The Importance of Assurance for VPN Technology

Author: Glib Pakharenko, CISA, CISSP, OSCP
Published: 23 December 2021

Virtual Private Networks (VPNs) have been in place in almost every organization for many years. Their use has mostly been limited to site-to-site tunnels between offices and third-party organizations, remote access for IT specialists handling incident and change management when they are away from their workplaces, and temporary remote access for employees who travel. While some enterprises may have adopted VPNs more widely for certain categories of employees on a permanent basis (for example, sales agents or middle and senior management), for the most part employees did not use VPN services.

The COVID-19 pandemic, however, has drastically changed the way we live and how we work. As the pandemic forced a shift toward remote working, enterprises urgently organized teleworking channels with the aid of VPNs. The urgency with which these ad-hoc setups were created often bypassed standard information security requirements, proper due diligence and IT change management processes. For many organizations, the remote work VPNs were part of their crisis management plan. As such, there was an assumption that these ad-hoc setups surely were not permanent and that any temporary increase in the risk profile was acceptable. However, recent trends predict with high probability that remote working models or hybrid remote working models are a permanent fixture. Given this, there is a need to provide stronger assurance about the level of IT risk associated with VPN technology.

ISACA's VPN Security Audit Program provides a framework to assess the exposure of VPN setups to old and emerging threats that may impede network and security specialists. I will list only a small subset of them in this blog post. In one scenario, attackers scan enterprises' IP ranges to identify poor security settings and unpatched vulnerable VPN devices. If they succeed in penetrating inside the firewall perimeter, they may use VPNs to maintain permanent access and keep themselves below the radar of anti-malware and intrusion detection solutions. Without a thorough analysis of VPN usage patterns, it is difficult to identify the attackers' malicious actions.

Often the VPN address pools have wide access lists applied on the firewalls and become a jumping-off point for attacking the internal server and workstation network segments. Also, consider the fact that VPNs can be targeted by attackers at almost every element of the cyber kill chain. On a lighter note, even a well-known botnet came to be known by the name VPNFilter (as one of its artifacts was the /var/run/vpnfilterm folder).

VPN technologies are very complex in nature and diverse in the concepts that they use. Out-of-the-box setups quickly become obsolete and potentially dangerous. Consider that a 3DES cipher for IPsec, OpenVPN or HTTPS VPNs is prone to the Sweet32 attack because it uses only a 64-bit block cipher. The simultaneous support of IKEv1 and IKEv2 on certain VPN devices led to successful exploitation of Bleichenbacher oracles (the weak IKEv1 setup allowed attackers to compromise the more secure IKEv2 connections).
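To make the Sweet32 point auditable, here is an added example (not from this post or from ISACA's audit program) that flags 64-bit block ciphers named in OpenVPN-style `cipher`, `data-ciphers` and `ncp-ciphers` directives and estimates, from the birthday bound, how much traffic under one key it takes before a block collision becomes likely; the cipher table and the sample configuration are constructed for the example.

```python
import math
import re

# Block size in bits of ciphers commonly seen in VPN configurations
# (constructed lookup table for this example, not an exhaustive list).
BLOCK_BITS = {
    "DES-EDE3-CBC": 64, "DES-CBC": 64, "BF-CBC": 64,   # 64-bit block: Sweet32-prone
    "AES-128-CBC": 128, "AES-256-CBC": 128,
    "AES-128-GCM": 128, "AES-256-GCM": 128,
}

def birthday_bound_bytes(block_bits, probability=0.5):
    """Approximate bytes encrypted under one key before two ciphertext
    blocks collide with the given probability (birthday bound).
    For a 64-bit block this is a few tens of gigabytes; for 128 bits it
    is far beyond any practical session."""
    space = 2.0 ** block_bits
    blocks = math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))
    return blocks * (block_bits // 8)

def audit_openvpn_ciphers(config_text):
    """Return (directive, cipher, bytes_to_collision) for every 64-bit
    block cipher listed in the configuration's cipher directives."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^(cipher|data-ciphers|ncp-ciphers)\s+(\S+)", line, re.I)
        if not m:
            continue
        for name in m.group(2).split(":"):          # data-ciphers is colon-separated
            bits = BLOCK_BITS.get(name.upper())
            if bits is not None and bits <= 64:
                findings.append((m.group(1), name, birthday_bound_bytes(bits)))
    return findings

# Constructed sample configuration; not a real deployment.
SAMPLE_CONFIG = """
proto udp
cipher BF-CBC                      # legacy default, 64-bit block
data-ciphers AES-256-GCM:DES-EDE3-CBC
auth SHA256
"""

if __name__ == "__main__":
    for directive, cipher, limit in audit_openvpn_ciphers(SAMPLE_CONFIG):
        print(f"{directive}: {cipher} has a 64-bit block; "
              f"collision likely after ~{limit / 1e9:.0f} GB under one key")
```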

These few examples demonstrate how easy it is for a VPN to go wrong and, without regular audits, how difficult it is to know when something has gone wrong and to properly manage the VPN risk. The assurance framework based on ISACA's VPN audit program covers the effectiveness of controls in the governance, technology and maintenance domains in a systematic way and will be helpful for internal and external auditors, as well as for those performing self-assessments.

About the author: Glib Pakharenko holds Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) and Offensive Security Certified Professional (OSCP) credentials. He has more than 15 years of experience in information security advisory, audit and delivery of IT security solutions in various industries, including telecommunications, financial services, the public sector and media. Glib led the IT audit practice in one of the largest Ukrainian asset management companies, Eastone, and worked for major international financial institutions, including ING Bank and the Royal Bank of Scotland. His public work includes participation in the ISACA and Open Web Application Security Project (OWASP) Kyiv chapters, translation of multiple security standards into his native Ukrainian language and research on cyberattacks and Advanced Persistent Threats (APT) in Eastern Europe. Nowadays he runs his own cybersecurity consulting company, Pakurity, which provides penetration testing, training and other services to clients. He likes to travel to different parts of Ukraine and actively supports his wife's and sons' video channels on YouTube.