Why VPNs need to be left in 2020


Time and again virtual private networks (VPNs) are shown to be inadequate for today’s security landscape.

Earlier this year, it was revealed that government-backed Iranian hackers were exploiting VPN vulnerabilities in an attempt to establish long-lasting backdoors into large corporations. These attacks were highly reminiscent of activity by other state hackers, demonstrating that VPN exploitation is in no way a one-off. To compound VPN security woes, we’re seeing a rise in targeted malware that will cause an increasing number of corporate VPNs to be infiltrated by malicious parties this year. If nation-state attacks and the rise in malware weren’t reason enough to leave VPNs in 2020, many VPN users also struggle with network management challenges brought about by the difficulty of keeping track of multiple access rules.

With all of this in mind, it’s time businesses stopped to consider the risks VPNs are posing to data security, as well as the threat they pose to their reputation and finances. An alternative must be sought so organisations can move into 2021 with a more robust security posture that acts as a business enabler.

Nation-state attacks are on the rise

In February it became common knowledge that Iranian hacking groups APT33, APT34 and APT39 had been targeting VPN vulnerabilities with the apparent aim of planting backdoors into organisations’ networks. Worryingly, their activity involved successfully targeting a large number of market leading VPN providers; notably, Fortinet, Citrix, Palo Alto and Pulse Secure. These companies supply VPNs to numerous government agencies and Fortune 500 businesses. This put a significant number of high-value organisations, with highly sensitive information, at risk.

According to ClearSky – the company that discovered the attacks – the primary aim of the operations was to use the backdoors for future surveillance operations. However, they could hypothetically also have been exploited for the deployment of data-wiping malware. After all, attacks of this type have increased significantly in the past year – with NASA recently reporting that it had seen an “exponential increase” in attacks as more of its staff work from home due to the Covid-19 outbreak. These attacks could cripple businesses by disrupting their networks and overall operations, or even be used to carry out supply chain attacks against the companies’ clients.

The potential damage the attacks on VPNs could cause is alarming, but it’s not the only worrying factor. There’s evidence to suggest the groups were collaborating for the first time in their history, which may be how they were capable of moving so quickly – they exploited 1-day vulnerabilities in short timeframes. This raises the question of how their sophistication will continue to evolve and what they’ll be capable of exploiting VPNs for in the future. What’s more, this isn’t the first time VPNs have been exploited by nation-state attackers. Last year, APT5 – a group of Chinese state-sponsored hackers – targeted Pulse Secure and Fortinet VPNs in attacks that enabled them to steal password and session data, with the potential for devices to be taken over. The repetition of attacks of this type suggests the exploitation of VPN vulnerabilities will continue. In the absence of a permanent solution for preventing VPN vulnerabilities, businesses must look to alternative solutions – with improved security postures – that cannot be manipulated in the same way.

Malware is evolving to become more deadly

VPNs were not designed to withstand the complex security landscape they now find themselves in: a landscape where attacks are becoming increasingly targeted and sophisticated, bolstering the likelihood of ‘out-of-depth’ VPNs falling prey to hackers.

These corporate attacks provide access to bank accounts. What’s more, unlike consumer attacks, they can also damage the company’s financial resources through the exposure of its employees, increasing their appeal to malicious parties.

The rise in targeted attacks on VPNs is being enabled by the advent of malware as a service. This puts highly sophisticated cyber-abilities in the hands of local criminal organisations who would previously have been incapable of launching an attack against corporations in their area. The only way for businesses to maximise security in this environment is to take a more nuanced approach to their defensive network. In other words, adopting a zero-trust solution that micro-segments network access to minimise the attack surface in the event of a security incident.

Managing access is unnecessarily complex on VPNs

Targeted malware attacks aren’t the only security vulnerability with VPNs; their approach to network access rules also creates significant network management problems and associated security challenges. This is because VPNs allow numerous access rules to be created and don’t come with built-in auditing capabilities. As such, many companies struggle to keep track of how many rules they’ve created, who they relate to, and who created them. This not only means businesses may find themselves with more rules than their limit allows, but also creates security gaps that increase cyber-vulnerability. The same issues do not apply to Software-Defined Perimeters (SDPs).

Trust software-defined perimeters to keep data secure

SDPs simplify network access rules by automatically generating them for short-term use and then deleting them when they’re no longer required. As a result, the number of rules needed is reduced and network access control is restricted. This makes it easier for network access managers to have both visibility and control over the whole network. What’s more, the limited number of rules makes the technology much easier to manage when it comes to auditing. In fact, a full list of rules can be produced within minutes rather than days.

Improved access management isn’t the only way SDPs offer superior control and security over VPNs. A serious security challenge with VPNs is that once a user enters one part of the network they have visibility over all data in the network, regardless of whether it’s relevant to them or if they can access it. In the event of an attack – similar to those launched by Iranian and Chinese state hackers over the past year – the large attack surface means hackers can easily gain access to the entire network if a single user is compromised. By contrast, SDPs form one-to-one network connections between users and the specific resources they’re authorised to use, while all other data remains invisible. 

This enables SDPs to offer a zero-trust model which reduces the attack surface, making it far more challenging for a hacker to spread across the network. In the event that a device or user becomes compromised they can be sectioned from the rest of the business, without other users or business functions being affected. And, with the introduction of Single Packet Authorisation (SPA) – which is an advanced implementation of port knocking – your SDP entry points on the internet will be invisible, which provides an additional protection layer against unknown and even known vulnerabilities.
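To make the two mechanisms above concrete, here is a small added example (not AppGate's code or any product's implementation) of how an SDP gateway can combine Single Packet Authorisation with short-lived, one-to-one access rules: a client sends one HMAC-authenticated packet naming the single resource it wants; the gateway answers nothing unless the tag, timestamp, source address and nonce all check out, and a successful packet creates a rule for that client and that resource only, which expires on its own. The packet layout, the `SpaGateway` class and the 30-second window / 60-second rule lifetime are assumptions for illustration.

```python
import base64, hashlib, hmac, json, os, time

class SpaGateway:
    """Assumed SDP gateway: SPA verifier plus per-client, per-resource short-lived rules."""

    def __init__(self, secret, window=30, rule_ttl=60):
        self.secret = secret          # shared HMAC key provisioned to enrolled clients
        self.window = window          # accepted clock skew for the packet timestamp (s)
        self.rule_ttl = rule_ttl      # lifetime of an access rule once granted (s)
        self.seen_nonces = set()      # replay cache: a packet may only be used once
        self.rules = {}               # (client_ip, resource) -> expiry time

    @staticmethod
    def build_packet(secret, client_ip, resource, now=None):
        # Constructed packet format: JSON body, a separator and a hex HMAC-SHA256 tag.
        body = {"ip": client_ip, "res": resource,
                "ts": int(time.time() if now is None else now),
                "nonce": base64.b64encode(os.urandom(8)).decode()}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(secret, raw, hashlib.sha256).hexdigest().encode()
        return raw + b"|" + tag

    def verify(self, packet, src_ip, now=None):
        """Return True and grant a rule only if every check passes; otherwise stay silent."""
        now = time.time() if now is None else now
        raw, sep, tag = packet.rpartition(b"|")
        if not sep:
            return False
        expected = hmac.new(self.secret, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time tag comparison
            return False
        body = json.loads(raw)
        if abs(now - body["ts"]) > self.window:      # stale or future-dated packet
            return False
        if body["ip"] != src_ip:                     # packet bound to the sending address
            return False
        if body["nonce"] in self.seen_nonces:        # replayed packet
            return False
        self.seen_nonces.add(body["nonce"])
        # One-to-one rule: this client may reach this resource only, for rule_ttl seconds.
        self.rules[(src_ip, body["res"])] = now + self.rule_ttl
        return True

    def allowed(self, src_ip, resource, now=None):
        """Data-plane check: expired rules are dropped automatically, no manual clean-up."""
        now = time.time() if now is None else now
        self.rules = {k: v for k, v in self.rules.items() if v > now}
        return (src_ip, resource) in self.rules
```

Anything that fails `verify` produces no reply at all, which is what makes the entry point look closed to a scanner, while the rule table stays small because every entry removes itself after `rule_ttl` seconds.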

Prepare for a 2021 future without VPNs now

VPNs were fit for purpose when the security landscape was simplistic, but this is no longer the case. Nation-state hackers present an ongoing and persistent threat, the democratisation of malware has seen the number of high-impact, targeted attacks rise, and access management has become unnecessarily complex on VPNs.

Companies need to start thinking about adopting a different solution if they want to keep their own and their customers’ data secure. SDPs present a viable alternative thanks to their robust security posture. With this in mind, it’s time for businesses to consider how they can begin transitioning away from VPNs now for a more technically and financially secure 2021.

Kurt Glazemakers, SVP, Engineering, AppGate


Kurt Glazemakers is the SVP Engineering at AppGate. Kurt is responsible for defining the strategy, development and roadmap of the next generation of AppGate's flagship Software-Defined Perimeter solution. Glazemakers was the independent technical expert within the Medina Capital investment team that exercised due diligence prior to the acquisition of Cryptzone in April 2014. Glazemakers is renowned for his extensive knowledge of software development, especially in the Software-Defined network and storage area. Prior to joining AppGate, he served as CTO of CloudFounders, a developer of advanced private cloud technologies for IT as a service (ITaaS) solutions.

He also served as Terremark’s CTO Europe (now part of Verizon), where he was responsible for the development of Enterprise Cloud. Throughout his career, Glazemakers has focused on the development of innovative solutions that increase the availability, security and scalability of mission-critical infrastructures.