02.01.24 Update: CISA issues a supplementary emergency directive to government agencies requiring they rapidly disconnect the vulnerable products: "As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks." |
Emergency Directive Reveals It’s Time to Replace VPNs
01.30.24 Update: CISA issues additional guidance related to threat hunting: "If an organization has been running Ivanti Connect Secure (9.x and 22.x) and Policy Secure gateways over the last several weeks and/or continues to run these products, CISA recommends continuous threat hunting on any systems connected to — or recently connected to — the Ivanti device. Additionally, organizations should monitor authentication, account usage, and identity management services that could be exposed and isolate the system(s) from any enterprise resources as much as possible. "After applying patches, when these become available, CISA recommends that organizations continue to hunt their network in order to detect any compromise that may have occurred before patches were implemented." |
VPNs are the long-time workhorse of secure remote access, but increasingly, these virtual private networks are coming under attack by threat actors seeking the unfettered network access VPNs provide. Many VPN providers have been affected by vulnerabilities during the past year.
In the most recent example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for a specific VPN vulnerability, giving federal agencies little more than a weekend to uncover and install a time-consuming — and only temporary — fix.
“CISA has observed widespread and active exploitation of vulnerabilities in Ivanti Connect Secure (VPN) and Ivanti Policy Secure solutions,” the directive says. The statement goes on to describe the magnitude of the threat: “Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and establish persistent system access, resulting in full compromise of target information systems.”
VPN Vulnerability Risk in the Private Sector
While the emergency directive is aimed at U.S. government agencies, CISA has a specific warning for the private sector, as well.
CISA Director Jen Easterly strongly urged all organizations to take mitigating actions immediately.
“Even as federal agencies take urgent action in response to this directive, we know that these risks extend to every organization and sector using these products. We strongly urge all organizations to adopt the actions outlined in this directive," Easterly said.
New Offer: VPN Replacement Made Easy (and Secure). Start your FREE TRIAL of CylanceEDGE® |
VPN Security Risks
Remote access tools like VPNs helped organizations survive COVID and empowered today's “work from anywhere” expectation. However, a growing number of announced VPN vulnerabilities reveal the risks of deep network access these tools provide for cyber threat actors, who are leveraging them to achieve the same access VPNs grant your employees and approved third parties.
The core functionality of VPNs has changed little since the technology was invented in 1996. A VPN grants a user access to a corporate network by extending it — and by association, your security perimeter — to remote users.
The main security issue with this approach is that VPNs operate on the “trust but verify model,” implicitly granting trust to anyone inside a perimeter. A prime example of how this can go wrong is the Colonial Pipeline ransomware attack, which investigators determined was directly tied to the company’s legacy VPN. The FBI issued a subsequent advisory explaining that ransomware attacks often focus on unsecured VPN servers, and such incidents have been steadily rising in frequency since June 2022.
Alternatives to VPNs
If VPNs are a legacy technology with frequently exploited vulnerabilities, then what is the alternative? A growing number of organizations are implementing ZTNA (zero trust network access) as a VPN replacement method. And while CISOs love it because the approach mitigates risk, CIOs appreciate the fact ZTNA also leads to happier users, by speeding up connectivity, streamlining authentication, and normalizing the user experience across devices from anywhere.
VPN Replacement with Zero Trust Network Access
Instead of trusting entities by default, or verifying their access via a one-time authentication through a VPN, users in a zero-trust environment are vetted continuously, by ascertaining their current security posture. No user on the network is automatically considered “trusted,” and neither are the networks, applications or devices they use. The “zero trust” approach applies, regardless of whether the access is requested by a staff member or by an external user, such as a contractor, customer, or partner.
With ZTNA, organizations strengthen their security by minimizing the attack surface (such as by micro-segmentation), while simultaneously centralizing and simplifying their resource and access management, and improving scalability and flexibility.
Research firm Gartner Inc. suggests in a recent report that zero trust network access and network micro-segmentation are two primary factors for organizations of any size to consider when framing a VPN replacement strategy.
And a recent fireside chat with Enterprise Strategy Group (ESG) explores why organizations are choosing ZTNA as a VPN replacement, and how this is advancing digital transformation and hardening security.
Concluding Thoughts
CISA’s latest emergency directive is among many examples that underscore the need to modernize security models by replacing vulnerability-laden VPNs with a zero-trust architecture. ZTNA directly addresses the growing sophistication of cyber threats, and makes it easy for organizations of any size to implement dynamic context- and identity-aware security measures.
In short, ZTNA helps organizations achieve cyber-resilience by taking a transformative step toward a more secure, efficient, and agile digital infrastructure.