Page 59 - Cyber Defense eMagazine April 2021 Edition

VPN Security Oversights

          VPNs make two core promises – to create secure pathways for data and to keep user information safe – which
          is what makes them appealing to companies, especially those whose employees work from home.
          However, many VPN services fail to keep these promises and provide little transparency to
          users, leaving openings for hackers to exploit and eroding the trust of everyone using the service.
          This can be seen with the Zyxel vulnerability, where more than 100,000 Zyxel firewalls, VPN gateways, and
          access point controllers contained admin-level backdoor accounts, giving hackers access to devices and
          companies’ networks.

          Additionally, after installing a VPN on a device, employees might find it challenging to determine whether
          their private network is connected and remains connected while in use. This is because of a lack of visibility
          and visual cues, which leaves users uncertain about whether they are actually
          browsing securely. To remedy this issue, VPN providers should ensure that their services
          connect automatically to prevent unwanted disconnections. To enforce this, there should be
          universal standards and guidelines in place to guarantee that VPNs are working as intended and
          protecting end-users from breaches.

          Best Practices

          Before installing VPNs, companies should choose the one that is best for their employees, but making that
          decision can be difficult due to the abundance of options available. There are a few things to consider before
          companies install VPNs, and best practices to enforce after devices are
          distributed to employees.

          •   Free VPNs don’t guarantee protection: While free VPNs are available on the market, these options are
              not highly recommended since they typically collect users’ data and sell it to third parties to offset
              the lack of a monetary cost. Even though free VPNs, and other mobile apps, are enticing, companies
              and employees are better off purchasing a VPN to ensure that personal and private corporate information
              remains secure.

          •   Proactively check VPNs: To make sure that a VPN is working, employees should check the location of
              the device. If the VPN is working properly, the device should display a location that differs from where the
              user truly is, so the user remains anonymous and undetected by hackers trying to find vulnerabilities.

          A More Secure VPN Market

          To create a more secure VPN market, there need to be industry-led guidelines to help keep
          companies and their employees safe. Through industry-led standards organizations, major
          technology, security and government stakeholders are working together to create scalable
          global standards and testing to ensure a higher level of security across VPNs that become certified through
          these programs. The security standards require VPNs to have security by default, standard cryptography,
          no universal passwords, automatic connection when in use, end-to-end encryption, and regularly released
          updates and maintenance. By implementing these requirements from the development phase, VPN services
          can assure companies and their employees that they will work as intended to protect them from bad actors
          and data exposure through their networks. This
          transparency will save companies time, money and headaches from rectifying issues in the long run.













                   Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.