Virtual private networks have long been a fundamental element of digital security away from the office, but there’s a huge target on their backs thanks to COVID-19. That’s why the NSA is offering configuration tips.
For many organizations, associations included, the virtual private network (VPN) has long been a standby of work away from work.
Essentially a secure channel meant for connecting users to remote servers, the model has been fundamental for many organizations worried about concerns of security and access over the years. In recent years, VPNs have even gone mainstream, with services like NordVPN and TunnelBear frequently advertising on popular YouTube channels.
The whole pitch behind these services is that they keep you secure, prevent outside access to your corporate network … and, for consumers, allow them to bypass content blocks on local networks. (Beyond their security considerations, they tend to make it easy to see what it’s like to use Netflix in Iceland.)
But despite this promise, the mass shift to remote work has raised questions about their security potential going forward.
Some prominent officials have even made a case for the VPN’s retirement. In a blog post last week, Greg Touhill, an Obama administration appointee who was the first-ever Federal Chief Information Security Officer, argued that VPNs were outdated technology (first introduced in the 1990s) that were more trouble than they were worth.
“Like Xerox became synonymous with photocopying, many people consider VPN synonymous with secure remote access,” he explained in Security. “This is unfortunate as it perpetuates an aging, expensive and increasingly vulnerable technology.”
He suggested a software-defined perimeter-driven approach instead, which effectively minimizes access that an individual user has to a specific product, limiting the attack surface in the process.
The NSA Speaks Up
Last week, concerns about the uptick in VPN use in teleworking led the National Security Agency to release a cybersecurity advisory warning about the rise in attacks on teleworking infrastructure, as well as the prevalence of vulnerabilities.
“We certainly see adversaries focused on telework infrastructure,” an NSA official said of the guide in comments reported by CBS News. “We’ve seen exploitation and as a result, have felt that this was a product that is particularly helpful now.”
The problem, as explained by FCW, is not the use of VPNs on their own, but issues with maintenance and upkeep that have limited their value long term. Essentially, an official told reporters last week, the shift from occasional tool to daily driver has put VPNs in a dangerous spot.
“Over the last 5-10 years, network owners, companies, and agencies had made a lot of progress in hardening network security, and then when COVID hit we all essentially left that environment and moved to a telework environment that in some cases existed before but was used one off, not at the scale, scope and constancy it’s used now,” the official told reporters.
In an effort to help IT departments better strengthen VPN software, the NSA’s guide—which comes in an executive summary form [PDF] and a more detailed variant [PDF]—explains to IT departments how to best set up a VPN to limit the potential for exploits. The long-form version even lists specific configurations for different kinds of platforms. The guide also recommends a focus on regular maintenance.
“Over the past several years, multiple vulnerabilities have been released related to [internet protocol security] VPNs,” the guide states. “Many of these vulnerabilities are only mitigated by applying vendor-provided patches. Applying patches to VPN gateways and clients needs to be a part of a regular routine.”
The Problem at Home
These recommendations are, of course, sound. But they may not be enough to solve the bigger issues at play—which include the fairly basic, unavoidable fact that the boss doesn’t have direct control over employees’ home networks.
In an article on the topic in Forbes last month, tech writer Wayne Rash cites a bevy of concerns with VPNs, including the fact that some such services, generally not the ones used by employers, may be based in far-off countries. But he emphasizes that the addition of the home-networking variable, along with the use of equipment not supplied by the IT department, could worsen the issue.
“When the family computer is being used to connect to the office, then whatever is on the computer, including malware your children may have downloaded, can also reach the office,” he writes.
And this requires a tougher approach to security, Neocova CEO Sultan Meghji told Rash. He warns that, for all of the benefits offered from working remotely, the risks can be extremely high if employees are not properly trained to do so safely.
“Focus on educating your people on cyber,” Meghji added. “People can self manage, if you get the processes in place.”
This is a complicated situation to get right. As I wrote just a couple of weeks ago, there is a push-pull going on between information technology department interests and user flexibility. And security surprises keep emerging—just last week, LinkedIn got dinged for copying user clipboards in its iOS app, a big problem for a social network your staff most assuredly uses.
You can’t look at a VPN, or anything else, like a silver bullet. Treat it like a tool, and ensure your users understand the importance of good security practices—even on the family computer.