Virtual private networks have been around for decades, but the past year forced many organizations to expand their use to keep up with growing telework trends. In response, criminal and state-backed hacking groups stepped up their own exploitation of the technology as well.
A recent report from Zscaler found that VPNs are still overwhelmingly popular: 93% of companies surveyed reported that they have used them in some capacity. The flip side of that coin is a similarly broad recognition of the dangers and tradeoffs involved, with 94% saying they are also aware of the security risks associated with using VPNs and two-thirds (67%) acknowledging that they are considering alternative options for secure remote access.
That concern may be warranted, as Digital Shadows research released last month found that criminal hackers who specialize in gaining and selling initial access into victim networks exploited the technological changes brought on by the global pandemic. Over the past year, the firm noted a substantial increase in the number of initial access listings for sale on the dark web in 2020, particularly those for VPN access which “flourished off the back of increased remote working trends.”
VPNs are also relatively cheap compared to other popular forms of access. Despite a similar number of advertised listings, the average price for VPN access sits at $2,871, compared to $8,187 for administrator accounts and $9,874 for Remote Desktop Protocol, though it should be noted that either of the latter would give an attacker considerably more control over an organization’s devices or accounts than the general network access often provided through a VPN.
Stefano DiBlasi, the report’s author, told SC Media in an interview that COVID-19, unsurprisingly, was one of the main drivers behind the increase in telework and focus on VPNs by initial access brokers. That said, other factors such as the “elite” network and data access the VPN often provides, as well as technical weaknesses around passwords and the authentication process, also played a part.
“When [organizations] had to move their workforce remotely, they had to do that quickly… because the market is going super fast all the time and you have to be present all the time,” said DiBlasi. “So when there’s a vulnerability reported in VPN products, the IT department is asked to focus on getting that software patched and ready to roll for the next day as soon as possible, and sometimes you can’t do that, or you prioritize other things.”
Hovering over top of those issues is a culture where many organizations emphasize business continuity at a time of great economic uncertainty, leading to rushed decision making or tradeoffs in their security posture.
When the shift to telework hit, “many companies ended up with a patchwork of security solutions that barely provided the protection needed,” said Timur Kovalev, chief technology officer at network security vendor Untangle. “At the same time, realizing the opportunity, cybercriminals took advantage of weaker security systems and increased attacks, specifically on VPNs.”
Indeed, chunks of industry appear to be in a transitionary period where there is widespread recognition about the the security shortcomings of enterprise-wide VPN usage, yet there is no clear alternative at the same price point. The global market for remote connectivity solutions is expected to grow significantly over the next decade, with some estimates pegging the total market value above $70 billion worldwide by 2027.
The lion’s share of the current market is owned by VPNs, but that has been slowly changing. The onset of the coronavirus acted as an accelerant and pushed the issue to the forefront at many businesses. And over the past few years, a number of startups focused on different technologies designed to facilitate secure remote access have popped up in recent years, sucking up millions of dollars from investors who sense a hunger for alternatives.
Josh Moulin, a senior vice president for operations and security services at the Center for Internet Security, told SC Media that while they still have value to many organizations, the “anywhere, anytime, on any device” work dynamic created by the pandemic “has highlighted the limitations and security vulnerabilities associated with VPNs.”
Since most organizations still treat a host connecting from VPNs as a trusted source, it allows them the kind of broad network access that can be used to facilitate lateral movement, infect corporate hosts or encrypt data. The reality is that while they fulfill a desperately needed business function, few have the resources and knowhow to implement VPNs safely at scale across their employees.
Many of these risks can be mitigated through common security practices, such as multi-factor authentication, access control policies, checking the patching levels of hosts, keeping an eye out for agents or applications that may be piggybacking in, scanning for endpoint vulnerabilities, and segmenting corporate networks (although even this last approach can be circumvented by skilled hackers).
However, for some businesses the problem is largely about a lack of resources, said Moulin.
“Many lack the skilled cybersecurity workforce and tools required to properly implement VPNs and to continuously monitor activities for threats."
But there are also larger information technology dynamics at play that are making VPNs less relevant, particularly the move to leverage hybrid clouds that mix on- and off-premise data centers.
According to a global survey of 3,400 IT decision-makers commissioned by Nutanix, 86% of respondents view a hybrid cloud environment as their ideal operating model, with many enterprises taking the initial key steps, like adopting hyperconverged infrastructure and phasing out non-cloud enabled data centers, that would facilitate such a shift. Nearly half of respondents said they have increased their investment in hybrid cloud technologies as a direct response to the pandemic.
Moulin said VPNs generally make for a poor fit in such environments, since they require all users to connect to a central corporate network first before connecting to their ultimate destination. This can create bottlenecks and decrease the overall user experience. As a result CIS is seeing a shift by some organizations toward alternatives.
“For the security implications…and the poor user experience that is common with VPNs, we are seeing more organizations move to virtual desktop infrastructure and secure access service edge offerings such as zero trust network architecture and cloud access security broker solutions,” Moulin said.
Indeed, market research firm Omdia noted last year that “because VPN technology is struggling to meet the need for access to cloud-based applications, there is an opportunity for [alternatives options] to take market share with secure and easy to-use alternatives.”
However, some of the same sources who laid out the security problems facing VPNs also stopped well short of consigning them to the dustbin of history. For starters, the fact that VPNs are already largely entrenched at many organizations is a huge advantage, and allows them to rely on inertia and the high costs of switching over to new technologies as roadblocks inhibiting competing technologies from taking hold.
“Obstacles to deploying any completely new technologies are the disruption that it causes to overhaul a network infrastructure completely, as well as the costs involved,” said Dirk Schrader, global vice president of security research at New Net Technologies. “If the existing infrastructure and existing technologies can be enhanced and augmented instead, then it is easier to stick within budget constraints without causing too much disruption to employee productivity."
Additionally, while VPNs suffer from technical flaws like nearly every other technology, the right care and attention from IT and security teams can mitigate many of those problems.
“VPN technology isn’t outdated or obsolete. Required are additional considerations on the security architecture and workflows used by an organization,” said Schrader. “Potential options [for secure access] are driven by company size and existing server infrastructure, but will always have to include training the security consciousness of the remote worker.”
DeBlasi largely endorsed that view as well. Despite their increasing popularity with initial access brokers, he attributes many of the security problems associated with rising VPN use to human error and sloppiness brought on by a swift and unprecedented health crisis that can be corrected as organizations reevaluate their long-term technology needs. Organizations with the right security posture and mindset are capable of addressing those issues, while those without will fail regardless of the technology or tool leveraged.
“As long as VPN software is properly used and maintained by the IT security team there should be no big issue in using it that differentiates it from other kinds of properly patched software,” he said.