Virtual Private Networks, the term our industry uses to describe encrypted data tunnels, take many forms. Despite their numerous labels, the VPN serves one primary purpose: protecting data integrity as that data traverses the open internet. VPNs are the mechanism used within our industry to build and maintain information highways across the internet. Point A encrypts, the ‘tunnel’ or VPN transports, and point B decrypts sensitive data. Protecting ‘data at rest’ is one challenge, served by a plethora of products such as firewalls, proxies, intrusion prevention solutions, anti-malware systems and the like. ‘Data in motion’ is another story and is best served through the use of cryptography such as hashing, symmetric encryption and asymmetric encryption.
An analogy that comes to mind: I want Bob to have a letter. I give the letter to you unsealed and I want you to walk over and give it to Bob. If I wanted Bob to have this letter and did not want anyone to see it, including you, the delivery mechanism, I might instead consider sealing it in an envelope, writing his mailing address on it, affixing a stamp and dropping it in the mailbox.
The sealed envelope serves the same purpose as the VPN. The sensitive data is routed to Bob, protected from all prying eyes.
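The sealed-envelope model above, worked through as an added example (not code from the original article or from any VPN product): point A encrypts and seals, the tunnel carries the packet, and point B checks the seal before decrypting. The cipher here is a toy SHA-256 keystream chosen so the example runs with the Python standard library only; the pre-shared secret and the message are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy tunnel for illustration only. A real VPN uses a vetted AEAD such as
# AES-GCM or ChaCha20-Poly1305; the structure (encrypt, then seal with a
# MAC, then verify the seal before decrypting) is what this demonstrates.

def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    # Separate keys for confidentiality and for integrity (hashing).
    enc_key = hashlib.sha256(b"enc" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac" + shared_secret).digest()
    return enc_key, mac_key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a stand-in PRF (symmetric encryption).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def point_a_send(shared_secret: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(12)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC: the tag is the "seal" on the envelope.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def point_b_receive(shared_secret: bytes, packet: bytes) -> Optional[bytes]:
    enc_key, mac_key = derive_keys(shared_secret)
    if len(packet) < 12 + 32:
        return None  # malformed: too short to carry nonce and tag
    nonce, ciphertext, tag = packet[:12], packet[12:-32], packet[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # seal broken in transit: drop, never decrypt
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def tunnel_demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    secret = b"constructed pre-shared secret"           # constructed value
    packet = point_a_send(secret, b"letter for Bob")    # constructed message
    intact = point_b_receive(secret, packet)
    tampered = bytearray(packet)
    tampered[20] ^= 0x01  # one bit of ciphertext flipped on the open internet
    return intact, point_b_receive(secret, bytes(tampered))
```

Decrypting without first verifying the seal would silently hand Bob a corrupted letter; rejecting the packet instead is what "protecting data in motion" means in practice.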
An Evolving VPN Threat Landscape
Security teams around the globe face an ever-growing array of threats to ‘data in motion.’ Anyone responsible for updating a network’s anti-virus and malware detection software understands the exponential rise in the number of virus, malware and spyware definitions. Just recently at the Black Hat conference in Las Vegas, RSA Research, a well-known and respected security analytics firm, broke news of a Chinese VPN service comprising over 1500 VPN nodes obtained by exploiting Windows-based servers. They named this threat Terracotta. The Terracotta network is similar in size and scope to the Bunitu botnet uncovered by ad-fraud fighting firm Sentrant and Malwarebytes.org. Of note, because the VPN server infrastructure itself is infected, malicious parties can buy access on the dark web to the data passing through those VPN servers.
“We believe that the operators of the Bunitu botnet are selling access to infected proxy bots as a way to monetize their botnet. People using certain VPN service providers to protect their privacy are completely unaware that the backend uses a criminal infrastructure of infected computers worldwide,” says Jérôme Segura, a leading technology consultant.
Last year, the Heartbleed bug allowed anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. This compromised the secret keys used to identify the service providers and to encrypt traffic; identifiable end-user and company information as well as proprietary content were all targets. Attackers eavesdropped on communications, stole data directly from the service providers and impersonated users.
Disclosure of these types of Internet-wide bugs is still being debated today. Is the public allowed to know that something as simple as the correct implementation of a VPN could have prevented some of these breaches? Breaking cryptography for data theft is still something many people with moral and ethical defects are doing, but the reality is that the software is usually not the issue. More often than not, and in the case of Heartbleed, it was human error in the implementation of chunks of code in the affected systems. VPNs cannot save your company from a determined effort to crack your system. However, when correctly implemented they can provide the kind of cryptographic security you need in order to fend off the lower class of cyber-criminal. The long-term effects of these three examples (Terracotta, Bunitu and Heartbleed) are still unknown. Due to the widespread deployment of OpenSSL (implemented on two thirds of web sites), it is difficult to know how many sites have been and will continue to be affected.
Invasion of BYOD
Bringing your own devices to work may sound like something we all should be doing. Especially since 19% of firms believe BYOD is a key factor in improving employee satisfaction. But what about the security of the data leaving the network on these devices through the many apps both Android and iOS offer technical workers?
Securing that data can be a nightmare, especially if you are allowing users to run their devices on their own data plans off your network. In a bid to crack down on employee and hacker theft of data due to mobile device use, Gartner suggests that 50% of companies who previously supplied devices to their workers will cease doing so. (Gartner)
The impact on users is usually where the conversation begins. However, the impact on the structural integrity of VPNs is often overlooked when choosing a solution. Whether a user connects on Wi-Fi, mobile hotspots, mobile cell connections or public Wi-Fi, the general consensus says a solid VPN must support all connections. This goes right along with supporting existing infrastructure by choosing the VPN which most seamlessly integrates with as many of your users’ devices as possible. A simple staff survey to find out which devices are the most popular can be very helpful when choosing which VPN to run with.
Example of VPN Security
In reference to one of our premier security vendors, Jeff Wilson of Infonetics Research writes, “Customers want a consolidated offering for access control, SSL VPN, and mobile device security. Pulse Secure is in a great position to provide a unique solution.”
A key flaw dating all the way back to 2006 was a privilege escalation vulnerability which allowed non-privileged users to gain administrative access by executing arbitrary code through a buffer overflow. Unlike many consumer and enterprise VPN solutions, we have found that Pulse Secure does not store the username in the Windows Registry. Application freedom and policy compliance should coexist without any blind spots for the Data Roamers among us. Zero-day attacks and advanced persistent threats can be stopped head on by restricting real-time visibility of security access policies.
Securing BYOD is not impossible; it is just another layer of security on top of most focused CIO and IT Director security policies. Another advantage of Pulse Secure is that it integrates with apps on a user’s phone or tablet while providing differentiated access to administrators. This way IT can find the balance between securing a network and providing simple and fast solutions to its users. With up to 82% of companies allowing staff to use personal devices in the office, it is no wonder the ‘invasion of BYOD’ is an actual term being floated by CIOs across the globe.