Are VPNs Secure? Insights on the Risks, and the Ivanti Breach

Speaker 1: 0:00

All right, welcome to the audit presented by it audit labs. My name is Joshua Schmidt. I'm the producer. We are joined today by Nick Melham and Eric Brown. We're going to be talking about VPNs and even diving into a little bit of a news article about the Avanti Breach and the exploitations around the VPNs VPNs there. So we're gonna get started out. Eric, can you give us kind of a background on VPNs how they're used, how they work, what are they good?

Speaker 2: 0:26

for yeah, absolutely yeah, josh. So VPN, virtual private network, it gets more complicated from there, but essentially what it does is it is a piece of software that interacts with the network, the internet, the network in your house and your computer to form a private tunnel, if you will. So to use maybe an analogy, a physical analogy. So you're going from your own, the highway, and you're going from one side of a mountain to the other and there's a tunnel that's blasted through the mountain. That tunnel you could perceive that as a VPN right, it's a point to point connection that the only way to get into the tunnel is to enter it on one side and then you exit on the other, and it's bi directional, so you could go either way. And the virtual piece is that means that it can be set up and taken down really from anywhere on the internet. So at home or at work, you can establish a VPN connection between two computers and then any traffic that passes along that tunnel should, in theory, be encrypted and not visible to anyone else. So any data that's entering the network from the PC side or the computer side goes through this virtual private tunnel and it exits somewhere else. But nothing has intercepted that traffic in between. So to take a step further, and why is that important? Well, when we're at home, for example, and sitting on the couch with our phone or our laptop and we're browsing the internet, that traffic is touching multiple networks. So it's going out from our computer, it's likely hitting our wireless access point, and that wireless access point is connected to our internet router and then from that router it connects to our internet service provider. Isp, connects to many devices on their network and then from that ISP, be it whoever you like. Comcast is a popular one in this area, but there are lots of internet service providers. So it goes from that Comcast or that Xfinity connection to another network and then potentially to three, four, five, dozens of other networks until it arrives at its destination.

Speaker 2: 3:23

So when the internet was developed, we kind of took physical aspects of the world around us and we made that into a virtual connection. So the way computers talk to each other is through through packets, packet of data. And just think of that as me mailing Nick a letter which, by the way, I did the other week and he still hasn't gotten it yet, even though it was set priority, nick, but anyway goes from me to the post office and then it's routed in trucks and buildings to, to. Finally it gets to its destination and those packets are what carry information across the internet. So if you think about the bringing it back to the VPN, sent Nick a package and at any point in time, as it's going from one post office into a van or a truck or an airplane, someone could open that package and look at the contents. Then you know, re tape it and move it along to its next destination. And Nick or I would not know that that had really occurred unless we had some sophisticated controls around that package. Then you add on top of that well, there's, maybe there's, a signature guarantee, maybe there's not. So the carrier says they left it off on his front doorstep, maybe they didn't, maybe they didn't unless we have some sort of secure signature guarantee.

Speaker 2: 5:05

So bringing that back to the VPN, the VPN creates that virtual tunnel that essentially allows me to ship a package or a letter to Nick without anybody else having access to open that package. So think of it as I put that package in a van, I locked that van, that door, put that package in a cage, locked it up. Nobody else has the key and it goes from me. Once it gets in that van, you know to the carrier on the other side where that destination is. They unlock it and then they hand it to Nick so that we create that virtual private network between us and we can we can send packets or we can send information along that tunnel.

Speaker 2: 6:00

And that's important because we want to in some cases ensure that the data that we're sending between our computer and, say, our work or office environment, is not visible to anyone else. And that's important because we have standards like sieges, for example, or criminal justice information. So the data that the, the, the BCA or the FBI collect and disseminate to law enforcement offices, it's protected information. We don't want that information being viewed by people who aren't supposed to view it. And that's just one example of information that we would want to keep private.

