Why VPNs make remote access less secure and what to do about it – BetaNews

Virtual private networks (VPNs) were introduced roughly a quarter of a century ago. The premise at the time was solid: Create an encrypted tunnel from a computer to a network so remote users could have secure access to company resources and communications. Although they were slow and time-consuming for IT to administer, VPNs gained traction because they met the primary objective — the connections were secure…or at least secure enough.

Today, it’s a different story. Where VPNs were uncommon 20 years ago, now they’re ubiquitous. But they were never intended to handle the scale of a massive remote migration, and the weaknesses are showing. Last spring, a report from Digital Shadows on Q1 vulnerability activity found cyber criminals targeting VPNs more than most other attack avenues to get into enterprise networks. Even prior to COVID-19, the National Security Agency (NSA) released a Cybersecurity Advisory about “malicious cyber actors leveraging VPN vulnerabilities.”

But companies can be slow to make VPN upgrades, patches are sometimes missed, and the attacks continue — nabbing even the savviest. Recently, credentials stolen from 87,000 unpatched Fortinet SSL-VPNs were posted online, an event that was confirmed by the cybersecurity company.

VPNs remain a useful tool for unifying networks, but they were never created with massive remote workforces or modern cyber threats in mind — clientless solutions were. The following are just three areas where VPNs can hamper security, whereas the clientless approach shines.

Trust issues

Analysts from IDC noted that more than 40 percent of security breaches come from authorized users. It’s a broad group covering everyone from employees to vendors, which is a problem because most VPNs lack granular control over permissions.

In some cases, when a remote user is authenticated, they become effectively “trusted,” and that could provide them access to more of the network than you’d like. According to the Ponemon Institute, insider threats grew nearly 50% from 2018 to 2020, so there’s real reason to be concerned.  

What’s more, because VPN performance can be painfully slow, employees may seek even less secure workarounds. There’s no malice intended — they’re just trying to get their jobs done but get bogged down by the VPN. Regardless, it can introduce more vulnerabilities and increase the likelihood of attacks.

Confusion and mistakes

Keeping tabs on users can be difficult. If your company is in the cloud and has a distributed network, remote workers may end up requiring secure access to dozens of servers. That means every employee, and each VPN appliance, will have a policy that needs to be synced and maintained. 

This entails a long list of tasks. For IT leaders, the only means of seeing who has access and their specific policies is often with confusing dashboards. With this snowballing complexity, it’s understandably easy for admins to lose track of where things stand and make mistakes, introducing security holes that can be exploited.

Patch it up

Software often needs patches, and credible vendors release them promptly, often accompanied by an announcement to alert customers and users. It’s the right thing to do, particularly in an area like security. However, this can also alert cyber criminals to targetable vulnerabilities, and VPN providers have released many software patches over the past year, driven by the increase in remote workforces.

Companies need to get to these patches to keep hackers from getting to them — and it’s …….

Source: https://betanews.com/2021/10/13/vpns-make-remote-access-less-secure/
