Why It’s Still Time to Kill the VPN
Financial institutions aiming to implement a holistic security strategy must ensure that they focus not only on their external anti-fraud efforts, but also on their internal security. Strong protection is not just limited to an organization’s brand or end users: it extends inward to their employees, networks, and sensitive data. We previously wrote about the importance of moving away from VPNs to secure internal assets due to critical flaws in the antiquated technology. In this post, we’ll dive deeper into why it is more urgent than ever for financial institutions to make the shift to stronger security.
An Alarming Development
Recently, Carnegie Mellon University CERT Coordination Center issued a security alert warning that multiple Virtual Protection Network (VPN) applications have been found to authentication and session cookies in insecure memory and/or log files. What does this mean for financial institutions employing VPNs to protect their internal resources?
In traditional VPNs, cookies can be used to establish a VPN connection from a device not owned by the intended user. Essentially, any cybercriminal with access to – or running malware on – a computer connected to a VPN can retrieve a user’s credentials and use them to access the sensitive networks from a separate device. Put simply, a financial institution’s internal network, applications, and sensitive data are exposed. Four VPN applications from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure are impacted and named in the alert.
It’s 2019 – Why Are VPNs Still Vulnerable?
Traditional VPNs all function the same way at a basic level: once a user is authenticated, that ‘authorization’ is linked to the user’s computer, usually in the form of an unencrypted cookie. If no special precautions are taken, that cookie will also exist in the device’s memory – also unlikely to be unencrypted. Further, if a criminal has already deployed malware onto the user’s device, that authorization cookie can be easily accessed by the fraudster and used to spoof the user’s VPN authorization.
Once they obtain the authorization, the attacker can easily gain access to an organization’s internal networks. From there, the door is wide open to them to move laterally through sensitive servers that most likely lack private-user firewalls.
A Band-Aid, but Not a Cure
There is no doubt that the impacted VPN providers will fix these vulnerability issues. They will issue a patch (in some cases they already have) and change the way the authorization cookies are handled. This quick fix might include clearing the memory of the cookie, encrypting the cookie, storing it in a certificate store in the user’s operating system, etc. But is this really a long-term solution? No, because all of the other issues inherent to traditional VPNs are still there, and sensitive systems will still be completely vulnerable to infiltration by outside (or inside) invaders.
To navigate today’s dynamic and complex network landscape, financial institutions need to deploy a Zero Trust cybersecurity model in which users are never allowed access to a given network without first evaluating their identity and context.
This principle is supported by a Software-Defined Perimeter (SDP), which evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative. SDP is designed around the user and addresses the shortcomings of VPNs. It is based on a need-to-know model, in which device context and identity are verified before access to a given network or application is granted. SDP reduces the attack surface in real-time by creating a discrete, encrypted network segment of one, making everything else invisible and inaccessible – in layman’s terms, even if a fraudster were to gain access to an institution’s networks, they would have no way to move around and wreak havoc. Finally, SDP is a holistic solution, providing a single secure-access control platform for both remote and on-premise users accessing remote and on-premise resources.
Day after day, the evidence continues to pile up: VPNs are no longer secure for any organization or financial institution looking to protect their internal resources. A Software-Defined Perimeter solution offers far more than the benefits of any VPN while providing infinitely more security.