Unsafe Virtual Private Networks (VPN) are increasingly becoming a major concern for many organizations around the world, new research has found.
A report from Zscaler, found almost nine in ten (88%) were “deeply concerned” about potential breaches that come as a result of VPN vulnerabilities. These respondents were mostly concerned about phishing attacks (49%) and ransomware attacks (40%) as a result of regular business VPN usage.
Almost half of the polled organizations said they’d been targeted by crooks who were able to exploit a vulnerability in their VPN service of choice. Most of the time, the flaws included outdated protocols or data leaks. A fifth (20%) suffered at least one attack in the past 12 months, while a third (33%) suffered a ransomware attack on VPNs.
Supply chain attacks
There is also the threat of third-party vendors being exploited, resulting in a successful supply chain attack. Outside users, including contractors and vendors, have different security standards, and rarely offer proper visibility to their partners. Furthermore, managing external third-party access is an extremely complex problem, the researchers added.
To tackle the issue, businesses are increasingly adopting a Zero Trust architecture. Zero Trust is a security model in which users and devices are never trusted by default and always need to verify their identity, even when connected to a permissioned network such as a corporate LAN. Adopting Zero Trust means establishing strong identity verification, validating device compliance before granting access, and ensuring least privilege access.
But businesses should be careful when choosing their Zero Trust partner, warns Deepen Desai, Global CISO and Head of Security Research, Zscaler. He’s made some serious allegations towards legacy firewall and VPN vendors, claiming these organizations “spin virtual VPNs in the cloud and claiming that it is Zero Trust, and they go the extra length to hide the word “VPN”. Customers need to ask the right questions to make sure that they are not getting a false sense of security with these virtualized legacy offerings in the cloud. In order to safeguard against evolving ransomware attacks, it is critical for organizations to eliminate the use of VPNs, prioritize user-to-app segmentation, and implement an in-line contextual data loss prevention engine with full TLS inspection.”