US federal agency warns that VPNs might not be secure enough for your business

Virtual Private Networks (VPNs) are hugely popular, both with consumers looking to enhance privacy and organisations wanting to give remote employees secure access to internal applications.

Perhaps unsurprisingly, VPNs are also much loved by cybercriminals and nation-state hackers.

So loved, in fact, that the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning.

It has “frequently identified” VPNs being involved in high-profile security incidents, adding more than 22 Common Vulnerabilities and Exposures (CVEs) to the Known Exploited Vulnerabilities (KEV) list.

These vulnerabilities have led, CISA says, “to broad access to victim networks” and are “prompting some to consider replacing their legacy VPN solutions with modern network access solutions”.

In the last few months alone we have seen:


How to make your business’ VPNs more secure

CISA says that “while some VPN solutions are inherently more secure than others — and not always the cause of major cyber incidents — current hybrid networks require adopting modern network access security solutions to help organisations protect corporate resources.”

The kind of Secure Access Service Edge (SASE) and Secure Service Edge (SSE) solutions that the CISA guidance references offer, according to Adam Maruyama, Field CTO at Garrison Technology, “more granular, context-sensitive controls” and so provide “additional layers of protection to organisations in the event of a breach”.

However, Maruyama warns that SASE and SSE software retains some residual risk.

“Just as attackers found vulnerabilities to exploit in the Internet-facing attack interfaces of VPNs,” Maruyama says, “so too will attackers find ways to subvert the software mechanisms enforcing the SSE and SASE controls.”

To counter these threats, Maruyama advises organisations to look toward verifiable, fixed-function security enforcement mechanisms “like those enforced by hardware security technologies” for critical security functions.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
