The death of remote access VPN


Remote access VPN, also known as professional VPN, is an important technology that has been around for decades. It allows remote workers to connect their devices to the corporate network over the public Internet, so that they can operate as if they were inside the corporate network. In this sense, the professional VPN differs from the personal VPN used to create anonymity when browsing the web.

About the author: Peter Ayedun is the CEO of TruGrid.

The problem with remote access VPNs is that they are no longer well suited to a mobile workforce facing rampant and incessant cybersecurity threats. To highlight this issue, a June 2019 Gartner analysis predicted that by 2023, 60% of businesses will phase out their dial-up VPN in favor of zero-trust network access. Fast-forward to June 2020, and it is clear that the transition to working from home following the COVID-19 pandemic has further exposed the VPN's weaknesses, and thus may bring about its demise sooner than Gartner had anticipated. According to the US DHS on April 8, 2020, "The increase in telecommuting has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), increasing the threat to individuals and organizations." The problems encountered by VPNs can be broadly divided into end-user vulnerabilities and gateway vulnerabilities.

VPN end user vulnerabilities

The original flaw of the VPN is that it builds too much trust between the remote device and the corporate network. Although the VPN tunnel between a remote worker and the corporate network is cryptographically secure, the trust between the two is easily exploited. As a result, threats (including ransomware) that affect the remote worker's device or network can travel to and infect the corporate network. Segmenting a corporate network to limit access via VPN is a daunting task and does not guarantee security against threats that move laterally. Using company-provided devices with corporate security measures can minimize, but not eliminate, threats. Allowing remote workers to use personal devices to connect to corporate networks via VPN greatly increases the risk to the business, because personal devices often do not have the protections installed on enterprise devices. When a remote worker is away from the corporate network, threats like email phishing, malware attacks, and data exfiltration are more likely to succeed.

The problem became so serious that NASA released a bulletin on April 6, 2020, encouraging employees and contractors who work remotely via VPN to "refrain from opening their personal email or unrelated social media in the work on your NASA computing systems/devices. Also, be careful before clicking on links in SMS and social media." NASA issued the warnings after witnessing a doubling of email phishing attempts, an exponential increase in malware attacks, and a doubling of websites blocked by NASA's mitigation systems. Essentially, using a corporate VPN is like putting a remote device on the corporate network without all the safeguards of the corporate network. Successful attacks on a remote device or network can easily spread to the corporate network.

VPN gateway vulnerabilities

In the corporate network, where VPN gateways are often hosted, there are still multiple vulnerabilities. Like all technologies, VPN gateways need to be constantly patched to improve security. However, because they are exposed to the entire world, they are targeted much more than most systems, so they need to be updated more often. The challenge is that many companies rely on their VPNs running around the clock to provide access for employees and contractors working remotely. This often means that VPN gateway devices remain unpatched for months or years and are therefore more vulnerable to new attacks.

The scale of attacks on VPN gateways is best illustrated by the numerous security advisories issued by the US NSA and the UK NCSC over several months. The vulnerabilities are so widespread that government agencies released new bulletins shortly after new patches were released. The reported issues were so severe that some were pre-authentication flaws, meaning that multiple affected VPN systems could be accessed without successfully authenticating.

Among the many organizations that have succumbed to VPN gateway vulnerabilities, one of the most notable is the UK's Travelex. Travelex is the world leader in currency transactions, with a presence in 30 countries where it exchanges currencies for 40 million customers each year. Due to a VPN vulnerability that had not been patched, the entire Travelex operation was halted for more than two weeks, starting December 31, 2019. It was reported on April 9, 2020 that Travelex had paid €2.3 million in ransom to the cyber attackers to restore operations. The hack is said to have cost it more than €30 million in its first-quarter financials. On April 22, Travelex was put up for sale! Take a moment to think about this... the world's largest travel exchange company may go out of business due to a successful attack on its VPN system!

Zero-trust network access

The solution to the enormous problems exposed by the weaknesses of the VPN is a system that does not create trust between the remote worker's device and the corporate network, and that authenticates remote workers in the cloud, or otherwise away from the corporate network, before granting access only to authorized systems. Systems that fall into this category are often referred to as zero-trust network access. An effective zero-trust system will support any remote device (personal or company issued). It will allow remote devices to connect to a cloud broker or gateway for initial authentication that requires a multi-factor system. Only when this independent authentication is successful will the remote worker have access to the specific system for which they are authorized. An effective zero-trust system will not allow any threats on the remote worker's device or network to pass through to the corporate network, and will automatically update itself against new threats.
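
The broker flow described above, as an added example that is not part of the original article or any vendor's product: a broker checks password plus a time-based one-time code, then issues a short-lived grant for one named system, and the connector in front of each system admits only a grant issued for it. The user, resource names, keys and the grant format are all assumptions constructed for illustration.

```python
import hashlib, hmac, struct

# All names and values below are constructed for this example.
BROKER_KEY = b"demo-grant-signing-key"   # shared by broker and connectors (assumption)
SALT = b"demo-salt"

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": {"pw": pw_hash("correct horse"), "totp_secret": b"demo-totp-seed",
                   "allowed": {"rdp://finance-app01"}}}   # per-user entitlements

def totp(secret, now, step=30):
    """Second factor: RFC 6238 time-based code (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

def sign(claims):
    return hmac.new(BROKER_KEY, claims.encode(), hashlib.sha256).hexdigest()

def broker_authorize(user, password, otp, resource, now, ttl=300):
    """Broker: both factors must pass AND the resource must be entitled; else deny."""
    rec = USERS.get(user)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(pw_hash(password), rec["pw"])
    otp_ok = hmac.compare_digest(otp, totp(rec["totp_secret"], now))
    if not (pw_ok and otp_ok) or resource not in rec["allowed"]:
        return None
    claims = f"{user}|{resource}|{int(now) + ttl}"
    return f"{claims}|{sign(claims)}"      # grant names exactly one system

def connector_admit(grant, resource, now):
    """Connector in front of one system: no network-wide trust, only this grant."""
    try:
        user, res, exp, sig = grant.split("|")
        expires = int(exp)
    except (AttributeError, ValueError):
        return False
    valid = hmac.compare_digest(sig, sign(f"{user}|{res}|{exp}"))
    return valid and res == resource and now < expires
```

Unlike a VPN session, a grant obtained for one system gives the holder nothing on any other system, and it stops working when it expires.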