How Virtual Private Networks Work
A VPN connection to a business's main office can help its employees be productive when they're on the go.
As a business such as Tuntex grows, it might expand to multiple workshops or offices across the country and around the world. But there is one thing that all companies need: a way to maintain fast, secure, and reliable communications wherever their offices are located. Traveling employees, such as salespeople, the CEO (Chief Executive Officer), the CTO (Chief Technical Officer) and others, need an equally secure and reliable way to connect to their business's computer network from remote locations. Even on leisure travel, people want to keep their computers safe when on an unfamiliar or unsecured network.
One popular technology to accomplish these goals is a VPN (virtual private network). A VPN is a private network that uses a public network (usually the internet) to connect remote sites (outside network) or users together. The VPN uses "virtual" connections routed through the internet from the business's private network or a third-party VPN service to the remote site, distant offices or person. VPNs help ensure security — anyone intercepting the encrypted data can't read it.
A typical VPN might have a main local-area network (LAN) at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users that connect from out in the field.
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection, such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
What Makes a VPN?
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations.
An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
A well-designed VPN can greatly benefit a company. For example, it can:
- Extend geographic connectivity
- Reduce operational costs versus traditional WANs
- Reduce transit times and traveling costs for remote users
- Simplify network topology
- Provide global networking opportunities
- Provide telecommuter support
- Provide faster Return On Investment (ROI) than a traditional WAN
What features are needed in a well-designed VPN? It should incorporate these items:
Analogy: Each LAN is an IsLANd
Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The normal way to travel is to take a ferry from your island to whichever island you wish to visit. Traveling on a ferry means that you have almost no privacy. Anything you do can be seen by someone else.
Assume that each island represents a private LAN and the ocean is the Internet. Traveling by ferry is like connecting to a web server or to another device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you try to connect between two private networks using a public resource.
Your island decides to build a bridge to another island so that there is an easier, more secure and direct way for people to travel between the two. It is expensive to build and maintain the bridge, even though the island you are connecting with is very close. But the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to a second island that is much farther away, but you decide that it is too expensive.
This situation is very much like having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet they are able to connect the islands (LANs). Many companies have chosen this route because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high - just like trying to build a bridge that spans a great distance.
So how does a VPN fit into this analogy? We could give each inhabitant of our islands their own small submarine with these properties:
- It is fast.
- It is easy to take with you wherever you go.
- It is able to completely hide you from any other boats or submarines.
- It is dependable.
- It costs little to add additional submarines to your fleet once the first is purchased.
Although they are traveling in the ocean along with other traffic, the inhabitants of our two islands could travel back and forth whenever they wanted to with privacy and security. That is essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much more easily. Moreover, the distance doesn't matter, because VPNs can easily connect multiple geographic locations worldwide.
Tuntex-SYS IT Div Originally Published: Feb 10, 2021
1. Hacker
A hacker is someone who uses specialised skills to identify weaknesses in computer systems and works to fix them. Those skills may be networking skills, computer security skills or even system hardware skills. If a hacker identifies a security weakness in a system, he will work to resolve it in order to prevent further incidents of unauthorised access. Although we have defined hackers from a positive point of view, this is not always the case, because hackers are divided into several groups. There are two types of hacker: white hat hackers and black hat hackers.
White hat hackers are the group of hackers who stay within the bounds of the law when doing their work. They are the true representation of what hacking is. They do not use their skills to access any system illegally; instead, they only do what an organisation asks of them. Black hat hackers are what people think of when they hear the word hacker. They use their power and intelligence to make money through illegal means. Whenever they find a vulnerability, they abuse it for their own gain and do not let the owner know about the threat and the vulnerability. They try to steal users' passwords, emails and other personal details and sell them on the Dark Web. Hackers are professionals and are usually hired by companies to test security systems. They highlight the weak points in a system or network and recommend the appropriate security measures to take.
The Goals of a Hacker
Hackers, crackers and scammers can be distinguished by the goals they have. Hackers are mainly interested in learning how computer systems and networks work. They are familiar with all the tools needed to get into a system. A hacker also knows the techniques that a cracker will use to get into a system in order to carry out malicious activity. They design various measures to prevent crackers' activity. The overall goal of a hacker is to improve a system by making it more secure.
Cracker and hacker refer to almost the same kind of person. However, there are some differences in how they do their work. While hackers act in ways that stay within the legal framework, crackers are keen to break existing laws. They use their knowledge and skills to penetrate the security of computer systems and networks. Crackers gain access to the private data of people or organisations and cause some degree of damage. The damage caused can vary. The most common includes stealing credit card information, stealing personal details and information that they will sell, destroying or encrypting important files, and making systems inaccessible to others, among many other harmful activities.
The Goals of a Cracker
Crackers are motivated by various factors. The main one is financial gain. They may attack a system with the aim of obtaining financial information. Some are paid by business competitors in order to obtain sensitive information about an organisation. Some crackers make their moves for the sake of publicity or to show how powerful they are.
3. Scammer
A scammer is a person who uses tricks and fraudulent schemes to obtain favours from someone. A scammer will always pretend to be someone else and will always act in a way that wins your trust. Most scammers use the internet to lure their victims into doing something. In most cases, scammers do not have any special programming skills; instead, they rely on mind games. They play with the mind of the prospective victim until the victim finally gives in to their demands.
Tuntex-SYS IT Div Updated 8/6/2020
WHAT IS DISPLAY NAME SPOOFING?
Display name spoofing is a tactic used by phishers in which the email being sent looks like it is coming from a trusted source, such as your boss or a co-worker. A common tactic employed by cyber-criminals when they go on phishing expeditions is to impersonate someone you know or a source that you trust. Their goal is to get personal data, passwords, money transfers or gift cards, just to name a few. In fact, billions of dollars have been lost because of simple emails that impersonate your bosses and co-workers and ask for wire transfers, or credibly request that other sensitive data be sent back to the impersonator. Display name spoofing can be dangerous because the sender's email address is not forged per se, so it is difficult to block emails with forged display names.
HERE’S HOW IT WORKS:
For illustrative purposes, let us say the person in a position of authority at your company whom the attacker wishes to impersonate is J. Piers Rawling, and his real email address is PRawling@FSU.edu.
Cybercriminals simply register a new email address with a free email provider; we will use Gmail for this example. Using the same name as above, J. Piers Rawling, our person of authority at your company, the attacker creates a Gmail account (e.g. J. Piers Rawling <email@example.com>). Technically, the email address is valid, so emails sent from these accounts will slip through anti-spam filtering. No e-mail program will block these phishing emails, because the email address itself is not forged.
The hope is that the recipient won't look at the sending address (firstname.lastname@example.org) and will instead look only at the sending display name (J. Piers Rawling). Some recipients may even assume that the sending email is the personal email of the executive and believe it to be real. But beware.
Also, employees may believe that an email is legitimate because it looks like it has come from someone they are familiar with and carries that person's standard company email signature sign-off. Unfortunately, attackers can copy the same email signatures that legitimate senders use at the bottom of their emails.
To add insult to injury, many email clients – especially smartphone email clients – only display the sender’s name by default, but not the email address. For example, the Mail app on the iPhone requires you to tap on the sender’s name to reveal an email address.
HOW TO PREVENT THIS?
Well, you can't. As a result, the first and last line of defense is your employees: everyone needs to be vigilant and prepared to identify emails that use the display name spoofing technique. Sadly, this is prone to human error, as employees may not verify the full details of every single incoming email under certain circumstances, such as stressful situations with fast-approaching deadlines, or a lack of attention to detail. Employees should be trained to identify deceptive emails with forged "display names."
The first step to not being a victim is awareness, and for organizations, employee awareness training.
Know the who, what, where, when, and why of every email you receive.
Here are some things to look for and think about:
- When you receive an email, look at both the name and the sender's email address. Are they correct?
- Look for red flags. For example, does your boss normally send you emails about wire transfers or gift cards?
- Look to see if there are misspellings.
- Ask yourself: would your boss ask me this?
- Why would your boss ask for your personal passwords or personal information?
- Don't post the email addresses of employees and leaders at your company on your website.
- Never click blindly on an attachment or link.
- Beware of messages that seem too good to be true or too urgent.
- Hover over the display name to see the sender's email address.
- Check not only the email address but all of the email header information.
- If using a mobile device and unsure of a message, open it on a computer as well.
- If suspicious of an email, contact the sender another way.
- If you are not sure about the email you received, CALL THEM. Do not email, as the cyber-criminal will be the one to respond.
There is no way to prevent these types of emails from coming through. Staying vigilant and looking for the signs of these hackers is the only way to stay safe.
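The "look at both the name and the sender's email address" check above can be applied by a mail gateway or mailbox rule before a human ever sees the message. The following is an added example, not code from the original post: it parses the From and Reply-To headers of a raw message, normalises the display name, and flags mail whose display name matches a person in a constructed internal directory while the address is not that person's mailbox, plus the related case where a reply would go to an external address. The directory, the `example-corp.test` and `freemail.test` domains, and the sample messages are all constructed for the demonstration; header folding is not handled.

```python
import re

# Constructed directory of internal staff (display name, mailbox); the domain is a
# placeholder standing in for the organisation's own.
INTERNAL_DOMAIN = "example-corp.test"
INTERNAL_STAFF = [
    ("J. Piers Rawling", "PRawling@example-corp.test"),
    ("Jane Doe", "jdoe@example-corp.test"),
]
# Matches 'Display Name <user@host>' or '"Display, Name" <user@host>'.
_NAME_ADDR_RE = re.compile(r'^\s*(?:"([^"]*)"|([^<"]*?))\s*<([^>]+)>\s*$')

def normalize_name(name):
    """Lower-case, strip punctuation and sort the words, so that 'J. Piers Rawling',
    'j piers rawling' and 'Rawling, J. Piers' all map to the same key."""
    words = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(sorted(words))

DIRECTORY = {normalize_name(n): a.lower() for n, a in INTERNAL_STAFF}

def split_address(value):
    """Split 'Display Name <user@host>' into (name, address); a bare address gets an empty name."""
    m = _NAME_ADDR_RE.match(value)
    if m:
        name = m.group(1) if m.group(1) is not None else m.group(2)
        return name.strip(), m.group(3).strip().lower()
    return "", value.strip().strip("<>").lower()

def header_value(raw_message, field):
    """Return the first value of a header from the raw message text (no folded lines)."""
    headers = raw_message.split("\n\n", 1)[0]
    for line in headers.splitlines():
        if line.lower().startswith(field.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""

def check_display_name(raw_message):
    """Flag mail whose From display name is an internal person but whose address is not theirs."""
    name, addr = split_address(header_value(raw_message, "From"))
    reasons = []
    expected = DIRECTORY.get(normalize_name(name))
    if expected and addr != expected:
        reasons.append(f"display name {name!r} belongs to {expected} but the mail came from {addr}")
    reply_addr = split_address(header_value(raw_message, "Reply-To"))[1]
    if reply_addr and reply_addr != addr and not reply_addr.endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"replies would go to external address {reply_addr}, not to {addr}")
    return {"display_name": name, "address": addr, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample messages (only the headers matter here).
SPOOFED = ("From: J. Piers Rawling <piers.rawling.office@freemail.test>\n"
           "To: staff@example-corp.test\nSubject: Urgent wire transfer\n\nPlease handle this today.")
LEGIT = ("From: \"Rawling, J. Piers\" <PRawling@example-corp.test>\n"
         "To: staff@example-corp.test\nSubject: Budget review\n\nSee attached.")
OUTSIDER = "From: Vendor Support <support@vendor.test>\nSubject: Invoice\n\nHello."
```

Running `check_display_name(SPOOFED)` flags the message with one reason, while `LEGIT` and `OUTSIDER` come back clean; a hit is a signal for quarantine or a warning banner, not proof on its own.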
Cybersecurity has had to evolve drastically over the past few decades as tools and methods used by hackers have gotten more and more sophisticated.
Even the best cybersecurity strategy, however, isn’t foolproof without proper employee training.
Fraud Watch International states that 95% of breaches are due to human error or what is known as the “human factor.” Without preparation, awareness, and enforcement, the best laid security plan can fall flat, leaving you and your employees vulnerable to hacking.
Why are employees the weakest link in the security chain?
Employees, rather than computer systems, are the easiest part of any business to compromise. This is even more so today with the proliferation of smart or IoT (Internet of Things) devices for personal and business-related purposes.
Individuals can easily be exploited through phishing, social engineering, and related efforts. These tactics are used to exploit human weaknesses and vulnerabilities by deceiving or misleading people.
One of the most popular tactics is display name spoofing attacks, where the cyber criminal changes the display name of the malicious emails sent to one the recipient may trust – often C-level executives for large organizations.
The result is blind clicks and downloads by employees thinking they are just following orders from their boss.
Employees that lack training and awareness, therefore, must be a top concern.
What is cybersecurity training?
Cybersecurity training defines what is needed from each employee and increases readiness to face and block cyber attacks. Employees will be able to recognize and halt attacks before they cause damage.
Having a good cybersecurity training program in place means Management has:
- identified all requirements for training
- determined the best method for Management and employees
- set expectations at the beginning and followed through
- covered such topics as current threats and defensive procedures
- ensured that your employees know who to contact if a breach does occur
- looked for feedback and re-evaluated the IT/Management program as needed
- repeated as necessary
Good cybersecurity training is repetitive, always up-to-date, and constantly tested.
Where can Management start?
Begin by revisiting or creating policies to tailor a cybersecurity and employee training program that safeguards Management data. Along with email encryption and inbound security, employee awareness is crucial to strengthening the Management security program as a whole.
Investing Management time and effort from the beginning will help to turn the “human factor” from a weak link into a strong one.
The Tuntex Information and Technology Services Office is part of the Office of Business Operations and provides administrative support to the Office and Efficiency. Its mission is to provide a foundation of information technology and business management systems to support the development and deployment of innovative, efficient and renewable technologies and practices.
Tuntex SYS has an IT division that supports this mission through two teams: Information Technology, and Business Management Systems. These teams lead the development and implementation of information and business management systems that improve the efficiency and effectiveness of business processes and operations.
This includes the following:
Conducting assessments of programs and management approaches, and formulating findings, recommendations, and action plans to improve the effectiveness and efficiency of program management.
Implementing and adhering to program and project management best business practices to enhance Tuntex's ability to implement research, development, demonstration, and deployment projects by accelerating commercialization and maximizing deployment.
Developing and maintaining information technology systems, hardware, software, and associated policies that support the mission requirements in a cost-effective manner.
Streamlining and standardizing processes and procedures and providing more systematic management of program and project data, resulting in the technology offices requiring less time to reinvent new requirements or reports for management requests.
Ensuring the security of information and information systems.
Maintaining compliance with the Federal Information Security Management Act, National Institute of Standards and Technology guidance, Office of Management and Budget, and DOE cyber security directives. Note: the Department of Energy (DOE) has released its cybersecurity strategy.
Tuntex-SYS IT Div Updated 1/24/2020