Use SDP to Eliminate VPN Backdoors

essidsolutions

When it comes to finding news about virtual private network (VPN) security shortcomings, you don’t have to look far. One of the latest and most disturbing accounts of hackers succeeding where VPNs failed appeared in February, when it was reported that Iranian cybercrooks targeted organizations around the globe in several industries, including information technology, security, telecom, government, oil and gas, and aviation.

The hackers were backed by the Iranian government, with a mission of infiltrating their targeted companies worldwide and paving the way for a future planting of backdoors into them—a goal that was made far easier by VPN weaknesses that the hackers exploited as soon as the bugs were publicized.

While some media and industry reports have previously suggested that Iranian hackers lack the sophistication and talent of other groups for wreaking havoc through their cyberattacks, the latest exposure of VPN flaws—and the hackers’ ability to leverage them—suggests otherwise. It took the Iranian groups only hours in some cases to hack into the VPN servers, weaponizing the vulnerabilities in a continuation of attacks that started in the summer of 2019. The hackers reportedly took a two-phase approach to their attacks against VPNs, beginning with breaching and moving into lateral movement.

The security problems were found in not just one enterprise VPN server, but several, with well-known names like Fortinet, Citrix, Palo Alto Networks, and Pulse Secure on the list.

Any organization that relies on a VPN server should be worried. The fact is that reports on the Iranian hacking incidents revealed that these groups are now teaming up rather than operating alone, which means double or triple trouble for the victims. The latest worldwide attacks on VPN servers suggest that a minimum of three such Iranian groups were in fact working in concert.

And while the current mission of the hackers was to plant backdoors for information gathering, there’s a lot more to fear once your network has been infiltrated by unauthorized parties like these, from data theft and data wiping to entire networks being held hostage and business operations grinding to a halt.

What’s more, novel VPN flaws are continuously coming to light that are also ripe for exploitation. Based on what we’ve seen from the speed at which the Iranian hackers were able to go to town based on VPN bugs once these holes in the proverbial fabric were made public, we can no doubt expect more of the same each time new vulnerabilities come to light, such as with the recent disclosures of flaws in SonicWall SRA and SMA VPN servers.

The Known Culprit

We know what the problem behind this problem is—VPN servers lack the security needed to keep enterprise networks safe and private. Designed only for traditional perimeter enterprise security like opening up firewalls with a direct-link approach, they’re entering obsolescence in today’s cloud environment. In a hybrid cloud and multi-cloud world of public and private clouds—a world that involves distributed clients and applications that are no longer just on-premises—organizations have a much higher chance of being hacked through a data-exposing VPN backdoor when they depend on VPN for infrastructure access.

The trouble with VPNs begins with an unprotected attack surface. Instead of giving individual users access just to the specific applications and information required to do business, they instead reveal a “slice of the network.” Other VPN problems come from the inability to segment at the app level—they segment at the level of the entire network instead, leaving the network unprotected. What’s more, inbound connections create other attack surfaces.

And when we get down to brass tacks, VPNs are simply complex to configure. VPN remote access requires dedicated routers, access control lists (ACLs), firewall policies, and more, all of which cause potential security issues. Oh, and did I mention that VPNs are also expensive to maintain due to these complexities, particularly compared with the cost of more modern solutions?

But what’s the alternative?

SDPs Help Close the Backdoor

A software-defined perimeter (SDP) approach is an alternative to unreliable VPN security. SDP in essence achieves “zero trust” security even in cloud-based environments, offering “micro-perimeters” (or micro-tunnels) that permit application-level segmentation. If you’re worried about backdoor access—and you should be if you’re on a VPN server—an SDP solves that problem by making applications and services invisible to untrusted access, eliminating the risk of lateral network attacks that have become synonymous with VPNs.

SDP solutions offer much better security than VPNs when it comes to remote users accessing the network. With SDP solutions, third parties are segmented to specific applications. It’s like being in an application-specific ‘escape room’ with no way out, which means there’s no need for headache-producing ACLs or firewall policies.
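The difference between a VPN's "slice of the network" and SDP's application-level segmentation can be made concrete with a small model. This is an added example, not code from the article or from any SDP product; the service inventory, subnets, role name and device-posture labels are all constructed assumptions.

```python
import ipaddress

# Constructed inventory: service name -> (IP, port). All values are illustrative.
SERVICES = {
    "payroll-web": ("10.20.1.10", 443),
    "hr-db": ("10.20.1.20", 5432),
    "build-server": ("10.20.2.5", 22),
    "file-share": ("10.20.2.9", 445),
}

# VPN model: a role is granted whole subnets (the "slice of the network").
VPN_GRANTS = {"contractor": ["10.20.1.0/24", "10.20.2.0/24"]}

# SDP model: default deny; a (user, device posture) pair is entitled to named services.
SDP_ENTITLEMENTS = {("contractor", "managed"): {"payroll-web"}}


def vpn_reachable(role):
    """Services whose address falls inside any subnet granted to the role."""
    nets = [ipaddress.ip_network(n) for n in VPN_GRANTS.get(role, [])]
    return {
        name for name, (ip, _port) in SERVICES.items()
        if any(ipaddress.ip_address(ip) in net for net in nets)
    }


def sdp_reachable(user, posture):
    """Services explicitly entitled; everything else stays invisible."""
    allowed = SDP_ENTITLEMENTS.get((user, posture), set())
    return allowed & set(SERVICES)


def excess_exposure(role, posture, needed):
    """Services reachable beyond what the user needs, under each model."""
    return {
        "vpn": sorted(vpn_reachable(role) - needed),
        "sdp": sorted(sdp_reachable(role, posture) - needed),
    }


if __name__ == "__main__":
    # The contractor only needs payroll-web; compare what else each model exposes.
    print(excess_exposure("contractor", "managed", {"payroll-web"}))
    # An unmanaged device has no entitlement, so nothing is reachable.
    print(sdp_reachable("contractor", "unmanaged"))
```

The excess set under the VPN model is what a compromised account could reach for lateral movement; auditing real access policies for that gap is a useful first step before migrating.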

An SDP solution can also help organizations reduce risk in the event of an outage, moving operations among different clouds, and create secure communication links between IoT edge devices and IoT hubs. Specific types of SDP software rely on an “always-on” application infrastructure, empowering the micro-tunnels to find their best execution path.

VPNs have become ill-equipped to keep today’s continuously more innovative hackers at bay, which means companies in any industry are vulnerable to VPN backdoor exploitation. To keep networks secure in a multi-cloud world, it has become imperative to deploy SDP software that creates secure perimeters between trusted users/devices and just the services they need to access, and keeps the backdoor closed to hackers.