Investigations into the devastating Colonial Pipeline ransomware attack have revealed that cybercriminals accessed the network by compromising a dormant, “legacy” virtual private network (VPN) account that didn’t support multifactor authentication (MFA).
This wasn’t the first time a compromised VPN played a role in a ransomware attack. In April, a VPN vulnerability enabled cybercriminals to deploy ransomware in two production facilities belonging to a European manufacturer, forcing the plants to temporarily shutter. Recently, network device maker Zyxel warned customers of ongoing attacks on certain types of security devices that have remote management or SSL VPN enabled.
This raises the question: Are VPNs helping fuel the epidemic of ransomware attacks? If so, what can organizations do about it?
Answer: It’s time to ditch VPNs and implement zero-trust network access (ZTNA) solutions.
All VPNs Are Legacy Equipment
Colonial Pipeline took pains to note that its compromised VPN was “legacy” equipment. In reality, all VPNs are legacy equipment. They were designed to be used in a wildly different world. How different? When VPNs were first introduced, Bill Clinton was the U.S. President, The X-Files was in first-run on network television, and in the overwhelming majority of enterprises, both employees and computer equipment were located on-prem.
VPNs have evolved, of course, but they haven’t deviated far from their original use case: to provide secure remote access under a security architecture called “castle-and-moat.” A castle-and-moat setup assumes that threats to the network come only from the outside; all users, devices, and apps inside the network perimeter are implicitly trusted by default.
There are two big problems with this:
- Castle-and-moat ignores threats originating from inside the organization. This includes not only negligent or malicious insiders, but also external cybercriminals who use compromised credentials to access the network, as in the Colonial Pipeline case.
- Castle-and-moat depends on a very clearly defined network perimeter. In today’s cloud-based environments, there is no “network perimeter.” Systems, apps, data, hardware, and even employees are distributed. Further, network access is no longer restricted to employees. Freelancers and other contractors, vendors, and business partners must be able to remotely access certain areas of the network.
Zero Trust Killed the VPN Star
For these reasons, organizations have been moving toward zero-trust security architectures for years, a transition that’s accelerated since COVID-19 ushered in a new era of remote work. A Forrester study conducted post-pandemic found that 82% of organizations are “committed” to migrating to a zero-trust architecture.
Instead of implicitly trusting all users within the network perimeter, zero trust doesn’t trust anyone by default. In a zero-trust environment, all users, devices, and apps must be strongly authenticated, authorized according to least-privilege access constraints, and inspected for anomalies before they’re permitted to access network resources. Role-based access control (RBAC), least-privilege access, and MFA are indispensable to achieving zero trust.
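To make the contrast between the two models concrete, here is an added example (written for this page; it is not code from the original article or from any ZTNA vendor) that evaluates the same access request under a castle-and-moat rule and under a zero-trust rule. The perimeter model trusts any source address inside the internal range, which is exactly where a VPN tunnel lands a caller; the zero-trust evaluator instead checks MFA, account dormancy, device posture and least-privilege role authorization on every request. The network range, role-to-permission map, 90-day dormancy threshold and the three sample requests are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): a toy policy evaluator that
contrasts a castle-and-moat access decision with a zero-trust one.
All names, roles, thresholds and sample requests are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Constructed: the "inside the perimeter" range that a VPN tunnel lands in,
# and a least-privilege role map (resource:action strings).
INTERNAL_NET = ip_network("10.0.0.0/8")
ROLE_PERMISSIONS = {
    "pipeline-operator": {"scada-hmi:read", "scada-hmi:write"},
    "billing-analyst": {"billing-db:read"},
    "contractor-vendor": {"vendor-portal:read"},
}
DORMANCY_LIMIT = timedelta(days=90)   # assumed policy: disable unused accounts


@dataclass
class Principal:
    username: str
    roles: Set[str]
    mfa_passed: bool
    last_login: datetime


@dataclass
class Device:
    managed: bool          # enrolled in MDM / endpoint agent present
    disk_encrypted: bool
    os_patched: bool


@dataclass
class AccessRequest:
    principal: Principal
    device: Device
    source_ip: str
    resource: str          # e.g. "scada-hmi"
    action: str            # e.g. "write"


def castle_and_moat_allows(req: AccessRequest) -> bool:
    """Perimeter model: a caller that has reached the internal range
    (a valid VPN login is enough) is trusted by default."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_evaluate(req: AccessRequest, now: datetime) -> Tuple[bool, List[str]]:
    """Per-request model: strong authentication, account hygiene, device
    posture and least-privilege authorization. Returns (allowed, reasons)."""
    denials: List[str] = []
    p, d = req.principal, req.device
    if not p.mfa_passed:
        denials.append("mfa-not-satisfied")
    if now - p.last_login > DORMANCY_LIMIT:
        denials.append("account-dormant")
    if not (d.managed and d.disk_encrypted and d.os_patched):
        denials.append("device-posture-failed")
    wanted = f"{req.resource}:{req.action}"
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in p.roles))
    if wanted not in granted:
        denials.append("not-authorized-for-" + wanted)
    return (not denials, denials)


NOW = datetime(2021, 5, 7, tzinfo=timezone.utc)   # constructed reference time

# Constructed scenario 1: a long-unused account, password only, on an unmanaged
# device, tunnelled into the internal range (the "legacy VPN account" pattern).
DORMANT_VPN_LOGIN = AccessRequest(
    principal=Principal("legacy-vpn-user", {"pipeline-operator"}, mfa_passed=False,
                        last_login=NOW - timedelta(days=400)),
    device=Device(managed=False, disk_encrypted=False, os_patched=False),
    source_ip="10.8.0.23", resource="scada-hmi", action="write")

# Constructed scenario 2: an active operator with MFA on a compliant laptop.
HEALTHY_LOGIN = AccessRequest(
    principal=Principal("operator-a", {"pipeline-operator"}, mfa_passed=True,
                        last_login=NOW - timedelta(days=1)),
    device=Device(managed=True, disk_encrypted=True, os_patched=True),
    source_ip="203.0.113.9", resource="scada-hmi", action="write")

# Constructed scenario 3: a fully authenticated contractor asking for a
# resource outside their role (least-privilege denial).
CONTRACTOR_OVERREACH = AccessRequest(
    principal=Principal("vendor-b", {"contractor-vendor"}, mfa_passed=True,
                        last_login=NOW - timedelta(days=2)),
    device=Device(managed=True, disk_encrypted=True, os_patched=True),
    source_ip="10.8.0.44", resource="billing-db", action="read")

if __name__ == "__main__":
    for name, req in [("dormant", DORMANT_VPN_LOGIN), ("healthy", HEALTHY_LOGIN),
                      ("contractor", CONTRACTOR_OVERREACH)]:
        allowed, reasons = zero_trust_evaluate(req, NOW)
        print(f"{name:10} castle-and-moat={castle_and_moat_allows(req)!s:5} "
              f"zero-trust={allowed!s:5} {reasons}")
```

The dormant-account request passes the perimeter check simply because its tunnel endpoint sits in the internal range, while the zero-trust evaluator rejects it on three independent grounds before authorization is even considered. The contractor request shows the other half of the model: even a fully authenticated, compliant caller is denied anything its role does not explicitly grant. A real ZTNA broker also re-evaluates these signals continuously during a session rather than once at connect time.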