Chris Scheels, August 5, 2020
Russian Hacker Exposes Pulse Secure VPN Passwords
It’s Past Time to Replace This Antiquated Technology
VPNs continue to create unnecessary risk. There are more effective ways to secure network access by implementing the principles of Zero Trust.
We’ve advocated for quite some time that VPNs are insecure and need to be retired. Our blog is full of the reasons why, including a recent post, “Why is Your Network’s Front Door Still Unlocked?” Recent news that a Russian hacker leaked the passwords for more than 900 enterprise Pulse Secure VPNs intensifies the urgency. The problem is serious on multiple levels:
- These enterprises are at immediate risk, since their private networks are now effectively exposed to attackers
- Chances are, these users have re-used passwords for other accounts, which are now also at risk
VPN vulnerabilities are common knowledge. The most recent US-CERT Top Ten Routinely Exploited Vulnerabilities alert (US-CERT AA20-133A) highlights that malicious cyber actors are increasingly targeting VPN vulnerabilities.
Major technical flaws of VPNs include:
- Too much network visibility, inviting attackers to their front door
- Default level of access for all when connecting users to the network, exposing a massive attack surface
Along with being inherently insecure, VPNs are expensive to maintain and manage. They gobble up costly network bandwidth, create bottlenecks and slow down data-related operations. They also create an administrative quagmire: tens of thousands of firewall rules are required to enforce access controls, and patches must be applied to fix firmware vulnerabilities, as in the case of the Pulse Secure VPNs. A recent study shows that unpatched vulnerabilities are the cause of 60% of breaches. Addressing patch management effectively costs enterprises an average of $650,000 annually.
Amid the deafening sound of alarm bells, many enterprises have not replaced VPNs with modern technology. We urge them to take the first step today. There are better and more secure ways to provide users with remote access, without putting your entire organization at risk.
The Software-Defined Perimeter uses a simple cryptographic technique (Single-Packet Authorization) to cloak network entry points. With SDP, broad surface attacks associated with VPNs can’t happen.
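In general, Single-Packet Authorization has the gateway drop all traffic by default and open access only after it receives one packet it can authenticate. The sketch below is an added example, not code from this post or from any SDP product; the packet layout, `MAX_SKEW`, and the names `build_spa_packet` and `SpaGateway` are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

# Assumed layout (constructed for this example): client id, unix time, nonce, then HMAC-SHA256 tag.
HEADER = struct.Struct("!16sQ16s")
TAG_LEN = 32
MAX_SKEW = 30  # assumed tolerance, in seconds, between packet time and gateway clock

def build_spa_packet(client_id, key, now, nonce=None):
    """Client side: one self-authenticating datagram, no prior handshake."""
    nonce = nonce or os.urandom(16)
    body = HEADER.pack(client_id.ljust(16, b"\0"), now, nonce)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class SpaGateway:
    """Gateway side: returns the client id to authorize, or None to drop silently."""
    def __init__(self, keys):
        self.keys = keys   # client id -> shared secret
        self.seen = {}     # nonce -> packet timestamp, for replay detection

    def verify(self, packet, now):
        if len(packet) != HEADER.size + TAG_LEN:
            return None
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        raw_id, ts, nonce = HEADER.unpack(body)
        client_id = raw_id.rstrip(b"\0")
        key = self.keys.get(client_id)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None    # forged or modified packet
        if abs(now - ts) > MAX_SKEW:
            return None    # stale capture
        # Forget nonces whose packets would already fail the time check.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return None    # replay inside the time window
        self.seen[nonce] = ts
        return client_id

if __name__ == "__main__":
    key = os.urandom(32)                      # constructed sample secret
    gw = SpaGateway({b"laptop-01": key})
    pkt = build_spa_packet(b"laptop-01", key, now=1_600_000_000)
    print(gw.verify(pkt, 1_600_000_005))      # first use
    print(gw.verify(pkt, 1_600_000_006))      # same packet again
```

Every rejection path returns `None` without a reply, so a scanner that lacks the key sees the same silence whether or not the gateway exists.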
With VPNs, access is all or nothing. Once connected, you can see everything on the network. Conversely, SDP uses the principles of Zero Trust to reduce the attack surface. Unauthorized users will be unable to even see the network entry point, and therefore be unable to connect to it or attack it. SDP achieves this by:
- Building a multi-dimensional profile of a user and device that is authorized before network access is granted
- Dynamically adjusting entitlements based on policy and real-time conditions
- Leveraging micro-segmentation to reduce the attack surface and eliminate lateral movement to all network resources
Forward-looking enterprises have embraced SDP as a more secure way to secure network access. The fierce urgency of now is evident with the latest news of the Russian hack on Pulse Secure VPNs. You can start now by learning more about SDP.