It’s unsurprising to see VPNs listed in the NCSC joint advisory among the most targeted vulnerabilities of 2020 and 2021. It is also refreshing to see government agencies recognising the dangers VPNs bring to a company.
VPN appliances have always been a security concern, and in the past year, these concerns have escalated. The COVID-19 pandemic dramatically increased VPN usage, with more employees having access to it and more systems newly exposed to remote access. Attackers are aware of that, so we have naturally observed an increase in attacks on VPNs.
VPNs are inherently risky, based on their very nature of allowing remote users to access private resources. More importantly, they expose an open entry point to every malicious actor on the internet, inviting attacks with stolen or guessed credentials, or exploitation of the many vulnerabilities listed in this report.
Organisations need to recognise that VPNs are remote access tools, not information security tools. They need to shift to a Zero Trust approach where all network resources (including remote access entry points) are hidden from unauthorised users, multi-factor authentication is enforced, and least-privilege access (limiting each user to what they need to do their job) is applied across the company. By assuming that any device or network can be compromised, organisations will adopt additional security measures to make themselves resilient to attacks, especially the use of dynamic and contextual access policies. We recommend replacing legacy VPNs with a Software-Defined Perimeter. This allows organisations to implement strong security policies for each system the employee tries to access, to set different requirements depending on the employee’s role, the device used, and the system needed, and to limit access to only what is needed to perform a job function.
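To make the contrast concrete, here is an added example (not code from the original piece or from any product it mentions) of the two access models side by side: a legacy VPN decision, where a valid credential grants network-level reach to every internal system, and a per-resource contextual policy of the kind a Software-Defined Perimeter enforces, which denies by default, requires MFA, and checks role and device posture for each system separately. The resource names, roles and policy table are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """Context available at decision time (constructed fields for this example)."""
    user: str
    role: str
    password_ok: bool
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    resource: str


# Hypothetical per-resource policy table: which roles may reach a system and
# what device posture it demands. Anything not listed is hidden and denied.
POLICIES = {
    "wiki":       {"roles": {"hr", "engineering", "sales"}, "managed": False, "patched": False},
    "hr-payroll": {"roles": {"hr"},                         "managed": True,  "patched": True},
    "prod-db":    {"roles": {"engineering"},                "managed": True,  "patched": True},
}


def legacy_vpn_decision(req: AccessRequest) -> tuple[bool, str]:
    """Legacy VPN model: one credential check, then network-level reach to everything.
    A stolen or guessed password is enough to reach every internal system."""
    if not req.password_ok:
        return False, "bad credentials"
    return True, "tunnel up: all internal systems reachable"


def contextual_decision(req: AccessRequest, policies=POLICIES) -> tuple[bool, str]:
    """Zero Trust / SDP model: evaluate each resource request on its own context.
    Default deny; MFA, role and device posture are all required before access."""
    policy = policies.get(req.resource)
    if policy is None:
        return False, "resource hidden"            # unknown systems are not even advertised
    if not req.password_ok or not req.mfa_verified:
        return False, "mfa required"               # a password alone never suffices
    if req.role not in policy["roles"]:
        return False, "role not permitted"         # least privilege per resource
    if policy["managed"] and not req.device_managed:
        return False, "managed device required"    # device context
    if policy["patched"] and not req.device_patched:
        return False, "device unpatched"           # dynamic posture check
    return True, "allowed"


def visible_resources(role: str, policies=POLICIES) -> set[str]:
    """Resources an authenticated user of this role can see at all; the rest stay dark."""
    return {name for name, p in policies.items() if role in p["roles"]}


if __name__ == "__main__":
    # Constructed scenario: attacker holds a stolen password for a sales user, no MFA,
    # on an unmanaged device, trying to reach the production database.
    stolen = AccessRequest("alice", "sales", True, False, False, False, "prod-db")
    print("legacy VPN:", legacy_vpn_decision(stolen))
    print("contextual:", contextual_decision(stolen))
    print("sales can see:", visible_resources("sales"))
```

The difference that matters for the advisory's findings is the first check in each function: the legacy model's only gate is the credential, so credential theft or a pre-authentication flaw in the appliance exposes the whole network, whereas the contextual model re-evaluates every request, so the same stolen password yields nothing and the production database is never even visible to a sales role.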