
Unsecured VPN Access Becomes Leading RPOC for Ransomware

October 09, 2024


VPN (Virtual Private Network) access is a critical component of enterprise networks. But if it is not properly managed, the lack of security controls around this type of access can become a company’s most critical security exposure.

Multiple prolific ransomware groups continue to successfully compromise US-based companies across all industry verticals by targeting SSL VPN login sites with unsophisticated, well-established techniques. Easily accessible brute-forcing tools and previously compromised credentials are being leveraged at scale against internet-exposed VPN login pages that are easy to discover.

VPN accounts lacking MFA (Multi-Factor Authentication) protection now constitute the leading RPOC (Root Point of Compromise) of successful ransomware attacks. Some of the most publicized ransomware compromises of the last year were the result of VPN account credentials not protected by MFA, and while often not part of the news cycle, smaller organizations have also been widely targeted. The ransomware threat is not exclusive to large enterprise networks.

Brute-forcing, password spraying, and credential stuffing attacks can be prevented through the comprehensive deployment of an MFA solution. MFA also prevents threat actors from successfully using valid credentials exfiltrated by infostealers or previous malware infections. It is critical that MFA is configured for all VPN user accounts.

It is critical that organizations implement multiple security controls to protect their VPN from ransomware attacks:

  • Regularly audit VPN security groups to ensure access is provisioned only to accounts that require VPN access, including local users on the VPN appliance.
  • Ensure every user account (including vendor, service provider and test accounts) is protected by MFA.
  • Deny IP connections and authentication from anonymizing software such as TOR (The Onion Router) and from unauthorized VPN services and proxies.
  • Important: Geolocation blocking alone is not effective; ransomware operators easily circumvent it by using US-based proxies and VPN services.
  • Ensure account lockout policies are configured to prevent repeated brute-forcing attempts from succeeding.
  • Implement “Impossible Travel” rules that deny consecutive login attempts to the same account from IP ranges in locations the user could not have travelled between in the elapsed time.
  • Implement policies that enforce password complexity.
  • Ensure default accounts are disabled and default passwords are reset.
  • Consider creating an IP allow list to limit VPN access to specific IPs.
  • Require a signed certificate for all SSL VPN connections.
  • Monitor, patch and audit VPN servers thoroughly; consider a managed cloud solution; and ensure MFA is enabled on all accounts.
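Three of the controls above (lockout policies against brute-forcing, detection of password spraying across many accounts, and “Impossible Travel” rules) can be checked against the VPN appliance’s own authentication log. The script below is an added example written for this article, not code from LAMMICO or any VPN vendor: it runs over a constructed sample log in a hypothetical `timestamp result user=… src=…` format and uses a hypothetical /24-prefix geolocation table in place of a real GeoIP database. The thresholds (5 accounts in 5 minutes, 5 failures in 10 minutes, 900 km/h) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample of SSL VPN authentication events (not real log data).
# Hypothetical format per line: <ISO-8601 timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-10-01T08:00:01Z FAIL user=alice src=203.0.113.10
2024-10-01T08:00:02Z FAIL user=bob src=203.0.113.10
2024-10-01T08:00:03Z FAIL user=carol src=203.0.113.10
2024-10-01T08:00:04Z FAIL user=dave src=203.0.113.10
2024-10-01T08:00:05Z FAIL user=erin src=203.0.113.10
2024-10-01T08:05:00Z FAIL user=svc-backup src=198.51.100.7
2024-10-01T08:05:10Z FAIL user=svc-backup src=198.51.100.7
2024-10-01T08:05:20Z FAIL user=svc-backup src=198.51.100.7
2024-10-01T08:05:30Z FAIL user=svc-backup src=198.51.100.7
2024-10-01T08:05:40Z FAIL user=svc-backup src=198.51.100.7
2024-10-01T09:00:00Z OK user=alice src=192.0.2.5
2024-10-01T09:30:00Z OK user=alice src=203.0.113.77
2024-10-01T10:00:00Z OK user=bob src=198.51.100.20
2024-10-01T12:00:00Z OK user=bob src=198.51.100.21
"""

# Hypothetical geolocation table keyed by /24 prefix; a real deployment would
# query a GeoIP database instead. Values: (latitude, longitude, label).
GEO_BY_PREFIX = {
    "192.0.2": (29.95, -90.07, "New Orleans"),
    "203.0.113": (34.05, -118.24, "Los Angeles"),
    "198.51.100": (41.88, -87.63, "Chicago"),
}


def parse_log(text):
    """Turn the text log into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def _failures_grouped(events, key):
    """Group failed logins by the given field ('src' or 'user')."""
    groups = defaultdict(list)
    for e in events:
        if not e["ok"]:
            groups[e[key]].append(e)
    return groups


def detect_password_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Source IPs that fail against >= min_users distinct accounts inside one window."""
    flagged = set()
    for src, fails in _failures_grouped(events, "src").items():
        for i, first in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts hit by >= threshold failures inside one window (what a lockout policy should stop)."""
    flagged = set()
    for user, fails in _failures_grouped(events, "user").items():
        for i, first in enumerate(fails):
            if sum(1 for f in fails[i:] if f["ts"] - first["ts"] <= window) >= threshold:
                flagged.add(user)
                break
    return flagged


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def geolocate(ip):
    """Look up the /24 prefix in the hypothetical table; None if unknown."""
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0])


def detect_impossible_travel(events, max_kmh=900.0):
    """Consecutive successful logins by one account whose implied speed exceeds max_kmh."""
    last_ok, flagged = {}, []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_ok.get(e["user"])
        if prev is not None:
            here, there = geolocate(prev["src"]), geolocate(e["src"])
            if here and there:
                # Floor elapsed time at one second so two logins in the same second do not divide by zero.
                hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
                if haversine_km(here[:2], there[:2]) / hours > max_kmh:
                    flagged.append((e["user"], prev["src"], e["src"]))
        last_ok[e["user"]] = e
    return flagged


def analyze(text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {
        "password_spray": detect_password_spray(events),
        "brute_force": detect_brute_force(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {sorted(hits) if hits else 'none'}")
```

On the sample data the spraying source is caught because it touches five different accounts in seconds while each account sees only one failure, the service account is caught because one account absorbs five failures that a lockout policy would have cut short, and the two Chicago logins two hours apart are not flagged while the New Orleans to Los Angeles pair thirty minutes apart is. A successful login that immediately follows a flagged spray or brute-force run is the event to escalate first.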

Cybersecurity Resources for LAMMICO Insureds

TMHCC CyberNET®

In partnership with our cyber risk experts, Tokio Marine HCC – Cyber & Professional Lines Group (TMHCC), LAMMICO provides policyholders complimentary access to TMHCC CyberNET®. CyberNET® helps you and your organization understand the cyber risks you face with access to expert cyber risk advisors when you need them, plus 24/7 online training courses, best practices, compliance and incident response guidelines, sample policies, and vendor agreement templates. Registered lammico.com Members are encouraged to log in to access the TMHCC CyberNET® portal. 

MEDEFENSE® Plus/Cyber Liability Insurance Coverage and Higher Limits

LAMMICO includes $10,000 of MEDEFENSE® Plus/Cyber Liability coverage in most provider policies at no additional charge to the insured. We also offer higher limits of protection through our subsidiary agency, Elatas Risk Partners, subject to underwriting, which will include questions regarding multi-factor authentication and backup processes and procedures. Please contact Carly Thames, Elatas Account Executive, at cthames@lammico.com or 225.906.2062, for information on higher limits of Cyber Liability insurance.
