Homeland Security warns of security flaws in enterprise VPN apps: How hackers can access your intern
- scileserinanclub
- Aug 14, 2023
- 6 min read
The DHS Acronyms, Abbreviations, and Terms (DAAT) list contains homeland security related acronyms, abbreviations, and terms that can be found in DHS documents, reports, and the FEMA Acronyms, Abbreviations, and Terms (FAAT) list.
Homeland Security warns of security flaws in enterprise VPN apps
Update April 15 07:09 EDT: PulseSecure also published an out-of-cycle security advisory regarding the improper handling of session cookies in some versions of the Pulse Desktop Client and Pulse Connect Secure (for Network Connect customers) apps. The vendor says that patched versions of Pulse Desktop Client or Pulse Connect Secure (for Network Connect customers) are available via the Pulse Secure Download Center.
The NSA issued a cybersecurity advisory Monday urging users to patch and mitigate three previously disclosed VPN vulnerabilities that "multiple nation-state advanced persistent threat (APT) actors have weaponized." In the advisory, the NSA did not specify which nations or APT groups are exploiting the flaws, or for what purpose.
By default, the security and privacy preferences of your Mac are set to allow apps from the App Store and identified developers. For additional security, you can choose to allow only apps from the App Store.
"We tested the top 150 free VPN Android apps and found that many had serious security flaws and performance issues," warns Callum Tennent, a VPN expert and the site editor at Top10VPN.com. Referring to a study his website conducted in February, Tennent alarmingly reveals that 18% of the tested VPNs contained potential malware or viruses, 85% featured excessive permissions or functions that could put a user's privacy at risk, and 25% exposed a user's traffic to DNS leaks and other leaks.
In a recent Ponemon Institute research report, "2018 State of Cybersecurity in Small and Medium Businesses," business professionals ranked VPN as #4 out of the 20 most essential security technologies (Ponemon 2018 State of Cybersecurity Study, page 22). Apart from the costs saved, VPN is an important privacy and security prerogative for any organization. From small businesses to large corporations, all have information that they need to protect and selectively share with partners and employees. This has become the default job description for the VPN. There is no other security device in the enterprise that can perform this role and provide the required privacy and security of communications. Many VPN appliances and VPN software products inherently provide capabilities such as context switching, virtual network mapping and Role-Based Access Control (RBAC). Even recent proposals in the IETF and much of the research work in IEEE computer privacy and security have considered standardizing the way VPN secures today's digital data with granular role separation (RFC 2764; Xu, Bo, Shu-qin Guo, and Min-fei Lu, "Application of access control model based on expand RBAC to SSL VPN system," Journal of Zhejiang University of Technology 2 (2011); Bendong, Xiong Shufeng Zhou, "Application of Role-Based Access in the SSL VPN," Computer & Digital Engineering 8 (2011)).
While your security and patch-management teams struggle to patch your VPN, mainstream attackers target VPNs regularly. In February 2019, Talos Intelligence published an article on "DNS hijacking abuse" in which they observed "state-sponsored" attacks using DNS and targeting VPN as a prime method to steal credentials, compromising a number of Saudi Arabia's top-level domains (.sa). In this case the vulnerability was not in the VPN itself, but the VPN was targeted as the right place to find entry points into an enterprise. More recently, in September 2019, Airbus was informed that sensitive data had been stolen through its supplier Expleo over their VPN connection. Referring to this attack, an Expleo technical source commented that "it was very sophisticated and targeted the VPN which connected the company to Airbus." The attack gave the intruders a stable foothold via the VPN. This supply-chain attack began with the VPN as the target in order to compromise a large aviation corporation like Airbus SE (Airbus hacked through supplier VPNs).
SSL VPNs provide a convenient entry point into the enterprise, but, as mentioned above, they share many of the security problems that have plagued various TLS implementations. For example, in a recent vulnerability discovered in Pulse Secure VPN, an old directory traversal vulnerability from 1999 was still being exploited. In this case, the pre-authentication SSL session did not place enough restrictions on access to sensitive resources. This shows how SSL VPN has repeated many of the security mistakes seen in early web server implementations. Another example is the vulnerability "Clientless SSL VPN products break web browser domain-based security models" published by CERT (VU#261869). In this vulnerability note, a number of vendors were shown not to have carried the browser's domain-based trust model into their products. These best practices should be adopted by SSL VPN vendors and enforced through proper configuration by the enterprise to ensure services have sufficient protection from well-known HTTPS attacks.
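The pre-authentication traversal problem described above comes down to one missing check: the decoded request path must stay under the document root. The following is an added example (not code from the article or from any VPN vendor) that shows that server-side check beside a SOC detection rule run over constructed access-log lines; the log format, paths and document root are assumed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed access-log lines for a hypothetical SSL VPN web front end (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2023:10:01:02 +0000] "GET /login.cgi HTTP/1.1" 200 1234
10.0.0.9 - - [14/Aug/2023:10:01:07 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [14/Aug/2023:10:01:09 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [14/Aug/2023:10:01:11 +0000] "GET /static/%252e%252e/%252e%252e/config.xml HTTP/1.1" 200 512
10.0.0.7 - - [14/Aug/2023:10:02:30 +0000] "GET /static/images/../logo.png HTTP/1.1" 200 777
10.0.0.5 - - [14/Aug/2023:10:03:00 +0000] "POST /login.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(path, rounds=3):
    """Percent-decode repeatedly so a double-encoded '..' is not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolves_inside(root, requested):
    """Server-side check a pre-auth handler should make: join the decoded request
    path onto the document root and return it only if it stays under root;
    None means the request must be refused."""
    clean = fully_decode(requested.split("?", 1)[0]).replace("\\", "/")
    joined = normpath(root.rstrip("/") + "/" + clean.lstrip("/"))
    root_n = normpath(root)
    return joined if joined == root_n or joined.startswith(root_n + "/") else None

def flag_traversal(log_text, root):
    """SOC detection rule: every request whose decoded path carries a '..'
    segment, tagged with whether it would actually escape the document root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m["path"].split("?", 1)[0]).replace("\\", "/")
        if ".." in decoded.split("/"):
            hits.append((m["ip"], decoded, resolves_inside(root, m["path"]) is None))
    return hits
```

Three of the four flagged requests escape the root (including both encoded forms), while the `images/../logo.png` request is flagged but stays contained, which is the distinction an analyst needs when triaging.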
The full lifecycle of VPN adoption (from design and implementation through ongoing monitoring to end-of-life) should be a critical consideration for your enterprise's security architecture and security monitoring teams. For example, VPN placement is a crucial decision that should be reviewed by your security architecture team (see the recommendations in NIST 800-133 Section 4, "Architecture"). Teams that do penetration testing and threat modeling should treat the VPN as an important part of your enterprise's attack surface and threat model. Even when VPNs are placed securely in the enterprise's demilitarized zone (DMZ), they sometimes go virtually unnoticed or unmonitored by many Security Operations Centers (SOCs). Your SOC should be very familiar with VPNs and have modeled response plans for scenarios such as VPN compromise. These clear processes should be in your SOC's handbook so the team knows how to operate when an alert confirms that your VPN is compromised. In industries such as the Critical Infrastructure Sectors, corporate VPN has been spelled out by ICS-CERT as a critical consideration in cyber vulnerability assessments.
NIST 800-113 section 3.3.3 specifically captures high-availability considerations for VPN. In many large organizations, the VPN cannot be patched or repaired because the VPN setup lacks high availability. Although VPN products from many vendors come with built-in capabilities for running in high-availability modes, they are often not configured and used in a way that makes patching and maintenance possible. Newer VPN products also provide the ability to operate in active/active configurations, allowing organizations to patch and restore VPN service with no downtime and even live-migrate active sessions. This crucial design in the VPN architecture gives Information Technology (IT) teams the ability to pursue patching without hesitation when vulnerabilities are announced by the vendor. VPN vendors are also recommended to continuously move their devices toward a live-patching capability to minimize downtime and be more effective in ensuring the ongoing security of this critical system for the enterprise.
Forbes recently published a post on "The Future of VPNs," in which they highlight the trends in VPN from cloud to consumer drivers making VPN "advance across the board." As the article highlights, the VPN trends follow recent computing trends that impact organizations from very small businesses to large corporations interconnected through the Internet. Many systems from entertainment/gaming to mission-critical infrastructure all take advantage of the Internet while they depend on their private communications through a VPN of some sort. Today's critical day-to-day transactions from credit card processing to smart grid switching systems depend on secure communications enabled by VPN to provide reliable (atomic) transactions that will complete accurately within guaranteed time windows. VPN security is crucial for us, enabling a secure yet cost-effective way to use the Internet for many essential business needs from the individual to the enterprise.
For many organizations, their employees, contractors, business partners, vendors, and/or others use enterprise telework or remote access technologies to perform work from external locations. All components of these technologies, including organization-issued and bring your own device (BYOD) client devices, should be secured against expected threats as identified through threat models. This publication provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework, remote access, and BYOD technologies. It also gives advice on creating related security policies.
We identify security vulnerabilities via a number of different sources such as automated scanners, internal security reviews, customer reports, and our public bug bounty program. Once a vulnerability has been identified, a ticket is logged in our purpose-built company-wide vulnerability tracking Jira project and assigned to the relevant system owner or engineering team. Our centralized approach allows us to leverage automation to provide proactive notifications, automated escalations, and enterprise-wide reporting to ensure that vulnerabilities are remediated in a timely fashion.