A penetration test of U.K. corporate VPNs has offered decidedly mixed news on security.
The bad news is that all companies looked at showed multiple vulnerabilities on their IPsec VPNs, a situation that has actually deteriorated slightly from the same tests conducted a year ago. More positively, none of these ranked higher than 'medium' in severity.
The tests were carried out by security testing firm NTA Monitor, finding that the average number of vulnerabilities across a range of sectors had risen from nine to 11 in a year. Overall, 73 percent of organizations showed one or more medium-level flaw, defined as those issues likely to "allow external users to disrupt services, permitting users to obtain unauthorized access or provide access to unauthorized external users if incorrectly configured."
That said, the ten commonest flaws were all described as 'low' risk or 'informational', meaning they would not allow a hacker the ability to directly disrupt a VPN. Companies were still being tripped up by basic problems, the report said, but these would be easy to fix with better housekeeping.
Taking the results by sector, the finance sector turned in a good performance, with only one medium-risk vulnerability found on average. By contrast, the least secure sectors were pharmaceuticals, leisure and government, which had between two and three medium-level risks, as well as a markedly greater number of low-risk issues.
The top two vulnerabilities across all companies were that the VPN server was responding to any source IP address, and the server could be 'fingerprinted,' that is the fact that the VPN server was residing on a firewall risked making the latter's existence easier to detect for attackers.
NTA Monitor offers an important caveat to the results. Because the companies tested were all customers of company, it could be argued that they represented the conscientious end of the business world. Any company paying to test its VPN security is accepting the idea that security is an issue, something that might not hold true for companies generally. VPNs in the wider world might show more serious problems.
The full report, and its recommendations, is due to be made available on NTA's website in the coming days.