Best Practices to Strengthen VPN Security

Improving-VPN-Security

Virtual private networks (VPNs) form a staple of the modern work environment. VPNs provide an essential layer of protection for employees working remotely or across multiple office locations, encrypting data traffic to stop hackers from intercepting and stealing information. Usage of VPNs skyrocketed in the wake of the COVID-19 pandemic and remains high — 77% of employees use VPN for their work nearly every day, according to the 2023 VPN Risk Report by Zscaler.

Their widespread popularity has put VPNs squarely in the crosshairs of malicious actors. The recent ransomware attack on UnitedHealth Group, which disrupted payments to U.S. doctors and healthcare facilities nationwide for a month, has now been linked to compromised credentials on a remote system access application. This follows on the heels of a large-scale brute force attack campaign against multiple remote access VPN services, reported by Cisco Talos.

Unfortunately, these attacks are not an anomaly. The VPN Risk Report found that 45% of organizations experienced at least one attack that exploited VPN vulnerabilities in the last 12 months. So what can organizations do to protect this vulnerable gateway? Here we’ll cover the top VPN security best practices every organization should follow.

How Does a VPN Work?

A VPN creates an encrypted connection between a user’s device and the organization’s network via the internet. Using a VPN, companies can grant remote employees access to internal applications and systems, or establish a unified network across multiple office sites or environments.

An employee typically initiates a VPN connection through a client application installed on their device, connecting to a VPN server hosted within the organization. This connection creates a secure "tunnel" that encrypts all data transmitted between the employee's device and the corporate network. With the VPN connection established, the user's device is virtually part of the organization's internal network and the employee can access internal applications, databases, file shares, and other resources that are typically only accessible within the corporate network. Authentication between VPN clients and servers occurs through the exchange of digital certificates and credentials, with multi-factor authentication (MFA) a means to provide an additional layer of security.

While VPNs provide some measure of remote access security, they also make a soft target for attackers. Moreover, VPN attacks pose an outsized risk — once attackers gain entry through a VPN, they often get direct access to  a broad swath of an organization's networks and data.   

Common VPN Attack Vectors

Before we explore VPN security best practices, it’s important to understand how attackers exploit system vulnerabilities to gain access.

Authentication-Related Attacks

Attacks on VPNs often revolve around authentication and credential-related weaknesses. These include:

  • Credential Theft and Brute Force Attacks: Attackers target VPN credentials through phishing, keylogging malware, or brute force techniques to gain unauthorized access.
  • Session Hijacking: Hijacking active VPN sessions by stealing session cookies or exploiting session management vulnerabilities allows attackers to impersonate users and access VPN-protected resources.
  • Man-in-the-Middle (MitM) Attacks: Exploiting weak authentication or compromised certificates, attackers intercept and manipulate VPN traffic to eavesdrop or modify data.

Vulnerability Exploits

Security flaws in VPN solutions themselves are another common route of attack. A recent analysis by Securin showed that the number of vulnerabilities discovered in VPN products increased 875% between 2020 and 2024. Hackers exploit vulnerabilities in VPN client software or server-side VPN components to gain unauthorized access to VPN endpoints. This can lead to complete compromise of the endpoint or enable attackers to intercept VPN traffic. In fact, the Cybersecurity Infrastructure and Security Agency (CISA) itself was recently breached by hackers exploiting vulnerabilities in the agency’s VPN systems.

Five VPN Security Best Practices

With the growing assault on VPNs, organizations must adopt proactive security strategies to protect this major point of vulnerability. The following measures are recommended best practices to strengthen your VPN security posture.

Regularly Update VPN Software and Components

Patch management is crucial for maintaining a secure VPN infrastructure. Regularly update VPN client software, servers, gateways, and routers with the latest security patches and firmware to mitigate vulnerabilities and defend against emerging threats. Establish procedures for emergency patching to promptly address critical vulnerabilities and ensure the ongoing security of your VPN environment.

Deploy Multi-Factor Authentication

As one of the primary avenues of attacks on VPN, strong authentication protocols are critical. The remote access application that was breached In the UHG attack lacked multi-factor authentication controls. Massive leaks of stolen credentials, and crude but effective techniques such as password spraying and credential stuffing, make it trivial for attackers to gain entry to VPN when only a username and password stand in the way. Organizations should deploy, at the very least, multi-factor authentication (MFA). MFA challenges users to provide something they own (OTP, device, security key) or something they are (face scan, fingerprint) in addition to or instead of something they know (password, PIN). 

Make It Phishing-Resistant MFA

VPN security is vastly improved by using phishing-resistant MFA and passwordless authentication methods that completely remove shared secrets. This makes it impossible for attackers to guess or steal authentication factors and much harder to spoof identity. Specifically, passwordless authentication based on FIDO standards provides robust defense against phishing, man-in-the-middle (MitM) attacks and hacking attempts by eliminating insecure methods like SMS or OTPs. Moreover, since it’s based on public-key cryptography, it ensures there are no server-side shared secrets vulnerable to theft in case of a breach.

Implement Access Control and Least Privilege:

Apply granular access control policies to restrict VPN access based on user roles, groups, or individual permissions. Ensure that users have access only to the resources necessary for their job functions (principle of least privilege), reducing the impact of potential insider threats or compromised credentials.

Regularly Monitor and Audit VPN Traffic

Enable logging and monitoring of VPN traffic to detect suspicious activities, anomalies, or potential security incidents. Regularly review VPN logs and conduct security audits to identify unauthorized access attempts, unusual patterns, or compliance deviations. This proactive approach helps maintain visibility into VPN usage and ensures prompt response to security incidents.

Leverage known IOCs, shared with the community as well by other vendors. VPN-oriented IOCs usually contain source IPs and Hosting providers which you can block. 

Monitor logs for employee login behavior changes such as location changes (outside of normal locations for your business), login attempts outside regular business hours, as well as attempts with invalid username and password combinations.

Strengthen Your VPN Security With HYPR

Despite the security concerns, VPNs are not going away any time soon. Adhering to VPN security best practices mitigates the technology’s vulnerabilities to safeguard your employees, systems and data. The most essential defense step is to deploy strong authentication systems. And the most robust systems completely remove passwords and all shared secrets from their VPN authentication.

HYPR’s leading passwordless MFA solution allows your workers to securely log into remote access systems, including VPNs, with a friction-free user experience. To find out how HYPR helps secure your networks and users against attacks targeting your VPN, get in touch with our team.

New call-to-action

Related Content