Cybersecurity News that Matters

Zero trust framework is still vulnerable with existing VPN, security researchers disclose

by Dain Oh, Areum Hwang

Sep. 04, 2023
10:45 AM GMT+9

As the shift toward a zero trust security model gains momentum in the United States and beyond, South Korean researchers have found that even existing network safeguards, like virtual private networks (VPNs), still pose a security risk to this emerging framework.

In a series of experiments using configurations of current VPN technology, the researchers successfully breached a zero trust security environment, gaining administrative access that enabled them to remotely infiltrate systems.

Kim Eunyoung, a Principal Researcher at the National Security Research Institute’s (NSR) Cyber Security Research Division, unveiled her latest findings at the World Conference on Information Security Applications (WISA). The conference was held from August 23 to 25 on Jeju Island, South Korea. Collaborating with her on this research was Sohn Kiwook, a Computer Science and Engineering professor at Seoul National University of Science and Technology, who previously served as a director at NSR.

Kim Eunyoung, a Principal Researcher at the National Security Research Institute’s (NSR) Cyber Security Research Division, is sharing her research findings at the World Conference on Information Security Applications (WISA) on August 23. Photo by Dain Oh, The Readable

In a research paper published through WISA, titled “Research on Security Threats Using VPN in Zero Trust Environments,” the two researchers carried out a series of experiments and firmware analyses. Their goal was to pinpoint security vulnerabilities in Zero Trust Network Access (ZTNA) systems, with a particular focus on current network equipment.

“Despite the adoption of zero trust in many network environments, existing firewall or VPN devices are still in use,” said Kim while introducing the research. “We attempted to examine potential security threats that zero trust environments may encounter due to vulnerabilities in these existing network devices and propose countermeasures to mitigate such threats,” she elaborated.

Security threat scenario in zero trust environment using VPN. Source: Research on Security Threats Using VPN in Zero Trust Environments

The U.S. National Institute of Standards and Technology (NIST) defines zero trust as “the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Interest in the security framework has surged within global tech circles ever since the Biden administration signaled its intention to adopt zero trust policies through an executive order aimed at bolstering the nation’s cybersecurity in May 2021.

According to the researchers, the zero trust maturity model consists of five pillars: identity, device, network and environment, application workload, and data. “Although the five pillars provide a solid foundation for organizations to improve their security posture, there is no one-size-fits-all approach,” explained Kim. The researcher went on, adding that “most of the proposed models for zero trust have primarily focused on access control for end devices and access data by strengthening user authentication.”

Starting with the premise that security threats could still arise even under a zero trust framework, Kim and Sohn conducted simulations based on vulnerability-focused attack scenarios. They compared Google’s Beyond Corp with Netflix’s Location Independent Security Access (LISA). To validate their findings, the researchers zeroed in on models similar to Netflix’s LISA, which they suspected could inherit either undisclosed or publicly disclosed vulnerabilities from existing network devices. This focus contrasted with Google’s Beyond Corp approach, which eliminates VPNs and firewalls from the equation.

Additionally, the researchers put one company’s VPN equipment under the microscope and discovered a flaw that “allows an attacker to obtain a reverse shell by executing a command that connects to it” even within a zero trust framework. A reverse shell is a hacking technique that exploits a system’s vulnerabilities, ultimately granting threat actors unauthorized access to the targeted device.

“Although ordinary users may not have a significant impact on the system as a whole, even if they are subject to hacking attacks from external sources in a zero trust environment, vulnerability attacks on users with administrator privileges can cause many problems throughout the system,” warned Kim. “When introducing the new zero trust framework, real-time monitoring of abnormal user behavior and security measures should be reviewed for all network equipment rather than simply strengthening user authentication with a more robust policy.”
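As an added illustration of the kind of real-time monitoring Kim recommends for network equipment (this is example code written for this article, not code from the researchers, the paper, or any VPN vendor), the script below scans constructed appliance log lines and flags a connection the appliance itself opens to an external host from an unexpected process shortly after an administrator command. The log format, host names, addresses, the `EXPECTED_PROCS` allowlist and the `INTERNAL_NETS` ranges are all assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample appliance log lines; format, host names and addresses are invented for
# this example and are not taken from the paper or any real VPN product.
SAMPLE_LOGS = """\
2023-08-23T10:00:01 appliance=vpn-gw1 event=admin_login user=admin src=10.0.5.20
2023-08-23T10:00:07 appliance=vpn-gw1 event=admin_cmd user=admin cmd="diag netcheck"
2023-08-23T10:00:09 appliance=vpn-gw1 event=outbound_conn proc=sh dst=203.0.113.9:4444
2023-08-23T10:00:20 appliance=vpn-gw1 event=outbound_conn proc=curl dst=10.0.8.50:8080
2023-08-23T10:05:00 appliance=vpn-gw1 event=outbound_conn proc=vpnd dst=10.0.8.10:443
2023-08-23T11:30:00 appliance=vpn-gw1 event=outbound_conn proc=ntpd dst=10.0.0.123:123
"""
# Assumed: these daemons legitimately open connections from the appliance, these are the
# organisation's internal ranges, and anything else the appliance itself dials is external.
EXPECTED_PROCS = {"vpnd", "ntpd", "syslogd"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)  # admin command followed by a new connection within this
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one log line into a dict of key=value fields plus a parsed timestamp."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields

def is_external(dst):
    """True when a host:port destination lies outside the internal ranges."""
    ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return not any(ip in net for net in INTERNAL_NETS)

def detect_reverse_shell_indicators(log_text):
    """Flag appliance-originated connections that look like a reverse shell: an unexpected
    process on the appliance dialling an external host shortly after an admin command."""
    last_admin_cmd = {}  # appliance -> (timestamp, command text)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        app = ev["appliance"]
        if ev["event"] == "admin_cmd":
            last_admin_cmd[app] = (ev["ts"], ev["cmd"])
        elif ev["event"] == "outbound_conn" and ev["proc"] not in EXPECTED_PROCS:
            recent = app in last_admin_cmd and ev["ts"] - last_admin_cmd[app][0] <= WINDOW
            if recent and is_external(ev["dst"]):
                alerts.append({"appliance": app, "proc": ev["proc"], "dst": ev["dst"],
                               "after_cmd": last_admin_cmd[app][1]})
    return alerts
```

Calling `detect_reverse_shell_indicators(SAMPLE_LOGS)` returns one alert, for the `sh` process dialling `203.0.113.9:4444` two seconds after the admin command; the internal `curl` connection and the allowlisted daemons are not flagged.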
