Virtual Pwnd Network – What VPN Should Really Stand For

As a first responder to a majority of the largest security events of this century I can say with great confidence that 3rd party relationships and VPN tunnels into your private network are a high risk venture.  What policies and governance do you have to address this high risk component of your network?  Do you audit your VPN solutions?  Do you audit your third party providers – even before you decide to take them on in a contractual manner?  Every company should consider their business partners and solution providers one of their most important allies and risks – they’re inside the walls of your network, they are trusted, and you don’t have full control or visibility into their network, security risk practices, or people.

In 2004 when Sven Jaschan launched the Sasser worm it made world news as a worm fully automated to spread throughout networks globally.  What many people don’t know is that the worm contained a special condition related to Internet connectivity.  If it found that it had no external Internet connection it would immediately implode, attack the internal network instead.  This is exactly what happened in one case where an infected laptop from a 3rd party vendor remote VPN’d into a secure network that had no external Internet access.  The result was a complete disruption of the entire facility as Sasser wreaked havoc in seconds.  Super secure network – super easy to take down via the VPN connection.

In a recent case involving anomalies over the network a 4D5A Security employee said that VPN is “…like a straw in a drink”.  You don’t have much visibility and can often run into visibility issues dependent upon the architecture and security solutions that are put into place over your VPN connection.  The employee further elaborated saying “What if the ‘drink’ on the other end of the VPN is battery acid?  That will not go well for you.”

We all know insider risk is what will often hurt the most, but often is overlooked because we tend to trust the people we hire and work within inside of our own company.  I suggest that we re-evaluate the way we look at insider risk, rating our trusted 3rd partner vendors and partners our HIGHEST insider risk that must show compliance, good security practices and so forth.  More important, ensure that you have visibility into physical and virtual access to your networks to ensure you have visibility into possible data leakage issues, risk related to tangential malware threats, and similar vectors all too common in breaches of this century.