Speaker 2: 6:52

So we wouldn't want that inner that, that traffic going over the internet unencrypted, I see, and unprotected. So we use that virtual private connection to essentially guarantee that the computer that I'm using it's going to be talking to the computer on the other end of the criminal justice information network is that traffic is encrypted and no one else can intercept that traffic. We're able to do that in our personal lives as well, and there are lots of VPN clients that we can use and install on our computers to make sure that the traffic that's coming out of our computers is private, and the only people who are able to see that traffic are ones that have access that that that we allow to, by either letting them participate on the other end of that tunnel or we're aware that they're on, say you know, our home network. Example of that is that you might have seen in everyday life is if you're overseas and you want to watch a Netflix show in the US you go to Netflix from your hotel room in Frankfurt, for example.

Speaker 2: 8:21

You may not be able to access the same shows on Netflix because you're outside of the country. But if you establish a VPN tunnel back to the US and you can pick hundreds of different points where you can hop off of that VPN tunnel, all of the traffic coming out of your computer is going to go over that VPN tunnel and come out at, say, a server in St Louis. So now Netflix thinks that you're coming from St Louis and then you can watch that. That show.

Speaker 2: 8:56

And I should say I'm speaking in generalizations that's against the agreement that that that Netflix has with its end users and they do filter that traffic.

Speaker 2: 9:11

So there are subscriptions that companies can purchase that acquire IP addresses from VPN providers that make it known that this is a VPN IP address, that that is connecting to the Netflix server, and they disallow that. They've been because people were doing that. They've been getting more sophisticated in their controls to prevent that from happening. But that's just an example of how it might work. The other way and, unfortunately, a more malicious use of a VPN tunnel that we see is malicious actors from other countries connecting through VPN, say, from Russia into the US, getting that US IP address from a VPN provider and then working to attack US based companies, US based servers, and it appears that or server they don't have to be US based, but servers that could be anywhere but the servers then think that the person is coming from the US rather than coming from Russia, Because, let's say, by default, traffic from Russia, Iran, China, for example, might just be automatically blocked. Well, a way around that would be for that threat actor to establish a VPN connection in the US and then start their work.

Speaker 1: 10:55

So it sounds like on a personal level, VPNs are really useful for securing your online data, maybe some your shopping habits, keeping your data from being leaked to malicious actors, or even just two companies that you might not want to have access to your information. That will regurgitate that as a marketing effort or something of that nature. Is that correct?

Speaker 2: 11:19

It's a. It's a good point that you bring up Josh, and VPNs shouldn't necessarily give a false sense of security. Yes, if you establish a VPN connection from your computer in your house, that VPN connection to the, the terminating VPN server is going to be encrypted, so your ISP can't see that traffic right, all they see is the tunnel connection that's going out to that VPN service provider. There are other ways to protect your traffic. You can use a tour browser, which is a separate conversation around operating on the dark web, the dark net, and routing traffic anonymously through the onion network. And I'll put anonymously in quotes because it should be anonymous. But it's not always anonymous because of the way in which exit nodes can be built and brought online. Anything coming out of that exit node could potentially be analyzed to determine where that machine was coming from. But that's a more in depth conversation. From a VPN perspective, we get into privacy, but we also have companies that set what they call super cookies in our browsers and those super cookies persist beyond the browsing session. And the reason why that's important and dangerous is it allows companies to fingerprint our computer. So it doesn't matter if we set up that VPN tunnel and surf over that VPN tunnel, the, the super cookie, is going to report out our information so that, regardless of yes, the traffic wasn't intercepted between point A and B, from point B it's going out. It's going out to xyzcom and xyzcom is subscribing to a advertising or a marketing service that's doing analysis of people that use their websites and they're able to get that super cookie information, essentially of more detailed information about who is visiting their site, based on the, the, the data coming from that super cookie on that computer. I know you have a question, but I'm going to finish the thought, and that is around a while ago and this is going back, I want to say, seven years ish.

