Why You Should Be, and What You Can Do About It
With the Coronavirus pandemic, certain previously nice-to-have-items have become crucial: Endless squirts of hand sanitizer, a steady supply of breathable masks, and a good VPN to remotely connect to work.
Although perhaps less obvious basic equipment than Purell, VPNs were (and still are) responsible for enabling entire workforces to remain productive despite distancing regulations. VPN usage grew 124% in the initial weeks of the pandemic and in the weeks since, the US has seen a 44% increase in reliance on VPNs, the UK a 35% jump, and a whopping 80% jump in France. One might posit that VPNs were indeed the heroes of the day (after health workers, of course), allowing large swaths of the economy to continue working despite challenges of lockdowns and closures.
This reliance comes at a cost, though; while VPN tunnels and concentrators get the job done in terms of connecting remote users to networks, they are frequently the target of cybercriminals looking for ways to enter a network. This is one of the reasons that many organizations are looking for ways to bolster the security of their remote access infrastructure. To illustrate, in 2019, Gartner predicted that by 2023, 60% of organizations would begin to add capabilities – known as Zero Trust Network Access (ZTNA) – to better secure access to critical applications and IT resources. Obviously, even Gartner’s professional seers couldn't have predicted COVID-19 and the massive impact it would have on pretty much everything, VPN market included. As mentioned earlier, organizations have doubled down on using VPNs, but the question remains, what is the best way to secure the networks to which they are connected?
It’s Not Just the VPN, It’s the Network
The networks which VPNs connect are at the heart of the most problematic security risks that are commonly attributed to VPNs.
For starters, in the rush to support “shelter-in-place,” many organizations set up work-at-home deployments far faster and with much less planning than was ideal. They quickly leveraged VPNs to enable connections from home networks, but in many instances, improperly configured settings exposed corporate networks to risk from vulnerabilities existing on users' private networks.
Then there's the flat structure of corporate networks, which are virtual candy stores for hackers, with all the goodies laid out for all to see. And, no surprise, like the shoplifters that store owners struggle to keep out, hackers look for ways to slip in to get to the sweets. One network access option they target is VPNs.
VPNs typically lack granular controls, enabling users to connect into “flat” unsegmented networks that enable user and IP address visibility, and access to way too many applications and resources. That’s a huge problem with many facets; even pre-COVID-19, organizations had significant numbers of external users, such as third-party vendors, freelancers, and flex workers, all using the VPN to access resources. And now, with essentially entire teams relying on this flat topology, the lack of granular permissions is especially troubling as it creates a sprawling attack surface.
In August 2019, researchers revealed that they had found vulnerabilities in a number of popular corporate VPN services. The research team alerted the VPN providers about the potential bugs as soon as they were found so they could convey the importance of immediately deploying patches to their customer base. Unfortunately, since some customers lack robust patch-management processes, vulnerabilities like those found can linger for many months or even for years. And then, if hackers do manage to successfully compromise a VPN and enter a typical flat network, they are off to the races, freely moving laterally to encrypt systems, steal data, and more.
With the pandemic likely to remain active for months – perhaps years – to come, attackers are making the most of the opportunities it's created, exploiting remote access technologies like VPNs and RDP to deploy devastating ransomware attacks such as REvil (Sodinokibi). Mainly focusing on hospitals, this variant scans the internet, searching for vulnerable VPN deployments. Once it finds one, according to researchers at Microsoft, “attackers steal credentials, elevate their privileges and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads.” While an unpatched VPN vulnerability may provide a way in, it is the flat network design that gives hackers free access to sensitive systems and data.
Ever since the disclosure of the vulnerabilities last summer, the NSA and the UK’s GCHQ have been urging users to employ caution when using VPNs to enable remote network access. An alert from the NSA states, “Multiple nation-state advanced persistent threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices”.
Making the Best of What You’ve Got – Best Practices for Better Network and VPN Security
Organizations that doubled down on VPNs to quickly enable remote work environments during the COVID-19 pandemic remain pleased to have their VPNs in place and working, allowing employees to stay productive and permitting businesses to move forward. Given the current uncertain economic climate, what can organizations do to address the network security vulnerabilities we’ve highlighted above? Surely, ripping out working solutions in which they only recently invested, and trying to deploy a new solution in its place, isn’t the smartest idea at this time.
There are, however, a few key steps organizations can take to protect their valuable data and resources even in the event that a hacker somehow gets in. So if your organization relies on a VPN connection to remotely access your corporate network, be sure to follow these best practices to establish better network and VPN security:
- Keep your VPN patched with the latest patches at all times; in the case of the vulnerability mentioned above, patches were released almost a year ago and companies are still to this day falling prey because they have yet to take the necessary actions.
- Prevent lateral movement by eliminating flat networks. If attackers do make their way inside, it’s essential to keep them from making their way to critical assets. This can be done by implementing an application isolation solution that cloaks apps from unauthorized users, so attackers cannot even see which apps are there, much less attack them.
- Microsegmenting access for users via least privilege permissions protects networks from insider threats, as well as hackers who gain access through brute force attacks.
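The difference between the flat topology described earlier and the microsegmented, least-privilege model in the last two points is easy to quantify. The following Python script is an added example, not code from the article or from any product it mentions: it models a constructed application inventory and role policy, computes the "blast radius" (the set of apps a stolen VPN credential can reach) under both models, and audits the policy for grants that exceed a role's sensitivity ceiling. All app names, roles, and the 0-2 sensitivity scale are assumptions made up for the illustration.

```python
"""Blast radius of a compromised VPN account: flat network versus
microsegmented least-privilege access (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    sensitivity: int  # constructed scale: 0 = public, 1 = internal, 2 = critical


# Constructed inventory of applications sitting behind the VPN concentrator.
APPS = {
    "wiki": App("wiki", 0),
    "git": App("git", 1),
    "ci": App("ci", 1),
    "hr-portal": App("hr-portal", 2),
    "erp": App("erp", 2),
    "backup-server": App("backup-server", 2),
}

# Constructed role-based policy: the only apps each role is allowed to reach.
ROLE_POLICY = {
    "engineer": {"wiki", "git", "ci"},
    "finance": {"wiki", "erp"},
    "hr": {"wiki", "hr-portal"},
    "contractor": {"wiki"},
}

# Constructed ceiling: the highest sensitivity each role should ever be granted.
ROLE_CEILING = {"engineer": 1, "finance": 2, "hr": 2, "contractor": 0}


def reachable_flat(role):
    """Flat network: a VPN session lands on a subnet where every app is
    routable, so the user's role makes no difference to what they can reach."""
    return set(APPS)


def reachable_segmented(role, policy=ROLE_POLICY):
    """Microsegmented network: only the role's allow-listed apps are routable.
    Everything else is cloaked (no route, so nothing to scan or attack).
    An unknown role gets nothing."""
    return set(policy.get(role, set()))


def blast_radius(reachable):
    """Count reachable apps by sensitivity: what one stolen credential exposes
    to lateral movement."""
    radius = {0: 0, 1: 0, 2: 0}
    for name in reachable:
        radius[APPS[name].sensitivity] += 1
    return radius


def overprivileged_grants(policy=ROLE_POLICY, ceiling=ROLE_CEILING):
    """Least-privilege audit: return (role, app) pairs where the policy grants
    an app more sensitive than the role's ceiling allows."""
    return sorted(
        (role, app)
        for role, apps in policy.items()
        for app in apps
        if APPS[app].sensitivity > ceiling[role]
    )


def critical_exposure_reduction(role):
    """Fraction of critical apps taken out of reach by segmentation for a role."""
    flat = blast_radius(reachable_flat(role))[2]
    seg = blast_radius(reachable_segmented(role))[2]
    return (flat - seg) / flat if flat else 0.0


if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(f"{role:>10}: flat={blast_radius(reachable_flat(role))} "
              f"segmented={blast_radius(reachable_segmented(role))} "
              f"critical exposure cut by {critical_exposure_reduction(role):.0%}")
    # Constructed drift: a contractor gets the ERP system; the audit flags it.
    drifted = {**ROLE_POLICY, "contractor": {"wiki", "erp"}}
    print("least-privilege violations:", overprivileged_grants(drifted))
```

The audit function is the part worth running regularly: access policies drift over time (a temporary grant to a contractor that never gets revoked), and a single check of grants against each role's ceiling surfaces exactly the over-permissive entries that turn a VPN credential theft into a network-wide incident.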
VPNs are great tools, but they need to be used in the correct way. Make sure they, and the network they connect to, are designed with security in mind and deployed properly. VPNs will continue to play a critical role in enabling business continuity for many years to come, and your best bet is to ensure that they’re as secure as can be.