February 12, 2021
As cyber-security advisors, we generally advise our customers and partners on choosing the best technological architecture to protect their networks and devices. Today we will discuss the use of virtual private network connections, also known as VPNs, and the wrong perception that they alone can secure remote work properly.
Implementing the company's virtual private network software on team members' home computers for remote access turned into a common practice since the last year. Still, personal assets and VPN should never coexist for professional purposes.
VPN technology became widely used with no proper control and security filters, making it an encrypted channel to infections and data breaches. With the high-scale movement for remote working policies, its vulnerabilities rapidly multiplicate and get explored by cyber-criminals. The damage will reflect large amounts of malware infections, corrupted systems, violated data, and fully exposed organizations.
Consider the following six recommendations not to implement VPN on home computers to connect corporate resources during remote work:
1. Home (personal) operating systems are more susceptible to vulnerabilities
Home users usually have previous generation operating systems, such as Windows 8, Windows 7, and Windows XP, installed on their computers. The older the home computer operating system, the worse it is defending against malware and system corruption. And more, they are not updated using vendor recommendations.
2. Personal devices are often shared by multiple users (family members)
Personal computers generally are shared among multiple individuals, and there are very few mitigations to prevent infections from compromising other accounts. Techniques like fast user switching keep other user profiles in memory, making them susceptible to various attacks based on a different active user profile. A malware that compromised a user can leverage an active VPN session connected to the organization to infect local and remote assets.
3. Lack of proper management on personal devices
Organizations do not have the authority to manage an individual's home computer, as home users are typically local administrators for their personal computers. That creates a huge security gap and goes totally against the concept of zero trust privilege policies.
Even when users allow the company to install antivirus for endpoint protection or a Network Access Control solution (NAC), there's still the risk of malware exposure and damage to sensitive data.
4. Inability to adequately secure the connection
Corporate VPN solutions typically embed a certificate into a connection or user profile to validate the connecting device or user. That happens independent of the authentication the user should provide via credentials.
The certificate can only be considered valid with proper security maintenance implemented for the asset. When a host is unprotected, it opens backdoors to threat actors to take possession of the certificate and make their connections.
5. Home computers don’t count with advanced protective resources
Home users typically only have free, basic antivirus and firewalls on their computers. These devices lack essential security resources, such as endpoint detection and response (EDR) and endpoint privilege management (EPM). Users also typically have no monitoring from security professionals to respond when something goes awry.
6. VPN is not designed for multiple users
Most corporate VPN implementations, even for corporate devices, are not sized to support many simultaneous users. That can result in unstable or poor network performance.
All these factors turn a VPN on home computers for remote work unacceptable. There are huge risks involved, and damage control can end up costing much more than proper protection.
Source: HiveCore Enterprise Solutions LLC
Implementing the company's virtual private network software on team members' home computers for remote access turned into a common practice since the last year. Still, personal assets and VPN should never coexist for professional purposes.
VPN technology became widely used with no proper control and security filters, making it an encrypted channel to infections and data breaches. With the high-scale movement for remote working policies, its vulnerabilities rapidly multiplicate and get explored by cyber-criminals. The damage will reflect large amounts of malware infections, corrupted systems, violated data, and fully exposed organizations.
Consider the following six recommendations not to implement VPN on home computers to connect corporate resources during remote work:
1. Home (personal) operating systems are more susceptible to vulnerabilities
Home users usually have previous generation operating systems, such as Windows 8, Windows 7, and Windows XP, installed on their computers. The older the home computer operating system, the worse it is defending against malware and system corruption. And more, they are not updated using vendor recommendations.
2. Personal devices are often shared by multiple users (family members)
Personal computers generally are shared among multiple individuals, and there are very few mitigations to prevent infections from compromising other accounts. Techniques like fast user switching keep other user profiles in memory, making them susceptible to various attacks based on a different active user profile. A malware that compromised a user can leverage an active VPN session connected to the organization to infect local and remote assets.
3. Lack of proper management on personal devices
Organizations do not have the authority to manage an individual's home computer, as home users are typically local administrators for their personal computers. That creates a huge security gap and goes totally against the concept of zero trust privilege policies.
Even when users allow the company to install antivirus for endpoint protection or a Network Access Control solution (NAC), there's still the risk of malware exposure and damage to sensitive data.
4. Inability to adequately secure the connection
Corporate VPN solutions typically embed a certificate into a connection or user profile to validate the connecting device or user. That happens independent of the authentication the user should provide via credentials.
The certificate can only be considered valid with proper security maintenance implemented for the asset. When a host is unprotected, it opens backdoors to threat actors to take possession of the certificate and make their connections.
5. Home computers don’t count with advanced protective resources
Home users typically only have free, basic antivirus and firewalls on their computers. These devices lack essential security resources, such as endpoint detection and response (EDR) and endpoint privilege management (EPM). Users also typically have no monitoring from security professionals to respond when something goes awry.
6. VPN is not designed for multiple users
Most corporate VPN implementations, even for corporate devices, are not sized to support many simultaneous users. That can result in unstable or poor network performance.
All these factors turn a VPN on home computers for remote work unacceptable. There are huge risks involved, and damage control can end up costing much more than proper protection.
Source: HiveCore Enterprise Solutions LLC