Speaker 2: 14:34

Companies were using information on people's browsers and computer types to charge different prices for services. An example was a hotel chain, and I don't remember which one it was. If an entity was coming to that hotel chain from a Mac computer, it was inferred that that customer may be willing to spend more money on a hotel room, so therefore the prices were inflated. And that was all done through fingerprinting, being able to get information from that particular browser. So that then came about the era of browsers, of being able to browse more anonymously, not being able to set super cookies.

Speaker 2: 15:40

That yes and no, because it also happens at the ISP level. So if you always connect through a VPN, awesome, but that one time that you don't, now your ISP is gathering information about you. You have their device in your home. It's gathering information about your browsing habits. Might not be your browsing habits on your computer, but somebody else in your home that's not using a VPN, getting information coming from that particular location and their browsing habits. There's billions of dollars, if not trillions, in advertising and getting as much information as they can about us to market specifically to us.

Speaker 1: 16:29

So, just to be clear, your ISP is collecting that data, whether it's CenturyLink or what have you. They're collecting and selling that information. Is there a sense of what the ratio is of how much they're taking in membership fees or internet access fees compared to what they're making on selling your information? Is that become kind of? The MO at this point Is to gather that information. Is that become more valuable than, say, your $75 a month CenturyLink bill?

Speaker 2: 17:00

We could go off the deep end here on this one, nick, I think, where ISPs are collecting this information, government entities are collecting this information off of the network layer and profiling and indexing everything about us. We could probably go down that rabbit hole too at some point, but yes, they are collecting it. These aren't beneficial organizations. They're not doing this out of the goodness of their hearts, so to speak. When you look at Google photos, google years ago started Google photos like hey, upload all your photos for free, we're going to store all your photos at no cost. Well, I mean, if we realistically think about that, google is not a benevolent uncle. It's a trillion dollar organization and they took all of that information that they collected from Google photos and they made relationship information.

Speaker 2: 18:15

Am I in a photo? Am I holding a Coke can? Who am I with in the photo? Where am I in the photo? Collecting all of that metadata, collecting all of that visible data and building relationships and algorithms to better sell to us as an individual. If you want to test that and you have some photos in Google photos if you have a photo that has some words in it, well, just type in a word like Pizza Hut and it'll find photos that you are in. If you're in Pizza Hut and there's that word there in the picture, it'll index that. So that's pretty interesting I mean interesting might not be the right word for it, but it's pretty interesting the sophistication of that image reading component that they're doing on trillions of pictures that they've amassed over the years and how they're analyzing them. So I'll pause here, nick, because you probably have some things to add to it too.

Speaker 3: 19:31

I was going to say we can definitely tell that how passionate Eric is about this and privacy, and I think it's safe to say that Eric doesn't back up his photos to Google for safety. I was just going to bring up earlier about being able to watch Netflix all over the world, checking what you want to see, but I did want to bring up or ask Eric another question, if I can. I was just curious Eric, are you running a VPN at home on your personal devices and, if so, just which one are you using?

Speaker 2: 20:04

Yeah, so I do use a VPN, but I use it selectively, like I don't always have it turned on, and I've used it at the router level before.

Speaker 3: 20:21

Is it the Eero network?

Speaker 2: 20:23

Oh, so Eero devices? Yeah, product owned by purchase by Amazon. But you can essentially take a Linksys router and you install a different operating system on it that will allow you to essentially set up a VPN with your VPN provider of choice so that everything that comes out of your house is, or out of your network is, going over that VPN Pros and cons to that. Of course, if everything is going over that tunnel, there may be certain sites that restrict access to you, but it's kind of a personal choice of how far down the rabbit hole you want to go on either side. The one thing I would point out is that if you are using a VPN connection that's not provided to you from your organization, make sure that you're not using a free VPN client, so that free VPN client is going to. I mean, again, nobody's giving anything away for free. It's not charity organizations. They're going to be collecting information about you and now they have access to all of your browsing habits based on you going through their pipe to the network or wherever you're going to the internet or wherever you're going.

