
I work in a small company and we have recently invested in a new server that provides VPN services.

I contacted the IT company in charge today in order to connect my laptop so I can work from home. I asked for the protocol the VPN was using and they told me PPTP.

I know that this is a very old protocol and that its security is slightly compromised (by CloudCracker for example).

Now we don't deal with highly sensitive information and it seems hard to imagine someone who would invest time and money to compromise our data. But this is a threat that should be avoided I think.

My boss is quite an anxious person and I am hesitant to tell him about it to save him from going through all possible scenarios.

We are likely to change IT company soon.

What should I do?

Jacques Gaudin
  • This is a very subjective question. The infosec answer of course is, you know about a vulnerability, you report it always no matter how small. But the human answer can differ, especially if this is not your job. I would probably try middle of the road, tell the boss that the PPTP protocol is old and not up to modern standards, so you should migrate away from it, but maybe don't mention there are exploits available. – Peter Harmann Apr 26 '18 at 23:11
  • Even the Wikipedia article says it is "obsolete." Maybe you can get a discount from your current IT company ;) [Ref: https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol] – hft Apr 26 '18 at 23:25
  • If nobody is interested in your data you might as well use a plaintext connection. That's kind of a straw man argument. They should switch the server to one that supports something based on a more modern protocol such as TLS 1.2 or SSH2. You're paying a lot of money for something that's crappy. But keep your report light, positive, without emotion and show that you're doing it for the company. And if they don't follow up, well, that's their decision, you can't win them all. You've already indicated that this isn't mission critical or against your morale I suppose, no need for drastic decisions – Maarten Bodewes Apr 27 '18 at 00:02
  • This question seems more suitable to the workplace exchange https://workplace.stackexchange.com/ as your question relates to how you deal with your boss rather than details about the security and how likely you are to get breached. – user1605665 Apr 27 '18 at 00:41
  • @user1605665 I thought of this but I thought the technical aspect was more important to me. – Jacques Gaudin Apr 27 '18 at 07:16
  • @hft Are you serious? My stingy-self thought of that too... – Jacques Gaudin Apr 27 '18 at 07:51
  • Unfortunately this question is off-topic here. If you are asking about the security implications of using a VPN with PPTP, a lot of people here can tell you (and already told you) that it is horribly insecure. How you deal with your manager is an issue for [workplace.se]. – Tom K. Apr 27 '18 at 08:32
  • @tomk I'm happy to move it – Jacques Gaudin Apr 27 '18 at 08:42
  • @JacquesGaudin not really serious, more of a tongue in cheek comment, I forgot that doesn't translate very well over the internet. – hft Apr 27 '18 at 22:38
  • I don't believe the question is off-topic. The question is perfectly valid. Too many people define this forum in too narrow terms, and one of my long term goals here is to expand the definition of "on topic" – Steve Sether Apr 27 '18 at 23:36

2 Answers


This is a good question, and the answer to this precise question, "should I tell X that Y is not secure", is almost always "No." It's best not to give statements in a vacuum to a superior; provide context and explanations.

A boss needs actionable information and a framing to make a decision. No actionable information is conveyed in that particular choice of language, and no decision is presented. Furthermore, the terms "secure" and "not secure" have a useful meaning really only to security engineers, who understand that nothing is actually secure, and most things that are not-secure may still be only rarely compromised, because there are so many not-secure things out there.

A better way to frame issues like this is to work through the implications and to convey the state of play as a decision that could be made. The decision here is whether to invest in changing to another protocol, perhaps through the change in IT providers.

A useful, but not the only, way to frame a security investment decision is in terms of dollar spend on a form of insurance. There are many, many other consideration domains, particularly in the context of security: regulatory and compliance, customer trust concerns that cannot be expressed in terms of dollars, and others. But in the same way that ROI is a useful common language to look at the investment and growth side of a business, insurance cost is a useful way to look at the risk side of a business.

Here, on the one side, one wants to look at the costs in dollars and time of doing an upgrade or transition, and the impact on the workflow.

On the other side, one wants to make an estimate of the costs of a breach. The basic process is to identify the potential outcomes of a breach, estimate the range of costs of dealing with them, and estimate the likelihood of them occurring within a particular timeframe.

This may seem like a lot to estimate, but all you want is a very, very rough ballpark of potential bad case scenarios, and for a small company with a small number of assets/customers/implications, one should be able to do that pretty quickly. All you really need to determine is if you're talking about an expected loss of $1,000, $10,000, $100,000 or $1,000,000.

The cost of the upgrade is the insurance against the potential loss. A boss will be able to decide whether to get that insurance. If they do, great. If they don't, that's ok, too. If after the process you realize that some of the costs or risks were misunderestimated, as the saying goes, welcome to the club! Just continue the dialogue. The boss will appreciate it.

Good luck.

Jonah Benton
  • Lots of excellent points in here. Since it was noted they are also likely to change their IT company soon, it might be worth framing the information as requirements for the selection of the new service provider. – nbering Apr 27 '18 at 03:50
  • @jonah thanks that sounds like a good approach to me. I'll advise for the change of IT company which is already in the air and mention that when the change happens. – Jacques Gaudin Apr 27 '18 at 06:48
  • I think you should really rephrase that first sentence. IMO a better wording would be "Don't give statements in a vacuum to a superior, explain them.". I also strongly disagree with the statement that the "best way to frame a decision is in terms of dollars". Compliance with laws and regulations or the satisfaction of your customers and your employees is a very important foundation for deliberations like this as well. These things are not easily measured in money, but are vital for any company. – Tom K. Apr 27 '18 at 09:08
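The insurance-style comparison in the answer above (one-off upgrade cost against a rough expected-loss range, bucketed to an order of magnitude), carried through as an added example that is not part of either answer or the original page. The scenario names, costs and probabilities are constructed placeholders, and the script covers only the dollar side that the answer and Tom K.'s comment agree is not the whole picture.

```python
"""Added example, not code from the answer or the page: the insurance-style
comparison described above, carried through in code. The scenario names,
costs and probabilities are constructed placeholders."""
import math
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    cost_low: float            # rough lower bound of clean-up cost, dollars
    cost_high: float           # rough upper bound, dollars
    annual_probability: float  # chance of this outcome in one year, 0..1

def expected_loss_range(scenarios, years):
    """(low, high) expected loss in dollars over the horizon. Probability over
    `years` is 1 - (1 - p) ** years, not p * years, so it never exceeds 1."""
    low = high = 0.0
    for s in scenarios:
        p = 1.0 - (1.0 - s.annual_probability) ** years
        low += p * s.cost_low
        high += p * s.cost_high
    return low, high

def order_of_magnitude(dollars):
    """Nearest power of ten ($1,000, $10,000, ...): the bucket the answer says
    is all a boss needs to decide."""
    return 0 if dollars <= 0 else 10 ** round(math.log10(dollars))

def decide(scenarios, upgrade_cost, years):
    """Compare the one-off upgrade cost (the 'premium') with the loss range it
    insures against and name the verdict a boss can act on."""
    low, high = expected_loss_range(scenarios, years)
    if upgrade_cost <= low:
        verdict = "worth buying"
    elif upgrade_cost > high:
        verdict = "hard to justify on dollars alone"
    else:
        verdict = "judgement call"
    return {"loss_low": order_of_magnitude(low), "loss_high": order_of_magnitude(high),
            "upgrade_cost": upgrade_cost, "verdict": verdict}

# Constructed placeholder scenarios for a small office on a legacy VPN.
SCENARIOS = [
    Scenario("traffic read on shared Wi-Fi", 2_000, 20_000, 0.05),
    Scenario("VPN credentials reused against a file share", 10_000, 100_000, 0.02),
]

if __name__ == "__main__":
    print(decide(SCENARIOS, upgrade_cost=3_000, years=3))
```

With the placeholder numbers a $3,000 upgrade lands inside a $1,000 to $10,000 expected-loss bracket over three years, which is exactly the "present it as a decision" situation the answer describes.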

I think it's important to think in terms of threats, and I'd encourage you to perhaps dial back some of your concerns. Security isn't about yes or no, it's normally about "secure enough". Too often we try to eliminate all the flaws in a system rather than trying to find solutions that are "good enough". From what you say your current solution is "good enough".

Yes, PPTP isn't perhaps the most secure VPN technology out there. But it's important to think in terms of what threat you are protecting against, and what you're protecting. Exploiting a VPN vulnerability means an attacker has to be somewhere between the two endpoints of the tunnel. That means that the attacker either has to be close to the endpoint (coffee shop, your house, etc), or have some form of sophisticated attack to direct traffic through them. The former threat is limited in scope and duration, and the latter is only achievable by formidable adversaries.

You also say that nobody is likely to crack the VPN protocol because you don't have anything of value worth stealing. All of this points to recommending you say little or nothing about the security issue, because it sounds like it's largely irrelevant.

More at issue would likely be that the IT provider you're using doesn't sound particularly tech-savvy if they're still using such an insecure technology. I'd store this away somewhere in your own brain for future reference. It's worth mentioning if you ever choose a different company.

Steve Sether
  • Thanks, that sounds very reasonable. The current situation is tolerable but not great. I'll be on the lookout for an opportunity to improve this. – Jacques Gaudin Apr 27 '18 at 14:36