At this week's Black Hat 2010 conference in Las Vegas, NCP engineering is releasing a new white paper that sheds light on common VPN vulnerabilities that put organizations at risk. It's prudent to occasionally survey the threat landscape with a fresh lens because while VPNs aren't new, the threats they combat are constantly changing and require regular monitoring and security updates to stop.
The white paper, Remote Access-Attack Vectors: Threats, Findings & Remedies, chronicles recent breaches and gleans lessons for all organizations that allow remote access to their network. For example, the infamous breach at Heartland Payment Systems in 2008 was perpetrated, in part, using a VPN. This was followed by incidents at Google earlier this year and a major breach at Energy Future Holdings that cost the company $26,000 worth of business.
The white paper explores the two primary reasons that hackers find VPNs so alluring. For one, VPNs transmit sensitive information over public and shared networks. The extension of the network outside the perimeter makes assets much more accessible. Second, a VPN typically does not have layers of security found in perimeter defenses, yet it will pro�vide access from outside a perimeter to inside networks. This can make VPN-based attacks that bypass a perimeter more attractive than attacks that directly target the perimeter.
The vulnerabilities that caused these breaches, and others like them, can be distilled into three categories. The white paper delves deeper into these categories, but in a nutshell, they include VPN quality, security and management. For instance, VPN systems are expected to handle complex security operations but not all products are created equal. Most will contain some flaws, but the severity of these varies based on the importance placed on quality in the VPN's engineering's process. The level of security also fluctuates, depending on whether the VPN solution emphasizes security or ease of deployment and connectivity. Finally, proper management is essential to ensuring that VPNs effectively secure data and block unauthorized users from gaining access.
Although the vast majority of breaches involve management issues, design and quality are still very important considerations. When selecting a VPN solution, consider that both design and quality are among the best ways to differentiate VPN products and solutions.