Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Deployment of traffic-encrypting virtual private networks (VPNs) surged in March 2020, as companies sought ways to get employees working from home.
Now, malicious hackers are checking in on the devices and hoping they’ve been left unmanaged.
“These devices have to get configured properly on an ongoing basis,” Adam Tyra, general manager of security services at cyber insurance provider At-Bay, told IT Brew. “They have to get patched. They have to get maintained. It’s not a set-it-and-forget-it solution.”
A VPN is a remote-access software or hardware tool that offers companies:
- Two-way encryption of network communication (confidentiality!)
- Access to corporate resources
A May 2024 At-Bay study found that remote-access vulnerabilities led to 58% of direct ransomware events in 2023, and self-managed VPNs, or technology “implemented on-premises and maintained by in-house IT teams,” have considerably higher risk of security incidents compared to cloud-hosted VPNs; self-managed VPNs accounted for 63% of 2023’s remote-access ransomware events.
“Somebody has to stay on top of that device and make sure it stays secure. And a lot of these organizations that have adopted them in the self-managed mode…really just are not currently capable of maintaining them effectively,” Tyra said.
Effective maintenance may involve patch management or some multifactor authentication—and the configurations can compound and confound.
Let’s say you’re running a bunch of restaurants whose point-of-sale devices all connect through a virtual private network. A VPN patch requires an update to all machines connected to it as well, according to Elliott Franklin, VP and CISO at reinsurance company Fortitude Re. As a former IT infrastructure pro, Franklin has deployed more than a few VPNs and admits that maintaining them is complicated.
“The bad guys don’t have to worry about change management, they don’t have to go request access, they don’t have to go do a testing QA period. They just attack you,” Franklin said, adding that he prefers a cloud-based option that handles management and upgrade tasks.
VPN vulnerabilities and exploits have hit multiple vendors in 2024. In late February, CISA warned of attacks against Ivanti gateway devices.
On May 27, Check Point Software Technologies released an advisory that noted an increase in attacks on VPNs and “identified a small number of login attempts” on its Network Security Gateways “using old VPN local-accounts relying on unrecommended password-only authentication method.”
A recommended VPN best practice from Check Point’s Gil Messing, chief of staff and head of global corporate communications: “Don’t use old accounts if you don’t need them.” And if you do need them, add extra layers of security like certificates or multifactor authentication.
Once an attacker breaks a VPN or compromises VPN access, they “have visibility into the network,” Messing told IT Brew, and a VPN ends up being an attractive perk for cybercriminals.
“A VPN, to put it simply…is the door to the mansion,” he said.