Lateral movement — it’s one of bad actors’ favorite methods for finding high value targets they can exploit, once they are in your network. Tracking your servers, reading your mail, eating your snacks — pretty much causing havoc that could have very significant consequences.
I was speaking at a recent sales conference about network security and decided it would be fun to ask a generative AI assistant the best way to combat lateral movement, one of the main attack vectors in an IoT environment. The platform we used responded with some of the usual suspects when it comes to security methods, e.g. firewalls and virtual private network (VPN) configurations. However, as we dug into these options it became clear that there were deficiencies in these methods that would not combat lateral movement.
Of the options many enterprises can choose for stopping lateral movement, a zero-trust network approach tops the list. This is especially important in protecting IoT devices such as sensors or security cameras. However, many enterprises still rely heavily on VPNs and private APNs (access point nodes — carrier private networks). It’s time for enterprises to level up their security approach, replace their VPNs and lean further into the benefits zero-trust has to offer.
Why might organizations still use VPNs and private APNs?
The answer to this question could be as simple as, “That’s what enterprises are used to.” Although zero-trust has been gaining popularity for the last decade, VPNs are still the legacy network security option for many organizations. As with most legacy technology, even if enterprises recognize the newest tech is better, it can be difficult to commit time, manpower and finances to upgrading to whatever the cutting edge is at that moment.
In the case of private APNs, the reason for popularity may be a little different. It’s common for network providers to offer private APNs in tandem with the network connectivity the organizations are already purchasing. Also, from a sales perspective, there are network providers who may offer discounts on the private APN as an incentive for purchasing connectivity from them.
Enterprises acknowledge the benefits of zero-trust and the vulnerability in VPNs
Data from Zscaler suggests an increasing number of enterprises are beginning to realize VPN vulnerabilities. In their most recent VPN report, 92% of respondents said they recognize the importance of adopting a zero-trust architecture, which is up 12% from last year’s report. Multiple respondents in the report recalled attacks on their network and concerns about how third-party vendors are securing their network.
Recognizing the risks associated with VPNs is an important first step to changing your security architecture. VPNs are widely known for being complex to configure and manage and, therefore, they add to the workload on your over-worked IT department. As a result, VPNs are not equipped to stop lateral movement once a bad actor is already inside.
Let me share an analogy: I recently checked into a hotel where they issued me a key card for my room. When I got on the elevator, I had to scan the key card to take the elevator to my floor. I learned, though, that I could press any button on the elevator, once I had used my key card, so I could go to any floor in the hotel. This is similar to a traditional VPN, with a high risk of lateral movement.
Compare this to a newer elevator security system that I used a week later. When I scanned my key card, I was given access only to the floor that I was authorized for. I could not press any other buttons to gain access to other floors. This is similar to a zero-trust network.
There are multiple ways a bad actor could roam around your “hotel” or network architecture. Lateral movement could occur because the default password on an IoT device never got changed. Once attackers are inside and moving laterally, they may be able to compromise the network. They can use lateral movement to discover your network architecture, gain credentials and access the most sensitive information.
The stakes are too high for enterprises to not trust a zero-trust security solution.
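The elevator comparison above can be checked against a real policy by computing how far an intruder could get from each device. The following is an added example, not part of the original article; the host names, the allow-list and the assumption that every reachable host can be taken over are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory; every name here is hypothetical.
HOSTS = ["camera-01", "sensor-07", "video-recorder",
         "telemetry-api", "file-server", "hr-db"]

# Zero-trust allow-list: each identity may open sessions only to these peers.
ZERO_TRUST_ALLOW = {
    "camera-01": {"video-recorder"},
    "sensor-07": {"telemetry-api"},
    "video-recorder": {"file-server"},
    "telemetry-api": set(),
    "file-server": set(),
    "hr-db": set(),
}

def flat_vpn_edges(hosts):
    """Flat VPN or private APN segment: any admitted host can reach any other."""
    return {h: set(hosts) - {h} for h in hosts}

def blast_radius(edges, foothold):
    """Breadth-first search over permitted connections.

    Returns {host: hops} for everything reachable from the foothold, under the
    pessimistic assumption that each host reached can itself be taken over.
    """
    hops = {foothold: 0}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for peer in sorted(edges.get(current, ())):
            if peer not in hops:
                hops[peer] = hops[current] + 1
                queue.append(peer)
    del hops[foothold]
    return hops

def exposure_report(edges, sensitive):
    """Map each possible foothold to the sensitive hosts reachable from it."""
    return {h: sorted(set(blast_radius(edges, h)) & sensitive) for h in edges}

if __name__ == "__main__":
    for label, edges in (("flat VPN", flat_vpn_edges(HOSTS)),
                         ("zero-trust", ZERO_TRUST_ALLOW)):
        print(label, "from camera-01:", blast_radius(edges, "camera-01"))
        print(label, "paths to hr-db:", exposure_report(edges, {"hr-db"}))
```

Under the allow-list the camera still reaches `file-server` in two hops through the recorder, which is the kind of chained path a policy review should surface before deployment.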
What can zero-trust do for you?
This is the question enterprises must answer if they want to transition from a traditional VPN architecture to a zero-trust network. To be honest, making the switch won’t be easy for every enterprise. In fact, not every enterprise has a well-staffed IT team. This is why it’s extremely important to select a solution that will minimize the complexity that may come with the configuration and management of your zero-trust network.
As enterprises look to deploy a zero-trust solution, there are several key capabilities to look for. For example, a good zero-trust network doesn’t broadcast IP addresses. This is especially important because IP scanning is a common hacker method used to discover IP addresses of vulnerable devices to use as an entry point. The best zero-trust solutions leverage a name-based routing approach for the devices on your network. This further enables easy configuration without spending hours resolving IP addressing scheme issues.
Take back control of your network
Attacks from bad actors may come from the least expected sources in your network. Some may recall the cyberattack in a Las Vegas casino where hackers gained access to sensitive information through a fish tank thermometer! With the various, unexpected ways your network could fall victim to attacks, it’s time to stop relying solely on traditional security measures from VPNs, and instead turn to zero-trust solutions that provide the most stringent network security. Only then will you have more control over how you protect your network and how you avoid common mistakes that bad actors can leverage.