Over the past several decades as a security professional, I have witnessed countless security architectures and been party to many policy and implementation decisions. Perhaps the most reckless recurring practice I have observed over the years is the installation of an organization's VPN (virtual private network) client on an employee's personal home computer for remote access. Simply put, BYOD and VPN should never mix or co-exist.
Today, with the large-scale move to remote work to support social distancing and help mitigate the Coronavirus health threat, the flaws of this practice are being multiplied at scale, and the damage will show up as widespread malware infections, corrupted systems, breached data, and organizations that get outright "owned".
Corporate VPN technology, whether hosted in the cloud or within a business's DMZ (perimeter network or screened subnet), is designed to allow remote access to an organization's network through protocol tunneling and encryption. The goal is to connect remote assets to the organization's network when the physical location of the connection is beyond the traditional firewalls and network perimeter. Generally, it is implemented as a single network ingress point, or a few geographically distributed ones, that serve as the demarcation between an external connection and the controlled network segments behind it.
Risks and Challenges of VPNs
While we are in a time of elevated societal risk, adding cybersecurity risk will only compound our inability to function. Even in the most prosperous and stable of times, giving VPN access to workers using personal computers is a completely unacceptable risk. Here are a few reasons why:
- Personal computer users are typically local administrators on their devices. The best practice is to abide by the principle of least privilege by creating a standard user account for routine computing and using the administrator account only for system updates and other tasks that require higher privilege, but few users follow this practice, if they are even aware of it. Such users are highly exposed to malware during routine computing (email, web browsing, etc.): malware that compromises a user session inherits that account's privileges, and when the account is a local administrator it can install persistently, disable defenses, and tamper with the system. Older home operating systems, including Windows 8, Windows 7, and Windows XP, are not only weaker at containing malware that needs administrative rights, but they are no longer supported platforms. Many users have yet to migrate to a supported operating system or buy a new computer that ships with one. The lack of support means vulnerabilities will no longer be patched by the vendor, even as they continue to be discovered and exploited. All of this adds up to a completely unjustifiable risk for any organization.
- When a personal home computer is shared among family members, very few mitigations prevent an infection, or the poor judgement of one individual, from affecting everyone else on the machine. This holds true even when each person has a unique user profile. Windows also has a feature called Fast User Switching, which allows users to sign in while other users remain signed in on the machine. Because it keeps multiple logon sessions resident, the other users' processes and credential material stay in memory, and a compromise of one session that gains administrative rights can be leveraged against the others. So, for instance, the compromise of one user, not related at all to the organization, could be leveraged against an active VPN session connected to the organization. These are serious risks that should not be glossed over.
- Organizations typically lack the authority to manage an individual's home computer. If permitted by the end user, and legal within that particular country, NAC (network access control) solutions can validate antivirus signature versions and other basic hardware characteristics. However, NAC still cannot inventory a home computer to ensure it is hardened and maintained like a corporate asset, and there may not be a compatible local agent to provide these details remotely. These gaps, even when the connection passes through a bastion host, can expose the enterprise to data leakage from keystroke loggers and screen-capturing malware.
- Corporate VPN solutions usually embed a certificate in the VPN profile to validate the connection. This is independent of the authentication the user should provide via credentials and multi-factor authentication. Both the certificate and the credentials are only as secure as the host that stores them, and both are prime targets for a threat actor. A poorly maintained host makes it easy for a threat actor to initiate their own connections, steal the certificate or VPN installer, or hijack sessions used by remote employees on their home computers. If you cannot secure the host, how can you secure the connection software it is running? You can't.
- Personal home computers generally have only antivirus and a basic built-in firewall (e.g., Windows Firewall), if they have any security software installed and enabled at all. Such users have no EDR (endpoint detection and response), EPM (endpoint privilege management), or vulnerability and patch management solutions. Additionally, home users typically operate as independent workstations with no monitoring by security professionals who can react when something goes awry.
- VPN technology is highly dependent on the bandwidth of the external connection into the environment, the internal network links connecting the VPN concentrator to the network, and the network segmentation that isolates external connections from sensitive resources. It cannot suddenly absorb, on bandwidth alone, the entire user population that normally sits on office switches and routers. Nor is the VPN normally configured to allow access to all of the resources available to someone physically sitting on a trusted network in an office building. Simply put, most corporate VPN implementations, even with corporate-issued mobile devices, are not scaled to support large numbers of users operating simultaneously. In addition to injecting security issues into the corporate environment, moving to VPNs en masse can result in severe network performance issues.
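The following Windows PowerShell script is an added illustration, not code from this article or from BeyondTrust. It approximates the kind of pre-connect posture check a NAC agent would perform on a home PC before a VPN client is allowed to start, covering the points above: local administrator membership, an unsupported OS version, other interactive logon sessions left resident by Fast User Switching, Windows Defender and firewall state, and patch currency. The pass/fail thresholds (30-day patch age, 3-day signature age) and the exclusion of the Window Manager and Font Driver Host service sessions are assumptions made for the example; it assumes Windows PowerShell 5.1 on Windows 10 or later, where the Defender and NetSecurity modules are present.

```powershell
# Added example (not BeyondTrust code): self-reported posture check for a
# Windows home PC before starting a VPN client. Thresholds are assumptions.
# Requires Windows PowerShell 5.1 on Windows 10+ (Defender, NetSecurity modules).
#
# Caveat: every value below is reported by the very host being assessed.
# Malware holding local admin rights can falsify all of it, which is why a
# posture check on an unmanaged BYOD machine is no substitute for a hardened,
# corporate-managed asset.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Is the interactive user a member of the local Administrators group?
#    S-1-5-32-544 is the well-known Administrators SID; the token carries it
#    (possibly deny-only under UAC) whether or not this shell is elevated.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = $identity.Groups | ForEach-Object { $_.Value }
$isAdmin   = $groupSids -contains 'S-1-5-32-544'
Add-Finding 'Standard (non-admin) user' (-not $isAdmin) "$($identity.Name) admin=$isAdmin"

# 2. Supported OS. Win32_OperatingSystem reports the real version: Windows 8.x
#    is 6.2/6.3, Windows 7 is 6.1, Windows XP is 5.1, all out of support.
$os  = Get-CimInstance Win32_OperatingSystem
$ver = [version]$os.Version
Add-Finding 'Supported OS (10.0+)' ($ver.Major -ge 10) "$($os.Caption) $($os.Version)"

# 3. Other interactive logon sessions (Fast User Switching). LogonType 2 is
#    Interactive, 10 RemoteInteractive, 11 CachedInteractive. Any user other
#    than the current one means their processes and credential material share
#    this machine while the VPN is up. Service sessions are excluded (assumption).
$sessions = Get-CimInstance Win32_LogonSession -Filter 'LogonType=2 OR LogonType=10 OR LogonType=11'
$users = foreach ($s in $sessions) {
    Get-CimAssociatedInstance -InputObject $s -Association Win32_LoggedOnUser -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.Domain)\$($_.Name)" }
}
$others = @($users | Sort-Object -Unique |
    Where-Object { $_ -ne $identity.Name -and $_ -notmatch '^(Window Manager|Font Driver Host)\\' })
Add-Finding 'No other interactive users' ($others.Count -eq 0) ($others -join ', ')

# 4. Antivirus state and signature age via the Windows Defender module.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 3)
    Add-Finding 'AV on, signatures <= 3 days old' $avOk "rtp=$($mp.RealTimeProtectionEnabled) sigAge=$($mp.AntivirusSignatureAge)d"
} catch {
    Add-Finding 'AV on, signatures <= 3 days old' $false "Defender status unavailable: $($_.Exception.Message)"
}

# 5. Host firewall enabled on every profile (Domain, Private, Public).
$fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled.ToString() -ne 'True' } | ForEach-Object Name)
Add-Finding 'Firewall on for all profiles' ($fwOff.Count -eq 0) ('disabled: ' + ($fwOff -join ', '))

# 6. Patch currency: most recent installed hotfix within 30 days.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $ageDays = (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    Add-Finding 'Patched within 30 days' ($ageDays -le 30) "last hotfix $($lastFix.HotFixID) $ageDays days ago"
} else {
    Add-Finding 'Patched within 30 days' $false 'no hotfix install dates recorded'
}

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host ("Posture: {0} check(s) failed" -f $failed)
exit $failed   # non-zero so a wrapper can refuse to launch the VPN client
```

Run it from a normal (non-elevated) shell so the administrator check reflects the account the user actually works in. The exit code lets a wrapper gate the VPN client on the result, but the design point is the caveat in the header comment: because the host reports on itself with no hardware-rooted attestation, a compromised machine can answer every question correctly, which is the gap in agentless NAC that the paragraph above describes.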
Best Practices for Enabling an Expanding Remote Workforce
Some organizations recognize the risks of VPNs, yet still try to make them work through complex workarounds. For instance, they develop and maintain hardened VDI (virtual desktop infrastructure) environments and bastion hosts to proxy (or gateway) the connection so that applications and sensitive data are never exposed directly to the remote machine. They create isolated networks and resources in the cloud just to manage these connections and, in many cases, spend exorbitant sums on licensing and personnel to stand up a defensive network strategy that mitigates these risks. While this approach can be effective in mitigating VPN risk, it is rarely cost-effective in either people or infrastructure.
In my strong opinion, based on many years of security experience, enterprises should reconsider the risks of VPN software on home assets and look at lower-risk, more scalable ways to extend access to remote workers. Here are my two recommendations:
- Provision corporate-owned assets that are hardened and managed (potentially through the cloud) to provide secure remote access. If employees who need remote access have a traditional desktop computer, consider replacing it with a corporate-owned and managed laptop with a docking station. In the office, it operates like a regular desktop, including large monitors, but when needed at home the laptop travels with them as a managed asset, minimizing the risk and providing secure connectivity.
- License a modern, cleanly architected remote access solution that does not require a complex environment to provide secure connectivity. Ideally, the solution is cloud-based and performs the connection through a web browser, with no VPN software, dedicated application, or protocol tunneling required.
VPN use on personal computers is a practice that was never sound from a security perspective in the first place. With the availability of enterprise-class remote access technologies today, there is no excuse, and probably no justifiable benefit, for deploying VPNs for remote access on worker-owned computers.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust's Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.