One significant aspect of the change to the work environment in recent years has been the emergence of the road warrior, the mobile worker. In essence, the difference between the main office worker using a desktop PC connected to the corporate network and the remote worker using a smart device has been removed.
This has been helped by the major improvements in connectivity in both the smart devices themselves, and the ability to use wireless networks in public and private spaces to make the connection with the corporate network.
As with all things, there is a downside to this new arrangement. If your staff can connect, then so can anyone else with access to Wifi. The need for security is clear.
At first, keeping the ability to connect secret was deemed sufficient, but not for long.
A simple challenge/response with a password control scenario to be able to use the connection was quickly added, but that was fairly easily cracked, and something new was needed.
Encryption became the Holy Grail and was added to the connection requirements. This morphed into a Virtual Private Network, (“VPN”) a dedicated tunnel connection between the staff member’s smart device and the corporate network supporting the encrypted data transfer. A VPN uses the Internet, but only as a carrier.
In the current incarnation, a user initiates a connection using VPN client software on their smart device, the remote client. The client then takes over, contacting the corporate network over the Wifi or cellular connection to the Internet and negotiating a session between the two with one-off credentials and encryption keys. Sometimes the user is asked to provide credentials to be able to use the remote client.
This should provide sufficient security to protect online privacy and prevent data theft.
However, that will always not always be the case, and the savvy IT Head needs to make sure that the VPN environment they use has not been breached and cannot easily be breached. This means testing, and Penetration Testing is one way of trying to breach the VPN security.
Penetration Testing often called pen testing, is a technique to simulate an attack on your VPN to see if a hacker can enter your systems by breaking into it. If the Penetration Test is successful, IT can see what they need to automatically detect an attack and the countermeasures that are needed
The first level of testing is the White test, where the attacker has access to full information, including the VPN client to be used and the various IP addresses and site addresses. All the hacker then needs are the various credentials to the VPN client and the remote systems. A current or recently former employee may have access to this information.
A black-box test is probably more likely to be that employed by a hacker. In this case, the hacker has access to only the publicly available information and will need to carry out some research to find out more. A phishing email might be one way to try.
A third variant is the grey box test as a mixture of the two. The amount of information supplied is tailored to the type of test to be carried out.
While a VPN is considered as one of the most secure methods of remote connection, the 100,000 dollar question is “Does Pen Testing work?”. To answer that, we must ask, why and when should we carry out the testing?
Your systems are at their most vulnerable during and just after systems upgrades, both hardware, and software. Upgrades might introduce new vulnerabilities and compatibility issues between different software versions. Carry out a PEN test as part of the upgrade project.
The results are a good indicator of any revisions to your counter-measure programme that might be needed. You may need to revise software configurations and perhaps retrain your network security staff in the new features.
Malware and hack attacks are not a static environment. You should have a regular pen test to tell you the defensive status of your network environment and the effectiveness of your countermeasures.
As to pen tests themselves, you should have one test specifically designed to stress your VPN. Often a VPN, because it is carried on the Internet, potentially through several different supplier systems, can acquire new vulnerabilities without you necessarily being aware of them. So it is essential to check the security of the VPN regularly.
As an example, a common threat is the so-called middle-man exploit, where your traffic is intercepted as it passes through the Internet. While a VPN goes a long way to protecting against this threat, a change en-route could unwittingly allow a middle-man exploit to be carried out. That is why regular penetration testing is essential.
Overall, a VPN is the best and most efficient way to protect your online privacy and security of your information, b yr needs regular checking.