Have you also noticed the aggressive advertising campaigns for VPN providers, promoted by social media influencers and YouTube creators ?
As a security analyst, it’s incredibly annoying to hear them spread the lies they’re paid to tell their audience, especially when some of them are already aware that they’re spreading lies.
This blog is more of a rant than the usual technical articles I write; its main purpose is to make the average person aware but I’ll also discuss the presence of VPNs within enterprises.
Myths
Protection Against Hackers, Governments and Viruses
VPN providers claim to protect you from hackers and viruses, both in their own advertising and through thousands of content creators reciting the scripted lines they’ve been given.
Reality
How these VPN providers works
When you use a VPN, all your data, including potentially sensitive information, is sent through the VPN company’s network.
A VPN provider doesn’t offer protection against malware, hackers, phishing, or other social engineering attacks. Their infrastructure is not necessarily more secure than other networks, they can be hacked and already have been.
Don’t be fooled; they log, use, and sell your data, even if they advertise otherwise. You’re essentially shifting your trust from your actual Internet Service Provider to the VPN company.
VPN providers do have their uses: they can mask your real IP address and location. However, the risks associated with trusting a third-party service with all your data is not worth it for the average person.
Who really needs to use a VPN provider ?
The average person simply wants to watch content from Netflix or other streaming platforms that lack the rights to air specific content in various countries. VPN providers advertise that you can bypass these restrictions, and while sometimes you can, it’s against the terms of service of these streaming platforms and can get you banned. Advertising it as a legal workaround by these VPN providers is false advertising.
If you’re using a VPN mainly to access streaming content, there might be alternative options🏴☠️to consider rather than taking the risk of using a VPN provider.
When you’re connected to a public Wi-Fi, opting to trust a VPN provider’s network over the public network could be a sensible choice. However, it’s crucial to remember that neither option is ideal, and neither guarantees protection against hackers and malwares.
VPN Providers in your Enterprise
Security Bypass and Data Exfiltration Threat
The use of third-party VPNs on corporate workstations poses a significant risk for data exfiltration and should be taken seriously. By connecting to an external VPN, users create a tunnel to a third-party server, effectively bypassing your organization’s network security protocols. This raises concerns about data loss, compliance violations, and the general integrity of your network.
Detection
It’s important to implement detection measures for the use of external VPN providers. These measures can include identifying specific executable names, installed locations, VPN-related browser extensions, windows applocker detection, or traffic to known VPN IP addresses and domains used for the VPN connection (can be hard to maintain).
If you identify a user using these VPN providers, inform them about the risks involved and the company’s policy regarding VPN usage. While VPNs may offer the allure of encrypted traffic and ‘enhanced’ privacy, this is a double-edged sword in a corporate setting where data governance and compliance are paramount. By using a VPN, they’re not just evading company security measures but potentially jeopardizing sensitive data by transmitting it through a network that you don’t control, and whose data handling practices you cannot verify.
The only VPN that should be trusted for use is your organization’s own VPN.
Conclusion
In summary, don’t underestimate the risks associated with allowing third-party VPNs on your corporate network or your personal computer. The stakes are too high when it comes to the security and integrity of your business-critical data or your personal information. In enterprise, implementing simple detection measures, coupled with staff education, can go a long way in mitigating these risks.
