The virtual private network can give organizations a false sense of security when they assume that the encrypted tunnel is enough to lock down the communication between a traveling user and the home network. And VPNs increasingly have become an overlooked attack platform, especially in targeted attacks, security experts say.
In 55 percent of the breaches investigated by Trustwave SpiderLabs this year, the attackers got in via a VPN or remote access connection. The encrypted tunnel to the corporate network secures the traffic passing between the user and the company's servers and resources, but it can just as well carry malware from the user's machine into the enterprise, and attackers who grab a user's VPN credentials can make themselves at home in the corporate network as well.
That's because many organizations still use static usernames and passwords for VPN users rather than two-factor authentication, and many don't have user access policies in place and enforced, either.
"A VPN is designed to encrypt and tunnel traffic to enable a user to have a network connection back to their [enterprise] network or data center. In an SSL or any VPN, interception of that traffic is not likely to happen," says Nicholas Percoco, senior vice president at Trustwave and head of Trustwave SpiderLabs.
But at the point when an end user joins a guest network, such as an airport WiFi or hotel wired network -- prior to setting up a VPN connection -- his machine can be exposed. "A lot of organizations still issue VPN credentials to their end users with static usernames and passwords. That's the way we saw a lot of breaches that have occurred [via the VPN]," Percoco says. "The credentials get intercepted by a piece of malware on their computer, like a keylogger."
Another mode of attack Trustwave has seen is via a third party that has been given VPN credentials to an organization's network. One company that outsourced its PBX to a third party had given the firm a VPN account to perform maintenance on the PBX systems, and that account was abused, Percoco says. But the company hadn't checked its VPN logs: If it had, it would have noticed that the third-party vendor's VPN account had been active 24/7 for three to four weeks, he says. "They would have noticed something else was going on," Percoco says.
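The PBX vendor case above is the kind of thing a routine look at the VPN concentrator's session log would have caught: a maintenance account should connect for a few hours at a time, not stay up for weeks. The following script is an added example, not code from the article or from Trustwave; it assumes a constructed, simplified log format with `login`/`logout` events (map your own concentrator's or RADIUS accounting records to the same tuples), pairs the events into sessions, treats a login with no logout as still open, and flags any account whose single longest session exceeds a threshold you set per account class.

```python
"""Flag VPN accounts whose sessions run far longer than a maintenance window.

Added example (not from the article or Trustwave). The log lines and the
threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export. Timestamps are UTC; source addresses are from
# documentation ranges. The vendor account logs in on 2 May and does not
# log out until 23 May, then comes back the next day and stays open.
SAMPLE_LOG = """\
2011-05-02T08:55:10Z login user=jdoe src=198.51.100.20
2011-05-02T09:12:44Z login user=pbx-vendor src=203.0.113.5
2011-05-02T17:40:02Z logout user=jdoe
2011-05-03T07:30:00Z login user=msmith src=198.51.100.31
2011-05-03T12:02:17Z logout user=msmith
2011-05-23T11:03:51Z logout user=pbx-vendor
2011-05-24T10:00:00Z login user=pbx-vendor src=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login|logout) user=(?P<user>\S+)")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# "Now" is fixed so the example is reproducible; a real audit uses the
# time the log was exported.
NOW = parse_ts("2011-05-25T00:00:00Z")
# Assumed policy: no single VPN session should last longer than 12 hours.
THRESHOLD = timedelta(hours=12)


def sessions_from_log(text, now):
    """Pair login/logout events per user into (start, end) sessions.

    A login with no matching logout is treated as still open at `now`,
    so a session that is active at audit time is not silently dropped.
    If a user logs in twice without logging out, the earliest login is kept.
    """
    open_since = {}
    sessions = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore lines that are not session events
        ts, user = parse_ts(match["ts"]), match["user"]
        if match["event"] == "login":
            open_since.setdefault(user, ts)
        elif user in open_since:
            sessions[user].append((open_since.pop(user), ts))
    for user, start in open_since.items():
        sessions[user].append((start, now))
    return dict(sessions)


def audit(text, now, threshold):
    """Return {user: longest_session_duration} for accounts over threshold."""
    flagged = {}
    for user, spans in sessions_from_log(text, now).items():
        longest = max(end - start for start, end in spans)
        if longest > threshold:
            flagged[user] = longest
    return flagged


if __name__ == "__main__":
    for user, longest in sorted(audit(SAMPLE_LOG, NOW, THRESHOLD).items()):
        print(f"{user}: longest session {longest} exceeds {THRESHOLD}")
```

Run on the constructed log, only `pbx-vendor` is reported, with a longest session of 21 days. A per-account threshold (tighter for third-party maintenance accounts than for staff) and a second check on total connected hours per week are the natural next steps; the point is that the evidence was already in the log, it just needed to be read.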
Nimmy Reichenberg, vice president of marketing and business development for AlgoSec, says organizations often mistakenly assume their VPN traffic is as secure as traffic on their internal networks. "In a nutshell, that's a mistake," he says. "When a typical user is on a VPN from a remote [site], home office, or on the road, they may not have [proper] security controls in place."
The VPN is just another flavor of an endpoint breach, says Rainer Enders, CTO of NCP engineering. "The paradigm shift going on is moving away from securing the perimeter. SSL is just a tunnel, and the same is true for IPsec. It's just a pipe, so you need to have additional security measures and components," Enders says.
Two-factor authentication would have stopped the sabotage at Gucci earlier this year, he says. In that case a disgruntled network engineer who had been fired created a phony employee account and went on a sabotage spree, deleting virtual servers, taking a storage area network offline, and deleting mailboxes from the corporate email server.
"If they had a token or something else that had to be turned in when you were terminated," it would have protected the network, Enders says.
The dangers of unsecured WiFi networks are legendary, but many travelers still use them as long as they have a VPN client. The risk, of course, is that an attacker on the same network intercepts the user's WiFi connection with a man-in-the-middle attack.
And on a wired network, such as a hotel LAN, an attacker can ARP-spoof [Address Resolution Protocol], says Trustwave's Percoco. "The attacker can announce on the wire that he is now the default gateway" to the Internet and perform a man-in-the-middle attack, he says. The user is not likely to notice anything, he says.
"If VPN credentials are sent in the clear, the attacker can sniff it and record it. If it's SSL-encrypted, he can try to throw up rogue certificates to try to intercept that [connection]," he says. Attackers typically store those stolen credentials and later monetize or sell them.
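The gateway announcement Percoco describes leaves a trace on the client side: the IP address of the default gateway suddenly resolves to a different hardware address, and the same hardware address now answers for both the gateway and an ordinary host on the LAN. The script below is an added example, not code from the article or from Trustwave; it assumes a constructed list of observed ARP replies (a real monitor would feed it from a capture on the laptop's interface, in the spirit of tools such as arpwatch) and an assumed gateway address handed out by the hotel's DHCP, and it raises an alert on either pattern.

```python
"""Detect gateway impersonation from a stream of observed ARP replies.

Added example (not from the article). The observations and the gateway
address are constructed for illustration.
"""
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")
Alert = namedtuple("Alert", "ts kind ip old_mac new_mac")

# Assumed default gateway on the hotel LAN (taken from the DHCP lease in
# a real monitor).
GATEWAY_IP = "10.0.0.1"

# Constructed observations: the real gateway answers first, another host
# (10.0.0.7) is seen normally, then that host's MAC starts answering for
# the gateway's IP address.
OBSERVED = [
    ArpReply(1.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(2.0, "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply(3.5, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(4.0, "10.0.0.1", "00:11:22:33:44:07"),
    ArpReply(4.2, "10.0.0.1", "00:11:22:33:44:07"),
]


def arp_alerts(replies, gateway_ip):
    """Return alerts for IP-to-MAC binding changes and for a MAC that claims
    the gateway address as well as another host's address.

    Binding changes are reported every time they happen (so a flip back to
    the original MAC is also reported); the "one MAC, gateway plus host"
    pattern is reported once per MAC.
    """
    ip_to_mac = {}                  # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    reported_macs = set()
    alerts = []
    for reply in replies:
        previous = ip_to_mac.get(reply.ip)
        if previous is not None and previous != reply.mac:
            kind = "GATEWAY_MAC_CHANGED" if reply.ip == gateway_ip else "IP_MAC_CHANGED"
            alerts.append(Alert(reply.ts, kind, reply.ip, previous, reply.mac))
        ip_to_mac[reply.ip] = reply.mac
        mac_to_ips[reply.mac].add(reply.ip)
        claimed = mac_to_ips[reply.mac]
        if gateway_ip in claimed and len(claimed) > 1 and reply.mac not in reported_macs:
            reported_macs.add(reply.mac)
            alerts.append(Alert(reply.ts, "MAC_CLAIMS_GATEWAY_AND_HOST",
                                reply.ip, None, reply.mac))
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(OBSERVED, GATEWAY_IP):
        print(f"t={alert.ts:>4}: {alert.kind} ip={alert.ip} "
              f"old={alert.old_mac} new={alert.new_mac}")
```

On the constructed input this yields two alerts at t=4.0: the gateway's MAC changed, and the new MAC is one already seen answering for 10.0.0.7. Neither is proof of an attack on its own; a redundant-router failover or a DHCP re-lease can legitimately change a gateway's MAC, so treat the alert as a reason not to enter VPN credentials on that network until it is understood. Comparing against a known-good gateway MAC recorded on a previous stay tightens the check further.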
Look for these attacks to continue: Percoco is currently working on Trustwave's next security report, and he says these remote access attacks "are going to look very similar."