
The Double-Edged Sword of Using Boundary Devices


Modern businesses rely on boundary devices to protect their networks and data against cyber threats. These devices (VPNs, firewalls, routers, etc.) serve as the gatekeepers of business networks, monitoring the flow of inbound and outbound traffic. But as the first line of defense, boundary devices are also prime targets for cyber attacks.

In the first quarter of 2024, we witnessed the emergence of new critical vulnerabilities impacting virtual private network (VPN) devices from Ivanti and Fortinet, along with previously disclosed vulnerabilities impacting SonicWall firewall devices. Vulnerabilities in boundary devices can lead to unauthorized access, data breaches, and service disruptions.

Boundary devices are a double-edged sword for businesses: The technology that helps mitigate the risk of cyber threats and enables things like secure remote access, data protection, and regulatory compliance can also be specifically targeted in cyber attacks.

Most businesses use some sort of boundary device, which means brokers have an opportunity to educate their clients on how this technology can create cyber risk. To help guide conversations, we asked our experts about the pros and cons of boundary devices, strategies for addressing vulnerabilities in these devices, configuration tips, technology alternatives, and more.

Reimagining the modern network

When you picture a network, do you see an office with computers linked together by routers, connected to a data center, and protected with firewalls? This was once the standard, but advancements in cloud and mobile computing, alongside the rise of remote work, have forced us to reimagine what a computer network means to most businesses. 

Many modern businesses operate in a hybrid model with a mix of on-premise resources, cloud and mobile applications, and third-party infrastructure. In fact, some businesses were “born in the cloud” with little to no on-premise technology. 

This new reality can increase productivity and efficiency. When done correctly, it can even improve security. Yet, many businesses continue to rely on traditional networking boundary devices for remote access, connectivity, and security, making them critically important.

Benefits afforded by boundary devices

Acknowledging that boundary devices come with tradeoffs, let’s start with the positives. Here are some of the clear benefits afforded by VPNs, firewalls, and other comparable technologies.

  • Remote work and global operations: Boundary devices are essential for distributed workforces. VPNs enable secure remote access, allowing employees to work from anywhere while ensuring data is encrypted and protected from interception.

  • Data security and privacy: Businesses that transmit sensitive data over the internet need strong security controls to protect them from cyber threats. VPNs encrypt data in transit, making it unreadable to unauthorized users, while firewalls act as a barrier between secure internal networks and untrusted external networks by monitoring and controlling traffic.

  • Regulatory compliance: Businesses in select industries may be subject to strict regulatory requirements regarding data protection and privacy. Boundary devices can help ensure compliance with these regulations by securing data and mitigating the risk of breaches.

Furthermore, boundary devices are usually more cost-effective than building dedicated private networks because they leverage existing internet infrastructure to create secure, private connections. They can also optimize network performance and provide administrators with tools to manage traffic and bandwidth effectively.


Associated risks of boundary devices

The benefits of boundary devices are undeniable, but they come at a cost. Vulnerabilities in the devices themselves can create gateways for threat actors to bypass authentication checks, run arbitrary code or commands, trigger denial-of-service (DoS) attacks, carry out cyber extortion, or use the compromised device as a foothold in the client network to perpetrate more attacks.

“The value of boundary devices is well-understood, but we all think about them in different ways,” said Scott Walsh, Principal Security Researcher at Coalition. “Businesses view these devices as a way to enable productivity, while threat actors see them as a portal to unfettered access. As a cyber insurance provider, we consider them in terms of overall cyber risk, especially devices with a history of critical vulnerabilities.”

Zero-day vulnerabilities in boundary devices are particularly concerning because they can be exploited before developers have the opportunity to release a fix, as we saw with the Ivanti VPN zero-day vulnerability in January. Coalition honeypot data showed a spike in traffic scanning for Ivanti devices seven days before the vulnerability was disclosed.

Coalition Honeypot Activity — Ivanti
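The honeypot observation above is, in detection terms, a spike in product-specific probing against a quiet baseline. The following is an added example (not Coalition's code or data) of how a defender can flag such a spike in their own web or honeypot logs: it counts requests per day whose path contains a product marker and flags days that exceed the median of the previous week by a robust margin. The log lines are constructed for illustration; the path prefix /dana-na/ is used here as the marker for requests aimed at Ivanti Connect Secure, and the window and thresholds are assumptions to tune against real traffic.

```python
"""Flag days on which honeypot traffic aimed at one product spikes above its
recent baseline. Added example; the log data below is constructed."""
from statistics import median

# Path prefix treated in this example as "a request aimed at Ivanti Connect Secure".
PRODUCT_MARKER = "/dana-na/"


def build_sample_log():
    """Constructed honeypot log, one request per line: "<date> <src_ip> <method> <path>".
    Two marker requests a day for two weeks, then a burst from many sources on day 14."""
    lines = []
    for day in range(1, 16):
        date = f"2024-01-{day:02d}"
        lines.append(f"{date} 198.51.100.7 GET /")
        lines.append(f"{date} 198.51.100.8 GET /robots.txt")
        for n in range(2):
            lines.append(f"{date} 203.0.113.{n + 1} GET /dana-na/auth/url_default/welcome.cgi")
    for n in range(40):  # the burst: distinct scanners probing the same product path
        lines.append(f"2024-01-14 203.0.113.{100 + n} GET /dana-na/auth/url_default/welcome.cgi")
    return "\n".join(lines)


def count_marker_hits(log_text, marker=PRODUCT_MARKER):
    """Return {date: number of requests whose path contains `marker`}.
    Every date seen in the log is present, even with zero marker hits."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        date, _src, _method, path = parts
        hits.setdefault(date, 0)
        if marker in path:
            hits[date] += 1
    return hits


def flag_spikes(daily_counts, window=7, k=5.0, min_hits=10):
    """Flag each day whose count exceeds median + k * MAD of the previous `window` days.
    Median/MAD are used instead of mean/stdev so one earlier burst does not
    inflate the baseline. `min_hits` suppresses alerts on tiny absolute counts.
    Returns a list of (date, count, baseline_median)."""
    dates = sorted(daily_counts)  # ISO dates sort chronologically as strings
    flagged = []
    for i in range(window, len(dates)):
        history = [daily_counts[d] for d in dates[i - window:i]]
        base = median(history)
        mad = median(abs(h - base) for h in history) or 1.0  # floor MAD so a flat baseline still works
        count = daily_counts[dates[i]]
        if count >= min_hits and count > base + k * mad:
            flagged.append((dates[i], count, base))
    return flagged


if __name__ == "__main__":
    counts = count_marker_hits(build_sample_log())
    for day, count, base in flag_spikes(counts):
        print(f"{day}: {count} marker requests vs baseline median {base}")
```

Run against real logs, a flagged day for a product you operate is a prompt to check the vendor's advisories and your exposure, even before a CVE is public.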

“Exploitation of boundary devices is not a new phenomenon, but these exploits seem to be happening more frequently,” said Jason Vitale, Incident Response Lead at Coalition Incident Response* (CIR). “The devices that are being targeted are very popular, which makes sense because threat actors tend to gravitate toward those with higher usage.”

The critical vulnerabilities targeting these devices aren’t necessarily new, either. In January, security researchers found more than 178,000 internet-exposed SonicWall firewall devices still affected by two previously disclosed vulnerabilities. The vulnerabilities, which enable a DoS attack, date as far back as March 2022 and require firmware patching for remediation — a crucial yet complicated component of every cyber risk mitigation strategy.


Strategies for vendor advisories and patching

Whether a vulnerability impacts a boundary device or another technology, the most important thing we stress to policyholders is that they need to be highly responsive to security alerts. In this case, that means proactively engaging with their technology vendors. 

“If a business has a SonicWall device, they should be on the SonicWall email list,” said Vitale. “These vendors publish advisories and share important information, so it’s critical that businesses pay attention when they receive an alert.”

As a best practice, Coalition recommends that all businesses sign up for alerts from their technology vendors, given the critical role boundary devices play in perimeter defense. However, staying informed about new vulnerabilities is only half the battle — businesses must also be quick to act.

Timely patching of all software and firmware can help businesses significantly reduce the likelihood of an attack. In fact, policyholders with one unresolved critical vulnerability of any kind were found to be 33% more likely to experience a cyber claim.

Establishing a regular patch cadence is a smart risk management strategy, though businesses must also get comfortable deviating from that cadence in certain situations.

“If a critical patch comes out on a Tuesday, but the patch schedule isn’t planned until Friday after hours, don’t risk it,” said Vitale. “We’ve seen instances where businesses knew of a vulnerability and were planning to patch but experienced an attack because they waited until it was most convenient.”

Configuration tips for boundary devices

In addition to promptly patching technologies with known vulnerabilities, businesses can configure their boundary devices to reduce the chances of a cyber attack. Here are five simple configuration tips from CIR:

  1. Enable multi-factor authentication (MFA): Reinforcing a VPN with extra authentication helps ensure only the right people have access. Most boundary devices allow MFA to be enabled directly in the device’s administrative settings.

  2. Limit access privileges: VPN access may not be necessary for every employee. Businesses should perform regular audits and look for ways to implement least-privilege access, which limits user access based on job function and necessity.

  3. Avoid shared accounts: Every administrator should have their own account with privileges based on their individual responsibilities. Try to avoid sharing user accounts, especially if it’s an admin account.

  4. Set up geolocation: If your client operates in Kansas, why is someone able to log in to its VPN from Germany? Geolocation-based access rules block connection attempts that originate outside a predetermined area, which is particularly appropriate for small, regional businesses. Because IP geolocation is approximate and attackers can route through infrastructure in the allowed region, treat it as a way to cut down attack traffic rather than a substitute for MFA.

  5. Enforce lockout policies: Locking an account after repeated failed logins helps blunt brute-force and credential stuffing attempts and other unauthorized access. Businesses can set up rules that lock out users for a certain amount of time or even require an administrator to reset the account.
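The following added example (not CIR’s code) turns tips 1, 3, 4 and 5 into checks that can be run over exported VPN authentication events: successful logins without a second factor, one username succeeding from different source addresses within minutes, successful logins from outside the allowed countries, and users who crossed the lockout threshold. The events, the IP-to-country table, the allowed-country list and the thresholds are constructed assumptions; a real audit would read the device’s own log format and query a geo-IP database.

```python
"""Audit constructed VPN authentication events against the configuration tips above.
Added example; names, addresses, thresholds and the geo table are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}              # where the business actually operates (assumed)
LOCKOUT_THRESHOLD = 5                   # failures inside LOCKOUT_WINDOW should lock the account
LOCKOUT_WINDOW = timedelta(minutes=15)
SHARED_WINDOW = timedelta(minutes=10)   # same user from two IPs this close apart = likely shared

# Constructed stand-in for a geo-IP database; a real audit would query one.
GEO_IP = {
    "198.51.100.20": "US",
    "198.51.100.21": "US",
    "192.0.2.9": "US",
    "203.0.113.5": "DE",
}

# Constructed events: "<ISO time> <user> <src_ip> <success|failure> <mfa yes|no>".
SAMPLE_EVENTS = """
2024-03-05T08:00:00 jdoe 198.51.100.20 success yes
2024-03-05T08:02:00 admin 198.51.100.21 success no
2024-03-05T08:03:00 admin 192.0.2.9 success no
2024-03-05T08:05:00 mlee 203.0.113.5 success yes
2024-03-05T09:00:00 svc 198.51.100.20 failure no
2024-03-05T09:01:00 svc 198.51.100.20 failure no
2024-03-05T09:02:00 svc 198.51.100.20 failure no
2024-03-05T09:03:00 svc 198.51.100.20 failure no
2024-03-05T09:04:00 svc 198.51.100.20 failure no
2024-03-05T10:00:00 jdoe 198.51.100.20 failure yes
"""


def parse_events(text):
    """Parse the constructed format into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result, mfa = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "ok": result == "success", "mfa": mfa == "yes"})
    return sorted(events, key=lambda e: e["time"])


def mfa_gaps(events):
    """Tip 1: users who logged in successfully without a second factor."""
    return {e["user"] for e in events if e["ok"] and not e["mfa"]}


def shared_account_signals(events, window=SHARED_WINDOW):
    """Tip 3: one username succeeding from different source IPs within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append((e["time"], e["ip"]))
    flagged = set()
    for user, logins in by_user.items():
        for i in range(len(logins)):
            for j in range(i + 1, len(logins)):
                if logins[j][0] - logins[i][0] <= window and logins[i][1] != logins[j][1]:
                    flagged.add(user)
    return flagged


def geo_violations(events, allowed=ALLOWED_COUNTRIES):
    """Tip 4: successful logins from outside the allowed countries.
    An address the geo table does not know is reported too (fail closed)."""
    return [(e["user"], e["ip"], GEO_IP.get(e["ip"], "??"))
            for e in events if e["ok"] and GEO_IP.get(e["ip"]) not in allowed]


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Tip 5: users with `threshold` or more failures inside a sliding window.
    If the device's own lockout were working, these users should appear locked."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["time"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def audit(text):
    events = parse_events(text)
    return {"no_mfa": mfa_gaps(events), "shared": shared_account_signals(events),
            "geo": geo_violations(events), "lockout": lockout_candidates(events)}


if __name__ == "__main__":
    for check, result in audit(SAMPLE_EVENTS).items():
        print(f"{check}: {result}")
```

Each check answers one of the broker questions above with data rather than a configuration screenshot: the findings here are the admin account used from two addresses a minute apart and without MFA, a login from Germany, and a service account that should have been locked out.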

Remember: These configuration tips may seem disruptive or inconvenient, but that’s often the price to pay for stronger cybersecurity controls and greater peace of mind.


Alternatives to boundary devices

Businesses looking to elevate their approach to remote access and network security should consider the secure access service edge (SASE) model. It’s an emerging cloud-based architecture that combines networking and security functions in a provider-operated service, helping businesses reduce their exposure to critical vulnerabilities, especially those affecting self-managed boundary devices.

SASE pairs a software-defined wide-area network (SD-WAN) with cloud-delivered security services to connect offices and remote users to applications. It removes many of the reasons a business would expose its own firewall or VPN to the internet, centralizing network access on a unified platform and making it easier to implement security policies and manage security controls.

“In a perfect world, we would recommend that businesses move to a SASE technology model due to the level of security it provides,” said Amy Cohagan, Senior Incident Response Analyst at CIR. “That said, SASE does come with an upfront investment in time and resources, so we know not every business can afford to do that.”

Talking to your clients about boundary devices 

Truth be told, boundary devices aren’t going away anytime soon. While we expect the technology to get phased out and eventually move to the cloud, boundary devices remain indispensable in our remote-first world. Coalition recommends using these key insights to guide conversations with your clients:

  1. Be vigilant when selecting a boundary device. As we’ve seen this year, certain technologies are targeted more frequently than others. Encourage your clients to weigh both the history of vulnerabilities and the vendor response for every device under consideration.

  2. Sign up for vendor advisories. We recommend businesses take this action at the time of implementation, but it’s never too late. And if your client is using a boundary device with a known critical vulnerability, confirm that they’ve taken the necessary steps to address the risk.

  3. Establish a regular patch cadence and be responsive. The repetition of patching is a good habit to form for cyber hygiene. Your clients can patch sooner, when necessary, but establishing a cadence ensures critical vulnerabilities are always on their radar.

  4. Confirm that all boundary devices are configured properly. Follow the above tips for boundary device configuration and encourage your clients to review these settings semi-regularly, especially if their businesses undergo a significant change.

Interested in diving deeper into boundary devices and cyber risk? Join us on Wednesday, April 24, at 10 a.m. PT / 1 p.m. ET for Coalition's live 2024 Cyber Claims Report webinar. Get a first look at the latest cyber trends and discover which popular boundary devices are more likely to lead a cyber claim.

This article originally appeared in the April 2024 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.

*Coalition Incident Response is an affiliate firm made available to all policyholders via panel selection.
This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.