Arlette HartFebruary 5, 2024
CISO Perspectives: Ivanti VPN CVEs and Zero-day Exploits Reinforce Top Reasons to Move to Universal Zero Trust Network Access
Four Ivanti CVEs … wow, what a hard place to be. But these are just the latest zero-day critical infrastructure exploits to underscore the inherent security flaws of VPNs. Last Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an unprecedented emergency directive mandating all federal agencies disconnect Ivanti appliances in 48 hours. So, how many more critical VPN CVEs will it take for IT and security teams to scrap open port, risky VPNs in favor of cloaking infrastructure with proven universal Zero Trust Network Access (ZTNA)?
Initially, Ivanti Connect Secure and Policy Secure flaws surfaced in mid-January. They were actively being exploited by Chinese-backed hackers. The flaws were a command injection bug (CVE-2024-21887) and an authentication bypass flaw (CVE-2023-46805). Two more vulnerabilities (CVE-2024-21888 and CVE-2024-21893) were reported by Ivanti last week.
These Ivanti CVEs (Common Vulnerabilities and Exposures) serve as a stark reminder of VPN weaknesses and the dangers of exposed infrastructure. Despite the urgency to fix the issues—not just for government agencies, but for all Ivanti customers—Ivanti’s challenges have been compounded by delays in a staggered patch release schedule currently projected to end the week of Feb. 19.
Cloak your infrastructure with universal Zero Trust Network Access
Let’s face it, those very devices meant to keep you safe can shift and become the source of the attack ... what happens when the cybersecurity appliances ARE the attack vector? Cybersecurity 101: make sure your protection devices are not the path for exploitation.
During my career, including serving six years as FBI CISO, I became keenly aware that we must find a different way. The answer isn’t waiting on an exploit to be discovered so a vendor can issue a patch. The answer is for federal agencies and private enterprises to cloak their infrastructure with universal Zero Trust Network Access (ZTNA) so hackers can’t see the infrastructure ... if they can’t find it, they can’t attack it.
And Appgate SDP—our industry-leading ZTNA solution trusted by the DoD, other federal agencies and global enterprises—does just that with proprietary single packet authorization (SPA) technology. This means even if your authorized users are compromised, threat actors can’t scan for additional systems to move laterally, because those systems are cloaked and the infrastructure itself is invisible. This whitepaper is a SPA primer and includes a full list of what makes the SPA implementation in Appgate SDP unique.
What’s next?
The Ivanti vulnerabilities are a clarion call that highlights a trend we’ve been tracking here at Appgate ... advanced persistent threat tactics used by adversaries have shifted from targeting endpoints to targeting exposed infrastructure. We need a sense of urgency when it comes to protecting our enterprise house because most organizations will never be as fast as the adversary, especially state-sponsored efforts that employ vast resources.
We can’t pretend that legacy solutions, like internet-facing VPNs, are secure and that castle and moat strategies still work. It’s simply not enough. CISOs and their teams must take the next step to cloak enterprise infrastructure with the only universal ZTNA solution with SPA built in ... and that’s Appgate SDP.
Want to learn more? Register to join our monthly ZTNA Table Talks learning sessions or visit our Zero Trust access Demo Hub.
Additional ZTNA resources
Comparison Guide: Cloud-routed vs. Direct-routed ZTNA: What’s the Difference?
Analyst report: 2023 Nemertes Real Economic Value of Appgate SDP
Blog: Universal ZTNA Advances Enterprise Innovation, Reduces OpEx and Simplifies Security
eBook: Zero Trust Maturity Model Roadmap