By: Etay Bogner
The traditional way that IT approached securing the enterprise was via perimeter security—hence the popularity of virtual private networks (VPNs), which were designed expressly for this purpose. Yet while VPNs could effectively enable and secure remote access in the past when most work was done onsite within company walls, their use has become increasingly risky in a world that includes a preponderance of virtual workers. While corporate VPNs gave remote workers network access to retrieve company data and applications needed to do their work, other network data also became vulnerable.
The fact is that local area network users can’t always be “trusted,” as is evident from the large number of data breaches affecting organizations of all sizes around the globe. By giving remote users the run of the network, so to speak, a sizable attack surface remains open for exploitation by hackers and attackers.
In 2019, the DHS Cybersecurity and Infrastructure Security Agency (CISA) and the CERT Coordination Center released information on a vulnerability affecting Virtual Private Networks (VPNs). An attacker could exploit this vulnerability to take control of an affected system. There have been instances where VPNs improperly secured tokens and cookies, giving malicious actors the ability to invade and take over control of an end user’s system. CISA encourages users and administrators to review CERT/CC’s Vulnerability Notes for more information and to refer to vendors for appropriate updates when available. The DHS/CERT warning follows a previous CERT notice from Carnegie Mellon that VPNs deployed by some of the world’s largest and most well-regarded vendors left authentication or session cookies insecurely available in memory or log files.
The problem is that any exploit based on extracting keys or cookies and transferring them to another machine means that the VPN implementation on the gateway side lacks additional countermeasures that should have been implemented. But which countermeasures or additional security measures should the victims have put into place? What industry experts propose is a cloud-based solution that follows the user and their devices wherever they are, rather than a solution relying on traditional VPN infrastructure at the office or data center.
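One gateway-side countermeasure of the kind the paragraph asks about, written here as an added example that is not from the original article or any vendor's product: bind each session token to a client attribute the gateway verifies independently (assumed here to be the fingerprint of the client certificate presented on the TLS connection), so a cookie copied from memory or a log file fails validation when replayed from another machine. The signing key, user names and fingerprints are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed per-process signing key; a real gateway would keep this in a KMS/HSM
# and rotate it. Tokens are only valid on the gateway that holds this key.
SERVER_KEY = secrets.token_bytes(32)


def issue_session(user: str, client_binding: str, ttl: int = 3600,
                  now: Optional[int] = None) -> str:
    """Issue a session token for `user` that is valid only when presented together
    with the same `client_binding` (assumed: client-cert fingerprint) it was issued for.
    The binding is mixed into the MAC but not stored in the token, so the token alone
    is useless on a machine that cannot present the same client certificate."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl}"
    tag = hmac.new(SERVER_KEY, f"{payload}|{client_binding}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_session(token: str, client_binding: str,
                     now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is well-formed, unexpired and bound to
    `client_binding`; otherwise return None. Rejects a token replayed from a host
    with a different binding, a tampered payload, and an expired session."""
    try:
        user, expiry_str, tag = token.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed token
    now = int(time.time()) if now is None else now
    if now >= expiry:
        return None  # expired
    expected = hmac.new(SERVER_KEY, f"{user}|{expiry}|{client_binding}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong binding or tampered payload
    return user


if __name__ == "__main__":
    tok = issue_session("alice", "fp-client-A", now=1_000_000)
    print("same client :", validate_session(tok, "fp-client-A", now=1_000_100))
    print("copied token:", validate_session(tok, "fp-client-B", now=1_000_100))
```

A stolen token still needs to be paired with a short lifetime and revocation on the gateway; the binding only removes the "copy the cookie elsewhere" path the advisories describe.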
Until more effective, identity-based remote access solutions such as software-defined perimeters (SDPs) are commonly deployed, below are five of the most typical types of security threats that VPNs are no longer well-equipped to protect against.
In a security breach known as “man in the middle” or MITM, a cyberthief enters a communication channel between an application and a user. The hacker may pretend to be the other party or may “listen in” to the conversation without permission. The user may have no idea that anything untoward is happening, since the MITM can make it appear to be a normal information exchange. While a VPN can offer some shelter from this type of subterfuge through encryption, what often happens is that the VPN sends traffic out via a split encrypted tunnel in the name of cost savings, which means endpoints are left unprotected. SDPs avoid this problem by securing open endpoints, which can protect web traffic while safeguarding network access.
Many remote workers rely on public Wi-Fi to get business done—but security is a huge issue on these open networks when using a VPN solution, in particular through the possibility of DNS hijacking. In this type of attack, perpetrators infiltrate the Domain Name System and reroute victims away from the site they wanted, directing them to a malicious site instead. If a hacker gets his or her hooks into the DNS, this can cause ongoing trouble as the hacker directs users to pages with ads or malware. SDPs, on the other hand, are structured as Network-as-a-Service to prevent DNS hijackers from having their way.