Are Corporate VPNs Secure?
Corporate VPNs are designed to provide a secure and encrypted connection for remote users to access a company's internal network or resources over the internet. Although corporate VPNs have been around for decades, deploying corporate VPNs is still a common practice even till today. That’s because it is still considered a secure way access to a company’s internet network and resources.
But in 2024, are corporate VPNs still secure? The answer is NO.
That’s because VPNs do not offer network security, cannot protect against social engineering attacks, lacks access authentication, and allows lateral movement once hackers gain entry, among other vulnerabilities listed here.
In this article, you’ll learn why corporate VPNs are not secure anymore and what the better option is when you want to secure corporate resources and remote access.
TABLE OF CONTENTS
7 Reasons Why Corporate VPNs are NOT Secure
No Cost, Big Protection.
Download Mamori Freemium and begin securing your jump servers with Mamori.io’s free, easy-to-use solution.
7 Reasons Why Corporate VPNs are NOT Secure
1. Vulnerable to Social Engineering Attacks
Just like in many aspects of cybersecurity, people are the weakest link when it comes to VPN security. VPNs primarily rely on things like unique usernames and single passwords for user authentication, and this authentication method is extremely vulnerable to social engineering attacks. In particular, users can fall victim to deceptive tactics, like phishing attempts delivered via company email, fraudulent websites that impersonate legitimate ones while requesting login details, malicious email attachments, or an attacker impersonating as an employee of the company, just like what happened in MGM’s ransomware attack.
2. Lateral Movement Across the Network
A corporate VPN is designed for use of all employees and third-party vendors. When they need to access company resources, their devices connect to a single IP address and VPN server. This setup ensures that the server is exclusively accessible to authorized business users. While this configuration is generally considered secure for business purposes, it also introduces potential vulnerabilities.
Business VPNs provide users with comprehensive access to all the data within the network. Oftentimes, that includes vendors, where they have an all-or-nothing access. They either have unrestricted access to the network (typically at the outset of a project) or no access at all (when access is revoked after the project concludes). This, in turn, heightens the risk of sensitive information being unintentionally exposed to those who don’t have authorized access to resources. Worse, if an attacker gains access to the network (via social engineering or other methods), the attacker can move laterally across the network to download, access, or encrypt all the resources he can find.
3. Not Tracking Network Activities
A business VPN is designed for secure access to network, which is why they do not have the ability to track network activities or network security features. That means corporate VPNs offer limited or minimal detailed audit logs, which means you cannot effectively track and document the activities of each third-party vendor utilizing the VPN, thereby creating security, data leak, and compliance issues.
Typically, corporate VPNs can log and record connection times and sometimes resources accessed, but that’s the extent of it. The logs are usually stored in a separate file or folder and is not being monitored in real-time. Because of these limitations, detecting and responding to security incidents will be extremely challenging.
4. Does Not Protect Against Network Scans
When a cyber-criminal successfully gains access to a network, the first thing he usually does is to scan the network so he can locate all resources connected to the network. VPNs are designed to secure communications, not network security, which is why VPNs are unable to stop and detect unauthorized port scanning or access attempts.
5. Vulnerable to Remote Code Execution (RCE)
In recent years, it is known that cyber-criminals have the capability to remotely run code on both VPN clients and server software, thereby gaining control of systems holding sensitive corporate data. This kind of security flaw is categorized as Remote Code Execution (RCE) and enables malicious actors to access and manipulate a device, regardless of its physical location.
In August 2021, the U.S. National Institute for Standards and Technology (NIST) issued a warning to the cybersecurity community that specific business VPN routers had been found to possess vulnerabilities that could allow attackers to execute code remotely, perform root-level commands, and trigger denial of service. Once in they can change configuration settings using RCE, they can move laterally across the network and connect deeper into their IT infrastructure. Here are the 6 known RCE vulnerabilities in enterprise VPN.
6. Does Not Protect Against the Negligent IT Professionals
Again, people are the weakest link when it comes to VPN security. IT professionals usually have a heightened sense of security are less likely to fall victim against social engineering attacks than the general employee. However, most IT professionals have multiple responsibilities and are over-worked, which leads the following unintentional negligence that compromises the corporate VPN security: unpatched VPN software, not changing default credentials, and weak authentication setup. All of these are vulnerabilities that an attacker can exploit and gain unauthorized access to a corporate network and its resources.
