Since the WFH explosion, VPN usage has vastly increased. But has it inadvertently opened up an opportunity for cybercriminals?
A change of topic this week, as we shift our focus to cybercrime. In the recent Cloud for Business report by Raconteur, as distributed in The Sunday Times, Laurie Clark asked whether CIOs needed to rethink their security amid a vast increase in attack surface.
The explosion in the number of remote workers using virtual private networks since 2020 has vastly increased the attack surface for cybercriminals. This is prompting a security rethink among CIOs.
At the end of last year, network security giant Fortinet warned clients that zero-day vulnerabilities in its virtual private networks had been exploited by hackers in a way that could grant them control of vulnerable VPN servers. It said that this sophisticated attack seemed to be the work of a state-level group seeking to target other national governments. There was fevered bartering on the dark web for the hackers’ successful code. Other criminals used the exploit script in their attempts to infect a global investment firm and a Canadian college with ransomware.
Many firms used VPN technology at the start of the pandemic to share their data. The Covid crisis brought with it a steep rise in cybercrime in 2020, partly because the widespread move to remote working that started during the first lockdowns created so many more potential weak spots for criminals to probe. The kind of attack that affected Fortinet – the targeting of VPN vulnerabilities – has become far more common than it was before the pandemic. The VPN’s status as a secure solution has therefore declined significantly in the past couple of years. In the US, for instance, the FBI, the Cybersecurity and Infrastructure Security Agency and the National Security Agency have all warned businesses about the weaknesses of VPNs.
For the millions of companies that have adopted a hybrid working model over the same period, the need to give staff secure remote online access has outlived the lockdown era. With these security concerns in mind, firms are focused on exploring alternative approaches. Some industry insiders believe that VPNs are still workable in concert with other measures, while others favour a shift to an entirely new set of security protocols. J D Sherry, a partner in the consultancy practice at cybersecurity firm Istari, is in the first camp. “While VPNs can be effective tools for ensuring data security, companies can become overly reliant on them,” he argues, adding that their use can create a false sense of security, even though their defences can easily be bypassed if users don’t practise basic cybersecurity hygiene. “A VPN can encrypt data and protect against certain types of attack, but it isn’t a silver-bullet solution,” Sherry says.
Phil Robinson, principal consultant at cybersecurity consultancy Prism Infosec, is more cautious about the security offered by VPN servers and attached devices. These are susceptible to software vulnerabilities, including serious flaws that would allow attackers to gain access and even full control, he contends. Robinson points out that other big commercial VPN vendors, including Cisco and Juniper, have been found to have coding frailties or weak protocols for authentication or encryption.
In the recent Fortinet case, an authentication bypass vulnerability enabled unauthenticated users to access devices on the network. Such incidents have prompted many experts in the field to declare the imminent demise of VPNs. But Robinson – despite his criticisms of the technology – isn’t one of them. “Contrary to popular opinion, the VPN is not dead – yet,” he says. Indeed, companies may not need to discard VPNs at all. There are several ways in which a firm can make them more secure.
Number one is choosing a reputable provider that works to strong encryption standards. Moreover, two straightforward practices that will hugely improve security are using two-factor authentication and updating software regularly to obtain the latest patches. Paul Bischoff, editor and consumer privacy advocate at Comparitech.com, says of two-factor authentication: “Requiring a one-time PIN or passcode when logging into the VPN will prevent many attacks that would otherwise result from credential theft. Two-factor authentication may be an inconvenience for employees, but it is worth it.”
As for ensuring that the software is updated regularly, Bischoff points out that nearly every vulnerability, once discovered by the vendor, will be eliminated in the very next update. This means that “only businesses that refuse or ignore security updates” would remain at a high risk of getting hacked. Any company that’s slow to upgrade its VPN software for whatever reason is making itself a tempting target for ransomware gangs and other threat actors. This is why the US National Security Agency issued a cybersecurity advisory notice in October 2019 that strongly urged firms to pay attention to updates issued by their VPN providers and install the patches as soon as they became available.
Another straightforward safeguard that employers should implement is a so-called least privilege regime, meaning that a particular user has access only to the networks and services that are crucial to their work. Such features are likely to be built into cloud-based VPNs. Some experts believe that the main weakness associated with VPNs is human rather than technological, with criminals using social engineering methods such as phishing to steal users’ credentials. This, they argue, means that providing cybersecurity awareness training for all staff is one of the most effective ways for an employer to protect itself.
In his role as a director and solicitor-advocate at law firm Freeths, Will Richmond-Coggan specialises in group litigation arising from cybersecurity breaches. He contends that “something like a VPN – if properly understood and configured – can be an important part of a business’s armour. But it should be part of a wider jigsaw of protections that are assembled with a good understanding of the business, how it operates and the risks it faces.” But fast-developing trends in network tech and the emergence of new tools mean that the situation is changing, according to Robinson. “Realistically, the ‘deperimeterisation’ of the network and the demand for remote access mean that the days of the VPN are numbered,” he says.
The replacement for the VPN is generally agreed to be the ‘zero-trust’ approach, which is more of a concept covering the interaction of products across identity verification, access management and network segmentation. The approach takes as its starting point the notion that no device or user seeking access to a network is to be trusted. With a VPN, on the other hand, once a user is authenticated, they can typically access the entire network. Traditional products won’t raise an alarm if that person logs in from a different location or in any way acts suspiciously.
Instead, zero trust relies on a series of ID and access management tools, such as multi-factor authentication and device profiling, to grant access on a case-by-case basis. The concept has caught on: 80% of IT and security professionals responding to a 2022 survey by Cloud Security Alliance said that adopting zero-trust systems was a high priority for them.
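To make the contrast in the two paragraphs above concrete, here is an added example (not code from the report or from M247) that evaluates constructed VPN login events first the legacy way, where a valid credential grants the whole network, and then with a simple zero-trust policy that checks MFA, device posture and login location on every request and grants only the services a user's role needs. It also illustrates the two-factor and least-privilege practices recommended earlier; the field names, the two-hour travel threshold and the sample data are assumptions.

```python
# Constructed sample login events, roughly what a VPN gateway or identity
# provider would log per attempt (field names are assumptions, not a vendor schema).
EVENTS = [
    {"user": "alice", "password_ok": True, "mfa": True,  "device_managed": True,  "country": "GB", "ts": 1_700_000_000},
    {"user": "alice", "password_ok": True, "mfa": True,  "device_managed": True,  "country": "GB", "ts": 1_700_003_600},
    # 30 minutes after the previous GB login, but from a different country
    {"user": "alice", "password_ok": True, "mfa": True,  "device_managed": True,  "country": "RU", "ts": 1_700_005_400},
    {"user": "bob",   "password_ok": True, "mfa": False, "device_managed": False, "country": "GB", "ts": 1_700_010_000},
]

# Least-privilege map: the only services each user may reach (constructed).
ROLE_SERVICES = {"alice": {"crm", "mail"}, "bob": {"mail"}}

TRAVEL_WINDOW = 2 * 3600  # a country change within 2 hours is treated as impossible travel


def legacy_vpn_decision(event):
    """Classic VPN model: one successful credential check opens the whole network."""
    return ("allow", "all-network") if event["password_ok"] else ("deny", None)


def zero_trust_decision(event, history, allowed):
    """Per-request decision from identity, MFA, device posture and location context.

    Returns (decision, reason, services): decision is allow / step_up / deny,
    services is the least-privilege set granted on allow (empty otherwise).
    """
    if not event["password_ok"]:
        return "deny", "bad credentials", set()
    if not event["mfa"]:
        return "step_up", "MFA required", set()
    if not event["device_managed"]:
        return "deny", "unmanaged device", set()
    prev = [e for e in history if e["user"] == event["user"] and e["ts"] < event["ts"]]
    if prev:
        last = max(prev, key=lambda e: e["ts"])
        if last["country"] != event["country"] and event["ts"] - last["ts"] < TRAVEL_WINDOW:
            return "deny", f"country changed {last['country']}->{event['country']} within 2h", set()
        if event["country"] not in {e["country"] for e in prev}:
            return "step_up", f"first login from {event['country']}", set()
    return "allow", "policy satisfied", allowed.get(event["user"], set())


def evaluate_all(events, allowed):
    """Replay events in time order; only allowed logins build the behavioural baseline."""
    history, results = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        decision, reason, services = zero_trust_decision(ev, history, allowed)
        results.append((ev["user"], decision, reason, services))
        if decision == "allow":
            history.append(ev)
    return results
```

Run `evaluate_all(EVENTS, ROLE_SERVICES)` next to `legacy_vpn_decision` on the same events: the legacy path admits every event to the whole network, while the policy denies the impossible-travel login and asks Bob for a second factor.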
But the move from VPNs to zero trust is likely to take years. Businesses tend to rely on legacy systems that are designed to work with VPNs, which means that many of them will probably need to be replaced too. “The network needs to be micro-segmented to limit access, which can be both complex and costly to achieve,” says Robinson, who adds that zero trust is “very much a strategy with no one-size-fits-all solution. Projects are bespoke and will require a range of solutions.”
What, then, is the first big hurdle for IT chiefs to clear on the way towards a zero trust regime? Robinson suggests that persuading the rest of the C-suite – who may believe that the VPN is working just fine as it is – of the need for change could be quite the challenge. “Until they can convince those at board level that zero trust isn’t a passing fad but is essential in securing a distributed enterprise”, he says, “many zero-trust projects will struggle to get off the ground.”
As a long-standing proponent of business network security, M247 champions multi-factor authentication, cybersecurity training, least-privilege access and robust firewall policies as bare-minimum requirements for VPN protection. As long as these cybersecurity measures are implemented, and tools are patched with the latest updates, a VPN can still offer a good networking solution for businesses with remote and hybrid workers.
For many businesses, however, the increasing complexity of the network, with the addition of IoT devices, BYOD policies, home working and growing use of cloud technologies, means VPNs may be falling short not only in security but also in capability. For these businesses, where the network perimeter has been all but blown wide open, it’s simply no longer feasible for CIOs to maintain crystal-clear oversight of the attack surface. A flexible and robust zero-trust architecture can help secure the new ‘perimeter-less’ network, and it makes good operational sense.
Getting buy-in at board level for the large-scale infrastructure changes necessary to facilitate this won’t be easy – but the potential cost of a successful cyber or ransomware attack cannot be dismissed out of hand. Businesses still using VPNs to connect remote teams to their networks will need to ask themselves whether that trade-off is still worth it, or whether a financial outlay in the short term is justified by increased protection and a future-proofed network in the longer term.
To download your complete copy of the 2023 Cloud for Business report and read more articles like this, click here.