How businesses rely on third-party SaaS continues to change drastically as organizations strive to keep operations running in these times.

VPNs are a necessary component of a functioning remote-work process. Black Kite selected some of the most widely used VPNs and non-intrusively traced their digital footprint starting from nothing more than a domain name. Here you’ll find the results and findings on their security posture during the COVID-19 outbreak.

Online working tools on the rise

VPNs, video conferencing and project collaboration platforms keep businesses running, especially in these times of physical distancing. Although remote work may be business as usual for some organizations, a larger attack surface is a new issue for almost every company working with vendors, given the drastic increase in remote work worldwide.

What do VPN Cyber Ratings Tell Us?

Although a VPN vendor’s cyber rating does not necessarily mirror the security of its products and services, the rating gives many hints about the vendor’s security strength right off the bat. The score shows how the vendor handles cyber security, starting with its own digital domain.

Here are just a few answers a Cyber Rating service can give:  

– If the systems and services on the commercially facing domain are up-to-date

– If patch management is taken seriously

– If critical ports are left open, as hackers scan them continuously

– If the website or servers are vulnerable to, or can be abused in, DDoS attacks

In some cloud and browser-based use cases, the analysis gives more than hints about the security of the VPN product itself. These categories include, but are not limited to, website security, CDN security, and SSL/TLS strength.

Cyber Scores of Top Ten VPNs

Black Kite researchers compiled a list of the top ten business VPN solutions based on rankings from CNET, PCMag, and Tech Radar. Taking this list, we assessed the external security health of each company’s digital footprint, starting from its commercially exposed domain.

Our Methodology

Using the Black Kite Platform, researchers ran a passive, non-intrusive scan for each VPN on our list. We started by entering the domain names. From each domain name we derived a comprehensive digital footprint of the company, including all related domains, subdomains, IP addresses, services, email addresses, and so on.

Black Kite’s platform aims to provide full visibility into a cyber ecosystem. It enables enterprises to continuously assess third-party risks, assigns a letter grade to each vendor, correlates findings with industry standards to inform compliance requirements, and determines probable financial impact if a third-party experiences a breach.

Black Kite’s 3D Vendor Risk @ Scale ℠ platform provides easy-to-understand letter grades in each risk category. Here, we see the average weighted cyber score of our Top Ten VPN list is “C+”.

Of the ten VPNs, six received “C” grades, while the remaining four received a grade of “B”. The Black Kite platform shows the distribution of vendors across grades, which gives a quick view of the group’s overall security posture.

Lowest Scored Categories

Of the 19 categories analyzed, Patch Management (73.4) and Website Security (74.8) were the lowest-scored categories on average. Not far behind was Fraudulent Domains & Apps.

For Patch Management, Black Kite’s risk scoring engine collects details related to the version number of the systems and software from internet-wide scanners like Censys, Shodan, Zoomeye, etc. Out-of-date systems accessible from the Internet may have vulnerabilities, either related to the application servers or the application framework. These vulnerabilities might enable attackers to compromise applications or potentially the entire system. 

How it applies to VPN platforms: This category is especially important when VPN access is delivered through the VPN vendor’s website. Attackers look for the weak links in a company’s defenses, and obsolete, Internet-facing systems are among the easiest targets. Successful exploitation may result in loss of data, reputation or credibility, or in financial damage.

Website Security is a special analysis of the company’s main website. The findings in this category are collected from the SSL/TLS Strength, Patch Management, Application Security, Web Ranking, and Brand Monitoring findings and blended together to give an overall score for the website related digital assets.

How it applies to VPN platforms: SSL/TLS strength is crucial when employee-specific and company-confidential data is transmitted back and forth from the platform’s website. 

Fraudulent or pirated mobile and desktop applications are used to steal or phish employee and customer data. This category searches for possible fraudulent or pirated mobile and desktop apps on Google Play, the App Store, and pirate app stores.

How it applies to VPN platforms: Fraudulent apps could be executed in email phishing campaigns (combined with the use of other vulnerabilities) and pretend to be from the IT desk seemingly providing an update to the user. The links in an email could direct the user to a fraudulent VPN app in an attempt to steal user credentials and other sensitive data.

Black Kite’s Findings: The Most Critical and Frequent

DNS Amplification

This is the most widespread finding, present at most of the VPN vendors on our list. It means the vendor operates a publicly reachable DNS server that answers recursive queries for anyone, which is exactly what a DNS amplification attack needs. DNS amplification is a popular form of distributed denial of service (DDoS): the attacker uses a botnet to send small DNS queries with a forged source address (the victim’s) to open resolvers, which then flood the victim with much larger DNS responses. The vendor’s server is not the victim here but the reflector; its bandwidth and its reputation are what get abused.

Steps to Remediate: 

– Tighten DNS server security: separate authoritative from recursive service, and enable response rate limiting (RRL) where the server software supports it

– Do not run an open recursive resolver: restrict recursion to the client networks that need it, and let authoritative servers answer only for their own zones
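The following is an added example (not code from the Black Kite post or platform) that shows the check behind this finding: it builds a recursive DNS query, parses the reply’s header flags, and reports whether the server behaves as an open recursive resolver that could serve as an amplification reflector. The sample replies are constructed in the script rather than captured from any real server, and the address passed to `probe()` is whatever you supply; no vendor’s resolver is assumed.

```python
import socket
import struct

# Added example (not Black Kite's code): build a recursive DNS query, parse the
# reply, and decide whether the server behaves as an open recursive resolver,
# i.e. whether it could be abused as a reflector in a DNS amplification attack.


def build_query(name, txid=0x1234, qtype=1):
    """Wire-format DNS query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(response):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the server will recurse for us
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": ancount,
    }


def is_open_resolver(query, response):
    """True when the server answered a recursive query for a zone it is not
    authoritative for: QR=1, RA=1, AA=0, RCODE=0 and at least one answer record."""
    if len(response) < 12:
        return False
    h = parse_header(response)
    return (h["id"] == struct.unpack("!H", query[:2])[0]
            and h["qr"] and h["ra"] and not h["aa"]
            and h["rcode"] == 0 and h["ancount"] > 0)


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker spent. Attackers pick
    query types with large answers (ANY, TXT, DNSSEC records) to push this well above 10."""
    return len(response) / len(query)


def probe(server, name="example.com", timeout=2.0):
    """Live check: send the query to `server` over UDP/53 and classify the reply."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    except OSError:                     # timeout or ICMP unreachable: not an open resolver
        return {"server": server, "answered": False}
    finally:
        sock.close()
    return {"server": server, "answered": True,
            "open_resolver": is_open_resolver(query, response),
            "amplification": round(amplification_factor(query, response), 2)}


# Constructed sample traffic (not captured from any real server) for offline use.
SAMPLE_QUERY = build_query("example.com")
# Reply from an open resolver: flags 0x8180 = QR|RD|RA, one A record (name as a
# pointer to offset 12, type A, class IN, TTL 300, 4-byte address from 192.0.2.0/24).
SAMPLE_OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                     + SAMPLE_QUERY[12:]
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                     + bytes([192, 0, 2, 1]))
# Reply from a correctly locked-down server: flags 0x8105 = QR|RD with RA clear,
# RCODE 5 (REFUSED), no answer records.
SAMPLE_REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
                        + SAMPLE_QUERY[12:])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))       # e.g. python3 dns_open_resolver.py 192.0.2.53
    else:
        print("sample open reply   ->", is_open_resolver(SAMPLE_QUERY, SAMPLE_OPEN_REPLY))
        print("sample refused reply->", is_open_resolver(SAMPLE_QUERY, SAMPLE_REFUSED_REPLY))
```

Run it against each authoritative name server in the vendor’s footprint. A server that returns RA=1 and a real answer for a name it does not host is an open resolver; the fix is on the server side (recursion restricted to known clients, or disabled entirely on authoritative servers), not on the firewall, because UDP/53 must stay open for legitimate authoritative traffic.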

SSL/TLS  Issues

SSL/TLS issues, including invalid or expired certificates, were by far the most frequent findings across the VPN vendors’ digital assets. TLS keeps user data private and intact in transit, provided the certificate is valid and trusted; this is what stops an attacker on the network path from sniffing confidential information such as user credentials. An expired or invalid certificate also trains users to click through browser warnings, which is precisely the habit an interception attack relies on.

Especially in a cloud VPN architecture, a weak TLS configuration and missing related controls on the servers put company assets such as corporate data, employee credentials, and other sensitive information at risk.

Steps to Remediate: 

– Inventory certificates and their expiration dates, and renew before they expire (most CAs allow renewal at least 30 days ahead)

– Stop using weak algorithms such as RC4, DES and 3DES

– Disable support for export cipher suites

– Disable SSLv3 (and TLS 1.0/1.1)

– Use TLS 1.2 or later
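An added example (not from the post or from any VPN vendor) of what the remediation list above looks like in code: a client-side TLS context that enforces TLS 1.2 or later and bans RC4, DES/3DES, export-grade and unauthenticated suites, plus a certificate-expiry check in the dictionary format Python’s `getpeercert()` returns. The certificate fields and the 30-day renewal window are constructed for illustration; the host passed to `check_endpoint()` is whatever you choose.

```python
import socket
import ssl
import time

# Added example (not Black Kite's code): a hardened TLS client context that
# matches the remediation list, and an expiry check on getpeercert() output.

WEAK_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")  # substrings of cipher names to ban


def hardened_context():
    ctx = ssl.create_default_context()              # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # rules out SSLv3, TLS 1.0 and TLS 1.1
    # Forward-secret AEAD suites only; the '!' entries explicitly exclude RC4,
    # DES/3DES, export-grade, unauthenticated and null-encryption suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT")
    return ctx


def weak_ciphers(ctx):
    """Names of enabled cipher suites that match a weak-algorithm marker (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if any(m in c["name"] for m in WEAK_MARKERS)]


def tls_summary(ctx):
    return {"minimum_version": ctx.minimum_version.name, "weak_ciphers": weak_ciphers(ctx)}


def days_until_expiry(cert, now_ts):
    """cert: dict as returned by SSLSocket.getpeercert(); now_ts: Unix time to compare against."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400


def expiry_status(cert, now_ts, renew_window_days=30):
    """'expired', 'renew-now' (inside the renewal window) or 'ok'."""
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return "expired"
    if days <= renew_window_days:
        return "renew-now"
    return "ok"


def check_endpoint(host, port=443):
    """Live check: connect with the hardened context and report protocol, cipher and expiry.
    A handshake failure is itself a finding (expired/untrusted certificate, or a server
    that only offers protocols and ciphers this context refuses)."""
    ctx = hardened_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"host": host, "protocol": tls.version(), "cipher": tls.cipher()[0],
                    "expiry": expiry_status(cert, time.time()),
                    "days_left": round(days_until_expiry(cert, time.time()), 1)}
    except ssl.SSLError as exc:
        return {"host": host, "status": "handshake-failed", "detail": str(exc)}


# Constructed sample certificate fields (not a real certificate), in getpeercert() format.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "notBefore": "Mar 10 12:00:00 2024 GMT",
    "notAfter": "Mar 10 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    import sys
    print(tls_summary(hardened_context()))
    for ts in (1735689600, 1740787200, 1743465600):   # 2025-01-01, 2025-03-01, 2025-04-01 UTC
        print(ts, expiry_status(SAMPLE_CERT, ts))
    if len(sys.argv) > 1:
        print(check_endpoint(sys.argv[1]))
```

The same settings apply on the server side (minimum protocol version and cipher list in the web server or VPN gateway configuration); the client context here is the probe that tells you whether a vendor’s endpoint can still be reached with those settings in force.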

Publicly Available SMB Service

Publicly exposed SMB (TCP port 445) was the third most frequent finding. Over the years there have been many security vulnerabilities in Microsoft’s implementation of the protocol and in the components it directly relies on. SMB has been a primary vector in major intrusions: it was used for lateral movement in the 2014 Sony Pictures attack, and a flaw in SMBv1 is what let the WannaCry ransomware spread in 2017.

Steps to Remediate: 

– Block TCP port 445 inbound at the external firewall. This is simple and removes the most common exposure.

– Disable SMBv1 on every host that still has it enabled

– Where possible, block all versions of SMB at the network boundary: TCP 445 together with the NetBIOS ports, UDP 137-138 and TCP 139, on every external boundary device
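An added example (again, not Black Kite’s code) for verifying the SMB remediation from the outside: it sends an SMB1 NEGOTIATE that offers only the NT LM 0.12 dialect to TCP 445 and classifies the reply. A refused or filtered connection means the boundary is blocking; an SMB1 negotiate response means SMBv1 is still accepted. The sample replies are constructed, not captured, and the reading of an SMB2-framed reply as “SMBv1 off, SMB2 available” is an assumption noted in the code.

```python
import socket
import struct

# Added example (not Black Kite's code): probe TCP 445 with an SMB1 NEGOTIATE
# that offers only the NT LM 0.12 dialect. The reply tells you whether the
# boundary lets SMB through at all and, if so, whether SMBv1 is still accepted.

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def _smb1_header(flags):
    # Magic, Command, NT Status, Flags, Flags2, PIDHigh, Signature, Reserved, TID, PIDLow, UID, MID
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags, 0xC853, 0,
                                    b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def smb1_negotiate_request():
    """NetBIOS-framed SMB1 NEGOTIATE offering a single SMB1 dialect."""
    dialects = b"\x02NT LM 0.12\x00"                        # BufferFormat 0x02 + dialect string
    body = struct.pack("<BH", 0, len(dialects)) + dialects    # WordCount 0, ByteCount
    smb = _smb1_header(0x18) + body
    return struct.pack(">I", len(smb)) + smb                   # session message: type 0 + 3-byte length


def classify_negotiate_response(raw):
    """Classify the bytes a server sent back (NetBIOS session header included)."""
    smb = raw[4:]
    if smb.startswith(SMB1_MAGIC):
        # SMB1 header is 32 bytes; WordCount follows, then DialectIndex. 0xFFFF means
        # "none of the offered dialects"; anything else selected NT LM 0.12.
        if len(smb) >= 35 and struct.unpack_from("<H", smb, 33)[0] == 0xFFFF:
            return "smb1-refused"
        return "smb1-enabled"
    if smb.startswith(SMB2_MAGIC):
        # Assumption in this example: a server that will not speak SMB1 but answers
        # in SMB2 framing is treated as "SMBv1 disabled, SMB2 reachable".
        return "smb2-only"
    return "no-smb-reply"       # empty reply or connection closed without data


def probe_smb(host, port=445, timeout=3.0):
    """Live check against one host. 'closed-or-filtered' is the desired state at a boundary."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(smb1_negotiate_request())
            raw = s.recv(1024)
    except OSError:
        return "closed-or-filtered"
    return classify_negotiate_response(raw)


# Constructed sample replies (not captured from any real host) for offline use.
def _sample_smb1_reply(word_count, dialect_index):
    words = struct.pack("<BH", word_count, dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = _smb1_header(0x98) + words + struct.pack("<H", 0)   # ByteCount 0
    return struct.pack(">I", len(smb)) + smb


SAMPLE_SMB1_ENABLED = _sample_smb1_reply(17, 0)        # full NT LM 0.12 response, other fields zeroed
SAMPLE_SMB1_REFUSED = _sample_smb1_reply(1, 0xFFFF)    # server rejected every offered dialect
SAMPLE_SMB2_REPLY = struct.pack(">I", 64) + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb(sys.argv[1]))     # e.g. python3 smb_probe.py 198.51.100.10
    for name, sample in (("enabled", SAMPLE_SMB1_ENABLED), ("refused", SAMPLE_SMB1_REFUSED),
                         ("smb2", SAMPLE_SMB2_REPLY)):
        print(name, "->", classify_negotiate_response(sample))
```

A successful TCP connect to 445 from outside the boundary already contradicts the first remediation step, whatever the negotiate reply says. The probe cannot confirm the UDP 137/138 rules, so verify those on the firewall itself. On Windows hosts, SMBv1 is turned off server-side with `Set-SmbServerConfiguration -EnableSMB1Protocol $false`, after which this probe should report `smb1-refused`, `smb2-only` or `no-smb-reply` rather than `smb1-enabled`.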

Do’s and Don’ts

Relying on the VPN alone for company security is a common mistake among employees. The human element is still the weakest link, and therefore the first line of defense in cyber security. With phishing attacks increasingly targeting credentials, employees should be vigilant about their sensitive information when accessing company resources remotely.

– Do not assume a VPN guarantees security; the VPN gateway itself adds to the attack surface

– Use multi factor authentication (MFA)

– Check for vulnerabilities continuously 

– Review VPN logs for suspicious connections, for example sign-ins that point to leaked credentials (unfamiliar source addresses, odd hours, or the same account connecting from two places at once)

– Check for connections and investigate unusual events

– Provide guidance and education to users on how to properly use VPN

How to rate your Cyber Ecosystem?


The Black Kite Platform’s intuitive interface compiles reports and communicates risks in qualitative, quantitative, and easy to understand business terms for executives. The interface also allows IT-security teams to drill down to the technical details in each risk category. 

With the alerting mechanism, the users of the platform become aware of the security vulnerabilities within a cyber ecosystem promptly and can take immediate action.

Learn more at www.blackkite.com.

Featured image courtesy: Dan Nelson on Unsplash