7. Does Not Protect Against “Trusted” Access
When thinking of security, most of us naturally think about protecting against outsiders. However, insider threats sometimes pose a more significant threat than external threats. Employees or contractors with legitimate access to the corporate VPN can misuse their privileges intentionally or unintentionally, posing a threat to the network's security. This is a result from VPNs all-or-nothing access and its inability to track network activities.
How to Secure Corporate Network and Remote Access Using Mamori.io
At Mamori.io, we understand the vulnerabilities of corporate VPNs. That is why we have created our solution to fill the security gaps of corporate networks and remote access. Listed below is a glimpse of what we can do:
1. Prevent Lateral Movements
Problem: When an attacker has access to the corporate network, the attacker can move laterally across the network to find vulnerabilities and escalate privileges so they can reach their ultimate target.
Solution:
Microsegmentation – Mamori.io enables you to microsegment a network into smaller, isolated and secure zones with unique security controls over each zone’s access. Not only does this prevent an attacker’s lateral movement by reducing the attack surface, it also helps enable more granular security controls, improve regulatory compliance, and improve network performance.
2. Block Unauthorized Network Scans
Problem: After gaining access to a corporate network, the first thing a cyber-criminal does is to scan the network to see what resources are connected to the network.
Solution:
Intrusion Detection - Any unsolicited attempts of a network scan will be detected and blocked. At the same time, the device making the unsolicited access will be locked, and the administrator and the device owner will be notified immediately of the unsolicited access.
3. 2FA on Every Resource Access
Problem: Once someone has access to the network, he can begin downloading and interacting with all the resources on the network.
Solution:
2FA on Every Resource Access: When we say 2FA everything, we mean it. Mamori.io can apply 2FA not only on network access, but also on access to specific resources, from those within an application to those in the database.
4. Identity and Role-based IP & Port Access Controls
Problem: In corporate VPNs, users sometimes share passwords with co-workers for convenient access to resources. Not only is this a huge risk to security, these passwords are also typically easy to crack by cyber-criminals. Thus, employees might be sharing the same user password with an attacker without knowing.
Solution:
Identity & Role-Based IP & Port Access Controls – Mamori.io enables organizations to set access control policies based on a person’s identity, role, IP address, and port. Not only will this eliminate the security risk of password sharing, it also creates multiple barriers to protect against cyber-criminals.
Access Management – Mamori.io’s access to resources is governed by least-privilege access policies, thereby blocking any unauthorized or unnecessary access to certain resources.
5. Protect Against Attacks from Within the “Trusted” Network
Problem: An attacker can lay hidden within your network and download small amounts of data each day. The same can also be done by a disgruntled employee who is potentially going rogue.
Solution:
Access Management – Mamori.io’s access to resources is governed by least-privilege access policies, thereby blocking any unauthorized or unnecessary access to certain resources.
Intrusion Detection – Any unsolicited access to resource will be identified. At the same time, the device making the unsolicited access will be locked, and the administrator and the device owner will be notified immediately of the unsolicited access.
Conclusion
While VPNs have been used and are known for secure remote access, it is no longer safe anymore. They do not offer network security, cannot protect against social engineering attacks, lacks access authentication, and allows lateral movement once hackers gain entry.
A better approach is to use Mamori.io. Not only can you secure your network using Zero Trust Network Access (ZTNA), intrusion detection, and microsegmentation, you can also apply 2FA to all access to your resources and apply more granular access controls.
Mamori.io is an all-in-one solution that prevent ransomware by offering multiple layers of security – from the network, servers, all the way down to the database. The same system can also help organizations comply with privacy regulations, reduce cyber insurance premiums, and automate ISO 27001.
For small businesses, Mamori.io has all the features to completely secure their data. For large businesses, Mamori.io covers security gaps, secures external vendor access, and provides access controls to the database.
Schedule a demo with Mamori.io or request your free trial. If you’re a small business with fewer than 20 users, you can use Mamori.io for free.