A False Sense of Security: Why VPNs Are Not a Silver Bullet

virtual private network security, VPN safety, VPN risks, cybersecurity strategies, VPN breaches, VPN security measures

In a world of hybrid organizations and a rising number of remote employees, virtual private networks (VPNs) are rapidly growing as a solution for secure access between enterprise networks and external endpoints. In 2022, the global VPN market was valued at $44.6 billion, with experts projecting growth to $93.1 billion by 2030.

But while VPNs play an important role in today’s enterprise security stack, the growth in adoption may represent overconfidence in a technology with distinct risks and limitations. Misconceptions surrounding VPNs abound and with VPN-directed attacks on the rise, those who depend on them as a silver bullet for cybersecurity are in for a rude awakening.

VPN Breaches

In June, cybersecurity researchers reported that 360 million user data records were leaked in a breach affecting SuperVPN, a free VPN service operating in China.

While users of the application had expected it to protect their personal data and identities, instead it exposed both of them – including email addresses, location and online activities – to the open Web.

This story would be less concerning if security flaws were limited to free, consumer-facing VPN services. Unfortunately, they are not: flaws are regularly found in the VPN products used by large enterprises, federal agencies, local governments and critical infrastructure operators.

To protect themselves from these risks, organizations must understand the limited role that VPNs play in a comprehensive cybersecurity strategy, the risks they can introduce to an IT ecosystem, and best practices for utilizing them effectively.

What VPNs Really Do

According to a study from the University of Maryland, VPN ads directed at consumers through social media include “overpromises and exaggerations that could negatively influence viewers’ mental models of internet safety”. But overpromising and exaggerations only work because viewers don’t know what a VPN really does.

In an enterprise configuration, a VPN creates an encrypted connection between a VPN client installed on a device outside your organization and a VPN server (the gateway) hosted on-site or in an off-site data center. Traffic that arrives through the tunnel is then forwarded by the gateway to the open Web, to cloud services or to internal resources.

When a VPN works properly, the encrypted connection between client and server forms a secure “tunnel” that protects traffic against snooping while it is in transit: an observer on the path sees only encrypted packets between the endpoint and the VPN gateway, not which internal resources or external destinations the endpoint is reaching, nor the data exchanged with them. Note that the tunnel does not hide the endpoint’s own public IP address from that observer, or the fact that it is talking to your gateway.

What VPNs Don’t Do

Unfortunately, VPNs do not always work properly. And even when they do, there are many risks they don’t protect against. For instance:

  • VPNs do not protect software as a service (SaaS) applications that reside outside your organization. Employees can route SaaS traffic through the VPN, but they often choose not to (or split-tunneling rules exclude it) because VPNs can be slow and cumbersome. This compounds the growing risk of shadow IT that organizations already suffer from, with data scattered across unmanaged and poorly protected external services.
  • While a VPN prevents attackers from intercepting or decrypting traffic as it travels through the tunnel, it does nothing for data before it enters the tunnel or after it leaves. An attacker who has already compromised a device at either end, through malware, phishing or social engineering, can still read data sent both ways, and can use the tunnel itself to reach your network.
  • VPNs do not always prevent devices from revealing their real IP addresses or the destinations of their traffic. DNS queries resolved outside the tunnel, IPv6 traffic that an IPv4-only tunnel does not cover, split-tunneling rules, browser features such as WebRTC, and other weaknesses in the VPN client or in non-VPN software can all tip a watchful adversary off to the identity of protected endpoints and where they are connecting.

VPN-Associated Risks

Aside from the fact that VPNs do not protect against all cyber risks, they often introduce new ones, including:

  • Keys to the Kingdom – enterprise VPNs are often deployed without layered controls, network segmentation or least-privilege access rules that limit each user to the resources they actually need. In that case, one set of VPN credentials or one trusted device is all an attacker needs to reach everything on your network, which makes VPN credentials and VPN-connected devices valuable targets.
  • Expanded Attack Surface – according to a report by Cybersecurity Insiders and Zscaler, 61% of organizations have three or more VPN gateways with public IP addresses, and many have more than five. Every gateway is an Internet-facing service that must be patched and monitored, and together with the countless devices connected to your company through those gateways, this represents a significant increase in attack surface.
  • Vulnerabilities – vulnerabilities affecting VPN servers and clients are discovered regularly and must be patched before they are exploited; because a gateway is reachable from the Internet by design, exploitation often requires no prior access. In 2020, one vulnerability affecting the SonicWall VPN left nearly 800,000 devices exposed to denial-of-service attacks and remote code execution exploits.
  • Weak Encryption – while breaking the encryption between a VPN client and server is usually an unrealistic attack, servers are sometimes configured to keep weaker ciphers, hashes or key-exchange groups in their proposal lists so that obsolete clients can still connect. Because IKE negotiation will settle on any proposal both sides list, a legacy proposal that has merely been placed last is still selectable by a peer that offers nothing else, so interception and decryption of traffic becomes a genuine risk. The fix is to remove weak proposals, not to deprioritize them.

Best Practices for Enterprise VPNs

As with enterprise cloud solutions, some of the risks associated with business VPNs are attributable to misconfiguration or poor maintenance by the customer. There are key practices to help organizations enhance VPN security and protect against attacks. In 2020, the National Security Agency (NSA) published a few:

  1. Reduce VPN gateway attack surfaces – minimize the number of VPN gateways, and implement traffic rules to “limit the ports, protocols and IP addresses of network traffic to VPN devices.” In practice, the gateway’s public interface should accept only what the VPN protocol needs (for IPsec: UDP 500 for IKE, UDP 4500 for NAT traversal and the ESP protocol; for an SSL VPN, typically TCP 443 alone) and, where the client population is known, only from expected source ranges. Management interfaces should never be reachable from the Internet, and arbitrary devices should not be able to connect to a VPN gateway at all.
  2. Verify that cryptographic algorithms are CNSSP 15-compliant – Committee on National Security Systems Policy (CNSSP) 15 specifies the approved algorithms and key sizes. At a minimum, the NSA recommends checking both the Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE) policy and the IPsec policy, since each can negotiate a weak algorithm independently of the other.
  3. Avoid using default VPN settings – default settings may enable weaker cryptographic standards or leave legacy proposals in place. As a best practice, the NSA recommends configuring all VPN settings explicitly rather than relying on vendor defaults.
  4. Apply vendor-provided updates/patches – as with any business-critical software, organizations should apply patches to server-side software and devices as soon as they are issued, and make sure the VPN clients on endpoints are updated as well.
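
The negotiation caveat under “Weak Encryption” and the second and third recommendations above come down to one check: does every IKE and ESP proposal the gateway will accept consist only of approved algorithms? The following POSIX shell script is an added example, not code from the original article, the NSA or any VPN vendor. It audits strongSwan-style proposal strings (the enc-integ/prf-dhgroup notation used in ipsec.conf and swanctl) against an allowlist chosen here to approximate the CNSA-suite values that CNSSP 15 points to (AES-256, SHA-384 or better, ECP-384 or 3072-bit MODP or larger). The allowlist, the connection names and the configuration fragment are all constructed for illustration and should be replaced by your own policy and configuration.

```shell
#!/bin/sh
# Added example: audit IKE/ESP proposal strings against an algorithm allowlist.
# Notation follows strongSwan's "enc-integ/prf-dhgroup" proposals, e.g.
#   ike=aes256gcm16-prfsha384-ecp384!    esp=aes256gcm16-ecp384!
# The allowlist below is an assumption approximating the CNSA-suite values that
# CNSSP 15 points to; replace it with the exact list from your own policy.
OK_ENC="aes256 aes256gcm16 aes256gcm128"
OK_INT="sha384 sha512 prfsha384 prfsha512"
OK_DH="ecp384 ecp521 modp3072 modp4096 modp6144 modp8192"

# in_list WORD LIST: succeed when WORD appears in the space-separated LIST.
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# audit_proposal PROPOSAL: print one finding per component that is not on the
# allowlist and return 1; print nothing and return 0 for a compliant proposal.
audit_proposal() {
  proposal=$1
  rc=0
  old_ifs=$IFS; IFS='-'; set -- $proposal; IFS=$old_ifs   # split on '-'
  for comp in "$@"; do
    if in_list "$comp" "$OK_ENC" || in_list "$comp" "$OK_INT" || in_list "$comp" "$OK_DH"; then
      continue
    fi
    case $comp in
      aes*|3des|des|null|chacha20*)             echo "$proposal: encryption '$comp' not on the allowlist" ;;
      sha1|sha256|md5|prfsha1|prfsha256|prfmd5) echo "$proposal: integrity/PRF '$comp' below SHA-384" ;;
      modp*|ecp*|curve25519)                    echo "$proposal: DH group '$comp' not on the allowlist" ;;
      *)                                        echo "$proposal: unrecognised component '$comp'" ;;
    esac
    rc=1
  done
  return $rc
}

# Constructed ipsec.conf-style fragment: a "compat" connection that still offers
# legacy proposals for old clients, and one that offers only CNSA-aligned proposals.
SAMPLE_CONF='conn legacy-compat
  ike=aes128-sha1-modp1024,aes256-sha256-modp2048!
  esp=aes128-sha1!
conn cnsa-only
  ike=aes256gcm16-prfsha384-ecp384!
  esp=aes256gcm16-ecp384!'

# audit_conf FRAGMENT: print every finding from all ike= and esp= lines, prefixed by the key.
# Each comma-separated proposal is checked on its own: one weak entry anywhere in the list
# is enough for a downgrade, whatever its position.
audit_conf() {
  printf '%s\n' "$1" |
    grep -E '^[[:space:]]*(ike|esp)=' |
    sed 's/^[[:space:]]*//; s/!$//' |
    while IFS='=' read -r key list; do
      old_ifs=$IFS; IFS=','; set -- $list; IFS=$old_ifs
      for p in "$@"; do
        audit_proposal "$p" | sed "s/^/$key /"
      done
    done
}

# conf_compliant FRAGMENT: succeed only when audit_conf produces no findings.
conf_compliant() {
  [ -z "$(audit_conf "$1")" ]
}

# Stand-alone run: report on the constructed fragment. All findings come from the
# legacy-compat connection; note that aes256-sha256-modp2048 also fails, because a
# proposal with a strong cipher but a sub-policy hash or DH group is still a downgrade target.
if conf_compliant "$SAMPLE_CONF"; then
  echo "all proposals compliant"
else
  audit_conf "$SAMPLE_CONF"
fi
```

To audit a live gateway, pass the contents of its ipsec.conf (or the proposals lines from swanctl.conf) to audit_conf; the same split-and-check logic applies to other vendors once their proposal syntax is normalised to the enc-integ-dh form.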

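For the first recommendation, and for the segmentation problem described under “Keys to the Kingdom”, here is an added example (not the article’s, the NSA’s or any vendor’s code) of a POSIX shell script that generates an nftables ruleset for a Linux-based IPsec gateway: the public interface accepts only IKE, NAT-T and ESP, optionally only from known peer ranges, and VPN clients are forwarded only to an explicit list of internal services rather than to the whole network. It also includes a small check, run over constructed output in the shape of ss -lntu, that lists any other service bound to all interfaces. The interface name, address ranges, service list and listener lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example: minimal nftables ruleset for a Linux IPsec VPN gateway, plus a check for
# services exposed on the public interface beyond the VPN itself. Interface name,
# address ranges and ports are constructed placeholders; adjust before applying.

WAN_IF=${WAN_IF:-eth0}               # public-facing interface (assumed name)
VPN_POOL=${VPN_POOL:-10.99.0.0/16}   # virtual address pool handed to VPN clients (assumed)
# Source ranges allowed to start a VPN session. The default admits the whole Internet;
# narrow it to office, partner or known ranges wherever the client population allows.
PEER_SET=${PEER_SET:-0.0.0.0/0}

# Internal services VPN users may reach, as "address port" pairs (constructed examples).
# Everything not listed is unreachable from the VPN pool: least access, not "whole LAN".
ALLOWED_SERVICES='10.10.5.20 443
10.10.5.21 443
10.10.8.10 3389'

# vpn_gateway_ruleset: print an nftables ruleset implementing the two policies above.
vpn_gateway_ruleset() {
  printf 'table inet vpn_gw {\n'
  printf '  set vpn_peers { type ipv4_addr; flags interval; elements = { %s } }\n' "$PEER_SET"
  printf '  chain input {\n'
  printf '    type filter hook input priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  printf '    iif lo accept\n'
  printf '    # only IKE (500), NAT-T (4500) and ESP, and only from expected peers\n'
  printf '    iifname "%s" ip saddr @vpn_peers udp dport { 500, 4500 } accept\n' "$WAN_IF"
  printf '    iifname "%s" ip saddr @vpn_peers meta l4proto esp accept\n' "$WAN_IF"
  printf '    # management (ssh, web UI, snmp) is not opened here: reach it via an internal interface\n'
  printf '  }\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  printf '%s\n' "$ALLOWED_SERVICES" | while read -r addr port; do
    [ -n "$addr" ] || continue
    printf '    ip saddr %s ip daddr %s tcp dport %s accept\n' "$VPN_POOL" "$addr" "$port"
  done
  printf '  }\n'
  printf '}\n'
}

# Constructed output in the shape of `ss -H -lntu` on the gateway:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
LISTENERS='udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8443 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'

# unexpected_listeners_from_stdin: read ss -lntu style lines and print "proto port" for
# every socket bound to all addresses that is not IKE or NAT-T. Each line is attack surface
# the ruleset above blocks, but which should ideally be bound internally or disabled.
# On a real gateway:  ss -H -lntu | unexpected_listeners_from_stdin
unexpected_listeners_from_stdin() {
  awk '$5 ~ /^(0\.0\.0\.0|\*|\[::\]):/ {
         port = $5; sub(/.*:/, "", port)
         if (!($1 == "udp" && (port == "500" || port == "4500"))) print $1, port
       }'
}
# unexpected_listeners: the same check over the constructed sample.
unexpected_listeners() {
  printf '%s\n' "$LISTENERS" | unexpected_listeners_from_stdin
}

# Stand-alone run: print the ruleset (apply it with: vpn_gateway_ruleset | nft -f -),
# then the extra listeners found in the sample (tcp 22 and tcp 8443; 5432 is loopback-only).
vpn_gateway_ruleset
echo '# listeners on all interfaces other than IKE/NAT-T:'
unexpected_listeners
```

The ruleset is IPv4-only for brevity; a dual-stack gateway needs a matching ip6 set and rules, and a gateway using an SSL VPN would expose TCP 443 in place of the IKE/ESP rules. The forward chain is where the “keys to the kingdom” problem is addressed: a stolen credential still yields a tunnel, but only to the listed services.
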
But while these recommendations will make your enterprise VPN configuration safer, they will not compensate for complacency in other domains: missing multifactor authentication (MFA) or weak credential hygiene, an absence of network segmentation or zero trust policies for internal resources, or a lack of security training to prevent phishing and social engineering attacks and the mishandling of trusted devices.

Secure VPNs Are Downstream from Secure Organizations

While many businesses are planning to move away from VPNs to alternative remote-access solutions such as secure access service edge (SASE) and zero trust networking (ZTN), realistically VPNs will still have a place in hybrid work environments for many years to come. That won’t be a problem for organizations that understand VPNs play a small part in a larger cybersecurity strategy, and that work with the right partners to close the security gaps that affect VPN safety.

With a team of veterans from the U.S. security community – including DoD, DHS and U.S. Cyber Command – Securicon is equipped to protect remote access solutions (including VPNs) and harden your security posture with gap analysis, compliance consulting, assessment support, audit preparation and more. To learn how we can help you, contact us today.