Report finds numerous holes in UK corporate VPNs
Large numbers of vulnerabilities were found in UK corporate VPNs by UK-based security testing and audit company NTA Monitor, according to its VPN security report for 2007. The good news is that most of them were relatively low-risk, and the researchers discovered no high-risk vulnerabilities.
But every VPN tested exhibited multiple vulnerabilities: 55 per cent showed more than eleven vulnerabilities each. Two specific flaws dominated the field and together accounted for twenty per cent of all vulnerabilities. The first was the VPN server responding to requests from any IP address, thereby revealing the presence of a VPN to outsiders; the second was susceptibility to UDP backoff analysis, which can allow an attacker to identify the VPN server product.
The researchers analysed their findings by industry sector and found that the leisure and pharmaceuticals industries came off worst, with a number of holes well above the average for the whole sample; government, non-profit and utilities followed at around the average. IT and telecoms, not surprisingly, scored best.
Interesting as it is, the report should be read with caution. The sample size is not disclosed "for confidentiality reasons", but Sarah Turner, marketing manager at NTA Monitor, told heise Security that it was "in the order of 100", which is rather small to be truly representative.
- UK organisations' IT security improving, comment page from NTA Monitor with report request contact