCP\/UDP 443, IPsec\/IKEv2 UDP 500\/4500) with their associated logs to ensure these services are accessed by the right individuals and are not abused, exploited or compromised,” Bruneau said.<\/p>\n

\n

Directory<\/span><\/h3>\n
\"Best<\/span><\/a><\/div>\n

Best VPN services for 2020 (CNET)<\/a><\/p>\n

A virtual private network lets you send and receive data while remaining anonymous and secure online. In this directory, CNET looks at a few of the very best commercial VPN service providers on the Internet.<\/p>\n

Read More<\/a><\/p>\n<\/div>\n

Enable MFA for VPN accounts<\/h3>\n

In the light of an expected increase in VPN phishing attacks, the ISC SANS expert recommends that companies look very closely at enabling a multi-factor authentication (MFA) solution to protect VPN accounts from unauthorized access.<\/p>\n

His recommendation was also echoed by the NJCCIC and DHS CISA in a US-CERT alert the agency sent out last week.<\/p>\n

In a report last year, Microsoft said that enabling a MFA solution for online accounts usually blocks 99.9% of all account takeover (ATO) attacks<\/a>, even if the attacker has valid credentials for the victim’s account.<\/p>\n

Also:<\/strong> Protect yourself: How to choose the right two-factor authenticator app<\/strong><\/a><\/p>\n

VPN servers should be patched and up-to-date<\/h3>\n

But besides enabling MFA to protect VPN accounts for employees working from home, CISA also recommended that companies review the patching levels of corporate VPN products. The same advice was also echoed today in a Radware security alert.<\/p>\n

Both CISA and Radware point out that corporate VPN solutions have been the targets of a wide range of attacks that began over the 2019 summer.<\/p>\n

Attacks targeted VPN servers from Palo Alto Networks, Fortinet, Pulse Secure, and Citrix:<\/p>\n

\u2022 Palo Alto Network Security Advisory PAN-SA-2019-0020<\/a>, in relation to CVE-2019-1579<\/a>;
\u2022 FortiGuard Security Advisories FG-IR-18-389<\/a>, in relation to CVE-2018-13382<\/a>; FG-IR-18-388<\/a> in relation to CVE-2018-13383<\/a>; FG-IR-18-384<\/a>, in relation to CVE-2018-13379<\/a>;
\u2022 Pulse Secure Security Advisory SA44101<\/a>, in relation to CVE-2019-11510<\/a>, CVE-2019-11508<\/a>, CVE-2019-11540<\/a>, CVE-2019-11543<\/a>, CVE-2019-11541<\/a>, CVE-2019-11542<\/a>, CVE-2019-11539<\/a>, CVE-2019-11538<\/a>, CVE-2019-11509<\/a>, https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-11507<\/a>CVE-2019-11507.
\u2022 Citrix Security Advisory CTX267027<\/a>, in relation to CVE-2019-19781<\/a>.<\/p>\n

All of these systems should have been patched last year when the vulnerabilities were disclosed, and the first attacks began hitting organizations.<\/p>\n

With more and more companies needing VPN capabilities to allow workers to log into private corporate systems and do their duties, IT staff are responding by putting up more VPN servers to deal with the surging traffic.<\/p>\n

IT staff now need to pay close attention to the new VPN servers they are putting up and make sure these systems have been patched for the vulnerabilities listed above, which are some of the most targeted vulnerabilities today.<\/p>\n

The danger of DDoS attacks on VPN servers<\/h3>\n

But with so many organizations moving their employee workforce to work-from-home jobs, there is now a new threat on the horizon — extortions.<\/p>\n

Hackers could launch DDoS attacks on VPN services and exhaust their resources, crashing the VPN server and limiting its availability.<\/p>\n

With the VPN server acting as a gateway to a company’s internal network, this would prevent all remote employees from doing their jobs, effectively crippling an organization that has little to no workers on-site.<\/p>\n

Radware says that these types of DDoS attacks don’t even have to be massive in size.<\/p>\n

In a non-public report seen by ZDNet, Dileep Mishra, a Sales Engineering Manager at Radware, says that a fine-tuned TCP Blend (DDoS) attack with an attack volume as low as 1 Mbps is enough to crash a VPN server or a firewall.<\/p>\n

Furthermore, SSL-based VPNs (like Pulse Secure, Fortinet, Palo Alto Networks, and others) are also vulnerable to an SSL Flood (DDoS) attack, just like web servers, Mishra said.<\/p>\n

Attackers can initiate thousands of SSL connections to an SSL VPN, and then leave them hanging. The VPN server allocates resources to deal with the flood of the attacker’s useless connections, exhausting memory, and preventing legitimate users from using the service.<\/p>\n

Furthermore, because even the IT staff will most likely be working from home, any weakness left in VPN servers would be exploited by attackers to cut off system administrators from their own servers while they rampage through the internal network, steal proprietary data, or install ransomware.<\/p>\n

Other considerations<\/h3>\n

But VPN servers are only one option in an array of remote\/telework tools available to companies today.<\/p>\n

The NJCCIC also recommends that companies pay close attention to the security of cloud and Software-as-a-Service (SaaS) applications that remote workers will be using in the coming months because of the COVID-19<\/a><\/span> outbreak.<\/p>\n

Similarly, Radware also warns about the increased usage of Remote Desktop Protocol (RDP) connections inside companies with ever-increasing remote workforces. RDP endpoints and accounts will need to be properly secured as well, just like VPNs.<\/p>\n

Last, but not least, Bruneau also lays out a series of questions and considerations that companies will need to ponder if they’re using VPN systems to grant remote workers access to their internal networks.<\/p>\n