Before the pandemic, virtual private networks (VPNs) were largely the domain of the tech-savvy or people looking to watch Netflix shows from other countries.
Subscribe now for unlimited access.
or signup to continue reading
Now nearly one-third of internet-goers have used one, primarily to access their organisation's server while working remotely.
VPNs offer a number of benefits outside enabling network connectivity and access to geo-blocked content across locations.
Perhaps the biggest is their promise to keep users secure by providing a private network under which internet protocols (IPs) are protected and online movements and passwords are encrypted.
VPNs also secure peoples' information when they use public Wi-Fi, which is a key consideration in the current work-from-anywhere culture.
These services have been widely touted, from tech experts to government agencies, as a way to shield ourselves against hackers by hiding our online movements and protecting our identities.
But make no mistake, VPNs are not an infallible cure-all for the nefarious tactics employed by cyber-criminals.
Firstly, to unlock access to a VPN, users typically only need to enter a password or a multi-factor authentication (MFA) code. As we've unfortunately witnessed, these identity tokens are not hard to crack.
With the increased usage of mobile devices, there are now endless channels through which hackers can deliver credential-stealing phishing attacks, and we've recently seen several high-profile breaches resulting from stolen credentials, with targets ranging from Uber to Medibank.
Hackers can also readily purchase this information from the dark web.
As was recently reported, troves of Australians' personal information is being traded in these marketplaces, including ATO and MyGov logins.
Once a VPN profile is accessed, hackers can completely take over not only single devices, but an organisation's entire network. Spyware can be used to monitor the exchange of confidential and personal information, providing ample fuel for extortion attempts, identity fraud and financial theft.
With network access they have access to a wide range of systems, meaning they can perform discovery operations to see what other opportunities they can leverage, and move laterally in what's called a "land-and-expand" operation.
In another example of the fallibility of VPNs, in 2020, when Australia was in the throes of its first COVID lockdown, the personal details of millions of free VPN users were leaked following a data breach of these systems.
READ MORE:
Augmenting VPNs with better security practices
Due to their widespread adoption and raft of benefits, VPNs are likely to remain a fixture of hybrid work arrangements.
But it's important not to overstate their security capabilities, and to use them in conjunction with additional protections.
First off, ensure users only have access to what they need to get their job done, also known as "just-enough-privileges."
You can also limit the amount of time someone gets access with "just-in-time" access.
By rolling out these perimeters, employees are less likely to unintentionally misuse or expose information outside their remit, and lateral movements by hackers are prevented.
Don't just rely on passwords and MFA
Passwords and MFA are solid security baselines, but they alone aren't enough. Given the variety of devices, networks, and locations your users may be connecting from, it's incredibly difficult for traditional security tools to differentiate between legitimate users and malicious actors.
This is where additional factors should be considered, such as user behaviour or the risk level of the device they're using.
For example, if a user logs in from an unexpected location on a device they don't typically use, or tries multiple times to connect from different networks, these instances should be flagged.
You also need to detect when privileges change, as this is often the first tactic hackers use to gain even greater access to a network.
Protect your employees from social engineering
As mentioned, compromised credentials are often the initial foothold in a hacker's attack chain. Gone are the days of brute force attacks, as it's much easier to purchase a phishing kit on the dark web or create a proxy that reroutes the targeted user to a fake version of their corporate login.
As attackers get better at launching social engineering scams, you need to protect your employees across all devices.
The first step is to ensure they're properly trained, especially when it comes to modern phishing attacks coming through from mobile-related channels.
Next, you need the ability to block phishing attacks and malicious network traffic across your mobile devices, laptops, and desktops.
Being able to detect inbound and outbound internet connections means you can block malicious sites from reaching your users, as well as preventing any data from leaking out.
Cyber security will be a key concern among Australian business leaders as we head into 2023.
With hybrid work arrangements remaining in place, it's important we consider the security benefits and limitations of VPNs, and have more tools in our arsenal to protect employees, customers and businesses against the impacts of cybercrime.
- Don Tan is a senior director at Lookout, an endpoint security company that analyses 100,000 apps per day to identify risks for mobile users.