Technology #1: Secure Remote VPN Access
One of the biggest challenges our customers faced a few weeks ago was providing business continuity when working from home. Many organizations grew continuous VPN capacity from 20% to greater than 80% of employees in a matter of weeks. The mandate for many organizations was to get employees up and running first and address security afterward. Many of these employees did not have remote access before this crisis.
Today, we know that during the COVID-19 crisis, some adversaries are abusing the situation to launch targeted campaigns. Phishing campaigns and sites related to COVID-19 are being actively used to spread malicious files and harvest credentials. It’s now time to address security!
What are the challenges for Secure Remote VPN Access?
To ensure remote access and provide business continuity in a very short time, many organizations scaled up VPN connections for teleworkers, often without security features enabled. In some cases, the load on VPN systems grew so much that organizations were forced to disable security features as well.
IT and security teams have to maintain business continuity in a secure way while keeping visibility and control. For that reason, this blog post summarizes the most important secure remote VPN access considerations for reducing risk.
How can you decrease the risk by providing secure remote VPN access?
Secure remote VPN access typically needs to support security objectives like confidentiality, integrity, and availability; all the components of a secure remote access solution should be secured against a variety of threats. In light of the threats caused by the malicious campaigns, we highlight the most important:
- VPN Tunnel
Many organizations use VPN tunneling technology to provide access to company resources. Sending all network traffic of teleworkers back through the organization’s firewall decreases the risk when users work outside the organization’s network and protects them as if they were in the office. This is the best and most secure approach. However, the increased number of users and the double usage of internet capacity put a lot of stress on the capacity of your VPN solution and firewalls.
Organizations might choose to decrease the pressure on the VPN and firewall by using split VPN tunnel functionality. Split VPN tunneling allows teleworkers to use the VPN only for applications hosted by the organization and to connect directly to the internet for anything else. As a result, connections to malicious sites such as phishing sites, and connections made by malware on the computer, go directly to the internet as well. Credentials harvested in a phishing campaign can give the cybercriminal a big initial foothold in your organization. If malware gets installed, it might launch a ransomware attack that encrypts not only local files but also files on a share.
For that reason, it is essential to consider a full VPN tunnel or to supplement a split VPN tunnel solution with alternative security controls, for example DNS Security. If your VPN and firewall solution has capacity constraints, VPN and firewall solutions delivered directly from the cloud help to resolve them. A cloud-based solution would be a good idea for the future as well, considering the changing landscape of business cloud applications and the growing mobility of your workforce.
(In an upcoming blog post we will elaborate on the details of a cloud-based solution and DNS Security.)
- Remote Access Authentication
Many organizations scaled up VPN connections for teleworkers, often without the use of multi-factor authentication (MFA). Knowing that phishing and credential theft are the number one hacking methods for getting access to your data and applications, the access gateways that deliver telework capabilities must be implemented securely. Multi-factor authentication asks the teleworker to prove their identity with an extra factor. This can be a hardware or software token. Physical tokens are hard to manage at a time when users cannot meet each other in the work environment: it is a logistical challenge to get all these tokens to the right place and the right person. Apps on mobile devices are fast to deploy and often already in use by end-users (e.g. Google Authenticator). Every Office 365 or G Suite user can be enabled for MFA without additional cost. On-premises VPN solutions can be extended with an MFA solution, which is a must in any situation.
- Teleworking client device security
There are many threats to telework client devices. A security-aware end-user is an excellent first security control. However, telework client devices face threats ranging from malware to trojan horses, rootkits, spyware, and bots. For that reason, it is vital to ensure that as many features of your endpoint security solution as possible are activated. At the same time, it is important to guarantee that the client devices remain up-to-date and patched to protect them against known vulnerabilities.
(In an upcoming blog post we will elaborate on managing patches and vulnerabilities.)
A practical checklist
The following checklist summarizes the steps for ensuring secure remote VPN access:
- Verify if internet access of teleworker clients is secured, either via:
  - Full VPN tunnel
  - DNS Security
  - URL Filtering
- Verify if the appropriate firewall security policies are applied for teleworker clients
- Verify if all VPN connections are authenticated with multi-factor authentication
- Verify if all endpoint security features are enabled
- Verify if all teleworker clients are patched and up-to-date
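For the first checklist item and the split versus full tunnel distinction described under "VPN Tunnel", the following added example (not from the original post) classifies a teleworker client's IPv4 routing table and reports which destinations bypass the VPN. The interface names `tun0` and `wlan0`, the route tables and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample routing tables (destination CIDR, egress interface); IPv4 only.
# tun0 = VPN interface, wlan0 = home network; all addresses are made up.
SPLIT_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route: straight to the internet
    ("192.168.1.0/24", "wlan0"),   # home LAN
    ("10.20.0.0/16", "tun0"),      # only the corporate range uses the VPN
]
FULL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # original default route is still present
    ("0.0.0.0/1", "tun0"),         # two /1 routes override it without deleting it
    ("128.0.0.0/1", "tun0"),
    ("192.168.1.0/24", "wlan0"),   # home LAN
    ("198.51.100.7/32", "wlan0"),  # host route to the VPN gateway itself
]

def egress_interface(routes, dst):
    """Longest-prefix match: interface a packet to dst leaves on, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_mode(routes, vpn_iface):
    """Return 'full' if the VPN routes cover all of IPv4, 'split' if only part, else 'none'."""
    vpn_nets = [ipaddress.ip_network(c) for c, i in routes if i == vpn_iface]
    if not vpn_nets:
        return "none"
    merged = ipaddress.collapse_addresses(vpn_nets)
    return "full" if any(n.prefixlen == 0 for n in merged) else "split"

def direct_destinations(routes, vpn_iface, destinations):
    """Destinations whose traffic bypasses the VPN and the corporate firewall."""
    return [d for d in destinations if egress_interface(routes, d) != vpn_iface]

if __name__ == "__main__":
    probes = ["10.20.5.9", "203.0.113.50"]  # corporate app, arbitrary internet host
    for name, table in (("split", SPLIT_ROUTES), ("full", FULL_ROUTES)):
        print(name, tunnel_mode(table, "tun0"), direct_destinations(table, "tun0", probes))
```

Any destination the split-tunnel table reports as direct is traffic the organization's firewall never sees, which is where the DNS Security or URL Filtering options from the checklist have to take over.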
How can we help?
Orange Cyberdefense can help you with:
- A review of your VPN and firewall resources and configuration
- Assistance with enabling multi-factor authentication
- Assistance with enabling maximum functionality on your endpoint security