DefenseArk #ThreatIntelThursday | VPNs — Rewards and Risks — Part 2

Sarah King
OpenAVN
Oct 21, 2021 (3 min read)
Week 38: VPNs part 2!

This article is the second in a 2-part series about VPNs — Rewards v. Risks. Last week, we discussed how VPNs work and why they’re helpful to organizations. This week, we delve into the risks associated with VPNs and how those risks can be mitigated.

Risk Mitigation, Risk Avoidance

In a previous article about risk management, due diligence and due care, we discussed risks and how to handle them. In that article, we outlined four ways of handling risks. For VPNs specifically, we discuss mitigating and avoiding risks:

Mitigating risk is “to select, implement, and ensure that controls either reduce the probability or decrease the impact (or both) of a risk occurring.” In the case of VPN risks, organizations can mitigate those risks by hardening (that is, making as secure as possible) all VPN-connected systems, by ensuring:

  1. that systems have the most recent service packs and critical patches;
  2. that all VPN-connected systems have up-to-date and effective endpoint protection;
  3. that all unnecessary services and protocols have been removed; and
  4. that systems have implemented and enforced least privilege (that is, providing individuals or system services with only those privileges needed to perform their required functions).

To accomplish this, organizations can implement a few possible solutions, including:

  1. Only allowing organization-provided systems (that follow the organization’s system security policy) to access the network via VPN; or
  2. Deploying a Network Access Control (NAC) system, which, as part of the VPN solution, enforces the organizational system security policy.
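As an added illustration (not code from the original article or from any NAC product), here is how a NAC policy check could encode the four hardening requirements above and evaluate a device's posture report before a VPN session is allowed. The report format, the patch-level and signature-age thresholds, and the service names are assumptions; the sample reports are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple

# Assumed organizational policy values (hypothetical, not from the article).
REQUIRED_PATCH_LEVEL = date(2021, 10, 12)   # date of the latest critical patch cycle
MAX_SIGNATURE_AGE_DAYS = 3                  # endpoint protection signatures must be this fresh
DISALLOWED_SERVICES = {"telnet", "ftp", "smbv1"}  # services that must be removed


@dataclass
class Posture:
    """Constructed posture report a NAC agent might collect from a device."""
    device_id: str
    org_managed: bool            # solution 1: only organization-provided systems
    last_patch_date: date        # requirement 1: service packs and critical patches
    av_running: bool             # requirement 2: endpoint protection present
    av_signature_date: date      # requirement 2: ... and up to date
    running_services: Set[str]   # requirement 3: unnecessary services removed
    user_is_local_admin: bool    # requirement 4: least privilege enforced


def evaluate_posture(p: Posture, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the first."""
    failures: List[str] = []
    if not p.org_managed:
        failures.append("device is not organization-managed")
    if p.last_patch_date < REQUIRED_PATCH_LEVEL:
        failures.append("missing critical patches")
    stale = (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS
    if not p.av_running or stale:
        failures.append("endpoint protection missing or stale")
    extra = p.running_services & DISALLOWED_SERVICES
    if extra:
        failures.append("unnecessary services enabled: " + ", ".join(sorted(extra)))
    if p.user_is_local_admin:
        failures.append("least privilege not enforced: user is local administrator")
    return (not failures, failures)


# Constructed sample reports for a compliant and a non-compliant laptop.
TODAY = date(2021, 10, 21)
COMPLIANT = Posture("lt-001", True, date(2021, 10, 14), True, date(2021, 10, 20),
                    {"sshd", "vpn-agent"}, False)
NONCOMPLIANT = Posture("lt-002", True, date(2021, 9, 1), True, date(2021, 10, 10),
                       {"telnet", "sshd"}, True)

if __name__ == "__main__":
    for report in (COMPLIANT, NONCOMPLIANT):
        allowed, reasons = evaluate_posture(report, TODAY)
        print(report.device_id, "ALLOW" if allowed else "DENY", reasons)
```

A real NAC would gather these attributes from an agent or an agentless scan; the decision logic, which denies on any failed control and logs every reason, is the part shown here.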

Avoiding risks, in the case of a VPN, would mean not taking on the technology, thereby not taking on the risks introduced by that technology.

To do this, organizations can opt to use other remote access technologies. For example, remote control software such as Citrix or Microsoft’s Remote Desktop (RDP) allows remote users to control a (typically virtual) system residing on the local network. Remote control merely sends keystrokes, mouse clicks and screenshots over the network, so malware is very unlikely to spread through these communications. Using alternative technologies is an example of avoiding risk.

As with all risk management, we must first assess risks to determine what they are. Then we must deal with each risk by either mitigating it, transferring it, avoiding it or accepting it.

A crucial step in digital risk mitigation is a solid and reliable endpoint protection platform. BrightScan is a cloud-based, blockchain-powered endpoint protection platform that can be customized to fit your needs and is user-friendly enough for the home office and powerful enough to protect large enterprises.

Contact our Head of Sales, Jourdan Parkinson, to schedule a free demo of our cloud-based EPP, BrightScan, or just to chat about how our products can work for you.

For more of the latest in cybersecurity, subscribe to DefenseArk’s blog right here on Medium. In addition to Threat-Intel Thursdays, we also write about breaking news, thought leadership, and deep-dives into cyber intel.

About the Author: Ted Udelson, PMP, CISSP, Security+, Network+, A+ is the chief learning officer and cofounder of Succinctive Training, LLC. Ted is also the author of “The Complete, Compact CISSP Study Program: How to Pass the Damn Exam!” Ted brings his over 35 years of experience in information security and technology to inform his writing for #threatintelthursday.
