Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:00 PM
Connect Directly
E-Mail vvv

VPNs: The Cyber Elephant in the Room

While virtual private networks once boosted security, their current design doesn't fulfill the evolving requirements of today's modern enterprise.

The quest for security has shaped our species for thousands of years. Since the earliest traces of civilization, we find evidence of fortifications that were erected in order to protect one tribe from another. 

The desire for security persists in today's Information Age, though many of the measures we take to ensure security are often little more than window dressing. We purchase complex and expensive cyber defenses that prove so difficult to operate that misconfigurations continue to permit attackers unauthorized access to information. To deter employees from stealing, we see frugal business owners installing replica surveillance cameras. We enforce byzantine password policies for workers that are easily undone by a simple phishing campaign.

Do these actions actually make us more secure or do they simply make us feel more secure?

Security guru Bruce Schneier famously coined the phrase "Security Theater" to describe this paradox, noting that security is both a feeling and a reality. "The propensity for security theater comes from the interplay between the public and its leaders," Schneier wrote. "When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer."

Enterprise security often falls prey to the same reflexive approach to new and unknown threats. There is perhaps no better example of this than the continued adoption of virtual private networks (VPNs), which, for a time did improve security, but whose design doesn’t meet the evolving requirements of today’s modern enterprise.

No Time for Complacency
Twenty-five years ago, VPNs were the cutting-edge technology of the day, providing users with a relatively straightforward way to securely access protected network resources. Despite the explosive  innovation these past two decades, VPNs remain synonymous with secure remote access for an outsized portion of today's populace.

The situation today has been exacerbated by a number of converging factors. The current pandemic has forced millions of workers to log in from home, making it incumbent on CISOs to provide remote access without compromising security. Meanwhile, cloud computing and massive mobility have shattered the perimeter paradigm. Their arrival created new demands to protect data regardless of where it resides.  

For too long, organizations looking to implement secure remote access solutions defaulted to installing and expanding their legacy VPN technology investment rather than pivoting toward a new generation of secure remote access solutions. Now’s the time to retire VPNs, and if you don't believe me, consider these three reasons why VPNs are indeed more theater than security.

VPNs Are Plagued With Vulnerabilities 
The warning signs of VPN vulnerabilities continue to flash bright red and it seems that every month a new advisory is released. In June, the NSA issued a fresh warning that VPNs could be vulnerable to attack if not correctly secured, urging organizations to patch a critical flaw which if exploited would allow attackers to take control of a device without a password and gain access to the rest of the network.

Even when a patch has been available for months, a stunningly low number of organizations deploy patches in an expeditious manner, with some industry surveys estimating that 70% of known vulnerabilities remain unpatched one month after discovery. 

VPNs Are Complex, Expensive, and Brittle
As any battle-tested CISO can attest, complexity is the enemy of security — even modern VPN systems require a considerable degree of manual intervention which are prone to configuration and other operator errors.

Compared to modern alternatives, VPNs remain expensive and require a significant amount of network and manpower resources to properly operate. For example, in .mil and .gov firewalls, approximately 80% of the tens of thousands of firewall rules are associated with VPN management. Managing and configuring these rules translates into significant costs (i.e., manpower, training, licensing, and hardware) and greater complexity for the end user and IT staff, leading to increased exposure to a host of potentially catastrophic risks. 

VPNs Have Become Highly Attractive Targets for Bad Actors and Nation States
While threat actors have been actively setting their sights on VPN-specific vulnerabilities, they have become especially attractive targets over the past couple of years as a successful exploit can provide unfettered, system-wide access and a foothold for threat actors in search of sensitive data.

Because of this, nation states have been especially keen to exploit these critical vulnerabilities that provide an easy stepping stone to commandeer a network. For example, in late 2019, suspected Iranian hackers successfully breached the VPN application of an unnamed organization that culminated in a "wiper attack" that erased data from most of the machines attached to the network. The group behind the REvil ransomware has also been busy extorting a variety of critical infrastructure organizations across the globe by targeting known Citrix and Pulse Secure VPN vulnerabilities

Towards a Software-Defined Future
While enterprises have invested heavily in VPNs over the past two decades, there comes a time when one needs to stop throwing good money after bad and look towards a software-defined future built around a Zero Trust framework.

Organizations using software defined perimeters (SDP) report a 50% to 75% reduction in secure remote access costs; significantly reduced training, manpower and overhead requirements; and acceleration of their Zero Trust security strategy implementation. Other key SDP attributes include the ability to enable network microsegmentation, enforce least-privilege user access, and apply comply-to-connect (C2C) rules to ensure that patches and hardened configurations are applied to devices before they ever connect to the network. All of this serves to not only reduce complexity for the user and operator but also makes it that much more difficult for the attacker to turn a small compromise into a full-fledged data breach.

Although we are living in a time of great uncertainty, CISOs who are championing digital transformation initiatives would be well-served to reframe this challenge as an opportunity to re-think their existing security paradigm and invest in frameworks that can meet the requirements of the modern enterprise.

While we all enjoy a good show, it's about time we demand less theater and better security.

Brigadier General (Ret) Gregory J. Touhill, CISSP, CISM, serves as President of AppGate's Federal Division, which offers AppGate's market-leading cybersecurity capabilities to federal agencies and departments.Prior to joining AppGate, Touhill was appointed by President Barack ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
9/14/2020 | 8:36:52 AM
Re: Great post.
Thanks for the feedback and good luck with your article!
User Rank: Apprentice
9/13/2020 | 6:06:28 PM
Great post.
Great post on VPNs, an important issue many people engage with, but few people understand. I will be featuring it in the next <a href="https://osiris.substack.com">OSIRIS Brief</a>, a newsletter informing decision makers of the major issues intersecting international relations and cybersecurity. I especially appreciate how your explanation addresses both how VPNs work, and the potential shortcomings VPN technology creates. In this age of telecommuting, VPNs will be central to many important decisions.
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. It is possible to elevate the privilege of a CLI user (to full administrative access) by using the password [email protected]#y$z%x6x7q8c9z) for the e...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D4L V1.01.49 and V1600D-MINI V1.01.48 OLT devices. During the process of updating the firmware, the update script starts a telnetd -l /bin/sh process that does not require authentication for TELNET access.
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. TELNET is offered by default but SSH is not always available. An attacker can intercept passwords sent in cleartext and conduct a man-in-...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600D4L V1.01.49, V1600D-MINI V1.01.48, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. Command injection can occur in &quot;upload tftp syslog&quot; and &quot;upload tftp configuration&quot; in the CLI via a crafted filename...
PUBLISHED: 2020-11-29
An issue was discovered on V-SOL V1600D V2.03.69 and V2.03.57, V1600G1 V2.0.7 and V1.9.7, and V1600G2 V1.1.4 OLT devices. A hardcoded RSA private key (specific to V1600D, V1600G1, and V1600G2) is contained in the firmware images.