Comfortable with a firewall and VPN - think again!
The pandemic has triggered a dramatic digital transformation of the workplace. Employees have been forced to telecommute using whatever means are at their disposal. Information and technology have been pushed from a centralized corporate infrastructure onto personal mobile phones and up to the cloud, resulting in an expanded attack surface, the emergence of shadow networks, reduced transparency, ineffective governance and a lack of control. There is a policy and standards vacuum for remote work, and it is being actively exploited by our adversaries.
The expedient solution for corporations and governments has been to provide a laptop, a firewall and a VPN connection to employees requiring access to work systems. But this is demonstrably inadequate for sensitive information without additional safeguards.
Similarly, simply complying with a conventional security policy that relies on encryption alone is not acceptable in practice. Nor is it efficient.
The exploitation of SolarWinds by Russia demonstrates how critically exposed organizations are to hacks of the third-party information and communications infrastructure and the supply chain that they rely on.
EFFICACY
We can all see the potential problems with workers connecting to the Internet through their home router, tethering to their phone or using any public Wi-Fi hotspot, especially with a personal laptop. We will address those security risks in a moment. First we need to consider that using personal Internet connectivity is not ideal for other important reasons:
- The organization no longer has visibility of the infrastructure nor control of the associated costs incurred by employees;
- A loss of governance has legal implications for public and private sector executives, whether under the Financial Administration Act (FAA), the Privacy Act, the Sarbanes–Oxley Act (SOX) or the Personal Information Protection and Electronic Documents Act (PIPEDA);
- Employees are entitled to individual remuneration for using personal infrastructure, and the organization can't take advantage of corporate data plans and significant cost savings;
- Security monitoring of personal infrastructure by the organization is prohibited by law;
- The quality of service (QoS) is typically poor, bandwidth marginal and resiliency fragile, thus impacting productivity; and
- Poor QoS always leads to employees using other means to conduct work and share sensitive information; hence a shadow network emerges, and with it even greater security vulnerabilities. [We are witnessing substantial use of insecure communications and collaboration tools by employees because organizations have not provided capabilities with similar performance.]
Simply using a VPN is not best practice, nor does it comply with existing or evolving standards:
- The National Security Agency/Central Security Service (NSA/CSS) mobile access requirements and standards strongly emphasise deploying control plane traffic defence, that is, security at every OSI layer: physical, data link, network, transport, session, presentation (where the VPN sits) and application;
- CSE IT Security Risk Management: A Lifecycle Approach (ITSG-33), which is derived from the National Institute of Standards and Technology (NIST) Recommended Security Controls for Federal Information Systems and Organizations (NIST SP 800-53), itself drawing on ISO/IEC 27001, the international standard on how to manage information security;
- Cybersecurity Maturity Model Certification (CMMC) levels 4 and 5; and
- CSE Supply Chain Security for Information Technology, which requires positive control over all aspects of the infrastructure.
OUTSTANDING VULNERABILITIES AND EXPLOITATION
While a virtual private network (VPN) and a hardened computer are important components to secure remote work solutions, they are insufficient.
VPNs provide some security at the presentation layer but neglect the application, session, transport, network, data link and physical layers. Although traffic is encrypted, users have no control over the route the packets take to their destination. Organizations don't own, control or have visibility of the infrastructure or the traffic between remote workers and corporate offices. This is a problem. One should not put all one's trust in encryption: the cryptosystem is susceptible to cryptanalysis, and flaws in VPN implementations are routinely discovered. VPNs are also themselves being deliberately and successfully targeted at scale by both nation-state and criminal actors because so many employees now use them. DHS, CISA, NCSC, FBI and NSA have all issued warnings about exploitation of VPNs currently used by governments and corporations. Even high-grade encryption systems offer no better protection than commercial VPNs: while VPN vulnerabilities become known and are patched, exploitation of High Assurance Internet Protocol Encryption (HAIPE) devices is rarely revealed, which has led to a false sense of security and prolonged exposure. All that these VPNs provide is cryptographic protection and segregation; the packets still travel over the public Internet, so in this sense they are not true private networks. Traffic flow analysis of even the best encryption yields a great deal of intelligence.
A virtual private network VPN is not necessarily private.
Adversaries are therefore able to attack corporate and government VPNs directly from anywhere in cyberspace. Similarly, one has no control over the path the traffic takes between endpoints. The packets can be redirected, and frequently are. China in particular has been caught poisoning routes to redirect substantial volumes of Canadian industry and government Internet traffic through China for examination, enumeration and targeting.
And the security risks don't end there…
Conventional security solutions are ineffective against Advanced Persistent Threats (APT) especially if the device is addressable or accessible from the Internet. A VPN is useless if systems are compromised on either end of the VPN.
The risk of compromise is significant if employees are using the same computer to surf the web, interact on social media and answer email without a VPN, or with a split-tunnel VPN. Even a dedicated hardened computer and a restricted VPN remain susceptible to a multitude of attacks.
A virtually unlimited number of incoming dynamic IPs from remote users represents a massive attack surface. The enterprise is now more susceptible to amplification attacks that can cause a distributed denial of service (DDoS).
An actor can determine the remote IPs of employees, thereby enumerating the organization and targeting remote workers directly, along with anyone in the household using the same IP. Employees can still be phished with hijacking malware over e-mail, a malicious link, a man-on-the-side or a man-in-the-middle attack, thus getting around any VPN or hardened laptop. A threat actor can navigate inside trusted zones and move laterally inside the organization with credentials stolen from any of the employees' machines.
Services and ports not protected by the VPN can be used as covert channels to egress data, or to act as command and control. Wi-Fi and Bluetooth protocols are also susceptible to direct compromise.
An actor can degrade the VPN service at either the corporate or the remote device and force employees to transmit in the clear or use other means.
Cellular systems are outperforming most home and corporate Internet connections, particularly 5G, making tethering or hotspots more common practice. Cellular connections are susceptible to a variety of attacks, including:
- Forcing 5G/4G LTE cell phones to drop to GSM modes using interference or jamming so that communications encryption can be compromised;
- Phishing attacks or redirection to malicious sites where hijacking malware can be uploaded;
- Trojanizing popular applications to allow surveillance and control;
- Forging or offering free Wi-Fi or cell sites to conduct man-in-the-middle attacks;
- SIM card jacking/swapping, which exploits a mobile phone service provider's ability to seamlessly port a telephone number to a device containing a different subscriber identity module (SIM). This feature is normally used when a customer has lost or had their phone stolen, or is switching service to a new phone;
- Downloading malware onto the Subscriber Identity Module (SIM) card;
- Baseband attacks and remote exploitation of memory corruption in cellular protocol stacks, enabling monitoring of incoming and outgoing calls, placing calls, sending and intercepting short messages, intercepting IP traffic, and even turning the iPhone into a remotely activated microphone by activating its capability to auto-answer incoming calls;
- SS7 signalling system exploitation, which permits the adversary to redirect calls or text messages (SMS) to a phone number under their control in order to intercept or manipulate the communication. Interception of SMS messages enables adversaries to obtain authentication codes used for multi-factor authentication.
SOLUTION
The answer is not one product or standard, but a system and the application of best practices (not common practices or conventional standards).
Ideally your organization should subscribe to private network service with trusted routing from the remote device to departmental/company servers, to ensure control plane security, routing integrity and high-assurance delivery standards. The solution should provide multifactor identification, authentication and authorization at all network layers.
Cost Effective (Availability, Reliability)
- Billing information is also secured and individual privacy protected (not achieved under the conventional approach)
- Priority cellular connection
- Higher bandwidth, availability and reliability that encourages official use
- Resiliency to DDoS
Compliance, Accountability, Governance, Transparency and Operational Control
The pandemic has created nearly the same circumstance where employees are using personal Internet access to work remotely. The GC no longer has governance, visibility or control over essential parts of the infrastructure. A private network service restores:
- Reduction of the organizational attack surface
- Enforcement of trusted connectivity across the physical, data link, network, transport, session, presentation and application layers
- Explicit routing integrity and control plane traffic defence
- Assured data sovereignty
Enhanced Security
- Hardened laptop and mobile device
- Security- and privacy-locked-down apps
- Malware protection
- Anomaly detection
- Central monitoring of endpoints and network infrastructure
- Active hunt
- Moving target defense
- Trusted Internet access
- Message encryption and signing using public key cryptography
- Encrypted IPsec VPN using Commercial National Security Algorithm (CNSA) AES256 / SHA512 / DH group 20, or FIPS 140
- Cellular network encryption (4G/5G)
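As an added example that is not part of the original post, the following strongSwan swanctl.conf fragment contrasts a legacy IKEv2 proposal with one built from the AES256 / SHA512 / DH group 20 parameters listed above (strongSwan names DH group 20 ecp384). The peer addresses, connection names and certificate file are assumed placeholders.

```conf
# Added example (not from the original post): strongSwan swanctl.conf
# showing a weak IKEv2/IPsec proposal beside one using AES-256, SHA-512
# and DH group 20. Addresses, names and certificate file are placeholders.
connections {
    # Weak: legacy ciphers still accepted by many deployed gateways.
    corp-legacy {
        version = 2
        local_addrs  = 192.0.2.10
        remote_addrs = 203.0.113.10
        # IKE SA: 3DES, SHA-1, 1024-bit MODP (group 2)
        proposals = 3des-sha1-modp1024
        local {
            auth = psk       # shared secret; no device-bound identity
        }
        remote {
            auth = psk
        }
        children {
            net {
                esp_proposals = 3des-sha1   # no perfect forward secrecy
            }
        }
    }
    # Corrected: AES-256, SHA-512 PRF/integrity, ECP-384 (IKE DH group 20).
    corp-cnsa {
        version = 2
        local_addrs  = 192.0.2.10
        remote_addrs = 203.0.113.10
        proposals = aes256-sha512-ecp384    # group 20 = ecp384
        local {
            auth = pubkey
            certs = remote-laptop.pem       # certificate-bound identity
        }
        remote {
            auth = pubkey
            id = "CN=vpn-gw.example.org"    # placeholder gateway identity
        }
        children {
            net {
                # AES-256-GCM with PFS rekeying on group 20
                esp_proposals = aes256gcm16-ecp384
            }
        }
    }
}
```

Only the proposal strings decide which suites a peer may negotiate; a gateway that still lists the legacy proposal alongside the strong one can be downgraded to it, so the weak entry should be removed rather than merely supplemented.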
Multi-Factor Authentication and Enhanced Identification, Authentication and Authorization using:
- Hardware pre-configured router
- MAC address binding of the user's laptop to the infrastructure
- Unique SIM and IP, IMEI, IMSI and MSISDN, which bind the router to the infrastructure and determine routing
- Resiliency to cellular-based attacks (baseband, SIM, SS7, etc.)
- GPS geofencing to assure the employee is only working from an approved secure location
- Revocation of compromised devices
Additional attributes of the system ought to include:
- Routing integrity
- Managed upstream security services
- Firewall as a service
- Malware protection
- Intrusion protection system
- White listing
- Black listing
- Uniform Resource Locator (URL) filtering
- Global cyber threat intelligence
- Verified supply chain security
- Secure data centre
- SIM jacking protection
- DNS security
- DDoS protection
- Remote wipe
- Non-attribution
- Tempest nonstop hijacking
- Overwatch
The management of the infrastructure ought to be free of Foreign Ownership, Control, or Influence (FOCI) and comply with Supply Chain Security for Information Technology. Data should transit only through secure hosting facilities, in encrypted form, using Commercial National Security Algorithm Suite (CNSA) approved systems.
If you are using a foreign VPN for sensitive investigations, then you are highly exposed. What you will need is a managed attribution service from a trustworthy service provider.