Palo Alto Networks: Personal VPNs pose risks to enterprises
Researchers from Palo Alto Networks published a new report detailing the risks that personal VPNs pose to enterprise networks, including evasion tactics to bypass firewalls.
The rise in remote work continues to expose network security concerns within the enterprise environment, and a new report by Palo Alto Networks highlights yet another risk -- the use of personal VPNs.
In the report published Monday, Saeed Abbasi, senior staff researcher at Palo Alto, and Kirti Parekh, staff software engineer, discuss how personal VPNs pose a threat to network visibility within organizations. Network visibility matters because it strengthens security through policy enforcement, reduces shadow IT risk and speeds up detection of malicious or suspicious activity. Additionally, the report says it can aid in well-informed decision-making.
However, personal VPN applications and services can obscure that visibility by evading firewalls to bypass security and policy enforcement.
One example the report provided referenced Hotspot Shield, which uses a phony self-signed certificate to evade firewalls with its traffic. "Some VPN companies design their proprietary protocols precisely for circumventing organization or government blocks," Abbasi and Parekh wrote in the report.
Other evasion techniques include mimicking common protocols and sending traffic that appears to be simple HTTP traffic. The researchers identified SetupVPN, which has over two million users. According to the report, the application uses the HTTP proxy-authorization header to authenticate users to its server.
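The Proxy-Authorization pattern described above is something a network team can look for in its own HTTP visibility data. The following is an added example, not code from the Palo Alto report: it parses captured outbound HTTP request heads and flags any that authenticate to a proxy outside a hypothetical corporate allowlist. The allowlist, the destination addresses and the sample flows are constructed, and the assumption that the header carries HTTP Basic credentials is illustrative rather than something the report states.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Hypothetical allowlist of proxies the organization actually runs ("ip:port").
APPROVED_PROXIES = {"203.0.113.5:3128"}


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request head into method, target and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {"method": method, "target": target}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_user(auth: str) -> Optional[str]:
    """Return the username from 'Basic base64(user:pass)'; the password is never kept."""
    scheme, _, cred = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(cred, validate=True).decode().split(":", 1)[0]
    except (ValueError, UnicodeDecodeError):
        return None


def find_unapproved_proxy_auth(flows: List[Tuple[str, str]]) -> List[dict]:
    """flows: (destination 'ip:port', raw request) pairs from a capture or proxy log."""
    findings = []
    for dst, raw in flows:
        req = parse_request(raw)
        auth = req.get("proxy-authorization")
        if auth is None or dst in APPROVED_PROXIES:
            continue  # no proxy login, or a proxy the infosec team operates
        findings.append({"dst": dst, "user": basic_user(auth), "target": req["target"]})
    return findings


# Constructed samples: intranet fetch, fetch via the approved proxy, plain-looking HTTP to an unknown proxy.
_CRED = base64.b64encode(b"vpnuser42:pw").decode()
SAMPLE_FLOWS = [
    ("10.0.0.8:80", "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("203.0.113.5:3128", "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
     "Proxy-Authorization: Basic " + _CRED + "\r\n\r\n"),
    ("198.51.100.7:80", "GET http://news.example/ HTTP/1.1\r\nHost: news.example\r\n"
     "Proxy-Authorization: Basic " + _CRED + "\r\n\r\n"),
]
```

Only the third flow is reported: it has no sanctioned proxy at its destination yet still logs in with a proxy credential, which is the visibility gap the report describes.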
Evading firewalls poses an even bigger concern given that VPNs introduce vulnerabilities into an organization's network. According to the report, VPNs are often targeted by advanced persistent threats (APTs) due to their vulnerabilities. Cybercriminals find ways to exploit known and patched vulnerabilities, "banking on not all users having kept their patches up to date." Patching critical flaws in a timely manner has been a longtime issue for organizations, especially lately, as they continue to get attacked through known VPN bugs with patches available.
For example, in April a joint government advisory detailed ongoing attacks that exploited flaws in Fortinet's FortiGate VPN and Pulse Secure's Pulse Connect Secure VPN, as well as VMware's Workspace One Access and Citrix's Application Delivery Controller and Gateway. Out of the five vulnerabilities included in the advisory, most were over two years old with patches available.
For the Palo Alto report, Abbasi and Parekh examined a list of the best VPN products of 2021 according to PC Magazine. The researchers counted the number of known vulnerabilities discovered over the past few years, most of which ranked high or critical on the Common Vulnerability Scoring System (CVSS). For example, Private Internet Access VPN had 12 vulnerabilities while Nord VPN and IVPN had three.
The risks have become so alarming that Abbasi and Parekh determined that insider threats pose almost as significant a risk to enterprise security as external intruders.
"Private or personal VPNs allow employees to bypass security measures and permissions that the infosec team put in place," Abbasi and Parekh wrote in the report.
While VPNs were developed to allow companies in different locations to connect their internal networks via encrypted channels through the internet, they are commonly used in workplaces to provide access for devices operated by users who are not physically connected to a corporate network, such as remote workers. Following the pandemic, new workforce models have required an increased use of VPNs, a trend which does not appear to be declining.
With an increase in the remote workforce comes new concerns. Palo Alto said employees may choose to download a personal VPN to hide activities, bypass internet censorship and traffic policy enforcement. According to the report, personal VPN services promise to enable secure, encrypted tunnels for user traffic, but in practice they "obscure organizations' visibility into networks."
In an email to SearchSecurity, Abbasi said the rapid shift to remote work created low-hanging fruit for threat actors, especially in organizations that weren't able to adjust their security policies accordingly. "However, remote work is not the only cause of increased risk -- not having a proper setup for protection boundaries, policies, and controls of data to/from the cloud, as well as excessive unauthorized access, may also have contributed," he said.
Now, personal VPNs are readily available to everyone and in some cases cost nothing, so new risks arise from average users who "often don't consider the risks" of using personal VPNs on company devices. Data and privacy concerns top that list. In most cases, users must simply trust their VPN providers, but data such as which websites the user visits and the frequency of visits can be stored. More importantly, some of it can be valuable.
"VPN providers could double-dip users and businesses by taking subscription money for users and selling users' web consumption data to the advertising industry," Abbasi and Parekh wrote in the report. "In more extreme cases, they might even supply user data to government authorities."
Abbasi told SearchSecurity there's no hard evidence that companies that provide free VPN apps or services sell users' data more or less than companies that offer paid VPNs.
UPDATE 8/18: In a statement to SearchSecurity, Daniel Markuson, digital privacy expert at NordVPN, encouraged customers to use VPNs together with other security tools such as firewalls and antivirus programs. He also said recent NordVPN research shows nearly two-thirds of users mix work and personal devices, and that the two should remain separate.
"Corporate VPNs and personal VPNs have completely different use cases. Corporate VPNs help employees to reach internal servers, and other enterprise resources, while personal VPNs help to protect the privacy and security of an individual. Both tools are important in the world, where cybercrime is rising and digital security needs special attention," Markuson said. "At NordVPN, we always encourage people not to use work devices for personal purposes. Company-owned devices are usually more vulnerable to hacker attacks. Thus, using a corporate device for personal purposes can lead to a leak of personal employee data in case of a data breach."
As remote work becomes more common, Palo Alto said there are steps organizations can take to protect against personal VPN threats. The report advises network security teams to recognize the potential threats and adjust security policies accordingly.
Tools that enable applications securely, through policies that allow or deny applications based on context, can help keep the attack surface as small as possible. Additionally, reviewing the latest versions of VPN applications and releasing updates for them is important, because their traffic changes frequently to evade firewalls.