Speaker 2: 22:03

So if you are interested in going down the personal VPN routes, you want to look at a few things, depending again on your level of interest in privacy. One of the things you might consider is a VPN that does not log activity. So there are some VPN providers that don't store any logs of your activity. So presumably you're connecting to the internet through them, you can imagine all of the data that's logged. If you don't want that data logged, go with a provider that guarantees that they don't log access, even with a government subpoena. And there are organizations that don't log because they don't even have the technical or they've disabled the technical capabilities to log. Another one might be a VPN like Proton VPN. That's a good one. Yeah, they don't even log. Their servers are not in the US, they're in Switzerland, so the US has no ability to extradite data from that environment. They're in stored, encrypted, et cetera, et cetera. But, nick, since you use them, anything else that you want to advocate for Proton?

Speaker 3: 23:34

Well, the biggest thing you said there was that the servers are not here. They don't have a cap. I think it's 10 gig bandwidth and that's a big piece for me. I have a 10 gig dedicated line running to my house and we have the Euro network or Euro, however you say it, but you can't put your own VPN on the router level there. You have to use their built-in and, like you said, I don't want to use it. It's free. It's a free service. Well, it's part of the package you can buy with them.

Speaker 3: 24:05

But either way, I like the Proton service because of all the items we were just discussing. But equally is not logging and the data is not in the United States. The bandwidth is one of the bigger pieces for me and it is relatively inexpensive. I think you can get a lifetime subscription and it's $40, $50 a year Don't quote me on that Just never had a problem with it. I also use their email service as well. Quick plug for them. If you're not using Proton Mail, who knows what's happening with that data? But as far as VPNs go, I would definitely recommend checking out the Proton one, especially because I've used other services and for some reason, I feel like I would always run into issues with connectivity or getting flagged with something, or it was just a clunky experience, and maybe that was just my own experience. Josh, are you furrowed using a VPN or do you have any experience with it?

Speaker 1: 25:06

Yeah, so I'm using ExpressVPN. I'm not sure how that stacks up against the other ones. Proton sounds really interesting. The other thing I've been considering is using the password manager or looking for one that offers ad blocker services, so it's an all-in-one security tool. I'd love to hear what you guys think about that. The other thing I would like to point out is I've used the VPN doing my browsing and shopping online, but I have noticed when I try to buy tickets on Ticketmaster that's one spot where I really have to shut off my VPN it will not let me buy the tickets to the Excel Energy Center or wherever I want to be going Pretty frustrating. But yeah, looking for an all-in-one package, proton sounds great, but if you guys have any more insights on how to choose one that's good for personal use, then also thinking about when you're working with an organization how do we choose a VPN if you're working with a client for IT audit labs, for example?

Speaker 3: 26:10

That's funny that you brought up the shopping thing, josh, because I was going to bring that up as well. We, through the Euro network, you're able to block malicious content, websites, anything you can think of. Every now and again, my wife will yell up and she can't get to a specific website to buy something. Maybe that's a good thing, maybe it's by design, but I have to implement that on our Amazon account.

Speaker 1: 26:34

Put a blur on that.

Speaker 3: 26:37

I was going to. Just you asked one of your other questions for organizations, I think, personally for me, the conversation we've been using VPN for years, but especially after 2020 with COVID organizations were sending everybody home. Not only everybody home, but then we had an influx of users figure out wow, this is going to stick, I don't need to stay in my home state where my organization is I'm one of them as well and but people started leaving, people started going on vacations, they started going out of the country, not only leaving the state, but whether that's okay with the organization is not up for us to debate. It was happening either way.

Speaker 3: 27:21

And one way to seamlessly make this a possibility is a VPN right. It still allows you to give that flexibility to your employees where they could. They could even print something back to a specific room that they're working on or what have you access those files in a safe manner from wherever they are. And then to Eric's point you might have a playbook on your firewall or wherever, and it's blocking traffic from a specific country. If you're traveling in or out with a VPN, you're able to trick that, whether you use that for malicious or not. We're talking about it as in an ethical way that we would use it. So lots there, but really for me, I probably started paying more attention to the reasons for how strong VPNs are during COVID, just because there was so much movement and there was a lot all at once.

