White Paper

Protect Yourself Against VPN-Based Attacks: Five Do's and Don'ts

Don't let stolen VPN credentials jeopardize your security

March 2015

A TECHTARGET WHITE PAPER
Most IT professionals take their virtual private network (VPN) infrastructure for granted. Yet VPNs have played a major role in some of the most damaging data breaches on record.

VPNs are generally mature and reliable when it comes to encrypting communications between mobile and remote offices and the data center. But authentication can be an Achilles' heel. Cybercriminals or hackers who manage to acquire legitimate user credentials end up with a huge prize: trusted access to corporate resources.

In most enterprises, gaining access to the corporate network through a VPN is equivalent to getting the keys to the kingdom. An attacker who comes in through a VPN often finds few barriers. He or she can move laterally through the network, create higher-level credentials, find critical systems, and exfiltrate confidential data and intellectual property for profit or ideological goals.

Unfortunately, most VPN products in use today are built on old standards that do not support strong authentication.

VPNs and Major Data Breaches

The 2013 data breach at Target started when cybercriminals stole the VPN login credentials of a heating and air conditioning firm providing services to the retailer. The breach resulted in the loss of 40 million credit card numbers.

In 2014 the United States Postal Service (USPS) was forced to shut down its entire VPN network in connection with a breach that exposed the personal data of 800,000 postal workers and 2.9 million customers.

The 2014 data breach at Home Depot resulted in the loss of 56 million credit cards and 53 million email addresses. It started when an attacker gained a foothold in the company's network by obtaining the user name and password of a third-party vendor.

Assert Your Identity 2
Table of Contents

Don't rely on passwords alone ... 4
Don't make authentication difficult for users ... 4
Do explore alternative two-factor authentication techniques ... 4
Do implement adaptive authentication where appropriate ... 5
Do consider a single solution for VPN, cloud and mobile authentication ... 5
SecureAuth IdP: Secure, flexible, adaptive two-factor authentication plus single sign-on ... 5
Here we offer five do's and don'ts that will dramatically improve your ability to protect yourself against VPN-based attacks.

1. Don't rely on passwords alone

Passwords and static PINs are insecure. Employees write them on sticky notes, store them on devices that can be lost or stolen, and choose values that are easy to guess, like "password", "admin", and "1234". Contractors and service providers can be shockingly casual about protecting client credentials. According to one information security expert:

"I've been in hundreds of software support centers. It was an accident, but I saw your logins. They're written on sticky notes stuck to the side of monitors. They're stored in clear text in Word documents circulated around the support center. They're clearly visible in the vendor's CRM system." [1]

To make matters worse, cybercriminals and hackers are working aggressively to capture VPN credentials. One criminal group operating out of Russia and Bulgaria created a phishing and social engineering attack specifically to capture the VPN logon credentials of employees of German and Swiss banks. [2]

2. Don't make authentication difficult for users

Of course, going beyond passwords can make authentication more difficult for users and more expensive for the enterprise. Many IT professionals have had experience with hard tokens and smartcards that confuse beginners and are easy to leave at home or misplace. These shortcomings can frustrate users, increase support costs, and result in lost time and productivity. However, there are now additional forms of advanced authentication that are much more secure and reliable than passwords but do not impose burdens on users.

3. Do explore alternative two-factor authentication techniques

Two-factor authentication (2FA) has been described as combining something you know with something you have. In the past that meant that users typically needed a password plus a smartcard or a key fob token that could generate a one-time password.
However, many alternatives are available today that can supply the second factor for authentication with little extra effort or inconvenience, and with minimal administrative overhead. For example, one-time passwords (OTPs) can be sent to mobile phones through apps, SMS messages, automated voice phone calls, and push notifications. They can be sent to laptops, tablets and smartphones in email messages. Users obtain OTPs quickly and easily, and there is no small authentication device that is prone to being lost.

Ease of use and productivity can also be maintained by allowing users to register and make changes from a self-service web portal.

When appropriate, users can be allowed to use a sign-in for a social network application (such as Facebook, Google or LinkedIn) as a second authentication factor. Another innovative approach is to record a fingerprint of a device (a collection of characteristics such as the type of chip, the operating system, the level of the browser, and the language and time zone settings), and use the device itself as the second factor.

In short, you can probably find a two-factor authentication method that provides high levels of security while keeping life simple for your users and minimizing the administrative burden on your IT staff.

[1] Blog post by Jeff Swearinggen: VPNs at the root of Home Depot data breach.
[2] Trend Micro Research Report: Finding Holes: Operation Emmental.

4. Do implement adaptive authentication where appropriate

Adaptive authentication represents a leap forward in the ability to match authentication challenges with risk factors. The basic principle is to evaluate a series of risk factors related to an access request, then assign an authentication method or methods that appropriately reflect the potential risk.

For example, an authentication solution at the data center might assess a request for a VPN connection coming from a mobile user. It might check to see if the source IP address is on a blacklist of IP addresses associated with hackers and botnets. It might see if the device (identified by its fingerprint) is known to be associated with the person purportedly making the request, and if the request is consistent with the identity and group memberships of that person. It might consider whether the request is coming from a geographical location associated with the user, and check to make sure that the location is not improbably distant from the location of the user's last login, given the time between logins.

Based on the assessed risk, the user could be asked to authenticate with merely a password, or with a set of personal questions, or with a second authentication factor. If the circumstances are suspicious, the user could be restricted to a limited set of resources, or simply denied access to the corporate network.
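The risk evaluation described in this section, as an added example that is not part of the white paper and does not represent SecureAuth IdP's engine: a small Python policy that checks the source IP against a denylist, compares the device fingerprint (a hash of the characteristics listed above) with the devices known for the user, checks group entitlement, and flags "impossible travel" by comparing the distance from the last login with the time elapsed. Every address (taken from the TEST-NET documentation ranges), user, location and threshold is constructed for the example; the function names, the 900 km/h cutoff and the office address prefix are assumptions, and the static denylist stands in for a live threat-intelligence feed.

```python
import hashlib
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed reference data (placeholders, not real threat intelligence) ---
IP_DENYLIST: Set[str] = {"203.0.113.7", "198.51.100.23"}   # TEST-NET addresses
OFFICE_PREFIXES = ("10.20.",)                               # assumed on-premises ranges
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"staff", "finance"}, "bob": {"contractor"}}
VPN_ENTITLED_GROUPS = {"staff", "contractor"}
MAX_TRAVEL_KMH = 900.0   # assumed cutoff: faster than an airliner means "impossible travel"


@dataclass
class LoginRecord:
    lat: float
    lon: float
    epoch: int   # Unix seconds of the last accepted login


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    device_attrs: Dict[str, str]   # chip, OS, browser level, language, time zone
    lat: float
    lon: float
    epoch: int


def device_fingerprint(attrs: Dict[str, str]) -> str:
    """Hash a canonical serialization of device characteristics; key order does not matter."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(req: AccessRequest, known_devices: Dict[str, Set[str]],
           last_login: Optional[LoginRecord]) -> Tuple[List[str], str]:
    """Collect risk signals for a VPN request and map them to an authentication demand."""
    signals: List[str] = []
    if req.source_ip in IP_DENYLIST:
        signals.append("source_ip_denylisted")
    if not (USER_GROUPS.get(req.user, set()) & VPN_ENTITLED_GROUPS):
        signals.append("group_not_entitled")
    if device_fingerprint(req.device_attrs) not in known_devices.get(req.user, set()):
        signals.append("unknown_device")
    if last_login is not None:
        hours = max((req.epoch - last_login.epoch) / 3600.0, 1e-6)
        km = haversine_km(last_login.lat, last_login.lon, req.lat, req.lon)
        if km / hours > MAX_TRAVEL_KMH:
            signals.append("impossible_travel")

    # Policy: a hard signal, or several soft ones together, denies outright;
    # otherwise the challenge escalates with the risk.
    hard = {"source_ip_denylisted", "group_not_entitled"}
    if hard & set(signals) or len(signals) >= 2:
        return signals, "deny"
    if "impossible_travel" in signals:
        return signals, "second_factor_restricted"   # step up and limit reachable resources
    if "unknown_device" in signals:
        return signals, "second_factor"
    if req.source_ip.startswith(OFFICE_PREFIXES):
        return signals, "transparent"                # known device, on premises: no prompt
    return signals, "password"


# --- Constructed sample traffic ---
ALICE_LAPTOP = {"chip": "x86_64", "os": "Windows 8.1", "browser": "IE 11",
                "lang": "en-US", "tz": "America/New_York"}
ALICE_PHONE = {**ALICE_LAPTOP, "os": "Android 5", "browser": "Chrome 40"}
NYC, LONDON = (40.71, -74.01), (51.51, -0.13)


def run_samples() -> Dict[str, str]:
    """Evaluate a handful of constructed requests; returns case name -> decision."""
    known = {"alice": {device_fingerprint(ALICE_LAPTOP)}}
    last = LoginRecord(*NYC, epoch=1_000_000)
    cases = {
        "office_known_device": AccessRequest("alice", "10.20.3.4", ALICE_LAPTOP, *NYC, 1_003_600),
        "remote_known_device": AccessRequest("alice", "192.0.2.10", ALICE_LAPTOP, *NYC, 1_003_600),
        "remote_new_device": AccessRequest("alice", "192.0.2.10", ALICE_PHONE, *NYC, 1_007_200),
        "impossible_travel": AccessRequest("alice", "192.0.2.10", ALICE_LAPTOP, *LONDON, 1_003_600),
        "denylisted_ip": AccessRequest("alice", "198.51.100.23", ALICE_LAPTOP, *NYC, 1_003_600),
        "not_entitled": AccessRequest("carol", "192.0.2.10", ALICE_LAPTOP, *NYC, 1_003_600),
    }
    return {name: assess(req, known, last)[1] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22s} -> {decision}")
```

Two points worth noting in the design: the fingerprint is compared as a hash of sorted attributes, so the same device reports the same value regardless of the order in which attributes are collected, and the travel check divides by a floor of a few microseconds so that two logins in the same second from the same place do not divide by zero while a distant one still trips the cutoff.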
On the other end of the spectrum, users assessed as low risk and physically present in an office facility could be authenticated transparently, without requiring even a password. [3]

[3] For a case study of an organization that has implemented adaptive authentication, see: Houston Methodist Continues Leading Medicine with SecureAuth.

5. Do consider a single sign-on solution for VPN, cloud and mobile authentication

There are many advantages to having a single sign-on (SSO) solution that also provides strong authentication to VPNs, cloud-based applications and mobile connections.

From the user's point of view, a unified SSO solution maximizes simplicity and minimizes the number of passwords and authentication procedures that need to be learned. It meets user expectations for strong security and a clean, easy-to-use interface.

For the IT operations and security groups, a unified SSO solution ensures that a single, consistent set of policies and procedures is followed for all authentication requests. It reduces implementation, training and support costs. It improves security by controlling the proliferation of passwords. It also eases compliance burdens.

SecureAuth IdP: Secure, flexible, adaptive two-factor authentication plus single sign-on

An ideal solution to protect against attackers attempting to exploit VPN connections, SecureAuth IdP prevents cybercriminals and hackers, even those who have obtained valid user passwords, from using VPNs to burrow into corporate networks. SecureAuth IdP supports over 20 two-factor authentication methods, including SMS, telephony and e-mail OTPs, push notifications, OATH tokens, social network IDs, device fingerprints, and of course traditional smartcards and tokens.

With SecureAuth IdP, users can enroll their own devices, reset passwords, update their profiles and register authentication methods. These self-management features increase user satisfaction and reduce help desk costs.

SecureAuth IdP also offers some of the industry's most advanced adaptive authentication capabilities. It performs dynamic risk analysis using multiple factors, including source IP addresses, device fingerprints, user identities and group memberships, and geographical locations. Integration with the industry-leading Norse DarkMatter platform ensures that IP addresses can be checked against a continuously updated list of malicious and compromised websites and other live threat intelligence.

SecureAuth IdP's single sign-on also streamlines access to all applications with one set of credentials, regardless of whether the user is using a VPN, LAN, mobile, cloud or web connection.

In short, SecureAuth IdP offers a secure, flexible solution that can eliminate dependence on insecure passwords, simplify the logon experience for users, match appropriate authentication challenges with risk factors, and provide single sign-on across all major connection and application types.

To learn more, visit www.secureauth.com/adaptive.
8965 Research Drive
Irvine, CA 92618
p: 1-949-777-6959
f: 1-949-743-5833
secureauth.com

TechTarget 2015