Are the virtual private network’s days numbered?
At the end of last year, network security giant Fortinet warned clients that zero-day vulnerabilities in its virtual private networks had been exploited by hackers in a way that could grant them control of vulnerable VPN servers. It said that this sophisticated attack seemed to be the work of a state-level group seeking to target other national governments.
There was fevered bartering on the dark web for the hackers’ successful code. Other criminals used the exploit script in their attempts to infect a global investment firm and a Canadian college with ransomware.
Many firms used VPN technology at the start of the pandemic to share their data. The Covid crisis brought with it a steep rise in cybercrime in 2020, partly because the widespread move to remote working that started during the first lockdowns created so many more potential weak spots for criminals to probe.
The kind of attack that affected Fortinet – the targeting of VPN vulnerabilities – has become far more common than it was before the pandemic. The VPN’s status as a secure solution has therefore declined significantly in the past couple of years. In the US, for instance, the FBI, the Cybersecurity and Infrastructure Security Agency and the National Security Agency have all warned businesses about the weaknesses of VPNs.
For the millions of companies that have adopted a hybrid working model over the same period, the need to give staff secure remote online access has outlived the lockdown era. With these security concerns in mind, many firms are exploring alternative approaches.
Some industry insiders believe that VPNs are still workable in concert with other measures, while others favour a shift to an entirely new set of security protocols. J D Sherry, a partner in the consultancy practice at cybersecurity firm Istari, is in the first camp.
“While VPNs can be effective tools for ensuring data security, it is possible for companies to become overly reliant on them,” he argues, adding that their use can create a false sense of security, even though their defences can easily be bypassed if users don’t practise basic cybersecurity hygiene.
“A VPN can encrypt data and protect against certain types of attack, but it isn’t a silver-bullet solution,” Sherry says.
Phil Robinson, principal consultant at cybersecurity consultancy Prism Infosec, is more cautious about the security offered by VPN servers and attached devices. These are susceptible to software vulnerabilities, including serious flaws that would allow attackers to gain access and even full control, he contends.
Robinson points out that other big commercial VPN vendors, including Cisco and Juniper, have been found to have coding frailties or weak protocols for authentication or encryption. In the recent Fortinet case, an authentication bypass vulnerability enabled unauthenticated users to access devices on the network.
The importance of updates and maintenance
Such incidents have prompted many experts in the field to declare the imminent demise of VPNs. But Robinson – despite his criticisms of the technology – is not one of them.
“Contrary to popular opinion, the VPN is not dead – yet,” Robinson says.
Indeed, companies may not need to discard VPNs at all. There are several ways in which a firm can make them more secure. Number one is choosing a reputable provider that works to strong encryption standards, such as AES-256. Moreover, two straightforward practices that will hugely improve security are using two-factor authentication and updating software regularly to obtain the latest patches.
Paul Bischoff, editor and consumer privacy advocate at Comparitech.com, says of two-factor authentication: “Requiring a one-time PIN or passcode when logging into the VPN will prevent many attacks that would otherwise result from credential theft. Two-factor authentication may be an inconvenience for employees, but it is worth it.”
As for ensuring that the software is updated regularly, Bischoff points out that nearly every vulnerability, once discovered by the vendor, will be eliminated in the very next update. This means that “only businesses that refuse or ignore security updates” would remain at a high risk of getting hacked.
Any company that’s slow to upgrade its VPN software for whatever reason is making itself a tempting target for ransomware gangs and other threat actors. This is why the US National Security Agency issued a cybersecurity advisory notice in October 2019 that urged firms to pay attention to updates issued by their VPN providers and install the patches as soon as they became available.
Another straightforward safeguard that employers should implement is a ‘least privilege’ regime, meaning that a particular user has access only to networks and services that are crucial to their work. Such features are likely to be built into cloud-based VPNs.
Some experts believe that the main weakness associated with VPNs is human rather than technological, with criminals using social engineering methods such as phishing to steal users’ credentials. This, they argue, means that providing cybersecurity awareness training for all staff is one of the most effective ways for an employer to protect itself.
In his role as a director and solicitor-advocate at law firm Freeths, Will Richmond-Coggan specialises in group litigation arising from cybersecurity breaches. He contends that “something like a VPN – if properly understood and configured – can be an important part of a business’s armour. But it should be part of a wider jigsaw of protections that are assembled with a good understanding of the business, how it operates and the risks it faces.”
From VPN to zero trust
But fast-developing trends in network tech and the emergence of new tools mean that the situation is changing, according to Robinson.
“Realistically, the ‘deperimeterisation’ of the network and the demand for remote access mean that the days of the VPN are numbered,” he says.
The replacement for VPN is generally agreed to be the ‘zero-trust’ approach, which is more of a concept covering the interaction of products across identity verification, access management and network segmentation. The approach takes as a starting point the notion that no device or user seeking access to a network is to be trusted.
With a VPN, once a user is authenticated, they can typically access the entire network. Traditional products won’t raise an alarm if that person logs in from a different location or acts suspiciously. Instead, zero trust relies on a series of ID and access management tools, such as multi-factor authentication and device profiling, to grant access on a case-by-case basis. The concept has caught on: 80% of IT and security professionals responding to a 2022 survey by Cloud Security Alliance said that adopting zero-trust systems was a high priority for them.
But the move from VPNs to zero trust is likely to take years. Businesses tend to rely on legacy systems that are designed to work with VPNs, which means that many of them will probably need to be replaced too.
“The network needs to be micro-segmented to limit access, which can be both complex and costly to achieve,” says Robinson who adds that zero trust is “very much a strategy with no one-size-fits-all solution. Projects are bespoke and will require a range of solutions.”
What is the first big hurdle for IT chiefs to clear on the way towards a zero-trust regime? Robinson suggests that persuading the rest of the C-suite – who may believe that the VPN is working just fine as it is – of the need for change could be quite the challenge.
“Until they can convince those at board level that zero trust isn’t a passing fad but is essential in securing a distributed enterprise”, he says, “many zero-trust projects will struggle to get off the ground.”