Five percent of VPN solutions remain unpatched and vulnerable

No Comments
VPN tiles

In 2020 we saw a huge shift to remote working, with VPN often the technology of choice for keeping connections secure.

But a new Network Security Report from SpiderLabs at Trustwave reveals that this trend didn't go unnoticed by cybercriminals, with malicious actors targeting unpatched VPN vulnerabilities more frequently.

More worrying is that by the end of 2020 five percent of VPN solutions remained unpatched and were still vulnerable to several of the most prominent VPN common vulnerabilities and exposures (CVEs). Indeed some had yet to be patched for a two-year-old Fortinet FortiOS SSL VPN path traversal vulnerability that can allow attackers to steal login details.

Prutha Parikh, senior security research manager, says on the Trustwave SpiderLabs blog:

VPNs take what we call a 'perimeter-based' approach to security -- trusted users on the inside and untrusted users on the outside. This approach was somewhat sufficient pre-pandemic with firewalls and other security solutions protecting office workers.

But, when the dramatic shift to remote work happened a year ago, it highlighted some of the challenges that came with this perimeter-based model of security that VPNs relied on. Employees were connecting into corporate networks from multiple locations, sometimes through bring-your-own-devices (BYOD) and unmanaged devices while on their home networks. This de-centralized workforce created a very large enterprise attack surface for VPN solutions. The access-to-all-or-nothing motto is the reason a VPN compromise can be extremely dangerous. Once an attacker is on the corporate network, they have access to everything. So when an attack occurs, the damage could be significant.

The report also looks at the Solar Winds supply chain attack, which it terms, 'probably the most crippling and devastating breach of the decade'. It highlights that businesses need to have in place a defense in depth approach to deal with issues when prevention of an attack fails.

You can find out more and get the full report on the Trustwave blog.

Photo credit: Roobcio / Shutterstock

No Comments

Comments are closed.

Got News? Contact Us

Recent Headlines

TEAMGROUP unveils MP44Q M.2 PCIe 4.0 SSD

Cyberwarfare incidents reported by almost half of UK firms

Ransomware, meet DRaaS: The future of disaster mitigation

Get 'Modern DevOps Practices -- Second Edition' (worth $39.99) for FREE

Number of ransomware victims up 20 percent in first quarter of 2024

Low-code tools boost developer productivity

Cisco warns of serious CLI command injection vulnerability in its Integrated Management Controller

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

60 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

17 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

16 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

16 Comments

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE

10 Comments

EndeavourOS ARM discontinued: A huge loss for the Linux community

9 Comments

Install the KB5035942 update for Windows 11 to gain all of the Moment 5 features right now

8 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.