Corporate VPNs Are Flawed, Security Researchers Discover
No one wants their security measures to backfire. A business, or corporate, VPN is one of the means companies use to protect their data from theft and intrusion. However, it was recently revealed that corporate VPN products can themselves carry serious security flaws that put sensitive data at risk.
In this entry, we will give you a concise summary of what a VPN is, we will go through the flaws that were unearthed by security researchers, and then we will look at the differences between a corporate VPN and a consumer VPN. Finally, we will look at what you can do to mitigate those flaws and make your system safer.
What is a corporate VPN?
To put it simply, a corporate VPN is software (usually a client on each device plus a gateway at the network edge) that encrypts the connection between a business device and the corporate network. Devices connected through the VPN can then exchange data over that protected tunnel. A VPN shields traffic from eavesdropping on untrusted networks such as rogue Wi-Fi hotspots, and keeps the content of business communication away from attackers and advertisers on the path. It is sometimes presented as a better solution than an antivirus program, but the two address different threats: a VPN encrypts data in transit and does nothing against malware already on the device, so it complements endpoint protection rather than replacing it. It does make data sharing safer, and it can give remote staff a private route to data that lives in the office or in the cloud.
Of course, if you want to implement a business VPN, you should definitely learn more about the service, its setup, and costs. It is important to choose the service that suits you and your business needs the best. Let’s not forget that you may need help with managing the security and operations of your VPN service. Yet, considering that information is the biggest commodity these days, the costs of managing a VPN service might be just a fraction of what you could lose if your network and your information aren’t protected. Hence, you have to make your choices wisely.
What are the corporate VPN flaws?
Since we are talking about wise choices, we have to look at the corporate VPN flaws that were reported by several news outlets. Researchers Orange Tsai and Meh Chang at Devcore found fundamental flaws in the SSL VPN products of several popular vendors, including Fortinet, Pulse Secure, and Palo Alto Networks. Usually, companies issue usernames and passwords so that employees can log in to the VPN. The unearthed flaws, however, could be triggered before authentication, allowing attackers to reach the internal network without any valid credentials. This is especially worrisome because the VPN gateway is the front door to a large amount of corporate data.
The flaws were found in SSL VPNs, named after the Secure Sockets Layer protocol. Modern products actually use its successor, Transport Layer Security (TLS), but the SSL VPN name has stuck. The protocol encrypts the traffic between the endpoint device and the VPN server, so an attacker on the Wi-Fi or the internet path cannot read it; note that this protection ends at the gateway and is not end-to-end to the application. The result is a convenient way for users to reach company data remotely from a browser or a client. To provide that access, SSL VPN servers have to be reachable from the public internet around the clock, which makes them a permanently exposed attack surface, and this is what the security researchers are worried about.
The gateway sits exactly on the boundary between the internet and the internal network, and it terminates every employee's session. The researchers therefore warn that the moment an SSL VPN server is compromised, attackers gain a foothold inside the target network and can intercept or hijack the VPN connections passing through it, with the information carried over them being exposed. They demonstrated that such infiltration is possible through a remote code execution flaw (CVE-2019-1579) in the Palo Alto Networks (PAN) SSL gateway, which can be exploited without logging in.
Vendors fix such vulnerabilities with software updates and patches, but the researchers note that many companies still run outdated VPN appliance versions, which turns them into ideal targets: the exploit is public and the fix has simply not been applied. This means that keeping your VPN products up to date is the single most important step if you want to avoid this kind of intrusion.
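The practical side of that advice is knowing which of your appliances are behind. The following added example, which is not code from the original article or from any of the vendors named above, walks a constructed inventory and flags the hosts running a version older than a minimum. The product names mirror the vendors mentioned in the article, but every version number in it is a placeholder assumption: replace the minimum versions with the fixed releases quoted in the vendor advisory that applies to you. The point it shows is that vendor version strings need parsing before they can be compared, since plain string comparison puts "8.1.10" before "8.1.3".

```python
"""Flag SSL VPN appliances whose firmware is older than a minimum fixed release.

Added example. The inventory and the minimum versions below are constructed
placeholders, not real advisory data.
"""
import re
from typing import Dict, List, Tuple

# Assumption: hypothetical minimum patched versions per product line.
# Replace with the fixed releases from the vendor advisory for your CVEs.
MIN_FIXED_VERSION: Dict[str, str] = {
    "pan-os": "8.1.3",
    "fortios": "6.0.5",
    "pulse-connect-secure": "9.0.3",
}

# Constructed inventory: (hostname, product line, version as the admin UI reports it).
INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-gw-01.example.internal", "pan-os", "8.1.2"),
    ("vpn-gw-02.example.internal", "pan-os", "9.0.1"),
    ("fw-edge-01.example.internal", "fortios", "v6.0.4 build0231"),
    ("pcs-01.example.internal", "pulse-connect-secure", "9.0R3.4"),
    ("pcs-02.example.internal", "pulse-connect-secure", "9.0R2"),
]


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn a vendor version string into a comparable tuple of integers.

    A leading 'v', a trailing build suffix and the 'R' separator some vendors
    use are normalised, so '9.0R3.4' -> (9, 0, 3, 4) and
    'v6.0.4 build0231' -> (6, 0, 4). Comparing the tuples element by element
    gives the usual numeric ordering, which string comparison gets wrong.
    """
    core = raw.strip().lower().lstrip("v").split()[0]
    core = core.replace("r", ".")
    parts = [int(p) for p in re.findall(r"\d+", core)]
    if not parts:
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(parts)


def is_outdated(product: str, raw_version: str) -> bool:
    """True if the appliance runs something older than the minimum fixed release."""
    if product not in MIN_FIXED_VERSION:
        raise KeyError(f"no minimum version known for product {product!r}")
    return parse_version(raw_version) < parse_version(MIN_FIXED_VERSION[product])


def outdated_hosts(inventory: List[Tuple[str, str, str]] = INVENTORY) -> List[str]:
    """Return the hostnames that still need patching, in inventory order."""
    return [host for host, product, version in inventory if is_outdated(product, version)]


if __name__ == "__main__":
    for host in outdated_hosts():
        print(f"PATCH NEEDED: {host}")
```

Unknown product lines raise rather than silently pass, which is deliberate: an appliance you cannot assess is a finding in itself, not a clean result.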
Corporate VPN vs. Consumer VPN
If corporate VPN can become a hacker target, does that mean that consumer VPN could be attacked, too? What are the differences between corporate VPN vs. consumer VPN? Let’s take a closer look at the consumer VPN to make this comparison clearer.
Perhaps the biggest difference is that a business VPN serves many users under central administration, while a personal service is designed for one subscriber. A consumer VPN gives full control to that one user, who creates their own username and password. This is a challenge because account security then rests entirely on the user's shoulders, but a password manager makes it easy to create strong, unique passwords for personal accounts.
The next corporate VPN vs. consumer VPN point is servers. A personal VPN service has no server dedicated to you: your account connects to whichever of the provider's shared servers is available. A business VPN, on the other hand, terminates on a gateway that the company itself owns or controls. That usually means a better connection and better service quality for corporate users, but it also means the company is responsible for that gateway, and, as the flaws discussed above show, an unpatched gateway is exactly what attackers go after.
Another important difference worth mentioning here (there are definitely more, but that is a story for another post) is the purpose of use. As mentioned at the beginning of this entry, business VPNs are used for business activities: keeping corporate data secure while allowing easy access, so that business communication runs smoothly. A consumer VPN is more often used to reach blocked websites or to subscribe to services from other countries. For example, if a service is not available in your country, you might use a consumer VPN to reach it through a server located where it is.
To put it simply, whether you employ a business VPN or a consumer VPN, the security of the setup boils down to proper management and cybersecurity awareness. It is up to the VPN vendors to make their products as safe as possible. But you should also make sure that the software you use is updated to the latest version as soon as fixes are released, and that your credentials are strong and, where the product supports it, backed by multi-factor authentication. For business VPN services, it is also a good idea to have a professional team managing the gateway. It is definitely worth it if you want to ensure that your information is secured against malicious hacks.