IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
VPN and BYOD: what are the risks?
Tue, 9th Feb 2016
FYI, this story is more than a year old

As employees become more technologically savvy, organisations need to think about what risks there are as those employees access corporate networks.

According to NETSCOUT's Fluke Networks, the technology behind VPNs has become less expensive, and tech savvy employees are able to set up their own consumer-grade VPN. This creates security issues.

Virtual private networks (VPNs) began as a way for large companies to communicate with remote offices securely.

“The problem is, most workers and enterprises don't realise that the private, inexpensive VPN alternatives offered to most consumers are not adequate for business use,” says Amit Rao, APAC director, NETSCOUT's Fluke Networks Enterprise Solutions.

“If you have remote workers accessing your secure systems via a personal VPN and unsecure Wi-Fi, you have security issues you didn't even realise.

The reason many private VPNs are not secure is because of a vulnerability known as IPv6 (Internet Protocol version 6) leakage, Rao says.

This leakage can expose a user's information as they use the internet, including the websites they visit and the actual content of their private communications.

The vulnerability is evident in computers as well as mobile devices.

It occurs when network operators deploy IPv6 while VPN providers are only providing protection for IPv4 traffic.

“The vulnerability doesn't necessarily leak information unless there is an active attack,” says Rao.

“Plus, the information is not leaked as long as the user is accessing Internet content protected by HTTPS as opposed to non-secure pages, which only use HTTP.

Organisations can make sure this VPN vulnerability is not a threat to systems and networks by providing workers who need to use insecure public Wi-Fi with an enterprise-grade VPN. Business-level VPNs are not subject to this particular vulnerability.

“There are other steps that the IT department can take that will make workers' internet use and communications even more secure,” says Rao:

  • Consider switching to Linux operating systems on machines that access the most sensitive data and systems on your network. There are fewer instances of malware targeted at Linux systems, and some of the Linux distributions are designed to offer a high level of security, such as Ubuntu and Mint.
  • Avoid using Tor 'onion routing' for anonymity and privacy online. Tor comes with some serious risks that could outweigh any benefits of keeping data away from prying eyes.

“Privacy and security for remote workers is critical, so it is important that organisations consider all the alternatives to mitigate the risk,” says Rao.