Speaker 1: 28:16

So, eric, in your opinion, are VPNs a pretty good tool to keep things secure? I mean, we've seen some recent exploitations in the news. Are VPNs secure?

Speaker 2: 28:27

Well, that's an interesting question, Josh, and I think again, it depends on how they're used. They can be secure, and Nick gave some examples of how that might work. Things when we work with an organization that we would talk about are what's their use case for the VPN? What countries are they gonna be operating from? Some countries have encryption standards that don't allow devices to be encrypted or would unencrypt traffic at the network level. So that's part of the conversation that we'd have around the use case for the VPN.

Speaker 2: 29:07

But the way in which a lot of companies leverage cloud services now and the distribution of technology across their networks VPNing in from or connecting from different places around the country is becoming the standard of way of doing business. With cloud hosted services, it's pretty easy to get to those services from just about anywhere. So on the customer side on the corporate side, I think it's a little more complicated Most companies use VPNs. There are other ways to encrypt traffic without using a VPN. On the consumer side of things, vpns do add a level of security. The area to be cautious about is that it's not a false sense of security, and we talked about a couple of ways where it could be a false sense of security right when you see there's XYZ VPN company is a free VPN service and you install that.

Speaker 2: 30:16

You think you're good to go, but they're logging everything that you're doing and you might not be aware that that's happening, or there's other things, other technologies that are profiling you. Even if you do have a VPN service like Proton, there are other services that are logging what you're doing. So I think just about with everything, it comes with a multifaceted approach. In general, If you wanna be a little bit more secure and you wanna have that VPN in place to secure some of the network connections that you have, it's not a bad idea. Just know why you're doing it.

Speaker 1: 30:56

You guys are out there in the field working with organizations to mitigate their risk. Are you helping them select the appropriate VPN for their business, or what are some of your key considerations in choosing a VPN?

Speaker 2: 31:11

Sure, josh, we do. Some of the considerations that we have is what are they using today and is it working? Five years ago, I'd say, the VPN technologies were a little bit different and the way in which devices connected to the network were a little bit different. We've worked in municipalities that have a police force with computers in their cars that are always on and always connected through a VPN service, and, at the time, some of those the services that the law enforcement officers needed in those cars required a consistent IP address, so a VPN connection was a way with certain VPN services was a way to provide that consistent IP address, no matter where that vehicle was in the city.

Speaker 2: 32:05

The things that we're talking about now, though, are adaptability to service, so if we have organizations that use cloud for connectivity, it's all about speed. How are we getting consistent speed to that cloud rather than VPNing and this is going back a couple of years, right, this is still kind of the standard where people, employees, staff, what have you would VPN back into the central office or a satellite office, and then those satellite offices would connect into the central office, and then that central office would have the connection out to the cloud service provider. So you're doing a little bit of routing of traffic where everything is kind of funneling through one or more single points of failure. Now we're seeing more diversification to the cloud entities where you're working with an enterprise VPN type of service that you're riding over their network and you're, as a company, able to control policies through virtual firewalls on their network to get to your services. So if I need to get to Azure services at a company that I'm working with, rather than go through that kind of daisy chain of connecting VPNing into their corporate environment, bouncing around 16 hops later to get into that cloud, I'm now connecting into a point of presence east west or maybe central from the VPN provider that then has direct connections, say, into Azure, and I'm terminating off of that environment into the corporate Azure environment. All of that controlled through corporate firewall policy.

Speaker 2: 34:03

But I've gone from 16 hops to four. As an example. Long story short, you can tune enterprise VPNs to be able to provide better access to remote employees where in some cases Nick had mentioned, he's got a really high speed connection at his house it's probably higher than some company's internet connection, so he's not gonna be throttled by speed getting into Azure services if he's going through that VPN type of connection that I'm describing, versus VPNing back into a corporate network and then fighting with other users to get that bandwidth in a centralized pipe. I probably went down the rabbit hole on that, but, nick, I'll let you clean it up.

