Suffice to say, retail is among the numerous industries rocked by COVID-19. And while countless retail employees are finding themselves without employment, there are some in the industry that are extremely fortunate in that they are able to transition their responsibilities to a work from home (WFH) scenario. This transition has been made possible thanks to innovative technology solutions. And, while technology presents virtually limitless possibilities and benefits, woe to the retail organization that doesn’t remain vigilant and protect itself from the dangers it presents as well. Virtual Private Networks (VPNs) currently hold the top position on this danger list, as many are learning (some the hard way).
The Unknown Frequency of Attacks
If you are looking for news about the inherent vulnerabilities of VPNs, you don’t need to look far. One of the many alarming reports of hackers succeeding where VPNs failed was last year when Iranian cybercrooks targeted organizations around the globe across numerous industries, such as information technology, security, telecom, government, oil and gas, and aviation.
The hackers, who it was reported were backed by the government of Iran, had a mission to infiltrate targeted business organizations in order to pave the way for a future planting of backdoors—a goal that was made possible by VPN weaknesses that the hackers instantaneously exploited once the bugs were publicized.
Although some naysayers have previously suggested that Iranian hackers lack the sophistication and talent of other groups for inflicting such mass attacks and destruction via cyberattacks, the most recent exposure of VPN failings—and the hackers’ ability to leverage them—implies otherwise. It took just hours for this group of Iranian hackers to infiltrate the VPN servers, weaponizing the vulnerabilities in a prolongation of attacks that commenced in the summer of 2019. It was reported that the hackers underwent a two-prong approach with their attacks against VPNs, starting with breaching and then progressing rather easily into lateral movement.
The security glitches were found in not just one enterprise VPN server, but numerous, with well-known names like Fortinet, Citrix, Palo Alto Networks, and Pulse Secure headlining the list.
The moral of the story? If you are an organization that depends upon a VPN server, you should rightfully be concerned. The truth is that reports on the Iranian hacking events exposed that these factions are now teaming up rather than working alone, which means double or triple suffering for the victims. The global attacks on VPN servers demonstrate that a minimum of three such Iranian groups were in fact working in partnership.
Although the mission of the hackers was to plant backdoors for information gathering, there’s a great deal more to fear once your network has been infiltrated by unauthorized parties like these, from data theft and data wiping to entire networks being held hostage and business operations grinding to a halt.
There seems no end to the novel VPN flaws being brought to light, which appears to be primed and ready for exploitation. And, if we use recent history as our guide, it seems rather clear that based on the speed at which the Iranian hackers were able to infiltrate and exploit previous VPN flaws and weaknesses, we can no doubt expect more of the same each time new vulnerabilities come to light, like the latest exposures of weaknesses in SonicWall SRA and SMA VPN servers.
VPNs – Unable to Support The Way We Work Today
Let’s take a step back and look at why VPNs are unable to support the way we work today, and why VPN servers lack the security needed to keep enterprise networks safe and private. Engineered for traditional perimeter enterprise security such as opening up firewalls with a direct-link method, they’re becoming obsolete in today’s cloud environment. In a hybrid cloud and multi-cloud world of public and private clouds—a world that involves distributed clients and applications that are no longer just on-premise—organizations have much greater chances of getting hacked via a data-exposing VPN backdoor when they rely on VPN for infrastructure access.
The problems originate from the fact that by their very nature, VPNs are built on an unprotected attack surface. Instead of giving different users access just to the specific applications and information needed to do business, VPNs instead expose a “slice of the network.” Additional VPN issues stem from their inability to segment at the app level—they segment at the level of the entire network instead – leaving the network unprotected. Moreover, inbound connections generate other attack surfaces.
And when we get right down to it, VPNs are also a complex headache to configure (highly prone to virtually invisible misconfigurations – you don’t realize it until it’s too late). VPN remote access requires dedicated routers, access control lists (ACLs), firewall policies, and the list goes on. As if this wasn’t enough, VPNs are also expensive and time-consuming to manage and maintain as a result of these complexities, particularly compared with the cost of more modern solutions.
But, what’s a retail organization to do?
SDPs Slam that Backdoor Shut, and Bolt IT
A software-defined perimeter (SDP) approach is an alternative to untrustworthy VPN security. SDP delivers “zero trust” security even in cloud-based environments, offering “micro-perimeters” (or micro-tunnels) that allow application-level segmentation. If you’re concerned about backdoor access—and you should be if you’re on a VPN server—an SDP solves that problem by making applications and services invisible to untrusted access eliminating the risk of lateral network attacks that have become synonymous with VPNs.
SDP solutions ensure much better security than VPNs when it comes to remote users accessing the network. This is a critical note, given how many of us are working today. With SDP solutions, outside parties are segmented to specific applications. It’s like being in an application-specific ‘escape room’ with no way out, which means there’s no need for headache-producing ACLs or firewall policies.
An SDP solution also enables organizations to virtually eliminate risk in the event of an outage, as they are adept at moving operations between various clouds and then creating secure communication links between IoT edge devices and IoT hubs. Specific types of SDP software can leverage “always-on” application infrastructures, further empowering the micro-tunnels to find their best execution path.
As the retail world continues to experience dramatic transformation – some of it temporary, some of which will likely endure – it demands a data access and security solution that can support the way it works today, and tomorrow. Like many technologies that preceded them, VPNs were at one time truly cutting-edge unrivaled technology. However, over time as the world’s IT and business climate has progressed, VPNs have remained almost completely unchanged. Consequently, VPNs are now not only unable to keep hackers at bay, but they may also actually make their jobs easier for them.
To keep your corporate and customer data secure in today’s IT reality, it has become imperative to deploy SDP software that enforces secure perimeters between trusted users/devices and just the services they need to access – virtually slamming the backdoor in the face of would-be hackers, and bolting it tight.
Don Boxley is CEO and Co-Founder, DH2i, a provider of multi-platform Software Defined Perimeter and Smart Availability software for Windows and Linux. DH2i software products DxOdyssey and DxEnterprise enable customers to create an entire IT infrastructure that is “always-secure and always-on.”