When VPNs were first developed back in the 1990s, the idea was to extend the LAN to employees' home offices and hotels as they hit the road. This meant giving employees remote access to everything their company network had to offer—just as if they were working on the internal network. Then, when companies began outsourcing work and bringing ecosystem partners onto their networks, the remote access VPN was about the only tool at their disposal. The VPN became the default means to provide third parties access into corporate networks and applications, and its use is still common today.
An insecure method in today's cyber-climate - especially in critical national infrastructure
Fast forward to 2018 and unfortunately there are several security weaknesses that make the remote access VPN an unsuitable method. Today, attackers are looking to access an organisation's most sensitive data and systems, often for financial gain or political disruption, and will leverage any weak point they can find in the perimeter to establish a foothold to exploit valuable assets. And right now, this is particularly the case for organisations who work at the heart of the UK's critical infrastructure - everything from healthcare and government to utilities, finance and emergency services - on whose systems, networks and processes the daily functioning of the country depends.
Recently, the National Cyber Security Centre (NCSC) warned companies connected to the UK's critical national infrastructure that they were being targeted by hackers aiming to gain a position from which to disrupt public services or steal highly sensitive data pertaining to UK citizens and government. In fact, today national security experts operate on the basis that it is a matter of "when, not if" the UK becomes a victim to a category one cyber attack targeting critical network infrastructure, as reports from the NCSC warn that the supply chain of the critical national infrastructure is under “sustained attack”.
Hackers first attack target computers indirectly connected to the target's network to compromise workers who might have an advanced security process to access their immediate perimeter. Once compromised, they use this vulnerability to move laterally and attack mission-critical networks and/or data. A combination of human fallibility over password protection and an all-or-nothing approach to network access via VPNs means that they are particularly vulnerable to this kind of attack.
Data breaches as a result of weak, default or stolen passwords.
News headlines would have you believe that most security breaches are the result of very sophisticated attack methods. Reality is actually much more mundane: the biggest threat to security today stems from compromised credentials. In fact, according to the 2016 Verizon Data Breach Investigations Report, 63 percent of confirmed data breaches involve using weak, default or stolen passwords. On this point the login credentials for remote access VPNs can be compromised in a variety of ways. For example, it is very possible that a contractor, vendor or service provider uses the same credentials for remote access VPNs as the passwords they use for their own social media account. Considering that people often use simple or default passwords, hackers can easily guess the login and password details.
On top of this, the VPN provides wide access to network resources – often far more than the one or two applications that the user actually needs. This means that once the attacker is in, they have practically unrestricted access to large areas of the network – a huge potential attack surface.
With that said it is staggering to read that almost half (48 percent) of UK IT professionals surveyed by OneLogin still require remote workers to use VPNs. However, with 30 percent receiving frequent complaints that the use of a VPN slows down remote network access, many organisations are struggling to find a balance between productivity and security. The survey also found that half of remote workers spend up to one day per week connected to unsecured networks in an effort to circumnavigate VPNs and get on with their job, leaving organisations open to a host of cyber-threats.#
Awareness is growing that more needs to be done to protect our critical network infrastructure and as a result the concept of Zero-Trust Networking and Trusted Access Control has come into the spotlight. The premise behind this approach is to provide identified legitimate users with secure access to the functionality that they need while mobile, without giving them – or any potential attackers – carte blanche to access the entire system.
Isolate, validate and then allow
A system such as that described above is known as full spectrum protection. Solutions are available that implement transparent multi-factor authentication using the device itself as an additional factor for all authentication. What this means in terms of credential theft is that a bad actor can't use stolen credentials to simply login to an application because credentials alone aren't enough to satisfy the stringent authentication requirements. An attacker would have to have the credentials and access to the specific device that is linked to the legitimate user.
These solutions can also use application layer tunnels over existing network infrastructure to provide access to specific applications, not to the entire network and not even to the entire server—just to the port of the server of the authorised application. This severely limits the potential attack surface, providing far higher security for critical infrastructure organisations, without compromising on productivity.
Today threats are constantly evolving, hacking and breaches are everyday occurrences and critical national infrastructure is a prime target, so don't let your organisation be a victim of a data breach through ineffective remote or third party access!
Contributed by Paul Darby, regional director - EMEA, Vidder.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.