Back in 1996, a Microsoft employee developed the Point-to-Point Tunnelling Protocol (PPTP) to provide a more secure and private connection between a computer and the internet. This is the precursor to today’s virtual private networks (VPN).
Not so secure
Are VPNs as secure as advertised? The privacy of VPNs has been called into question on two occasions.
Edward Snowden, former National Security Agency (NSA) contractor, whistleblower and privacy advocate, says a VPN is a one-hop, single point of failure. He claims that both the service provider and the NSA can see a user’s activity.
In 2015, researchers Alex Halderman and Nadia Heninger wrote that breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.
With security high on the agenda of corporate leaders and their boards, should CIOs and CISOs rethink the use of VPNs, particularly with hybrid work a mainstay of everyday corporate life?
Cisco Talos Intelligence Group reported that on 24 May 2022, Cisco became aware of a potential compromise after an attacker gained control of the personal Google account of a Cisco employee.
“The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organisations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.”
Cisco Talos
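The pattern Talos describes, repeated push prompts until the user finally accepts one, leaves a footprint in authentication logs that a SOC can alert on. The following is an added example, not code from the article or from Cisco Talos: a small detector that flags a user who approves an MFA push after several denied or timed-out pushes within a short window. The key=value log format, the field names, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example (not from the article or from Cisco Talos). The log format,
field names, sample lines and thresholds below are assumptions constructed
for illustration; adapt parse_line() to the real identity provider's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<timestamp> key=value ..." format.
SAMPLE_LOG = """\
2022-05-24T02:11:03Z user=alice event=mfa_push result=denied src=198.51.100.20
2022-05-24T02:11:41Z user=alice event=mfa_push result=timeout src=198.51.100.20
2022-05-24T02:12:15Z user=alice event=mfa_push result=denied src=198.51.100.20
2022-05-24T02:13:02Z user=alice event=mfa_push result=denied src=198.51.100.20
2022-05-24T02:14:37Z user=alice event=mfa_push result=approved src=198.51.100.20
2022-05-24T02:14:39Z user=alice event=vpn_login result=success src=198.51.100.20
2022-05-24T08:05:10Z user=bob event=mfa_push result=approved src=192.0.2.44
2022-05-24T08:05:12Z user=bob event=vpn_login result=success src=192.0.2.44
2022-05-24T09:30:00Z user=carol event=mfa_push result=denied src=192.0.2.9
2022-05-24T09:45:00Z user=carol event=mfa_push result=approved src=192.0.2.9
"""

WINDOW = timedelta(minutes=10)  # assumed: look back this far before an approval
MIN_REJECTIONS = 3              # assumed: this many rejected pushes makes an approval suspicious


def parse_line(line):
    """Split one assumed-format log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_push_fatigue(log_text, window=WINDOW, min_rejections=MIN_REJECTIONS):
    """Return alerts as (user, approval time ISO string, count of prior rejections).

    An alert fires when a user approves an MFA push after at least
    `min_rejections` pushes were denied or timed out within `window` before it.
    """
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            pushes[rec["user"]].append(rec)

    alerts = []
    for user, events in pushes.items():
        events.sort(key=lambda r: r["ts"])
        for i, event in enumerate(events):
            if event["result"] != "approved":
                continue
            # Rejected pushes by the same user inside the window before this approval.
            recent_rejections = [
                e for e in events[:i]
                if e["result"] in ("denied", "timeout")
                and event["ts"] - e["ts"] <= window
            ]
            if len(recent_rejections) >= min_rejections:
                alerts.append((user, event["ts"].isoformat(), len(recent_rejections)))
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT push fatigue: {user} approved at {when} after {count} rejected pushes")
```

On the constructed sample, only `alice` is flagged: four rejected pushes in under four minutes followed by an approval and a VPN login. `bob` approves on the first prompt and `carol` has a single rejection fifteen minutes earlier, so neither trips the rule. In production the same rule would also want the approving device and source address compared with the user's history, since the legitimate user's phone approving a push initiated from an unfamiliar source is the core of the incident described above.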
In February 2021, the records of 21 million mobile VPN app users were stolen and advertised for sale. The data included email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.
So, despite these data points, why are VPNs still in use today?
Perhaps due to lack of awareness or lack of interest, VPN service remains a robust business, with ResearchAndMarkets estimating US$44.6 billion in revenue in 2022 and US$77.1 billion by 2026.
“While there were a few notable breaches, I won't consider those to be systemic and those were mostly due to human error, not technology. My opinion is the pandemic pushed many people to work from home (WFH), and the immense VPN usage made public VPN providers a natural and statistically skewed target,” said Clement Lee, APAC solution architect for Check Point Software Technologies.
"Some VPN providers had been hit hard in recent events, and while we can understand the pandemic is trying for everyone, all providers need exceptional vigilance, especially where private and confidential data is involved."
Clement Lee
Ian Lim, field chief security officer for Asia-Pacific at Palo Alto Networks, acknowledged that the pandemic pushed VPN architecture to its limits.
“Scaling on-premises hardware solutions became an issue. Backhauling was a performance nightmare, especially for global companies. And most importantly, the security efficacy of hardware VPN solutions cannot meet the demands of a borderless workforce that wants to access any application from anywhere – be it on-premises, cloud, or SaaS,” he continued.
Are VPNs still relevant in 2022 in the context of hybrid/remote work?
Lee believes that as many organisations pivot to cloud technologies, VPN will continue to be relevant, as it provides secure communications between a remote computing device and private infrastructure, regardless of whether that infrastructure is physical or cloud-based.
For his part, Lim concedes that these (vulnerability) issues are not trivial for any organisation, especially given the fact that advanced attackers are capitalising on the weaknesses of this legacy architecture.
“Several ransomware and supply chain attacks took advantage of remote access vulnerabilities to gain a foothold in major companies causing significant downtime and reputational damage,” he added.
For the CIO/CISO/CTO, given the heightened risks associated with remote work, what is the appropriate strategy, including the use of tools like VPN, to ensure a secure connection between the workers and the enterprise network?
According to Lee, many solutions have proliferated through the pandemic.
“For example, Secure Access Service Edge (SASE) solutions aim to limit the risk involved with remote work and inadequate physical infrastructure capacities," he pointed out.
He is quick to point out, however, adoption of the zero-trust concept may be central to enhancing an organisation’s security posture. “Many organisations do not exercise strong endpoint controls and/or strong access control management,” he lamented.
While agreeing that zero trust is the future of secure connectivity, Lim says early iterations of Zero Trust Network Access (ZTNA) have proven not to be well aligned with the zero trust principles of “scrutinise explicitly and continuous validation.”
After the connection is established, the ZTNA 1.0 access broker does an interesting thing: it gets out of the way of that user interacting with that application. In other words, it is not deeply inspecting the traffic, nor is it continuously validating that the interaction is still legitimate.
Lim says the premise of Zero Trust is that implicit trust in your environment is a security risk. To mitigate this risk, you must scrutinise and continually validate digital interactions to ensure that they can still be trusted.
He believes that ZTNA 2.0 overcomes the limitations of ZTNA 1.0.
“ZTNA 2.0 connects all users to all applications through a centralised security mechanism that provides deep inspection and continually checks for suspicious behaviour within the digital interaction between the user and the application."
Ian Lim
The strategy going forward
Asked what it would take to achieve industrial-grade remote access, Check Point’s Lee interprets industrial grade as a robust and resilient system that can handle major data traffic and incursion attempts and is suited for critical infrastructure or military use.
“The good thing is that established VPN technologies today are already field and battle proven through decades of refinement and industry collaboration. The newer frontier, beyond VPN, is all about areas such as access management, attestation, surveillance, and control. On an individual level, I recommend adding 2FA to your VPN accounts,” he opined.
Palo Alto Networks’ Lim suggests that security practitioners adopt Zero Trust not only in remote access architecture but across the entire IT estate.
“Assume breach, scrutinise explicitly and continually validate digital interactions within your users, applications, and infrastructure. Establishing Zero Trust is an opportunity for CIOs to evolve their security posture to match the borderless workforce and advanced attackers of today,” he concluded.