Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/8/2020
02:00 PM
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

VPNs: The Cyber Elephant in the Room

While virtual private networks once boosted security, their current design doesn't fulfill the evolving requirements of today's modern enterprise.

The quest for security has shaped our species for thousands of years. Since the earliest traces of civilization, we find evidence of fortifications that were erected in order to protect one tribe from another. 

The desire for security persists in today's Information Age, though many of the measures we take to ensure security are often little more than window dressing. We purchase complex and expensive cyber defenses that prove so difficult to operate that misconfigurations continue to permit attackers unauthorized access to information. To deter employees from stealing, we see frugal business owners installing replica surveillance cameras. We enforce byzantine password policies for workers that are easily undone by a simple phishing campaign.

Do these actions actually make us more secure or do they simply make us feel more secure?

Security guru Bruce Schneier famously coined the phrase "Security Theater" to describe this paradox, noting that security is both a feeling and a reality. "The propensity for security theater comes from the interplay between the public and its leaders," Schneier wrote. "When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer."

Enterprise security often falls prey to the same reflexive approach to new and unknown threats. There is perhaps no better example of this than the continued adoption of virtual private networks (VPNs), which, for a time did improve security, but whose design doesn’t meet the evolving requirements of today’s modern enterprise.

No Time for Complacency
Twenty-five years ago, VPNs were the cutting-edge technology of the day, providing users with a relatively straightforward way to securely access protected network resources. Despite the explosive  innovation these past two decades, VPNs remain synonymous with secure remote access for an outsized portion of today's populace.

The situation today has been exacerbated by a number of converging factors. The current pandemic has forced millions of workers to log in from home, making it incumbent on CISOs to provide remote access without compromising security. Meanwhile, cloud computing and massive mobility have shattered the perimeter paradigm. Their arrival created new demands to protect data regardless of where it resides.  

For too long, organizations looking to implement secure remote access solutions defaulted to installing and expanding their legacy VPN technology investment rather than pivoting toward a new generation of secure remote access solutions. Now’s the time to retire VPNs, and if you don't believe me, consider these three reasons why VPNs are indeed more theater than security.

VPNs Are Plagued With Vulnerabilities 
The warning signs of VPN vulnerabilities continue to flash bright red and it seems that every month a new advisory is released. In June, the NSA issued a fresh warning that VPNs could be vulnerable to attack if not correctly secured, urging organizations to patch a critical flaw which if exploited would allow attackers to take control of a device without a password and gain access to the rest of the network.

Even when a patch has been available for months, a stunningly low number of organizations deploy patches in an expeditious manner, with some industry surveys estimating that 70% of known vulnerabilities remain unpatched one month after discovery. 

VPNs Are Complex, Expensive, and Brittle
As any battle-tested CISO can attest, complexity is the enemy of security — even modern VPN systems require a considerable degree of manual intervention which are prone to configuration and other operator errors.

Compared to modern alternatives, VPNs remain expensive and require a significant amount of network and manpower resources to properly operate. For example, in .mil and .gov firewalls, approximately 80% of the tens of thousands of firewall rules are associated with VPN management. Managing and configuring these rules translates into significant costs (i.e., manpower, training, licensing, and hardware) and greater complexity for the end user and IT staff, leading to increased exposure to a host of potentially catastrophic risks. 

VPNs Have Become Highly Attractive Targets for Bad Actors and Nation States
While threat actors have been actively setting their sights on VPN-specific vulnerabilities, they have become especially attractive targets over the past couple of years as a successful exploit can provide unfettered, system-wide access and a foothold for threat actors in search of sensitive data.

Because of this, nation states have been especially keen to exploit these critical vulnerabilities that provide an easy stepping stone to commandeer a network. For example, in late 2019, suspected Iranian hackers successfully breached the VPN application of an unnamed organization that culminated in a "wiper attack" that erased data from most of the machines attached to the network. The group behind the REvil ransomware has also been busy extorting a variety of critical infrastructure organizations across the globe by targeting known Citrix and Pulse Secure VPN vulnerabilities

Towards a Software-Defined Future
While enterprises have invested heavily in VPNs over the past two decades, there comes a time when one needs to stop throwing good money after bad and look towards a software-defined future built around a Zero Trust framework.

Organizations using software defined perimeters (SDP) report a 50% to 75% reduction in secure remote access costs; significantly reduced training, manpower and overhead requirements; and acceleration of their Zero Trust security strategy implementation. Other key SDP attributes include the ability to enable network microsegmentation, enforce least-privilege user access, and apply comply-to-connect (C2C) rules to ensure that patches and hardened configurations are applied to devices before they ever connect to the network. All of this serves to not only reduce complexity for the user and operator but also makes it that much more difficult for the attacker to turn a small compromise into a full-fledged data breach.

Although we are living in a time of great uncertainty, CISOs who are championing digital transformation initiatives would be well-served to reframe this challenge as an opportunity to re-think their existing security paradigm and invest in frameworks that can meet the requirements of the modern enterprise.

While we all enjoy a good show, it's about time we demand less theater and better security.

Brigadier General (Ret) Gregory J. Touhill, CISSP, CISM, serves as President of AppGate's Federal Division, which offers AppGate's market-leading cybersecurity capabilities to federal agencies and departments.Prior to joining AppGate, Touhill was appointed by President Barack ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
greg_touhill
50%
50%
greg_touhill,
User Rank: Author
9/14/2020 | 8:36:52 AM
Re: Great post.
Thanks for the feedback and good luck with your article!
osiriscodex
50%
50%
osiriscodex,
User Rank: Apprentice
9/13/2020 | 6:06:28 PM
Great post.
Great post on VPNs, an important issue many people engage with, but few people understand. I will be featuring it in the next <a href="https://osiris.substack.com">OSIRIS Brief</a>, a newsletter informing decision makers of the major issues intersecting international relations and cybersecurity. I especially appreciate how your explanation addresses both how VPNs work, and the potential shortcomings VPN technology creates. In this age of telecommuting, VPNs will be central to many important decisions.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...