Firms let hackers in through their VPNs

Almost a third of companies tested in a recent survey had left their networks open to attack by installing virtual private network equipment with default settings or failing to adopt best practice security principles.

NTA Monitor's annual security audit of 350 blue-chip companies found that the number of security risks in corporate firewalls has risen by about 17% since 2000.

Roy Hills, technical director at NTA Monitor, said, "If an intruder can get in by this means they can potentially get straight into a company's internal systems."

VPNs allow firms to route communications from remote workers through encrypted "tunnels" across the internet. They are seen as a cheap, secure alternative to leased lines, but NTA's test results indicate that configuration oversights are leaving a large number of VPN gateways that can be located, profiled and then used as a way into corporate networks.

Hills said the problem arises because, while out-of-the-box rules are sufficient to get the VPN going, some users are unaware that those default rules also leave vulnerabilities.

By interrogating a device, a hacker can identify the type of firewall and target it for known exploits. Hills advised keeping firewalls and remote connections hidden except to authorised IP addresses and not having sequential IP address ranges that are easily predicted.

He said, "You quite often get reports of web servers being attacked - the results are obvious because of defacement. But when someone gets in via VPN or wireless and gains access to the file server it is almost never reported. I have seen system logs where it is recorded that access has occurred but it was impossible to know exactly what happened."

Is your VPN secure? NTA's advice

Test the firewall. Ensure that you only have the features that you use switched on. Some could provide a route in for a hacker.

Restrict services to authorised IP addresses. This effectively hides their presence from the internet while allowing the service to be used by those authorised.

Apply patches. Attackers can profile the VPN's location and type from the default ports in use, then look for known exploits against that version. NTA recommends a disciplined approach to patch management, although this has become complex in larger organisations with a number of platforms.

Log and alert suspected attacks. Log and alert failed port scans and attempted connections to build up information that can help detect potential attacks.

Spring clean the firewall. Test for default ports and organise a "spring clean" to ensure there are no hidden errors from default installations.

Limit authentication attempts. Lock out accounts and raise an alert after a set number of failed authentication attempts.
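The following is a worked example added here; it is not from the article or from NTA Monitor. It applies three of the points above (restrict the VPN ports to authorised addresses, log and alert on port scans and connection attempts, lock out accounts after repeated failures) to a handful of constructed log lines. The `VPN-DROP:` log prefix uses the iptables LOG field format, but the prefix itself, the `vpn-auth:` line format, the 192.0.2.0/24 authorised range and the thresholds are all assumptions made for the example, not any vendor's defaults.

```python
"""Added example (not from the article or NTA Monitor): scan gateway logs
for the indicators the advice above describes.

Assumptions, all constructed for this example:
  * the firewall logs dropped packets with an iptables-style LOG prefix
    "VPN-DROP:" (the SRC=/PROTO=/DPT= fields are the real iptables format);
  * the VPN gateway writes "vpn-auth: failed|accepted user=<u> from <ip>"
    lines (a hypothetical format, not any vendor's);
  * 192.0.2.0/24 is the only network authorised to reach the VPN.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

AUTHORISED_NETS = [ip_network("192.0.2.0/24")]   # hypothetical allowlist
VPN_PORTS = {500, 4500}        # IKE and IKE NAT-T, the default IPsec VPN ports
SCAN_THRESHOLD = 5             # distinct dropped ports from one source -> scan
AUTH_FAIL_THRESHOLD = 3        # failed logins before the account is locked

DROP_RE = re.compile(r"VPN-DROP:.*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")
AUTH_RE = re.compile(r"vpn-auth: (?P<result>failed|accepted) user=(?P<user>\S+) from (?P<src>\S+)")

# Constructed sample log: one host sweeps six ports including the IKE ports,
# a second host probes IKE once, one user mistypes a password twice, and a
# fourth failure against "admin" should trip the lockout.
SAMPLE_LOG = """\
Mar  3 09:01:10 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Mar  3 09:01:10 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=80
Mar  3 09:01:11 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=443
Mar  3 09:01:11 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=40004 DPT=500
Mar  3 09:01:12 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=1723
Mar  3 09:01:12 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=UDP SPT=40006 DPT=4500
Mar  3 09:07:42 gw kernel: VPN-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 PROTO=UDP SPT=500 DPT=500
Mar  3 09:15:03 gw vpn-auth: failed user=alice from 192.0.2.10
Mar  3 09:15:20 gw vpn-auth: failed user=alice from 192.0.2.10
Mar  3 09:15:41 gw vpn-auth: accepted user=alice from 192.0.2.10
Mar  3 09:30:00 gw vpn-auth: failed user=admin from 192.0.2.44
Mar  3 09:30:05 gw vpn-auth: failed user=admin from 192.0.2.44
Mar  3 09:30:09 gw vpn-auth: failed user=admin from 192.0.2.44
Mar  3 09:30:14 gw vpn-auth: failed user=admin from 192.0.2.44
"""


def is_authorised(src: str, nets=AUTHORISED_NETS) -> bool:
    """True if src falls inside one of the authorised networks."""
    addr = ip_address(src)
    return any(addr in net for net in nets)


def analyse(log_text: str, nets=AUTHORISED_NETS) -> dict:
    """Return alerts, detected scanners, unauthorised VPN probes and lockouts."""
    ports_by_src = defaultdict(set)    # source -> distinct dropped dst ports
    vpn_probes = defaultdict(int)      # unauthorised hits on the VPN ports
    failures = defaultdict(int)        # consecutive failed logins per user
    locked, alerts = set(), []

    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            src, dpt = m["src"], int(m["dpt"])
            ports_by_src[src].add(dpt)
            if dpt in VPN_PORTS and not is_authorised(src, nets):
                vpn_probes[src] += 1   # someone outside the allowlist profiling the VPN
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        user = m["user"]
        if m["result"] == "accepted":
            failures[user] = 0         # a success resets the counter
        else:
            failures[user] += 1
            if failures[user] == AUTH_FAIL_THRESHOLD:   # fires once, not on every later failure
                locked.add(user)
                alerts.append(f"LOCKOUT user={user} after {AUTH_FAIL_THRESHOLD} failures from {m['src']}")

    scanners = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= SCAN_THRESHOLD}
    for src, ports in scanners.items():
        alerts.append(f"PORTSCAN src={src} ports={ports}")
    for src, hits in vpn_probes.items():
        alerts.append(f"VPN-PROBE src={src} hits={hits} (unauthorised source on IKE ports)")

    return {"alerts": alerts, "scanners": scanners,
            "vpn_probes": dict(vpn_probes), "locked_accounts": sorted(locked)}


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Two design points worth noting: the lockout counter resets on a successful login, so a user who mistypes a password twice is not locked, while the alert fires exactly once when the threshold is reached rather than on every subsequent failure; and a single hit on UDP 500 from an address outside the allowlist is reported on its own, because that one packet is all an attacker needs to confirm that an IKE responder exists at the address.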