VPN: from protector to attack conduit in the new remote work era
According to NPR, about a third of Americans are now working from home during the COVID-19 pandemic. This unique challenge presents new problems for corporate IT and Information Security departments, which must provide the support their employees need while working from home. Arguably, the biggest challenge they face is providing support for their employees’ home networks.
We have surpassed the era of Bring Your Own Device and have now entered into the era of Bring Your Own Network (BYON). BYON, just like BYOD, brings management and support issues as well as serious security challenges.
IT departments now have to support employee video conferencing with a client while their child is simultaneously downloading Call of Duty: Modern Warfare onto their Xbox. The InfoSec department now needs to broaden its already-broad scope of items to protect, since the employee laptop can now be targeted through new vectors such as vulnerable smart home IoT devices and insecure home routers. All of a sudden, VPNs are turning from a way to protect corporate resources into a conduit for attacking them.
On June 25th, the New York Times reported that a Russian hacker group called “Evil Corp” was targeting large companies via their employees working from home. Using a social engineering campaign, Evil Corp tricks unsuspecting employees into downloading updates to their browser or Flash Player when they visit seemingly innocuous websites.
Unfortunately, those same websites have been hacked and carry malware payloads. The malware waits for the employee to connect to the corporate network over the VPN and uses that connection to attack corporate resources. The eventual goal is to encrypt critical files and install ransomware so that Evil Corp can extract a large ransom from that corporation.
According to Eric Chien from Symantec, the malware targets employees of specific corporations or government entities by identifying them by their VPN configuration. They are using the VPN as a homing beacon to target the biggest fish. So what can IT and InfoSec departments do in the era of BYON to continue to support their employees and to secure the corporate network?
Security, as always, should be approached in layers. While the VPN is an important layer, it is not enough on its own. It isn’t enough to simply slap antivirus software over the wound as the malware installed by Evil Corp has been known to disable Windows Defender and other antivirus software.
A Bring Your Own Network™ solution is needed to also protect the smart home and all the traffic from that network that does not pass through the VPN. And finally, when protecting your assets against ransomware attacks, backups are critically important. When disaster strikes and key files are encrypted by the bad guys, if you have recent backups, then the damage done can be significantly reduced in scope.