
VPN and BYOD: what are the risks?

09 Feb 2016

As employees become more technologically savvy, organisations need to think about what risks there are as those employees access corporate networks.

According to NETSCOUT’s Fluke Networks, the technology behind VPNs has become less expensive, and tech-savvy employees are able to set up their own consumer-grade VPN. This creates security issues.

Virtual private networks (VPNs) began as a way for large companies to communicate with remote offices securely.

“The problem is, most workers and enterprises don’t realise that the private, inexpensive VPN alternatives offered to most consumers are not adequate for business use,” says Amit Rao, APAC director, NETSCOUT’s Fluke Networks Enterprise Solutions.

“If you have remote workers accessing your secure systems via a personal VPN and unsecure Wi-Fi, you have security issues you didn't even realise.”

Many private VPNs are not secure because of a vulnerability known as IPv6 (Internet Protocol version 6) leakage, Rao says.

This leakage can expose a user's information as they use the internet, including the websites they visit and the actual content of their private communications.

The vulnerability is evident in computers as well as mobile devices.

It occurs when network operators deploy IPv6 while VPN providers are only providing protection for IPv4 traffic.

“The vulnerability doesn't necessarily leak information unless there is an active attack,” says Rao.

“Plus, the information is not leaked as long as the user is accessing Internet content protected by HTTPS as opposed to non-secure pages, which only use HTTP.”

Organisations can make sure this VPN vulnerability is not a threat to systems and networks by providing workers who need to use insecure public Wi-Fi with an enterprise-grade VPN. Business-level VPNs are not subject to this particular vulnerability.
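The leak condition described above (IPv6 deployed on the network while the VPN only covers IPv4) can be checked on a Linux client from its routing tables. The following is an added example, not part of the original article: the route listings are constructed, and the interface names (`tun0`, `wlan0`), probe addresses and function names are assumptions.

```python
import ipaddress

# Constructed `ip -4 route show` / `ip -6 route show` output for a dual-stack
# laptop with a VPN on tun0 (interface names and addresses are made up).
V4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""
V6_LEAKY = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 600
"""
# Same host once the VPN also installs IPv6 routes through the tunnel.
V6_TUNNELLED = "::/1 dev tun0 metric 50\n8000::/1 dev tun0 metric 50\n" + V6_LEAKY
# Same host with IPv6 egress blocked instead of tunnelled.
V6_BLOCKED = "unreachable default dev lo metric 1\n" + V6_LEAKY
# Documentation-range addresses standing in for arbitrary internet hosts.
PROBE4, PROBE6 = "198.51.100.1", "2001:db8:ffff::1"

def egress(route_text, probe):
    """Longest-prefix match: interface name, 'blocked', or None (no route)."""
    dst = ipaddress.ip_address(probe)
    best_key, best = None, None
    for line in route_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        blocked = tok[0] in ("unreachable", "blackhole", "prohibit")
        if blocked:
            tok = tok[1:]
        prefix = tok[0]
        if prefix == "default":
            prefix = "0.0.0.0/0" if dst.version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types this sketch does not model
        if dst not in net:
            continue
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
        if best_key is None or key > best_key:
            dev = tok[tok.index("dev") + 1] if "dev" in tok else None
            best_key, best = key, "blocked" if blocked else dev
    return best

def ipv6_leaks(v4_routes, v6_routes, tunnel="tun0"):
    """True when IPv4 egress uses the tunnel but IPv6 egress bypasses it."""
    v6 = egress(v6_routes, PROBE6)
    return egress(v4_routes, PROBE4) == tunnel and v6 not in (tunnel, "blocked", None)
```

On a real client the two listings would come from `ip -4 route show` and `ip -6 route show` taken while the VPN is connected.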

“There are other steps that the IT department can take that will make workers’ internet use and communications even more secure,” says Rao: 

  • Consider switching to Linux operating systems on machines that access the most sensitive data and systems on your network. There are fewer instances of malware targeted at Linux systems, and some of the Linux distributions are designed to offer a high level of security, such as Ubuntu and Mint.
  • Avoid using Tor 'onion routing' for anonymity and privacy online. Tor comes with some serious risks that could outweigh any benefits of keeping data away from prying eyes.

“Privacy and security for remote workers is critical, so it is important that organisations consider all the alternatives to mitigate the risk,” says Rao.
