According to research from Stanford University, 42 percent of working adults in the US have been working remotely since the pandemic struck. Remarkably, 29 percent of employees claim they would quit their jobs if asked to go back into the office once the pandemic subsides. In other words, things are never returning to “normal” when it comes to US office culture.
For IT administrators, this means that for the near future, VPNs and other encrypted remote access methods are going to be a primary way to ensure secure connectivity between users, on-premises applications, sensitive data stores, and more. Unfortunately, attackers know this too—which means that the same tools that provide connectivity and productivity for your workforce are also under constant threat of exploitation.
VPNs’ Well-Known Security Challenges
The history of information security is rife with relatively minor vulnerabilities that have turned into major security risks due to organizations’ inability to patch known issues in a timely manner. VPNs are no exception, with many companies—at least 50,000 of them—now under threat because of a failure to patch a years-old vulnerability.
Back in 2018, security researchers discovered CVE-2018-13379, a vulnerability affecting Fortinet VPN devices that could allow attackers to craft malign HTTP requests and use them to gain access to system files. Fortinet promptly released a patch for the offending security flaw, and the matter should have ended there, with VPN owners promptly applying the patch.
Unfortunately, many organizations—almost 50,000 of them—appear to have never applied this particular patch. Not long before this article was written, an attacker released a list of single-line exploits that would allow bad actors to easily steal login credentials, compromise entire networks, drop malware, and exfiltrate data from these organizations. These companies, representing verticals ranging from major banks to government organizations, must now move quickly to apply the patch—and for safety’s sake, they should also conduct in-depth audits to ensure that no bad actors have already taken advantage of these publicly available exploits.
Why Aren’t VPN Operators Patching Their Systems?
It comes down to two things.
In a small company, until the pandemic hit, only a few users needed the VPN at any one time, mostly business travelers. Understaffed and over-stretched IT departments have higher-priority items aligned with key business initiatives that need their attention. A system without many simultaneous users is not a high priority for patching and maintenance, and so the VPN gradually drifts out of date.
Larger companies had people using the VPN all the time—not just during business travel but also at branch offices in other time zones, countries, and even continents. No matter what time of day or night it is, someone was probably using your VPN, even before the pandemic sent employees home. This means that it’s very difficult to take the VPN offline for maintenance. As a result, as in small businesses, the VPN gradually drifts out of date.
Lastly, it can be very hard to bring systems up to date once they’re a couple of releases behind the curve. Your applications might gladly cooperate with VPN version 1.1x but break when confronted with VPN version 1.1xx. As time goes on, more applications will begin rejecting the VPN updates. Therefore, patching even one out-of-date application might lead to months of effort to custom-code the dependent applications to accommodate the new version. Meanwhile, the original unpatched application remains insecure.
Providing a Backstop for Insecure Applications
Because it can be so difficult for organizations to patch their VPN applications in a timely fashion—and because many applications can go unpatched by mistake—organizations need a way to protect their critical data that doesn’t fully depend on the security of their VPN solution.
In other words, administrators need a way to protect critical data even if the VPN is breached. After all, even if a VPN is patched perfectly up to date, it can still be exploited by other methods such as brute-force or MITM attacks.
In order to understand how this might work, you also have to understand a bit about how most VPNs work. After authenticating into a VPN, a user is able to access the corporate network. They can see all the applications and data that are available to all users. If they try to click on a resource that they can’t use, they’ll still be denied entry. But for an attacker, being able to see these resources—even without being able to access them—is still a valuable source of information. For example, they could see which other applications are out-of-date, and then use that information to craft an additional exploit.
To prevent this from happening, you need a Zero Trust network access security tool known as an application isolator. Effectively, this tool assumes that even if a user logs in with valid credentials, they should not be trusted, since the credentials themselves may have been stolen.
To address this possibility, the application isolator hides all applications and resources that the specific user is not authorized to access. Using a least-privilege approach combined with precise microsegmentation, it allows users to see only the applications and databases that they’re authorized to use. Even network scanning and mapping tools will be unable to detect what’s on the network, severely compromising an attacker’s ability to perform reconnaissance and move laterally.
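The contrast between the flat VPN view and the application-isolator view described above can be made concrete with a small model. The following is an added illustration written for this article, not Ericom's product or any vendor's code; the resource inventory, role names, HTTP-style status codes and the device-compliance flag are all constructed for the example. It shows two things a defender cares about: what a session with stolen-but-valid credentials can enumerate under each model, and why the isolator answers "not found" rather than "forbidden" for resources the user is not entitled to, so that probing does not reveal what exists on the network.

```python
"""Flat VPN access versus Zero Trust application isolation (added example).

Constructed inventory and roles; not a real product's policy format.
"""
from dataclasses import dataclass

# Constructed catalogue of internal resources and the roles entitled to each.
RESOURCES = {
    "hr-portal":  {"roles": {"hr"}},
    "payroll-db": {"roles": {"hr", "finance"}},
    "git-server": {"roles": {"engineering"}},
    "build-farm": {"roles": {"engineering"}},
    "wiki":       {"roles": {"hr", "finance", "engineering"}},
}


@dataclass(frozen=True)
class Session:
    """An authenticated session. device_compliant is a hypothetical posture signal."""
    user: str
    roles: frozenset
    device_compliant: bool = True


def flat_vpn_view(session: Session) -> list:
    """Traditional VPN: once authenticated, the whole catalogue is visible."""
    return sorted(RESOURCES)


def isolated_view(session: Session) -> list:
    """Application isolator: only resources this session is entitled to use.

    Valid credentials alone are not trusted; a non-compliant device sees nothing.
    """
    if not session.device_compliant:
        return []
    return sorted(name for name, meta in RESOURCES.items()
                  if session.roles & meta["roles"])


def flat_vpn_access(session: Session, name: str) -> int:
    """Flat network: a nonexistent resource (404) and an unauthorized one (403)
    are distinguishable, which leaks the existence of every resource."""
    if name not in RESOURCES:
        return 404
    if session.roles & RESOURCES[name]["roles"]:
        return 200
    return 403


def isolated_access(session: Session, name: str) -> int:
    """Isolator: an unauthorized resource is indistinguishable from a nonexistent one."""
    if name in isolated_view(session):
        return 200
    return 404


def resources_discoverable(access_fn, session: Session, candidates: list) -> set:
    """Defender's view of the reconnaissance surface: which candidate names does
    the access function confirm as existing (any answer other than 404)?"""
    return {name for name in candidates if access_fn(session, name) != 404}


if __name__ == "__main__":
    # A compromised engineering account: valid credentials, wrong hands.
    stolen = Session("alice", frozenset({"engineering"}))
    probes = ["payroll-db", "hr-portal", "git-server", "no-such-host"]

    print("flat VPN sees:     ", flat_vpn_view(stolen))
    print("isolator sees:     ", isolated_view(stolen))
    print("flat VPN confirms: ", resources_discoverable(flat_vpn_access, stolen, probes))
    print("isolator confirms: ", resources_discoverable(isolated_access, stolen, probes))

    # Same account from a device that fails the posture check.
    off_policy = Session("alice", frozenset({"engineering"}), device_compliant=False)
    print("non-compliant device sees:", isolated_view(off_policy))
```

Run it as a script to see the two catalogues side by side. The design point is in `isolated_access`: the only policy-bearing decision is made against `isolated_view`, so there is no code path that can tell a caller "this exists, but not for you". Anything not on the user's own list looks like it is not on the network at all, which is what blunts the scanning and mapping step the article describes.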
VPNs are still an important tool when it comes to protecting your organization—but they can’t be relied on to fully protect your remote workers. Go with a Zero Trust solution that provides reliable backup security for your VPN.
Mendy Newman is the Group CTO, APAC and ROW at Ericom Software. Mendy’s team focuses on delivering implementation and architecture solutions to our customers worldwide.