VPN risks: What the joint cybersecurity alert means for Australian CISOs

Remote work, VPNs, cloud-based technologies—some of the most targeted vulnerabilities in 2020, according to the recent joint cybersecurity advisory from the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Centre (NCSC).

It stands as yet another warning on the complex makeup of risks that CISOs are dealing with: widely known, dated vulnerabilities, and weaknesses embedded in organisation-wide software that continues to be targeted against broad target sets in 2021.

There have been more of these joint advisories in the last 12 months and, as these three countries are the majority of the Five Eyes alliance, the intelligence-sharing arrangement that includes Canada and New Zealand, it speaks to the significance of these wide-scale threats, says professor Vijay Varadharajan, director of the advanced cybersecurity engineering research centre at the University of Newcastle, who also spent many years in industry at Microsoft and SAP.

In particular, the rapid uptake of remote work through the pandemic has hampered regular, but critical, security updates such as rigorous patch management. Varadharajan says administrators need to ensure those patches are installed automatically.

While VPNs have been in use for years, they were largely left untouched by hackers, mostly because they weren’t in widespread use. “People did not attack the software. But now it has become an attractive target for attackers; that’s the difference,” Varadharajan tells CSO Australia. “Attackers went after VPN software, in particular, in the first few months of the pandemic in 2020.”

It’s the timeliness of patching that is critical, particularly with the now-more-relied-upon VPN software. ““Attackers went after VPN software, in particular, in the first few months of the pandemic in 2020, Varadharajan says. “This has been a problem with VPNs, and the software does change, just like any software. So, it is important to update VPN software for the patches and also to go through a reputable VPN.”

The problem of patchy patching

Acting quickly, however, isn’t always easy, with so many potential vulnerabilities creating a long list of patches. “Security admins often find it tough to make a case for patching urgently when there are more critical and high-severity bugs being announced every other day,” says Brett Winterford, who spent many years in industry at Symantec and CommBank and is now overseeing cybersecurity strategy at identity management specialist Okta.

He says while the information in these patch lists might not be new, they are useful to help make a stronger case for when bugs with similar characteristics come around again. “And it helps security teams recalibrate their assessment of risk,” he tells CSO Australia.

However, despite the warnings, patching is still not being carried out in a uniform, regular routine in many organisations. Troy Heland, who heads up security engineering at the Verizon APAC security operationscentre, which has government-cleared specialists undertaking continual security monitoring, says its latest data breach report reveals “patching performance in organisations has not been stellar”.

“The rise in use of VPNs for remote working will mean this attack surface is now bigger, so we would expect to see an increase of these types of attacks,” Heland says.

Beyond patches: Focus on vulnerabilities and frustrating hackers

But while patching might be the common fix, discovering the vulnerabilities is where the organisations need to focus—outside of the usual scanning method. “A relatively small percentage of [vulnerabilities] are used in breaches,” Heland says. “An attacker would try a vulnerability exploitation as a low-hanging fruit, but using gathered valid credentials is the preferred access method,” he says.

Heland advises organisations to consider vulnerabilities found in uncatalogued and noninventoried assets that they don’t know exist. “This means that the vulnerabilities are likely not the result of consistent vulnerability management applied slowly but a lack of asset management instead.”

Two-factor authentication is identified in the advisory as still not deployed sufficiently. If implememnted, it can work to frustrate attackers, creating security hurdles. “Attackers prefer short paths and rarely attemptlong paths,” he says.

“Anything you can easily throw in their way to increase the number of actions they have to take is likely to significantly decrease their chance of absconding with the data. It’s imperfect but does help by adding anadditional step,” Heland says.

Budget is a security vulnerability

Security experts agree, and all CISOs are well aware, that organisations need to adopt the Essential Eightas the organisation-wide security standards. But budget and labour force restrictions can make this a challenge, even for the most committed CISO.

Verizon’s Heland says CISOs should follow the lead of the joint government advisory and focus on VPNs, identified in four of the most targeted vulnerabilities, and focus on any obstacles to securing these now widely used tools. “There are many reasons why these actions have not been taken to secure networks. It might be limited budget and investment in security measures, which are often reactionary rather than proactive,” he says.

However, finding cybersecurity professionals is increasingly difficult in Australia. It’s also and more expensive, with growing demand and a shrinking pool of cybersecurity talent, thanks to border closures.

Heland says CISOs can use the spate of recent attacks as examples, along with the joint advisory, to make their case. “To drive access to funding and resources required for hardening security into design when developing network infrastructure to support the ways businesses need to work.”

Security devils in the coding and architecture details

When it comes to understanding vulnerabilities at a technical level, there are about four or five common errors in the lines of code in much widely used software, the University of Newcastle’s Varadharajan says. “So when you have software written like this, you’re bound to find the bugs or flaws or logical errors that need patches all the time.”

To avoid making these errors when you have 100 million lines of code is difficult. Then there’s the problem of privilege- escalation errors. “With so many programs interacting with each other in a distributed world, [the software] may give it an ability or a privilege to do something that was not intended,” he says.

In some cases, state-backed actors have been first to exploit some of these common vulnerabilities identified in the advisory, only to cede it to a broader set of noisier actors once it’s been detected and disclosed, says Okta’s Winterford.

And detecting and patching, while essential, are only part of the picture. If the defences are breached, the question becomes how far attackers can venture. Winterford says in some cases very little will stand in the way of attackers once a networking device is compromised.

If attack and breach is a given, anticipating the attacker’s next move needs to be part of the CISO playbook. “We create opportunities for detection when we remove the implicit trust relationships that provide for easy lateral movement or privilege escalation once a device or a set of credentials are compromised,” he says. “In a better architected environment, you would have contextual, step-up authentication for access to applications or other computing resources.”

Emerging attack vectors

It might be standard in many large organisations and federal government departments, but smaller organisations and even local governments and councils don’t necessarily have the security capability or administrators to address new potential lines of attack. In particular, Varadharajan sees healthcare as a key area of concern. The healthcare industry has the largest number of reported cases in the latest Australian data breach report. ”It’s in GP practices, small practices, and smaller hospitals,” he says.

The advisory says cloud-based technologies were one of the most targeted vulnerabilities in 2020. Looking ahead, Varadharajan points to industrial internet of things as a growing attack vector. Where once organisations could define and identify network boundaries and network devices, the growth in industrial IoT is seeing the number of devices multiply—and without the necessary level of security protections, it is cause for concern.

If the devices are connected to services, such as those providing electricity or water, then attackers can cause disruption—with far greater consequences. “If an attacker can breach a device where devices are connected, it can create this amplification effect,” he says.