Protecting payment data
As companies shift to incorporate more remote work, payment data security often comes into question. Employees are accessing enterprise data from a variety of environments. Companies need to understand how to implement tools and technology in these environments in a secure way that will protect data from threat actors. VPNs are a popular tool that can help businesses make sure outside users are authorized and that transmitted data is encrypted. This blog will explore the security considerations and threat trends associated with using a VPN and will help readers know what to look out for when choosing a VPN provider.
VPN cyber attacks in the news
Threat actors are hammering virtual private network (VPN) providers with attack after attack. In the first week of March 2021 alone, hackers stole the data of over 21 million mobile VPN app users and sold it online. And in July of last year, seven VPN services leaked the data of over 20 million users.
Horror stories like these riddle cybersecurity headlines and call the security of the entire VPN ecosystem into question. So-called “free” VPNs pose an enormous risk to users, and security researchers recently revealed that over 105 million users of free VPN apps in the Google Play Store could potentially be compromised. Many of these apps have been removed from the Google Play Store, but unfortunately, VPN breaches continue to escalate. As of now, there are nearly 500 known VPN vulnerabilities registered in the CVE database.
So, how secure are VPN providers? And how do you know what signs to look for when many providers are breaking the promises made in their privacy policies? This blog article will explore this issue as well as help you understand “no-log” or “zero-log” VPNs.
How do VPNs work?
When you install and use a VPN, it acts as an intermediary, rerouting your Internet data traffic onto a private server and through an encrypted, secure pipeline to and from your destination. Your data traffic will appear to come from the server, not your device’s IP address.
You can purchase a VPN directly from a VPN provider website, or through the Apple App Store or Google Play Store.
Due to the COVID pandemic, VPNs have exploded in popularity. They are a great tool to help employees work remotely or connect to a country outside of their geographic region. For companies that want to provide their employees with privacy, anonymity, and security, VPNs can help employees create a secure connection across public networks.
VPNs can be used in a variety of situations. For example, when companies want the confidence that their data is encrypted from end to end or when users work from public places like hotels, coffee shops, or in their cars and want to ensure their location is private and their connection is secure. Some people install VPNs at home so they can watch TV shows or sporting events that are restricted in their country.
VPN popularity matched by threats and attacks
Today, global VPN usage has increased to unprecedented levels. Between March 8 and 22, 2020, VPN provider Atlas reported a 124% surge. Threat actors have taken notice and are gravitating toward VPN-related attack opportunities.
The 2021 VPN Risk Report reveals the current state of VPNs; their vulnerabilities, risks, and the entire remote access environment. The report highlights some pretty remarkable stats, with 93% of companies reporting that they leverage VPN services in their environment, and 94% of all those surveyed indicating they are aware cybercriminals are targeting VPNs.
In short, threat actors know that with the global shift to remote work, businesses and individuals are using VPNs more than ever.
Here are some of the risks, vulnerabilities, and lessons learned about VPN security
1. Are there more up-to-date options?
- VPN technology is nearly 30 years old and can introduce risk to your business. There are many remote access options available beyond VPNs that can help you reduce your attack surface. Consider researching some of these remote access technologies as alternatives to a VPN.
2. Is your VPN connected?
- One of the major risks of using a VPN is that they can disconnect randomly–sometimes unbeknownst to employees. One of the more important features of a modern VPN is the “kill switch.” This feature will disconnect your device from the Internet should the VPN disconnect and will automatically prevent your information from being exposed. Keep in mind that not all kill switches are created equal. Many VPN providers have broken features which means they may NOT effectively block traffic or provide data leak protection. Remember, it only takes one leaked packet to expose your company's information, identity, or activities to third parties.
3. Is your VPN securing data as intended?
- Since there is a lack of visual cues, it can be challenging for employees to know if the VPN is securing data correctly after it’s connected. One study found 84% of Android VPN apps leaked the user’s IP address. In other words, not all VPN services maintain your privacy and security. The last thing you want is a leak of your IP address and/or DNS requests. Do your homework and find out which encryption standards a VPN service uses.
4. Do you know which standards your VPN uses?
- The entire VPN industry has a lack of encryption standards–which highlights your need to perform due diligence. This article does a great job explaining VPN standards by cutting through providers’ marketing claims. Bottom line, you want to do your homework to ensure strong end-to-end encryption.
5. Be sure you perform your own VPN tests and location checks. It’s always a good idea to “trust but verify” that your VPN is working as intended. There are basic tests and advanced tests:
- Basic VPN tests: You can check in a variety of ways–including visiting websites like these–which will determine your location. A second option to check if your VPN is working is to use the “find my location” feature on your device. This provides users with the accurate, true location based on a chosen geographic area. So if you connect your VPN through Great Britain, then you should see Great Britain as the VPN location.
- Advanced VPN tests: If you have a little more technical proficiency (such as using GitHub), then you may want to play around with some in-depth testing tools to find VPN leaks. You can find a great list of instructions and guidance here.
6. Be sure you understand “no-log” or “zero-log” VPNs.
- As we covered earlier in this blog article, VPNs are being breached, and their privacy policies should raise red flags for you. Breached VPN providers are facing consequences because they market the claim that they don’t keep your logs or data. Their website and apps, as well as their marketing and promotional materials, highlight this claim over and over, but they were keeping logs. Perform your own research of “no-log” or “zero-log” VPN services by visiting a website like this.
Should you use a free VPN?
No; avoid free VPNs. Free VPNs shouldn’t be considered for use to protect your business or users. They are very tempting because they are free; however, you must be aware that at some point the VPN–or any mobile app–is collecting user data to be sold to third parties. Oftentimes, the app is free because expenses are paid by third-party advertisers.
Trust and data security are priorities
Remember that you want security for your data and trust in your company–they are valuable to you, and they do come with a cost. Use these tips to confidently research and choose a VPN service for your business.
To learn more about protecting your business locations from cyberattacks, visit this website.
Matt Heffelfinger–"Heff" is preferred–is a Utah based cybersecurity professional and serves as SecurityMetrics Director of SIEM Operations. His primary wheelhouse includes leading the SecurityMetrics Security Operations Center (SOC) and Threat Intelligence Teams for multiple clients both in the USA and globally. With over 15 years of global cybersecurity experience, his career stops include Caesars Entertainment, TJX, Inc., General Electric, NBC Television and the Las Vegas Sands Corp.