US federal agency warns that VPNs might not be secure enough for your business
Virtual Private Networks (VPNs) are hugely popular, both with consumers looking to enhance privacy and organisations wanting to give remote employees secure access to internal applications.
Perhaps unsurprisingly, VPNs are also much loved by cybercriminals and nation-state hackers.
So loved, in fact, that the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning.
It has “frequently identified” VPNs being involved in high-profile security incidents, adding more than 22 Common Vulnerabilities and Exposures (CVEs) to the Known Exploited Vulnerabilities (KEV) list.
These have led, CISA says, “to broad access to victim networks” and are “prompting some to consider replacing their legacy VPN solutions with modern network access solutions”.
In the last few months alone we have seen:
- Chinese nation-state actors execute at least 85 attacks against Taiwan-based organisations, exploiting known VPN vulnerabilities
- Vulnerabilities in Cisco VPN web servers
- Vulnerabilities in Ivanti VPN appliances
- Vulnerabilities in the Palo Alto GlobalProtect VPN
- The arrest of a Chinese national involved in deploying malware via free VPN applications that created the world’s largest botnet, comprising more than 19 million unique IP addresses
How to make your business’ VPNs more secure
CISA says that “while some VPN solutions are inherently more secure than others — and not always the cause of major cyber incidents — current hybrid networks require adopting modern network access security solutions to help organisations protect corporate resources.”
The kind of Secure Access Service Edge (SASE) and Secure Service Edge (SSE) solutions that the CISA guidance references offer, according to Adam Maruyama, Field CTO at Garrison Technology, “more granular, context-sensitive controls” and so provide “additional layers of protection to organisations in the event of a breach”.
However, Maruyama warns that SASE and SSE software retains some residual risk.
“Just as attackers found vulnerabilities to exploit in the Internet-facing attack interfaces of VPNs,” Maruyama says, “so too will attackers find ways to subvert the software mechanisms enforcing the SSE and SASE controls.”
To counter these threats, Maruyama advises organisations to look toward verifiable, fixed-function security enforcement mechanisms “like those enforced by hardware security technologies” for critical security functions.