For many businesses, a “working” VPN is considered sufficient for their staff to work remotely from home.
However, did you know that staff are 70% more likely to become complacent with company procedures and security, which in turn puts your whole company at risk?
So what questions should you be asking to minimize the likelihood of one of your staff opening up that dodgy-looking email and putting company data at risk?
1. Are my staff trained to know the difference between fake and real emails?
It’s well known that attackers regularly take advantage of crisis situations, such as the ongoing global coronavirus pandemic, to pursue their various goals through social engineering. This rests on the widely accepted view that employees, more than any technological system, often represent the weakest link in the security chain.
At a time when COVID-19 is taking over our consciousness, it is easy for attackers to exploit human concerns and feed us malicious information, often cloaked behind seemingly legitimate advice on health and wellbeing, and thus mount mass phishing attacks. Vaccine announcements and urgent messages about updates to company protocol around coronavirus, for example, could cause even employees who are aware of the risk of phishing to fall for such schemes.
It’s therefore vital to raise awareness and ensure that cases where an employee encounters a phishing attempt are reported to relevant company staff immediately.
2. Are my employees’ home internet connections secure?
When was the last time your employees had a professional IT consultant audit their home internet and Wi-Fi security?
The answer is probably never. This becomes a huge concern once you consider that you are giving your employees direct access into the office via a VPN. What if their Wi-Fi has an open connection? That would allow anyone to join your employee’s home network and carry out malicious attacks from there, and could even let them hijack the VPN connection.
3. Are my Employees’ VPN Login Credentials Sufficiently Strong and Protected?
In many organisations, the policy enforcing permissions for system connections is not strong enough. Security teams must constantly remind themselves of how lucrative login credentials are to hackers. Using multi-factor authentication across both the connection and identification processes should therefore be considered mission critical, because of its ability to close off attack vectors.
4. How Old is My Current VPN Service?
VPN services have become an increasingly popular attack vector in recent times. It’s not just the onset of coronavirus that has encouraged employees around the world to work from home. It’s a lifestyle choice that has become fairly common, and while it provides significant flexibility, it also provides cyber attackers with a service to target.
In 2019 alone, researchers uncovered a series of new vulnerabilities in VPNs, including CVE-2019-14899, which allowed attackers to hijack VPN sessions, as well as the Iranian “Fox Kitten” campaign.
These discoveries, on top of existing known vulnerabilities, only emphasize the fact that it’s more important than ever – with many organisations now relying almost entirely on VPN services – to make sure that VPN servers are up to date and tightly configured.
5. Where Does Our VPN Client Connect?
A VPN client – an application typically used to connect to virtual private networks – will most likely be pre-configured with the VPN server, although it’s possible to configure it by IP address or by name.
The name of the VPN server is usually a Domain Name System (DNS) record, a more human-readable address that directs the user to a specific IP address. In some cases, an attacker might not attack the VPN client or server directly, but the DNS record itself, and use it to hijack or sniff the session.
The latter involves attackers capturing network traffic between a website and a client that contains a session ID, in order to gain unauthorised access. If your organisation is vulnerable to domain hijacking – for instance, if a cloud service was used by your organisation in the past but its DNS records were not removed, meaning anyone can claim them – you might be in a dangerous position.
To mitigate this risk, it’s worth configuring the client with the IP address of your company’s servers directly, without using the name, where that’s possible.
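As an added example (not from the article or its source), here is a small Python check that reads an OpenVPN-style client profile, reports whether each endpoint is given as a DNS name or an IP address, and notes whether the server’s certificate identity is pinned, which is the control that stops a hijacked record from impersonating the server even when the name is still used. The two profiles, the hostname and the address are constructed placeholders; the `remote`, `remote-cert-tls` and `verify-x509-name` directives are real OpenVPN options.

```python
import ipaddress

# Constructed OpenVPN client profiles (hypothetical; not from any real deployment).
# The weak one reaches the server by DNS name only and never checks who answers.
WEAK_PROFILE = """\
client
remote vpn.example.com 1194
ca ca.crt
"""

# The hardened one pins the address and also verifies the server certificate's
# identity, so a hijacked DNS record alone cannot redirect the tunnel unnoticed.
HARDENED_PROFILE = """\
client
remote 198.51.100.7 1194
ca ca.crt
remote-cert-tls server
verify-x509-name vpn.example.com name
"""

def is_ip_literal(host):
    """True if the endpoint is written as an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_profile(text):
    """Classify every 'remote' directive and check for server-identity pinning."""
    dns_remotes, ip_remotes, identity_pinned = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == "remote" and len(parts) >= 2:
            (ip_remotes if is_ip_literal(parts[1]) else dns_remotes).append(parts[1])
        elif parts[0] == "verify-x509-name" or parts[:2] == ["remote-cert-tls", "server"]:
            identity_pinned = True
    return {"dns_remotes": dns_remotes, "ip_remotes": ip_remotes, "identity_pinned": identity_pinned}

def findings(text):
    """Review notes for a profile; an empty list means nothing to flag."""
    result = audit_profile(text)
    notes = [f"remote '{h}' depends on a DNS record that could be hijacked" for h in result["dns_remotes"]]
    if not result["identity_pinned"]:
        notes.append("no remote-cert-tls/verify-x509-name: the server's identity is not pinned")
    return notes
```

Running `findings(WEAK_PROFILE)` yields two notes, while the hardened profile yields none.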
Source: cbronline.com/