Virtual private networks have been used by individuals and organizations for the better part of two decades. A VPN creates a secure tunnel that allows encrypted information to be transferred from one point to another. In the business world, it makes it possible for employees to connect to their organization’s network and securely send and receive information. VPNs have taken on a greater role considering the work from the home environment we are in.
It is not clear how long people will work from home. Some organizations have already shown that even after the pandemic has passed, they will have a portion of their workforce working remotely. The fact that more people are working from home has caught the attention of cybercriminals. They see the work from the home environment as creating vulnerabilities that they can exploit.
Cyber Attacks Directed at VPNs
Quoting from the experts, Will Ellis from Privacy Australia has seen that one of the primary ways cybercriminals are perpetrating their attacks is by attempting to penetrate VPNs. As he mentioned, “Unfortunately, in many cases, they have been successful in recent months. This has led businesses and government institutions to tighten security measures.”
As soon as cybercriminals break through the VPN and gain access to an organization’s network, they are like kids in a candy store. They can rifle through the network and services. At their leisure, they can look for vulnerabilities, misconfigurations, and weaknesses. There is no limit to the damage criminals can cause once they have access to manipulate data, destroy systems, or interrupt sensitive data in transit.
Recommended for you: VPN vs Proxy: What are the Differences? Which One is Better?
More than just basic Security Measures are needed
Most organizations are already using the recommended basic steps for improving their VPN security. This includes requiring strong passwords that are complex, unique, and change periodically. Provisioning or role-based control access means limiting resources by groups. Multi-factor authentication is also being used for privileged users or those who need to access sensitive data and software.
The importance of these steps should not be minimized. An organization would fool itself if it believed that these basic steps were all that was required to protect themselves against cybersecurity attacks that are constantly growing in sophistication.
Sophisticated attacks require a sophisticated solution, such as a Security Information and Event Management platform. SIEMs are tools responsible for collecting and correlating the data from the security tools an organization uses, including their VPN.
SIEMs allow the information gathered by separate security tools to be compiled together to give insight into security threats that might not be easy to garner from looking at the data separately. These platforms can help an organization identify what are truly high-risk events and separate them from the noise.
For example, an employee might connect to a VPN from New York City. Forty-five minutes later, that same employee connects to the organization’s VPN from Minneapolis, MN. A SIEM platform should be able to tell that this is physically impossible and then flag this as suspicious behavior that needs to be investigated.
How a SIEM Platform can benefit your organization?
SIEM solutions offer real-time threat detection. They increase efficiency, reduce costs, minimize potential threats, improve reporting and log analysis, and drive IT compliance. Since SIEM solutions can connect event logs from various devices and applications, IT staff can identify, respond to, and review potential security breaches quickly. The quicker a cybersecurity threat is identified, the less of an impact it can have. Sometimes, the damage can be prevented entirely.
SIEM platforms allow an IT team to have a big picture view of all the threats an organization’s security tools are protecting it from. A single alert from a malware or antivirus filter might not be that big of a deal, or it might not raise the alarm. However, if there is an alert from the firewall, antivirus filter, and VPN simultaneously, this might show that a serious breach is in progress. SIEM will collect alerts from different places and then display them on a centralized console, maximizing response times.
You may like: VPN vs RDS vs VDI: What to Choose for a Secure Remote Access?
How SIEM is helping mitigate security risks in a work-from-home environment?
The coronavirus pandemic has forced organizations to transition from on-site staff to a fully remote workforce quicker than many organizations were repaired to do. This meant that they had to strike a balance and possibly compromise between providing a consistent service to their customers and maintaining a high level of cybersecurity.
Manually configuring rules and defenses that could successfully handle this change is time-consuming. Organizations that were not already using SIEM platforms played a frustrating, dangerous, and costly game of catch up in the first few weeks of stay-at-home orders.
Organizations that were already using SIEM could transition easier. Because they had a comprehensive system that took advantage of behavior analytics and machine learning, they could automatically adapt to the changes in the work environment. This takes a lot of stress off of their IT teams.
One of the major benefits of behavior analytics is the ability to look at a baseline normal activity for an organization and its users and then automatically detect and sound the alarm when there are deviations from that normal activity. This way, an organization’s security controls are flexible and can change as the business environment changes. They automatically adjust as new things, such as how employees working from home has become the new normal.
Using SIEM to detect and mitigate the damage caused by CEO Fraud
The work-at-home environment has made email communication more important than ever before. This is because the face-to-face interaction that was a part of working in an office is gone. Unfortunately, because a flurry of emails is being sent back and forth, there exists the possibility of fraudulent emails being sent in the name of management, directors, or other responsible individuals.
CEO fraud is a relatively novel form of cybercrime. Social engineering attacks are used to trick a person in the organization to send money or confidential information to the individual or individuals perpetrating fraud.
CEO fraud existed before COVID-19. It is estimated that in just three years it could produce more than $2.3 billion in losses. When people were working in an office environment where they had one-on-one contact with management, many organizations mistakenly thought it was easy for them to identify email scams on their own.
However, in reviewing cases of CEO fraud, it’s clear that multiple emails were communicated back and forth between the fraudsters and the victim without the victim being the wiser. CEO fraud is a sophisticated and virtually impossible type of fraud to catch without the proper tools. If it was difficult to catch in the relatively safe office environment, imagine catching it now with employees being dispersed and the amount of face-to-face contact reduced.
CEO fraud presents itself in two ways. One is where a senior manager’s email account is hacked. The other is where an email is sent from a domain that is similar to the legitimate business domain. In the first instance, fraudsters will compromise the email accounts of senior employees. In the second instance, typosquatting is used to trick employees into believing they have received information from individuals in positions of oversight.
A SIEM solution can help. It allows an organization to get ahead of compromised credential risks. If a CEO, manager, or another individual in a responsible position has their email account compromised, SIEM solutions can help identify and stop the breach before it happens. This is because SIEM solutions are monitoring data across your network. This includes active directory services, O365, firewalls, storage units, Salesforce, and more.
Once all the information has been posted into the SIEM, data will be collected and correlated and examined by advanced analytics. The goal is finding indicators of compromise or finding patterns that show if suspicious behavior is happening. This information can be recorded and immediately sent to an organization’s security team.
Since this happens in real-time, many attacks can be prevented before they have a damaging effect. Advanced machine learning can be trained to identify slow attacks that sneak their way into the network. Unusual patterns of activity can be detected, and they can mitigate threats before they happen. They can use these same approaches in identifying other types of email threats, like spear-phishing scams. Here again, we see the power that a SIEM solution has to add value not offered from a VPN.
You may also like: NordVPN vs SiteLock VPN – Which One is Best for You?
Using information garnered from SIEM to improve cybersecurity
When anomalies are detected, organizations can put protections in place to prevent future compromises. One step may be educating employees on the cybersecurity threats they are facing. By showing employees the different attacks that were attempted, employees are encouraged to mitigate risky behavior.
Some prevention tips that might seem like common sense to an IT team might get overlooked by employees. For example, employees should be reminded to ignore unprompted emails that demand an immediate response. They should be encouraged to frequently check the sender’s email addresses and domains and compare those against genuine email addresses and domains. Employees should be reminded not to open attachments that are unexpected and to use additional caution when emails are received from unrecognized senders.
One thing that is certain is that cybercriminals will not stop searching for vulnerabilities. Organizations need to protect themselves, their data, and their employees by using security features like VPNs, antivirus tools, and malware protection and then backing these up with SIEM platforms.