Travelex Hack Raises A Red Flag On VPN Security

Foreign exchange firm gets hacked via its VPN provider.

The New Year’s Eve ransomware attack on foreign exchange firm Travelex, which forced the company to shut down its computer systems to stop the spread of the Sodinokibi virus, was still unresolved two weeks after the breach. Travelex had failed to patch its vulnerable Pulse Secure VPN (virtual private network) servers.

The news raised questions about whether legacy VPNs can cope with the scale and complexity of protection required as applications migrate to the cloud and the number of remote users grows rapidly.

Replacing legacy VPNs isn’t as important as keeping them up to date and patching them, argues Stuart Reed, vice president of cybersecurity at Nominet, guardian of the .uk domain name registry. “Organizations need to understand what assets they have and what they need to protect, and benchmark an acceptable level of trust,” says Reed. “As trends such as cloud computing and Bring Your Own Device become more common, this can be a challenge, as they need to ensure that only trusted devices and users can access the company assets.”

Gartner predicts that by 2023, 60% of enterprises will have phased out most of their remote-access VPNs in favor of zero-trust network access (ZTNA), and Reed agrees it’s a good way to reduce an organization’s attack surface. “By reducing the number of operating systems, versions, software and hardware types that can access your sensitive data or applications, you get a better view of what you need to protect and can react to potential vulnerabilities much quicker,” he says. 

Like any security solution, ZTNA is not a silver bullet. For example, users may still open a malicious attachment in a phishing email. ZTNA needs to be combined with other security layers, such as a network detection-and-response solution that allows normal activity in a ZTNA scenario to be benchmarked, making it easier to spot abnormal activity.