Speaker 3: 34:50

Yeah, no, you squeezed a lot of the juice there. The one portion I was gonna bring up something that I love and I think we do really well at IT Outlabs here is when we're providing those services, of what Eric's talking about curating a VPN. Another avenue that doesn't get talked about a whole lot and it's not quite as cool is the policy and procedure protection. How are you implementing after the implementation of the hardware? How are you following up with policies and procedure and drafting those and training staff? Let's say, every time you're gonna go to the Starbucks coffee shop, caribou, whatever your favorite coffee house is, the policy says you have to be connected to a VPN. Maybe you travel a lot for work. You have to be here in the airport.

Speaker 3: 35:31

I hope that nobody's connecting just directly, without a VPN, to that network. That's alarming. That would be scary to do that, especially at a coffee shop or an airport, even a hotel for the organization you know, eric. Eric talks so much about how we can tune the VPNs, but tuning a procedure, policies, training documents for a specific organization, to train staff and protect them for do's and don'ts for a VPN, I think as equally as important. We don't want to just install or bring a technology into the organization and throw our hands up and walk away. We want to. You know, hear it. I tell you, we see how important is to follow through and walk the whole step with, with those organizations.

Speaker 2: 36:15

Nick brings up a great point. On the policy side, some organizations choose to do what's called a split tunnel. So, nick, at home, you know he's on his laptop, his corporate laptop, doing work, but then, uh, oh, you know he wants to hit that cat video. Right, what's that new cat's name that you got? Is it General Mao or something? General Mao, general Mao. But you know he's got to hit that cat video.

Speaker 2: 36:46

The corporation's policy is going to split that traffic off. So he's going out his ISP, not over the VPN, to get that cat video. But then the corporate traffic is going over the VPN to get back to the company file share, for example. So we've seen all flavors of the above where companies will split off all Microsoft traffic because it's encrypted, so they'll just, they'll split it at the at the device. So that's going out over the ISP directly. It's all going over the ISP, of course, but it's going right from the ISP to um Microsoft. Or they might say well, we want all corporate traffic. If we're going to hit the file share, the intranet, whatever it is, that's going to come back to headquarters, so to speak, and then it's going to have access. That traffic will have access. So what we saw that happen with COVIDs, where people were going home, tons of people going home, all of a sudden, and then now everybody's hitting the corporate network.

Speaker 2: 37:59

Corporate network wasn't necessarily designed to have a majority of the workforce remote at the same time hitting internet services. So you know, you got 20 people hitting those cat videos, 200, 2000 people hitting those cat videos. Mixed in with business traffic is no bueno. So they would cut that off at the end point at the laptop, at the desktop on the remote network, send that over the internet and then just keep the important business traffic coming over the VPN. There are pros and cons to both approaches. One of the cons is if you're sending non work traffic directly out the ISP, the home internet ISP, how do you know if someone is clicking on a malicious link? Now their browser, they clicked on some garbage, their browser is now hijacked and that browser now is writing both networks, the dirty network to the ISP and the clean network to the VPN. So there's, these things have to be discussed, whiteboarded things have to be put in place to protect for that. You know there are ways to deal with that type of traffic, but I bring it up because it is an important consideration.

Speaker 3: 39:28

Let's really take a step and shout out the help desk people during the COVID they were the ones getting drug over the coals, all the phone calls that the VPNs weren't working or whatever. So quickly wanted to shout those guys and gals out on song heroes. Yeah, absolutely the front lines for it.

Speaker 1: 39:46

We could get a yard sign. You know they have the. You know first responders, the police, we just the help desk. Thank you sign. Yeah, so it sounds like there are some potential security risks associated with using a VPN in an organization.

