Using Personal VPN Services Safely
4 June 2024
A Virtual Private Network (VPN) is a technology that lets a user establish an encrypted network connection over the Internet. Organisations use it to give employees remote access to corporate services. Outside business settings, individuals use VPN services to protect their online privacy or to circumvent geo-locked content restrictions on websites. A personal VPN service works in two phases. In the first phase, data between the user's device and a remote VPN server hosted by the service provider is encrypted and carried through a VPN tunnel, which protects the confidentiality and integrity of that data on this leg of the path, for example against eavesdropping on public Wi-Fi. In the second phase, the VPN server forwards the traffic to its destination on the Internet, acting as a proxy, so that the sites visited see the VPN server's IP address rather than the user's.
However, the tunnel only protects the leg between the device and the VPN server. Traffic still leaves the VPN server for the Internet in whatever form the user sent it, so the server is a single point of trust: it decrypts the tunnel and can see anything that is not separately protected by end-to-end encryption such as HTTPS. If an attacker compromises the VPN server, whether by brute-forcing credentials or by exploiting vulnerabilities or misconfiguration, the confidentiality and integrity of the user's traffic can still be affected.
Threat actors have also been observed to distribute their malware by masquerading it as a free VPN service. When an unsuspecting victim installs this malware, a residential proxy is created, allowing threat actors to funnel Internet traffic through the IP addresses of these infected devices to anonymise the source of malicious activities. These residential proxies may even be rented out to other threat actors for a fee to perpetrate cyber-attacks.
The purpose of this advisory is to provide users with key considerations that should be contemplated when choosing a VPN service and the steps that can be taken to configure and test the selected VPN service.
How to Choose an Appropriate VPN Service Provider
With the widespread availability of both paid and free VPN services, consider the following factors when selecting the VPN service provider that best suits your requirements:
Reputation of VPN service provider
Always use a VPN service from a reputable service provider and download the VPN software only from official sources such as the service provider's website, the Google Play Store or the Apple App Store. Established service providers with a good reputation typically have a track record of quickly remediating known vulnerabilities and following best practices such as enforcing strong authentication credentials, which reduces the chance of a successful attack through the VPN service. The likelihood of malware being distributed through a reputable service provider is also much lower than through an unknown brand. Users are therefore strongly advised to review feedback from several independent online sources on any prospective VPN service provider before selecting one.
User privacy policies
Depending on their user privacy policies, VPN service providers may log users' activities, and some free service providers collect and sell user information to third parties such as advertising companies. Hence, you should always review the user privacy policy for at least the following:
The purpose of collecting data, if any is collected.
The use of the data collected, including whether it is shared with or sold to third parties and how long it is retained.
The security measures in place to safeguard the data.
Configuring Personal VPN Software
The configuration for VPN software may vary for each vendor. Hence, it is imperative that you review any configuration documentation provided by your VPN service provider. Nonetheless, the common features that are applicable to most VPN software are provided below:
Use strong passphrases for authentication and enable Multi-Factor Authentication (MFA) where available. A passphrase is a password made up of a string of several words; its length makes brute-force attacks against your VPN account impractical. MFA adds a second layer of protection should your passphrase be compromised. You may refer to our article here for more details on the usage of strong passphrases and MFA.
Update VPN software regularly. Keeping the VPN client up to date removes known vulnerabilities and bugs that attackers would otherwise be able to exploit, shrinking your attack surface.
Select an appropriate encryption strength. Most VPN services offer a choice of cipher, typically AES with a 128-bit or 256-bit key. Both key sizes are currently considered secure; a 256-bit key gives a larger safety margin at a small cost in speed, which on modern hardware with AES acceleration is usually negligible, so you may select the option that best balances security and performance for your needs. More important than the key size is that you do not select a legacy protocol or cipher if the client still offers one.
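The settings the steps above describe in the abstract become concrete once you look at a client profile. The following is an added example for this advisory, not the advisory's own tool nor any provider's code: it assumes the provider uses OpenVPN and ships a .ovpn profile, and it audits a constructed legacy profile next to a constructed hardened one. The rule set is a hypothetical minimum chosen to show what "encryption strength" and "up-to-date settings" map to in practice, not an official hardening baseline.

```python
"""Audit an OpenVPN client profile for weak settings.

Added example for this advisory; not the advisory's own tool nor any
provider's code. It assumes the provider uses OpenVPN and ships a .ovpn
profile. Both profiles below are constructed, and the rule set is a
hypothetical minimum, not an official hardening baseline.
"""

# Constructed legacy profile: 64-bit block cipher, compression, no TLS floor,
# no server-certificate role check.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
comp-lzo
auth-user-pass
"""

# Constructed hardened version of the same profile.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
auth-user-pass
"""

# 64-bit block ciphers (SWEET32) and other legacy choices.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"MD5", "NONE"}


def parse_profile(text):
    """Map each directive to the list of argument lists it appears with."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def audit_profile(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    opts = parse_profile(text)
    findings = []

    # 1. Data-channel cipher: the setting a VPN app's "encryption strength"
    #    option usually maps to.
    ciphers = set()
    for args in opts.get("cipher", []) + opts.get("data-ciphers", []):
        for arg in args:
            ciphers.update(c.upper() for c in arg.split(":"))
    if not ciphers:
        findings.append("no cipher/data-ciphers: old clients default to BF-CBC")
    weak = sorted(ciphers & WEAK_CIPHERS)
    if weak:
        findings.append("weak data cipher: " + ", ".join(weak))

    # 2. Packet HMAC (unused by AEAD ciphers such as AES-GCM, still used with
    #    CBC ciphers and tls-auth).
    for args in opts.get("auth", []):
        if args and args[0].upper() in WEAK_AUTH:
            findings.append("weak HMAC: auth " + args[0])

    # 3. Control channel: do not let the server negotiate TLS 1.0 or 1.1.
    tls_min = opts.get("tls-version-min", [])
    if not tls_min or not tls_min[0]:
        findings.append("tls-version-min missing: TLS 1.0 may be negotiated")
    elif float(tls_min[0][0]) < 1.2:
        findings.append("tls-version-min " + tls_min[0][0] + " is below 1.2")

    # 4. Without this, any certificate issued by the provider's CA (for example
    #    another customer's client certificate) can impersonate the server.
    if ["server"] not in opts.get("remote-cert-tls", []):
        findings.append("remote-cert-tls server missing: server identity not checked")

    # 5. Compressing attacker-influenced plaintext leaks secrets (VORACLE).
    compressed = any(not a or a[0].lower() != "no" for a in opts.get("comp-lzo", []))
    compressed |= any(a and a[0].lower() not in ("stub", "stub-v2") for a in opts.get("compress", []))
    if compressed:
        findings.append("compression enabled: remove comp-lzo/compress")

    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(profile) or ["OK"])
```

Run it against the profile your provider supplies; if the audit reports findings, look for a newer profile or client version from the provider rather than editing the cryptographic settings yourself, since the server must support whatever you select.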
VPN Security Test
After you have selected a VPN service provider, you may wish to perform the following tests to ensure that there are no hidden security risks inherited from your VPN service provider:
Domain Name System (DNS) Leak Test. When the VPN is connected, all DNS queries should travel through the tunnel to the provider's resolver. A DNS leak test determines whether any queries are instead sent outside the tunnel, typically to your ISP's resolver, which would reveal every site you visit even though the page contents are tunnelled. Connect to the VPN, then run a DNS leak test; every resolver it reports should belong to the VPN provider, not your ISP.
IP Address Leak Test. An IP address leak test determines whether your source IP address is hidden correctly. Connect to the VPN, then check the public IP address reported by an IP lookup site; it should be the VPN server's address, not the one your ISP assigned. Check this over IPv6 as well as IPv4, since some clients tunnel only IPv4 and leave IPv6 traffic on the normal connection.
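The two tests above compare what the Internet sees with the VPN off against what it sees with the VPN on. The following added example (not the advisory's own tool nor any provider's) encodes that comparison: it takes a constructed "before" snapshot and two constructed "after" snapshots, one clean and one leaky, and reports the leaks. In real use you would fill the snapshots from a public-IP echo service, a DNS leak test site and your routing table. It goes beyond the two tests named in the text by also flagging an IPv6 leak and a default route that bypasses the tunnel interface.

```python
"""Decide from before/after snapshots whether a VPN connection leaks.

Added example for this advisory (not the advisory's own tool nor any
provider's). The snapshots are constructed; in real use fill them from a
public-IP echo service, a DNS leak test site and the routing table, once with
the VPN off and once with it on.
"""
from dataclasses import dataclass
from typing import Optional, Set
import ipaddress


@dataclass
class Snapshot:
    public_ipv4: Optional[str]   # address an IPv4 echo service reports
    public_ipv6: Optional[str]   # same over IPv6; None if IPv6 is blocked or unavailable
    dns_egress: Set[str]         # resolver addresses a DNS leak test site saw querying it
    default_iface: str           # interface carrying the default route


def _canon(addr):
    """Canonical text form so e.g. 2001:DB8:0:0::1 and 2001:db8::1 compare equal."""
    return str(ipaddress.ip_address(addr)) if addr else None


# Constructed baseline: VPN off, on a home connection (203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges standing in for the ISP).
BASELINE = Snapshot("203.0.113.25", "2001:db8:1::25",
                    {"203.0.113.53", "203.0.113.54"}, "wlan0")

# Constructed: VPN on, everything inside the tunnel, client blocks IPv6.
CLEAN = Snapshot("198.51.100.7", None, {"198.51.100.53"}, "tun0")

# Constructed: VPN on, but the OS still queries an ISP resolver and IPv6
# traffic bypasses the tunnel.
LEAKY = Snapshot("198.51.100.7", "2001:DB8:1::25",
                 {"198.51.100.53", "203.0.113.53"}, "tun0")


def check_leaks(baseline, connected, tunnel_iface="tun0"):
    """Return a list of leak findings; an empty list means the tests passed."""
    findings = []

    # IP address leak test: the address the Internet sees must have changed.
    if connected.public_ipv4 is None:
        findings.append("no IPv4 path through the VPN (echo service unreachable)")
    elif _canon(connected.public_ipv4) == _canon(baseline.public_ipv4):
        findings.append("IPv4 leak: public address still " + connected.public_ipv4)

    # IPv6 variant: some clients tunnel only IPv4, so an unchanged IPv6
    # address means IPv6-capable sites still see the real network.
    if baseline.public_ipv6 and _canon(connected.public_ipv6) == _canon(baseline.public_ipv6):
        findings.append("IPv6 leak: public IPv6 address unchanged")

    # DNS leak test: no resolver seen while connected may be one the ISP
    # connection used, nor the ISP-assigned address itself (a home router
    # forwarding queries shows up that way).
    isp_side = {_canon(a) for a in baseline.dns_egress}
    isp_side.add(_canon(baseline.public_ipv4))
    leaked = sorted(a for a in connected.dns_egress if _canon(a) in isp_side)
    if not connected.dns_egress:
        findings.append("DNS test returned no resolvers; rerun before judging")
    if leaked:
        findings.append("DNS leak: queries reached " + ", ".join(leaked))

    # Routing check: the default route must point at the tunnel, otherwise
    # only traffic matching specific routes is protected.
    if connected.default_iface != tunnel_iface:
        findings.append("default route via " + connected.default_iface + ", not " + tunnel_iface)

    return findings


if __name__ == "__main__":
    print("clean:", check_leaks(BASELINE, CLEAN) or ["no leaks"])
    print("leaky:", check_leaks(BASELINE, LEAKY))
```

The baseline matters: a resolver address on its own tells you little, but a resolver that answered your queries before you connected and still answers them afterwards is, by definition, outside the tunnel.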
Users are reminded to select a reputable VPN service provider and to configure the VPN properly. Doing so is essential to the cybersecurity of your devices and to the confidentiality and integrity of the data transmitted between your device and the Internet.