Virtual Private Networks (VPNs) have been in place in almost every organization for many years. Their use has mostly been limited to site-to-site tunnels between offices and third-party organizations, remote access for IT specialists handling incident/change management when they are away from their workplaces, and temporary remote access for employees who travel. While some enterprises may have seen wider adoption of VPNs for certain categories of employees on a permanent basis (for example, sales agents or middle/top management), for the most part, staff did not use VPN services.
The COVID-19 pandemic, however, has drastically changed the way we live and how we work. As the pandemic forced a shift toward remote working, enterprises urgently organized teleworking channels with the aid of VPNs. The urgency with which these ad-hoc setups were created often bypassed standard information security requirements, proper due diligence and IT change management processes. For many organizations, the remote work VPNs were part of their crisis management plan. As such, there was an assumption that these ad-hoc setups surely were not permanent and any temporary increase in the risk profile was acceptable. However, recent trends predict with high probability that remote working models or hybrid remote working models are a permanent fixture. Given that, there is a need to provide stronger assurance about the level of IT risk associated with the VPN technology.
ISACA’s VPN Security Audit Program provides a framework to assess the exposure of VPN setups to old and emerging threats that may impede network and security specialists. I will list only a small subset of them in this blog post. In one scenario, attackers scan enterprises’ IP ranges to identify poor security settings and unpatched, vulnerable VPN devices. If they succeed in penetrating the firewall perimeter, they may use VPNs to maintain permanent access and keep themselves below the radar of anti-malware and intrusion detection solutions. Without a thorough analysis of VPN usage patterns, it is difficult to identify the attackers’ malicious actions.
VPN address pools often have overly broad access lists applied on the firewalls and become a springboard for attacks on the internal server and workstation network segments. Also, consider the fact that VPNs can be targeted by attackers at almost every stage of the cyber kill chain. On a lighter note, even the well-known botnet got its name, VPNFilter, from one of its artifacts (the /var/run/vpnfilterm folder).
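The "analysis of VPN usage patterns" mentioned above can be started with very simple heuristics over the VPN gateway's authentication log. The following is an added example, not code from ISACA's audit program or from the post: it assumes a constructed log format of `<ISO timestamp> <user> <source IP> <result>` (the user names and IP addresses are constructed sample data) and flags three patterns an auditor would want to review: a success preceded by a burst of failures, logins outside business hours, and one account connecting from more distinct source addresses in a day than is normal.

```python
"""Flag suspicious VPN usage patterns in a constructed authentication log.

Added example (not from the ISACA blog post). The log format, threshold
values, user names and IP addresses below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2023-05-02T08:55:10 alice 203.0.113.10 success
2023-05-02T09:01:44 bob 198.51.100.7 success
2023-05-02T02:13:05 carol 192.0.2.44 failure
2023-05-02T02:13:09 carol 192.0.2.44 failure
2023-05-02T02:13:14 carol 192.0.2.44 failure
2023-05-02T02:13:20 carol 192.0.2.44 failure
2023-05-02T02:13:27 carol 192.0.2.44 success
2023-05-02T03:40:00 alice 198.51.100.200 success
2023-05-02T03:41:12 alice 192.0.2.99 success
2023-05-02T17:30:00 bob 198.51.100.7 success
"""

BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 local time is normal
MAX_FAILS_BEFORE_SUCCESS = 3    # assumed: more consecutive failures than this, then a success, is suspicious
MAX_DISTINCT_IPS_PER_DAY = 2    # assumed: a user normally connects from one or two addresses per day


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def find_anomalies(text):
    """Return a list of (alert_type, user, source_ip) tuples for the log text."""
    alerts = []
    consecutive_fails = defaultdict(int)   # per user, reset on a success
    source_ips = defaultdict(set)          # per (user, day): successful source IPs
    for ts, user, ip, result in parse_log(text):
        if result == "failure":
            consecutive_fails[user] += 1
            continue
        # Successful login: evaluate the heuristics.
        if consecutive_fails[user] > MAX_FAILS_BEFORE_SUCCESS:
            alerts.append(("password_guessing", user, ip))
        consecutive_fails[user] = 0
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", user, ip))
        key = (user, ts.date())
        source_ips[key].add(ip)
        if len(source_ips[key]) > MAX_DISTINCT_IPS_PER_DAY:
            alerts.append(("many_source_ips", user, ip))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert)
```

The thresholds are deliberately simple; in practice they would be tuned per user group, and the "many source IPs" rule would normally be refined with geolocation so that a user appearing in two countries within minutes is scored higher than a user switching between home and mobile networks.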
VPN technologies are very complex in nature and diverse in the concepts they use. Out-of-the-box setups quickly become obsolete and potentially dangerous. Consider that the 3DES cipher used with IPsec, OpenVPN and HTTPS-based VPNs is prone to the Sweet32 attack because its block size is only 64 bits. Simultaneous support of IKEv1 and IKEv2 on certain VPN devices led to successful exploitation of Bleichenbacher oracles (a weak IKEv1 setup allowed more secure IKEv2 connections to be compromised).
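Both of the weaknesses just named are visible in configuration, so an audit can check for them mechanically. The following is an added example, not part of the post or of any vendor's tooling: it audits a constructed, OpenVPN-like `key value` configuration (the `cipher` and `ike-version` keys and the configuration format are assumptions for illustration, not a real product's syntax), flags ciphers with a 64-bit block together with the Sweet32 data bound for that block size, and flags IKEv1 being enabled.

```python
"""Audit constructed VPN settings for Sweet32-prone ciphers and IKEv1.

Added example (not from the ISACA blog post). The configuration format and
the keys "cipher" / "ike-version" are assumptions for illustration.
"""

# Block size in bits for ciphers that commonly appear in VPN configurations.
BLOCK_BITS = {
    "3des": 64, "des-ede3-cbc": 64, "bf-cbc": 64,    # 64-bit block: Sweet32-prone
    "aes-128-cbc": 128, "aes-256-cbc": 128, "aes-256-gcm": 128,
}
GIB = 2 ** 30

# Constructed sample configurations: a legacy one and a corrected one.
WEAK_CONFIG = """\
# legacy settings (constructed sample)
cipher BF-CBC
cipher AES-256-CBC
ike-version 1,2
"""

HARDENED_CONFIG = """\
# corrected settings (constructed sample)
cipher AES-256-GCM
ike-version 2
"""


def sweet32_bound_bytes(block_bits):
    """Bytes encrypted under one key before a block collision becomes likely.

    By the birthday bound, about 2^(n/2) blocks of an n-bit block cipher are
    enough for a collision to become likely; for n = 64 that is 2^32 blocks
    of 8 bytes, i.e. 32 GiB, which is the data volume behind Sweet32.
    """
    return (2 ** (block_bits // 2)) * (block_bits // 8)


def parse_config(text):
    """Parse 'key value' lines (comments after '#' ignored) into {key: [values]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), []).append(value.strip().lower())
    return settings


def audit(text):
    """Return a list of findings; an empty list means no issue was detected."""
    settings = parse_config(text)
    findings = []
    for cipher in settings.get("cipher", []):
        bits = BLOCK_BITS.get(cipher)
        if bits is None:
            findings.append(("unknown_cipher", cipher))
        elif bits <= 64:
            # A 64-bit block cipher should be replaced, not merely rekeyed more often.
            findings.append(("sweet32", cipher, sweet32_bound_bytes(bits) // GIB))
    versions = [v for value in settings.get("ike-version", []) for v in value.split(",")]
    if "1" in versions:
        # IKEv1 alongside IKEv2 is the setting the post describes as exploited.
        findings.append(("ikev1_enabled", ",".join(versions)))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The third element of a `sweet32` finding is the bound in GiB (32 for a 64-bit block), which gives the auditor a concrete figure for how much tunnel traffic a single key may see before the weakness becomes practical.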
These few examples demonstrate how easy it is for a VPN to go wrong and, without regular audits, how difficult it is to know when something has gone wrong and to properly manage the VPN risk. The assurance framework based on ISACA’s VPN audit program covers the effectiveness of controls in the governance, technology and maintenance domains in a systematic way and will be helpful for internal and external auditors, as well as for those performing self-assessments.
About the author: Glib Pakharenko holds Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) and Offensive Security Certified Professional (OSCP) credentials. He has more than 15 years of experience in information security advisory, audit and delivery of IT security solutions in various industries, including the telecom, financial services, public and media sectors. Glib led the IT audit practice in one of the largest Ukrainian asset management companies, Eastone, and worked for major international financial institutions, including ING Bank and Royal Bank of Scotland. His public work includes participation in the ISACA and Open Web Application Security Project (OWASP) Kyiv chapters, translation of multiple security standards into his native Ukrainian language and research on cyberattacks and Advanced Persistent Threats (APT) in Eastern Europe. Nowadays he runs his own cybersecurity consulting company, Pakurity, which provides penetration testing, training and other services to its clients. He likes to travel to different parts of Ukraine and actively supports his wife’s and sons’ video channels on YouTube.