In the previous blog, we talked about protecting endpoints. Endpoint protection is one of the core tenants of ransomware defense, and it’s essential to quickly identify infected endpoints and isolate them to stop ransomware attacks. But endpoint protection systems have their limits, and often, an attacker with compromised credentials can bypass this defense layer. One such way is to impersonate a legitimate user and access systems via their VPN. This unauthorized access can result in access to internal sensitive information and internet traffic and give access to weakly protected internal systems where the attacker can launch cyber attacks.
In this week’s blog, let’s explore Virtual Private Networks and the best practices for using them securely. VPNs provide a secure connection between remote users and corporate networks. VPNs establish a private and encrypted tunnel that ensures the confidentiality and integrity of data transmitted over the network. This secure remote access helps prevent unauthorized access to critical systems and reduces the risk of ransomware attacks. Banks, financial services, healthcare companies, schools, and government agencies commonly use VPNs. They all use VPNs to secure sensitive data, especially when employees are working remotely.
As discussed above, in specific scenarios, including VPN software vulnerabilities and misconfigurations, compromised accounts utilizing a VPN to access the network, or attackers successfully targeting the VPN servers, VPNs can be exploited in a ransomware attack.
To mitigate the risks associated with VPN exploitation, follow these security best practices:
- Keep VPN software updated and patched to address any security vulnerabilities. Regularly updating your VPN software ensures you have the latest security features, encryption algorithms, and patches, which can help protect your online privacy and security.
- Implement strong authentication measures, such as multi-factor authentication, to protect VPN accounts from unauthorized access. Enable Multi-Factor Authentication (MFA) for all user accounts if possible, and choose multiple authentication methods that include One-Time temporary Passwords, authenticator apps, hardware tokens, or biometric authentication—more on MFA in a future blog.
- Regularly review and update VPN configurations to ensure proper access controls and security settings. Review the access controls defined within your VPN configuration. Ensure that only authorized users have access and that privileges are assigned appropriately based on job roles and responsibilities. Regularly remove access for users who no longer require VPN connectivity.
- Use encryption protocols known to be secure and robust, such as OpenVPN or IPsec. These protocols provide encryption and authentication mechanisms to protect data in transit. Avoid using outdated or vulnerable protocols like PPTP.
- Monitor all VPN log activity for abnormal changes in volume, locations, and “out of hours” activity, all signs of a ransomware attack. Use systems like CyGlass to continuously monitor your VPN activity to identify suspicious events or unauthorized access attempts. Use AI systems to search for patterns or anomalies that could indicate a security breach and utilize procedures that include alerting mechanisms to notify you of any unusual events.
Endpoints, VPNs, and MFA are all interlocking strategies in ransomware defense. Next week we will look at another critical part of ransomware defense – what some analysts call the “source of truth” when it comes to cyber attack defense – protecting your network and network defenses. Stay tuned.
To learn more, reach out to CyGlass:
www.cyglass.com/solutions-ransomware-defense
Bill Munroe
VP of Marketing, CyGlass
