VPN risks: What the joint cybersecurity alert means for Australian CISOs

VPNs have emerged as a new vulnerability as remote work surges, as security centres struggle with patching software and identifying weaknesses, warn the Australian, UK, and US security agencies.


Remote work, VPNs and cloud-based technologies were among the most targeted vulnerabilities in 2020, according to the recent joint cybersecurity advisory from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Centre (NCSC).

It stands as yet another warning about the complex mix of risks CISOs are dealing with: widely known, dated vulnerabilities, and weaknesses embedded in organisation-wide software, which continue to be exploited against broad target sets in 2021.

There have been more of these joint advisories in the last 12 months. Because these three countries make up the majority of the Five Eyes alliance, the intelligence-sharing arrangement that also includes Canada and New Zealand, the advisories speak to the significance of these wide-scale threats, says professor Vijay Varadharajan, director of the advanced cybersecurity engineering research centre at the University of Newcastle, who also spent many years in industry at Microsoft and SAP.

In particular, the rapid uptake of remote work through the pandemic has hampered routine but critical security work such as rigorous patch management. Varadharajan says administrators need to ensure those patches are installed automatically.
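The patch-management point above is easy to state and hard to verify at scale. The script below is an added example, not code from the article or from any of the agencies it cites: it runs a simple patch-compliance check over a constructed inventory of VPN gateways, flagging hosts that run below a minimum version or that have not been patched within a set window. The product name, version numbers, hostnames and dates are all made-up placeholders.

```python
from datetime import date

# Constructed inventory (placeholder data, not from the article):
# (hostname, product, installed version, date of last patch as ISO string)
INVENTORY = [
    ("vpn-gw-01", "example-vpn", "9.1.3", "2021-07-20"),
    ("vpn-gw-02", "example-vpn", "9.0.7", "2021-07-25"),
    ("vpn-gw-03", "example-vpn", "9.1.3", "2021-05-01"),
    ("vpn-gw-04", "example-vpn", "8.9.12", "2021-04-10"),
    ("vpn-gw-05", "other-vpn", "2.4.0", "2021-07-30"),
]

# Minimum acceptable version per product (placeholder values). A product
# missing from this table is itself a finding: nobody has set a baseline.
MIN_VERSIONS = {"example-vpn": "9.1.0"}


def parse_version(text):
    """Turn a dotted version string into a tuple so that 9.1.3 > 9.0.7 and
    9.1.3 > 8.9.12 compare numerically rather than lexically."""
    return tuple(int(part) for part in text.split("."))


def find_noncompliant(inventory, min_versions, today, max_age_days=30):
    """Return {hostname: [reasons]} for every host that fails a check.

    today is an ISO date string; a host fails if its version is below the
    product minimum, if its last patch is older than max_age_days, or if
    no minimum version is recorded for its product at all.
    """
    today_date = date.fromisoformat(today)
    findings = {}
    for host, product, version, last_patched in inventory:
        reasons = []
        minimum = min_versions.get(product)
        if minimum is None:
            reasons.append(f"no minimum version recorded for {product}")
        elif parse_version(version) < parse_version(minimum):
            reasons.append(f"version {version} below minimum {minimum}")
        age = (today_date - date.fromisoformat(last_patched)).days
        if age > max_age_days:
            reasons.append(f"last patched {age} days ago (limit {max_age_days})")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_noncompliant(INVENTORY, MIN_VERSIONS, "2021-08-01").items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

In practice the inventory would come from a CMDB or the appliance's management API rather than a literal, and the minimum versions would be updated as vendors publish fixes; the check itself is the part worth automating so that a gateway that silently falls behind shows up in a report rather than in an incident.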

While VPNs have been in use for years, they were largely left untouched by hackers, mostly because they weren’t in widespread use. “People did not attack the software. But now it has become an attractive target for attackers; that’s the difference,” Varadharajan tells CSO Australia. “Attackers went after VPN software, in particular, in the first few months of the pandemic in 2020.”