Speaker 3: 40:01

Quickly, josh. Just want to comment on the last bit there. I think the best way to go about using a VPN is know that just because you flip the switch doesn't mean you're safe. I still would you know level of caution, treated as if you really have almost the same level of vulnerability. You have that anonymity right, you're protected, you're secure right, but still, just because you turn it on doesn't mean that nothing can happen to you or you can do whatever you want. Still, exercise caution when using a VPN, that you know things can still happen. But oftentimes, more than not, you're going to be much better off utilizing VPN technology, especially in a vulnerable place like an airport, hotel or coffee shop?

Speaker 2: 40:43

Absolutely, and I'm glad you brought that up, nick, because you know Josh, you said you used a VPN, nick, you used a VPN on your personal device when you are traveling. An episode on man in the middle attacks, which is what it's called when when a malicious wireless access point impersonates a real access point. So if you're in a coffee shop and you're connected to Starbucks, you think you're connected to Starbucks, but really you're connected to the dude in the hoodie sitting in the corner and he's grabbing all, or she is grabbing all of your traffic.

Speaker 3: 41:23

Pineapple.

Speaker 1: 41:24

It sounds like there are still some risks when using a VPN, whether it's personally or in your organization. We've seen some recent news articles about exploitation. Our technical articles been circling circling around the IT audit labs team this last week and caught my attention as well. It says a mass exploitation of a Vante VPN is infecting networks around the globe. Orbs that haven't acted yet should, even if it means suspending VPN services. Hackers suspected of working for the Chinese government are mass exploiting a pair of critical vulnerabilities that give them complete control over virtual private network appliances sold by a Vante. Researchers said Since we were circling this around, I wanted to bring it to the today's discussion around VPNs and kind of get your guys's take on this. How would you approach the situation? Sounds like they should just turn them off.

Speaker 3: 42:17

Yeah, I mean, turning off these VPNs is probably the best bet right away. Paul, the plug pivot to another technology if you've got people working off site. But those are just quick thoughts, eric, what was your first thought? What would you want to do in that situation? What would you want to do in that situation?

Speaker 2: 42:36

I was digressing on the attestation to the Chinese agency. I thought it actually was attributed to cozy bear, the Russian agency nation-state actor that was involved in some of the Microsoft breach that the Microsoft breach back in November. But anyway, you neither here nor there about the attestation of who was doing it. It was. It was a nation-state actor, chinese, russian I think that the new information is Russian. But, yeah, they exploit it and then they just hung out and and waited and Got very deep into into the, their environments, but specifically the, the exploits on this particular breach. It was two exploits. One of the exploits is what allowed them to have that Access, root access or or administrative access on a unauthenticated administrator, access to the device, which is is pretty concerning, and the the. The other one was an authentication bypass, but in, in non technical speak, essentially those devices are sitting out on the internet and the attacker with the right know-how Could exploit those devices and gain it an administrative foothold on them to then further move either into the organization or or laterally.

Speaker 2: 44:21

And I believe your question was what should organizations do? And you know, I think you know Nick had had one option there, just you know, do you pull the plug? I Think you have to Depends on the organization and what services they're offering. If they're offering critical services and and the only way into the organization is through that VPN you can, can you really shut that down? I don't know. It would be up to that organization's procedures on on how they're going to react to a Threat such as as this, especially in a known breach case. But that's what makes our work interesting, right?

Speaker 1: 45:08

there's a lot of different scenarios For for these types of things it sounds like, depending on the organization, the amount of data they contain and just the nature of their business, it could be several different answers to that question. How do you in general, address the challenges of managing and monitoring monitoring VPN usage and a large Workforce or a large organization?

Speaker 2: 45:36

So that's an interesting one, josh, because the VPN is essentially, it's just like another network. Large organizations will have many networks and this is just one type of connectivity, and I think the way in which to best monitor it is to log the, the traffic, have security tools in place that analyze the traffic, have a way to report on anomalies that are detected, and have some some form of human intervention In. In this particular case, the, you know they. The zero day was open for a while, it sounds like, and in quite a few endpoints, I think like 1700 of these VPN servers were or impacted. It's really tough to have sophisticated enough tools in your environment that can detect the, the slow and deep approach that a that a nation state actor is is going to have. Right, you're dealing with an adversary that has unlimited resources and these, these nation state actors, are successful in attacking companies like Microsoft, who has Resources that amount to more more than some small countries, right? So it's. I don't think there's a magic bullet or a silver bullet, however you want to call it, to Protect your organization. I think it comes down to having a great security discipline across the board of how you approach data on your network and Access to your network.

