Many financial institutions use VPNs (Virtual Private Networks) to let employees work remotely. While a VPN is normally thought of as a secure way to connect to the office, researchers have recently found critical vulnerabilities in some common VPN products that allow an attacker to reach the internal network without a username or password. Worse, researchers are now seeing signs that these vulnerabilities are being exploited on a large scale. The Department of Homeland Security sent an alert on Monday urging companies to patch these VPNs.
Attackers know that many companies forget to patch their VPN systems, so they are focusing on vulnerabilities in these devices. Although patches for the vulnerabilities currently being exploited have been available for months, many institutions have yet to apply them. IT departments have regular patching programs for servers and workstations, but VPN appliances receive patches so infrequently that they are often forgotten. Institutions should perform regular vulnerability scans and review the results so that forgotten critical patches such as these are detected and remediated before they become a problem. Even if an institution does not run one of the currently identified vulnerable products, it is only a matter of time before a vulnerability is found in any VPN.
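The review step above, as an added example that is not part of the original post: a small triage routine over constructed vulnerability-scan findings that flags unpatched devices, gives critical findings on the named VPN vendors' appliances the highest priority, and sorts by how long the fix has been public. Hostnames, version numbers and dates are all made up, and the version comparison only handles dotted or R-style release strings.

```python
import re
from datetime import date
from typing import List, NamedTuple

# VPN vendors named in the advisory: findings on their products are treated as
# internet-facing edge devices and get the highest priority when unpatched.
VPN_VENDORS = ("Fortinet", "Pulse", "Palo Alto")

class Finding(NamedTuple):
    host: str
    product: str
    installed: str        # firmware version the scanner reported
    fixed_in: str         # version the vendor advisory lists as fixed
    severity: str         # scanner severity, e.g. "critical"
    patch_released: date  # date the fix became available

def parse_version(v: str) -> tuple:
    """Reduce a version string to its numeric fields so releases compare in order,
    e.g. '8.3R7.1' -> (8, 3, 7, 1). Enough for dotted or R-style release names."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_unpatched(f: Finding) -> bool:
    return parse_version(f.installed) < parse_version(f.fixed_in)

def triage(findings: List[Finding], today: date, stale_after_days: int = 30) -> list:
    """Return unpatched findings, most overdue first, each with a priority label:
    'immediate' for a critical finding on a VPN appliance (the advisory's case),
    'overdue' for any fix public longer than stale_after_days, else 'scheduled'."""
    out = []
    for f in findings:
        if not is_unpatched(f):
            continue  # scanner already sees the fixed release; nothing to do
        days = (today - f.patch_released).days
        on_vpn = any(f.product.startswith(v) for v in VPN_VENDORS)
        if on_vpn and f.severity == "critical":
            priority = "immediate"
        elif days > stale_after_days:
            priority = "overdue"
        else:
            priority = "scheduled"
        out.append({"host": f.host, "product": f.product,
                    "days_since_patch": days, "priority": priority})
    out.sort(key=lambda r: r["days_since_patch"], reverse=True)
    return out

# Constructed sample scan results: hosts, versions and dates are made up.
TODAY = date(2019, 10, 1)
SAMPLE_FINDINGS = [
    Finding("vpn-edge-01", "Fortinet FortiOS SSL VPN", "1.0.3", "1.0.5", "critical", date(2019, 5, 1)),
    Finding("vpn-edge-02", "Pulse Connect Secure", "8.3R7.1", "8.3R7.1", "critical", date(2019, 4, 1)),
    Finding("fileserver-07", "Example File Server", "10.0.100", "10.0.200", "high", date(2019, 9, 21)),
    Finding("vpn-edge-03", "Palo Alto GlobalProtect", "2.0.1", "2.0.4", "critical", date(2019, 3, 1)),
]
```

Running `triage(SAMPLE_FINDINGS, TODAY)` lists the two VPN appliances as immediate and the file server as scheduled; the already-patched Pulse device is not reported.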
Institutions that use VPNs from Fortinet, Pulse Secure, and Palo Alto are urged to upgrade any vulnerable devices immediately, and to look for signs of a breach on any device that was not patched against these vulnerabilities.
More information on these vulnerabilities can be found at the links below:
- Palo Alto GlobalProtect
- FortiGuard FortiOS SSL VPN
- Pulse Connect Secure and Pulse Policy Secure
If you'd like to have a security program that will help ensure vulnerabilities are detected BEFORE an attacker can find them, we can make it possible!