You may have heard about a VPN, or Virtual Private Network. In case it has been explained to you before, I will just give a brief definition of what it is. It is basically a secure network that provides an encrypted data channel that allows you to transmit and receive information safely. It makes your connection on a public data network like the Internet more secure because its purpose is to protect the user from eavesdropping and tampering with data. If you are going to make online payments or share sensitive information over a public network, such as in an Internet cafe or library, using a VPN can be very important.
A VPN has two major benefits: information security and privacy. A secure data channel means it is encrypted, making it more difficult for anyone to steal your data while you are online. It is feasible to decrypt your data channel, but it is a sophisticated process. Privacy is probably the most important benefit and the feature that many people need. VPN connections are initiated by random servers that can be located around the world. Once connected, your VPN connection is made anonymous to the servers you connect to on the Internet. Even the Internet Service Provider (ISP) will not be able to directly track down a user connected to a VPN. Since the VPN connects to a server that handles connections for you, it will appear that you are initiating communications from that server. This allows users to circumvent restrictions on their Internet connection for more privacy.
Is a VPN connection really secure?
That depends on the infrastructure of the VPN network. In enterprise configurations, the company VPN connection is provided by a server behind the firewall. In the past, users needed a dongle that generates random numbers. They then had to enter that number into the VPN client software installed on their laptop or remote machine to initiate a VPN connection to the company’s enterprise network. This solution arose because many companies needed their employees to work remotely and connect securely to the office’s servers. This was an example of an end-to-end VPN connection.
Today you don’t need a dongle to connect to a VPN network. Instead, you open a web browser and go to a website to log in, just like logging into your social media account or your public e-mail address. It is simple, but many VPN connections require two-factor authentication, which is similar to how the dongle works. Using an authenticator service, you have to enter a random string or number generated by the VPN network. It will only work on the device you registered for the VPN connection and not on all devices. This is a security measure that prevents intruders from accessing the VPN from any machine.
With public VPN providers that require a subscription, it is similar but not exactly the same. With a company VPN you are connecting to a trusted server within your organization. Public VPNs are hosted not in one location, but all over the world. If there is a vulnerable server anywhere on the VPN provider’s network, that can lead to a serious data breach. In that case, if your data is not itself encrypted, it can be stolen by bad actors. This is because a VPN only secures the data channel. The actual data, if not encrypted, is susceptible to theft. For documents that contain sensitive information like social security numbers or financial records, it is best to password protect the document or encrypt it before sending it over a public VPN. Likewise, on a company VPN it is usually best practice to do the same when employees connect from the Internet, so that if the connection between the employee and the VPN server were hacked, the data in transit is encrypted as well. That makes it more difficult to get the information.
VPN users should always make sure they are connecting to the correct server. A man-in-the-middle (MITM) attack can trick a user into connecting to a fake VPN server. This usually happens when the VPN is accessed via a webpage. Unsuspecting users can be redirected to what they think is their VPN provider’s login page, but the truth is otherwise. Such incidents have happened before with grave consequences. To make sure this doesn’t happen, verify that the VPN provider’s website has a valid digital certificate. You can check this by confirming that the URL begins with “https”, e.g. “https://myprovider.com”. You can also check from your browser whether the certificate is valid. In Chrome you just need to click the padlock icon to the left of the website address bar. If you see “Connection Secure” along with details about the certificate’s authenticity, then it should be valid.
The good thing about a company VPN is that administrators have more control over how they manage the connection. For example, a systems administrator can lock down the VPN so that only authenticated user accounts on the company’s domain server can use it. They can also force another authentication step that requires a number generator or a code sent via text or e-mail. If the administrator configured it that way, it is already suspicious when a user connects to a server that doesn’t require further authentication.
Another way a VPN connection can be hacked is if a hacker is able to steal what is called a user’s private key. This is generated during the initial VPN configuration. If the VPN client requires a private key, it must be stored securely in a safe place. Otherwise, most VPN providers will not require you to create a private key, since they use scripts that can automate the process online. The problem is that if the key is stolen or carelessly exposed, a user’s VPN connection can be used to access a network and lead to data breaches. Phishing attacks are one way hackers gain access to VPN networks. In this case, rather than try to exploit a vulnerability in the network, hackers use social engineering techniques to trick their intended victim into giving them information about their VPN network. Avoid replying to e-mail that is not verified, clicking suspicious links and talking to people who don’t have any business with your organization.
A VPN is, for the most part, secure. Never share the private key of your VPN connection, and always make sure you are connecting to the proper VPN network. If a VPN connection over a public network is just too risky, then don’t connect. Perhaps it can wait until you are home or at another office branch. There is more peace of mind in keeping your data and privacy safe than in losing them.
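As an added example (not part of the original article), here is one way to check that a VPN client's private key file is not carelessly exposed on a Linux or macOS machine. The file name `client.key` and the function names are assumptions for illustration; the script builds its own throwaway file rather than reading a real key.

```python
import os
import stat
import tempfile


def audit_key_file(path: str) -> list[str]:
    """Return a list of exposure findings for a private key file (empty = OK)."""
    st = os.lstat(path)  # lstat: inspect the path itself, never a link target
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; the real key may live somewhere unprotected"]
    if not stat.S_ISREG(st.st_mode):
        return ["path is not a regular file"]

    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o} lets group or others access the key; use 0600")
    if st.st_uid != os.getuid():
        findings.append("key is owned by a different user account")

    # A writable parent directory lets someone else swap the key file out.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is writable by group or others")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Audit a constructed key file before and after tightening its mode."""
    with tempfile.TemporaryDirectory() as workdir:
        key = os.path.join(workdir, "client.key")  # hypothetical file name
        with open(key, "w") as handle:
            handle.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o644)  # the weak setting: readable by everyone
        before = audit_key_file(key)
        os.chmod(key, 0o600)  # the corrected setting: owner only
        after = audit_key_file(key)
    return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("0644:", weak)
    print("0600:", fixed)
```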