Speaker 2: 47:37

I, if I'm recalling this particular case, it was the original exploit May have been through a Device that was maybe an unpatched device on a network and I'm I apologize, I'm drawing a blank on exactly how they got In initially. I know, I know these devices are exploited because they have an unpatched vulnerability or a zero-day vulnerability On the internet, which is which is very bad. But I think it comes down to Going through scenarios of if this happened, how would we know? Right there, there's going to be Something different happening, almost a needle in a haystack, something different that's happening on on the network that is different than normal traffic and that malicious actor they're gonna try to blend their traffic in With everybody else, but at some point in time they're going to be doing something that they shouldn't be doing. That is a bit of an anomaly in in some cases, because it this is really complicated, but it's having tools that are able to operate at that level of sophistication.

Speaker 3: 48:57

Yeah, I'll follow up on that. There's there's a lot here, a lot of thoughts that I have on what organizations can do, and I'm probably not even gonna touch on them all now. I think one thing, a couple things that are overlooked. I know I bring up policies and procedures all the time. I think it's really important that organizations have an app owner, have somebody that owns these functionalities, that's constantly honing their craft here, practice what happens in this situation. This should not be tribal knowledge. This should be well known throughout the IT department. What are we gonna do in this situation? Draft a policy and procedure. This is a living and breathing document that's always evolving. Have those conversations with you younger, junior staff and then, you know, make sure that you're training your organization.

Speaker 3: 49:43

Cyber security, it work, all right, this isn't stopping the IT department, doesn't? You know? It's not just for for us to talk about. You know, we rely on people outside of the IT department to. You know, be cognizant of what's happening, to understand what's going on, to listen to the IT staff as well.

Speaker 3: 50:02

Another good thing would be for organizations and I'm digressing, but it's all comes back to protecting ourselves. You know, get a newsletter out. You know, don't be afraid to share these kinds of articles with your staff getting on it an update, patch management. Make sure that's happening. Have a third-party organization come in and audit these for best practices. This is not to point fingers or you know you've been doing this incorrectly To make anybody look bad. This is this is what we do every day. We keep up to date on best practices and we want to make sure that you're protected. So, having somebody come in, do a left seat, right seat to it. Not only educate yourself, but make sure you're doing things. You know from what we see. You cross many different organizations over over many years of work. You know, but summing it all up, you know it's, it's education, that's policies and procedures. We don't want anything to be tribal knowledge right, if I know it, eric and Josh should know it, or know where to find that information if I'm not there and this happens, or vice versa.

Speaker 3: 51:07

So there's a lot here, a lot to talk about. You know, the main things that people are gonna start with is making sure your software is up to date. Well, right, that's a given, but I think it's really overlooked is the training aspect and the auditing aspect, and then also policies and procedures to protect your organization. Now, I know the policies and procedures not gonna protect you from that. You know a Chinese nation-state actor. But you know, if you practice, you know you do those wrong tabletop exercises and you have these policies and procedures. Everything works in conjunction. Conjunction, you know, to protect your small organization or your large organization. And we could just keep going on this. But you know, those are just some of my quick-hitting thoughts that I think any organization Could implement and be and be much more secure right off the bat.

Speaker 1: 51:59

Well, you guys are very much experts on this topic. I've learned a lot today. Yeah, I would just encourage anyone that's Facing these issues or concerned about it to reach out to it. Audit labs we got the pros right here and I hope they informed you today and gave you a little bit to think about as we look to mitigate organizational risk, moving forward and Also to keep ourselves secure when we're browsing and doing our online business. Definitely think we'll bring this topic back up, so Thanks for your time today, nick and Eric. I hope to see you guys soon, and that will be it for today.