Outdated VPN Remote Access: Putting CNI Organisations at Risk

When Virtual Private Networks (VPNs) were first developed back in the 1990s, the idea was to extend the LAN to employees’ home offices and hotels as they hit the road. This meant giving employees remote access to everything their company network had to offer, just as if they were working on the internal network, explains Paul Darby.

Then, when companies began outsourcing work and bringing ecosystem partners onto their networks, the remote access VPN was about the only tool at their disposal. The VPN became the default means of providing third parties with access to corporate networks and applications, and it is still in common use today.

Fast forward to 2018 and, unfortunately, there are several security weaknesses that make the remote access VPN an unsuitable method of providing that access. Today, attackers are looking to reach an organisation’s most sensitive data and systems, often for financial gain or political disruption, and will leverage any weak point they can find in the perimeter to establish a foothold from which they can go after valuable assets. Right now, this is particularly the case for organisations that work at the heart of the UK’s Critical National Infrastructure (CNI) – everything from healthcare and Government to the utilities, finance and the Emergency Services – and on whose systems, networks and processes the daily functioning of the country depends.

Recently, officials at the National Cyber Security Centre (NCSC) warned companies connected to the UK’s CNI that they were being targeted by hackers aiming to gain a position from which to disrupt public services or steal highly sensitive data pertaining to UK citizens and Government.

In fact, in today’s world, national security experts operate on the basis that it’s a matter of “When, not If” the UK becomes the victim of a Category One cyber attack targeting critical network infrastructure, as reports from the NCSC warn that the supply chain of the CNI is under “sustained attack”.

Attackers first go after computers that are only indirectly connected to the target’s network: the machines of workers and third parties who may themselves pass through a rigorous security process to reach the immediate perimeter. Once such a machine is compromised, the attacker uses its legitimate access to move laterally and attack mission-critical networks and/or data. A combination of human fallibility over password protection and an all-or-nothing approach to network access via VPNs means that these organisations are particularly vulnerable to this kind of attack.

Data breaches due to weak, default or stolen passwords

News headlines would have you believe that most security breaches are the result of very sophisticated attack methods. The reality of the situation is actually much more mundane: the biggest threat to security today stems from compromised credentials.

In fact, according to Verizon’s 2016 Data Breach Investigations Report, 63% of confirmed data breaches involve using weak, default or stolen passwords. On this point, the login credentials for remote access VPNs can be compromised in a variety of ways. For example, it’s possible that a contractor, vendor or service provider uses the same credentials for remote access VPNs as they do for their own social media account. Considering that people often use simple or default passwords, hackers can easily guess the login and password details.

On top of this, the VPN provides wide access to network resources (and often far more than the one or two applications that the user actually needs). This means that, once the attacker is in, they have practically unrestricted access to large areas of the network. That represents a huge potential attack surface.

Given this, it’s staggering to read that almost half (48%) of UK IT professionals surveyed by OneLogin still require remote workers to use VPNs. However, with 30% receiving frequent complaints that the use of a VPN slows down remote network access, many organisations are struggling to find a balance between productivity and security. The survey also found that half of remote workers spend up to one day per week connected to unsecured networks in an effort to circumvent VPNs and carry on with their job, leaving organisations open to a host of cyber threats.

Awareness is growing that more needs to be done to protect our critical network infrastructure and, as a result, the concepts of Zero-Trust Networking and Trusted Access Control have come into the spotlight. The premise behind this approach is to provide identified legitimate users with secure access to the functionality that they need while mobile, without giving them – or any potential attackers – carte blanche to access the entire system.

Isolate, validate… and then allow

Paul Darby

Paul Darby

A system such as that described above is known as full spectrum protection. There’s one solution that implements transparent multi-factor authentication, using the device itself as an additional factor for every authentication. In terms of credential theft, this means that a bad actor cannot use stolen credentials to log in to an application, because credentials alone are not enough to satisfy the authentication requirements. An attacker would need both the credentials and access to the specific device that’s linked to the legitimate user.

Additionally, this solution uses application layer tunnels over the existing network infrastructure to provide access to specific applications rather than to the entire network: not even the whole server is exposed, only the port on which the authorised application listens. This severely limits the potential attack surface, providing far higher security for critical infrastructure organisations without compromising on productivity.
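As an added illustration of the two controls just described (device-bound multi-factor authentication, and access limited to the host and port of one authorised application) set against the all-or-nothing VPN model discussed earlier, here is a small Python access broker. It is example code written for this article, not code from the article or from Vidder. The users, password, device key and application addresses are constructed sample data, and the challenge-response HMAC between broker and enrolled device is an assumed mechanism standing in for whatever a real product uses.

```python
import hashlib
import hmac
import secrets

_SALT = b"constructed-static-salt"  # sample only; use a random per-user salt in practice


def _hash_password(password: str) -> bytes:
    """PBKDF2 password hash; the stored value never reveals the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed identity store: each user has a password hash, a key provisioned on
# their enrolled device, and the short list of applications they actually need.
USERS = {
    "contractor1": {
        "password_hash": _hash_password("Winter2018!"),
        "device_key": bytes.fromhex("11" * 32),
        "apps": {"ticketing"},
    },
}

# Constructed application directory: name -> (host, port) of the listening service.
APPLICATIONS = {
    "ticketing": ("10.0.5.20", 8443),
    "scada-hmi": ("10.0.9.10", 502),
}


def legacy_vpn_access(user: str, password: str) -> set:
    """The all-or-nothing VPN model: one valid password opens every route."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(
        record["password_hash"], _hash_password(password)
    ):
        return set()
    return set(APPLICATIONS.values())


def issue_challenge() -> bytes:
    """Broker side: a fresh random nonce per login attempt, so responses cannot be replayed."""
    return secrets.token_bytes(32)


def device_response(device_key: bytes, challenge: bytes) -> bytes:
    """Client side: the enrolled device answers the challenge with its own key."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def authenticate(user: str, password: str, challenge: bytes, response: bytes) -> bool:
    """Both factors must verify: the password AND possession of the enrolled device.
    Stolen credentials alone therefore fail, as the text describes."""
    record = USERS.get(user)
    if record is None:
        return False
    password_ok = hmac.compare_digest(record["password_hash"], _hash_password(password))
    expected = device_response(record["device_key"], challenge)
    device_ok = hmac.compare_digest(expected, response)
    return password_ok and device_ok


def authorise(user: str, app: str):
    """Return the single (host, port) the user may reach for this app, or None."""
    record = USERS.get(user)
    if record is None or app not in record["apps"]:
        return None
    return APPLICATIONS.get(app)


def broker_connect(user: str, password: str, challenge: bytes, response: bytes, app: str):
    """Full flow: verify both factors, then expose at most one application endpoint."""
    if not authenticate(user, password, challenge, response):
        raise PermissionError("authentication failed")
    endpoint = authorise(user, app)
    if endpoint is None:
        raise PermissionError(f"{user} is not authorised for {app}")
    return endpoint


if __name__ == "__main__":
    challenge = issue_challenge()
    response = device_response(USERS["contractor1"]["device_key"], challenge)
    print("broker grants:", broker_connect("contractor1", "Winter2018!", challenge, response, "ticketing"))
    print("legacy VPN grants:", legacy_vpn_access("contractor1", "Winter2018!"))
```

The contrast is in the two return values: the legacy function hands back every application address once the password checks out, whereas the broker returns one host and port, and only after the device has also answered the challenge.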

Threats are constantly evolving. Hacking and breaches are everyday occurrences and CNI is a prime target. Don’t let your organisation become the victim of a data breach through ineffective remote or third party access.

Paul Darby is Regional Director (EMEA) at Vidder

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.