The VPN Security Crisis: A perspective on Why Traditional Remote Access Is Failing

Hello, Mauven here. I need to share some uncomfortable truths about VPN security based on recent threat intelligence and my experience at NCSC.

The Ingram Micro ransomware attack isn't just another breach story. It's a perfect case study in how traditional VPN architectures create systemic vulnerabilities that sophisticated threat actors are systematically exploiting. When a $48 billion technology distributor can be completely shut down through basic VPN security failures, we need to acknowledge that our fundamental approach to remote access is broken.

The Numbers Tell a Devastating Story

Let me start with the statistics that should keep every CISO awake at night. 56% of organizations experienced VPN-related cyberattacks in 2024, up from 45% in 2023. That's not just growth, that's acceleration toward a crisis.

The Verizon DBIR 2025 data reveals an 8-fold increase in edge and VPN device vulnerability exploitation. Even more concerning, zero-day exploits against VPN devices increased from 3% to 22% of all vulnerability exploitation incidents. We're not just seeing more attacks, we're seeing more sophisticated, previously unknown attack methods.

A 47% increase in VPN vulnerabilities from 2022 to 2023 (133 versus 93) demonstrates that as organizations rushed to deploy VPN solutions during the pandemic, security considerations often took a backseat to operational necessity.

The Ingram Micro Attack: A Technical Post-Mortem

The SafePay ransomware group's attack on Ingram Micro reveals exactly how these statistics translate into real-world devastation. NCC Group's forensic analysis found that "the Threat Actor was able to gain access to a local account through a simple misconfiguration on the Fortigate firewall, allowing local accounts to be authenticated and bypass the MFA requirement on the VPN."

This is the critical insight: MFA was enforced on the VPN, yet it was bypassed because a configuration error allowed local accounts to authenticate without it. It wasn't a zero-day exploit or sophisticated social engineering. It was a basic configuration management failure that created a pathway around security controls.
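To make that finding concrete, here is the check an auditor would run against the firewall configuration. This is an added example, not code from the original post or from NCC Group's report: a Python script that parses a FortiOS-style configuration dump and lists every local account that an SSL VPN authentication rule admits and that has no two-factor setting. The configuration text is constructed, its syntax only approximates the FortiOS CLI, and the user and group names are hypothetical.

```python
"""Audit a FortiOS-style configuration for SSL VPN local accounts without MFA.

Added example; not code from the original post or from NCC Group's report.
SAMPLE_CONFIG is constructed, approximates FortiOS CLI syntax, and uses
hypothetical user and group names.
"""
import shlex

SAMPLE_CONFIG = """\
config user local
    edit "alice"
        set type password
        set passwd ENC PLACEHOLDER
        set two-factor fortitoken
        set fortitoken "FTK-PLACEHOLDER"
    next
    edit "svc-backup"
        set type password
        set passwd ENC PLACEHOLDER
    next
    edit "bob"
        set type password
        set passwd ENC PLACEHOLDER
        set two-factor disable
    next
    edit "carol"
        set type password
        set passwd ENC PLACEHOLDER
    next
end
config user group
    edit "sslvpn-users"
        set member "alice" "svc-backup" "bob" "corp-ldap"
    next
    edit "office-only"
        set member "carol"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
"""


def parse_config(text):
    """Turn 'config ... edit ... set ... next ... end' blocks into nested dicts.

    Each 'config' or 'edit' line opens a dict, 'set key v1 v2' stores
    [v1, v2] under key, and 'next' / 'end' close the innermost block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            parts = shlex.split(line[4:])
            stack[-1][parts[0]] = parts[1:]
        elif line in ("next", "end"):
            stack.pop()
    return root


def vpn_users_without_mfa(cfg):
    """Return sorted (user, group) pairs for local accounts that an SSL VPN
    authentication rule admits and whose two-factor setting is absent or
    'disable'. Members that are not local users (for example an LDAP server
    object) are skipped: their MFA is enforced elsewhere and needs its own check."""
    local_users = cfg.get("user local", {})
    groups = cfg.get("user group", {})
    rules = cfg.get("vpn ssl settings", {}).get("authentication-rule", {})
    findings = []
    for rule in rules.values():
        # A rule may admit individual users and/or groups.
        members = {(u, "direct") for u in rule.get("users", [])}
        for g in rule.get("groups", []):
            members.update((u, g) for u in groups.get(g, {}).get("member", []))
        for user, group in members:
            settings = local_users.get(user)
            if settings is None:
                continue  # not a local account
            if settings.get("two-factor", ["disable"])[0] == "disable":
                findings.append((user, group))
    return sorted(findings)


if __name__ == "__main__":
    for user, group in vpn_users_without_mfa(parse_config(SAMPLE_CONFIG)):
        print(f"FINDING: local account {user!r} (via {group!r}) reaches the SSL VPN without MFA")
```

Run against the sample, the script flags `svc-backup` (no two-factor line at all) and `bob` (explicitly disabled), while `alice` (FortiToken) and `carol` (in a group no VPN rule references) pass. The point worth carrying into a real audit is that the gap is relational: an account is only a problem when a VPN rule, directly or through group membership, actually admits it.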

The attack timeline is sobering:

  • Initial compromise: VPN access via credential attack

  • Lateral movement: Less than 24 hours to map critical systems

  • Ransomware deployment: ChaCha20 encryption across global infrastructure

  • Business impact: $136 million daily revenue losses

From a technical perspective, SafePay demonstrates the evolution of ransomware groups toward supply chain targeting. They understand that compromising infrastructure providers creates exponentially more damage than targeting individual organizations.

Why Traditional VPN Architecture Creates Systemic Risk

From my NCSC experience, I can tell you that traditional VPN architectures contain fundamental design flaws that make them incompatible with modern threat landscapes.

The Trust Boundary Problem: Traditional VPNs create an "inside" and "outside" network model. Once you're authenticated, you're trusted. This binary trust model doesn't reflect how modern attacks actually work. Compromised credentials or devices shouldn't automatically grant broad network access.

The Scalability Vulnerability: Most VPN deployments were designed for occasional remote access, not permanent hybrid working. The 124% increase in VPN usage during COVID-19 pushed these systems beyond their design parameters. Scalability solutions often involve reducing security controls or accepting broader attack surfaces.

The Visibility Gap: 24% of IT professionals report lack of user activity visibility once users connect via VPN. From a defensive perspective, this is catastrophic. You cannot defend what you cannot see.

The Complexity Multiplication: Each VPN endpoint becomes a potential attack vector. With hybrid working, organizations are managing hundreds or thousands of VPN connections simultaneously. The attack surface grows linearly with user count, but management complexity grows exponentially.

The Zero Trust Imperative: NCSC Perspective

The NCSC's Zero Trust Architecture guidance exists because we recognized that perimeter-based security models are fundamentally incompatible with modern working patterns and threat landscapes.

Our eight core principles directly address VPN vulnerabilities:

  1. Know your architecture: VPNs often create network access without comprehensive asset visibility

  2. Create single strong user identity: Traditional VPNs rely on device-based authentication rather than cryptographically strong user identity

  3. Assess user behavior and device health: VPNs typically perform authentication once rather than continuous assessment

  4. Use policies to authorize requests: VPN access is binary (connected/disconnected) rather than request-specific authorization

  5. Authenticate and authorize everywhere: VPNs create trusted network zones rather than authenticating every access request

  6. Focus monitoring on devices and services: VPN architecture obscures rather than enhances monitoring capabilities

  7. Don't trust any network: VPNs explicitly create trusted network segments

  8. Choose services designed for zero trust: Legacy VPN solutions were designed for perimeter security models

The psychological resistance to Zero Trust adoption often stems from familiarity bias. Organizations understand VPN concepts because they've used them for decades. Zero Trust requires fundamental rethinking of network security models, which creates cognitive load and organizational resistance.

Real-World Implementation: Microsoft's Secure Access Evolution

Microsoft's evolution from traditional VPN to Zero Trust Network Access provides a practical implementation roadmap. Microsoft Entra Private Access replaces VPN functionality with application-specific access controls that maintain zero trust principles.

Key advantages over traditional VPN:

  • Application-specific access: Users connect to specific applications rather than entire networks

  • Continuous authentication: Every access request is evaluated rather than relying on initial VPN authentication

  • Enhanced visibility: All access attempts are logged and monitored through the Entra ID platform

  • Reduced attack surface: No network-level access eliminates lateral movement opportunities

The implementation psychology is crucial: Organizations can maintain familiar authentication experiences while transitioning to fundamentally more secure architectures. This reduces change management resistance while improving security outcomes.

Risk Assessment Framework for Current VPN Deployments

Based on NCSC guidance and recent threat intelligence, organizations should assess their VPN risks across multiple dimensions:

Technical Risk Factors:

  • Legacy VPN appliances without regular security updates

  • Shared local accounts that bypass MFA requirements

  • Broad network access rather than application-specific permissions

  • Insufficient logging and monitoring of VPN activities

  • Inadequate network segmentation post-VPN authentication

Operational Risk Factors:

  • Limited incident response capabilities for VPN-based attacks

  • Inadequate visibility into user activities post-authentication

  • Complex change management processes that delay security updates

  • Over-reliance on VPN for business continuity

Strategic Risk Factors:

  • Vendor dependency on VPN appliance manufacturers

  • Skills gaps in Zero Trust architecture implementation

  • Budget constraints limiting security architecture modernization

  • Regulatory compliance challenges with enhanced monitoring requirements

Behavioral Considerations for VPN-to-Zero Trust Migration

From a psychological perspective, VPN migration requires careful change management. Users often perceive VPN connections as "secure" because they create familiar network access patterns. Zero Trust architectures may feel less secure because users must authenticate for specific applications rather than gaining broad network access.

Successful migration strategies address these perceptions:

  • Gradual transition: Maintain VPN for non-critical applications while piloting Zero Trust for critical systems

  • Enhanced user experience: Demonstrate improved performance and reliability of Zero Trust solutions

  • Clear communication: Explain security benefits in terms of business risk reduction rather than technical features

  • Training and support: Provide comprehensive guidance for new authentication workflows

Recommendations for UK SMBs and Enterprises

Immediate Actions (0-3 months):

  • Audit all VPN configurations for MFA bypass vulnerabilities similar to the Ingram Micro attack

  • Implement comprehensive VPN activity logging and monitoring

  • Deploy endpoint detection and response solutions for all VPN-connected devices

  • Conduct tabletop exercises for VPN-based incident response
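The first step of the attack timeline above (VPN access via a credential attack) and the action item to log and monitor VPN activity meet in detection logic. The following is an added example, not part of the original post: Python that reads SSL VPN event lines in a FortiGate-style key=value format and raises an alert when a successful tunnel follows a burst of failed logins from the same source address. The log lines are constructed and only approximate the real log schema; the addresses and usernames are hypothetical.

```python
"""Alert on an SSL VPN tunnel that comes up after a burst of failed logins
from the same source address.

Added example; not code from the original post. SAMPLE_LOGS is constructed
and only approximates the FortiGate key=value event format; the addresses
and usernames are hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = [
    # one stale failure, well outside the detection window
    'date=2025-07-03 time=01:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.45',
    # burst of guesses against several accounts, then a successful tunnel
    'date=2025-07-03 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.45',
    'date=2025-07-03 time=02:11:09 type="event" subtype="vpn" action="ssl-login-fail" user="administrator" remip=203.0.113.45',
    'date=2025-07-03 time=02:11:14 type="event" subtype="vpn" action="ssl-login-fail" user="backup" remip=203.0.113.45',
    'date=2025-07-03 time=02:11:20 type="event" subtype="vpn" action="ssl-login-fail" user="svc-backup" remip=203.0.113.45',
    'date=2025-07-03 time=02:11:27 type="event" subtype="vpn" action="ssl-login-fail" user="svc-backup" remip=203.0.113.45',
    'date=2025-07-03 time=02:11:33 type="event" subtype="vpn" action="ssl-login-fail" user="svc-backup" remip=203.0.113.45',
    'date=2025-07-03 time=02:11:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="svc-backup" remip=203.0.113.45',
    # a normal user mistyping once and then logging in
    'date=2025-07-03 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.7',
    'date=2025-07-03 time=09:00:20 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=198.51.100.7',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value log line into a dict; 'ts' is built from date and time."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def detect_guess_then_login(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per tunnel-up whose source IP produced at least
    `threshold` ssl-login-fail events within the preceding `window`."""
    recent_failures = defaultdict(deque)  # remip -> deque of (ts, user) inside the window
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        ip, ts = ev.get("remip"), ev["ts"]
        fails = recent_failures[ip]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # expire failures older than the window
        if ev.get("action") == "ssl-login-fail":
            fails.append((ts, ev.get("user")))
        elif ev.get("action") == "tunnel-up" and len(fails) >= threshold:
            alerts.append({
                "time": ts.isoformat(),
                "remip": ip,
                "user": ev.get("user"),
                "failed_attempts": len(fails),
                "users_tried": sorted({u for _, u in fails}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_guess_then_login(SAMPLE_LOGS):
        print("ALERT guess-then-login:", alert)
```

On the sample this produces a single alert for 203.0.113.45: six failures inside the window (the 01:30 failure has expired), four distinct usernames tried, and a tunnel for `svc-backup`. The point of keying on the source address rather than the username is that password spraying spreads failures across many accounts, so a per-user lockout counter never trips; the address-level view is what the "visibility gap" section argues defenders are missing once users are behind the VPN.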

Medium-term Strategy (3-12 months):

  • Pilot Zero Trust Network Access solutions for critical applications

  • Begin migration from network-level to application-level access controls

  • Implement conditional access policies based on device compliance and risk assessment

  • Develop vendor risk management programs that include VPN security requirements

Long-term Architecture (12+ months):

  • Complete transition to Zero Trust architecture aligned with NCSC guidance

  • Deploy comprehensive Security Service Edge (SSE) solutions

  • Implement AI-powered threat detection across all access points

  • Establish continuous security posture management with real-time risk assessment

The Uncomfortable Truth About VPN Security

The fundamental reality is that traditional VPN architectures were designed for a threat landscape that no longer exists. They assume trusted devices, reliable authentication, and limited attack sophistication. Modern threats invalidate all of these assumptions.

SafePay's success against Ingram Micro demonstrates that even well-funded, security-conscious organizations cannot adequately secure traditional VPN architectures against determined attackers. The group's ability to move from initial access to complete infrastructure compromise in under 24 hours reflects the inherent vulnerabilities in network-level access models.

From an NCSC perspective, the solution isn't better VPN security. It's fundamentally different security architectures that eliminate the VPN attack surface entirely. Zero Trust implementations that authenticate every access request, authorize based on risk assessment, and monitor all activities provide demonstrably superior security outcomes.

The choice facing organizations isn't whether to improve VPN security or implement Zero Trust. The choice is whether to proactively manage the transition to Zero Trust architectures or reactively respond to VPN-based security incidents that could destroy their operations.

The threat intelligence is clear, the attack trends are accelerating, and the alternative solutions are available. What's required now is the organizational commitment to prioritize security architecture modernization over the comfort of familiar but fundamentally insecure legacy solutions.

Sources

  • NCC Group DFIR Report: Weak Passwords Led to SafePay Ransomware Yet Again
  • Verizon 2025 Data Breach Investigations Report (DBIR)
  • NCSC Zero Trust Architecture Design Principles Version 1.0
  • NCSC Remote Access Security for Critical National Infrastructure
  • IBM X-Force Threat Intelligence Index 2025
  • IBM Cost of a Data Breach Report 2024
  • Zscaler ThreatLabz 2024 VPN Risk Report
  • CISA Known Exploited Vulnerabilities (KEV) Catalog
  • CISA Zero Trust Maturity Model Version 2.0
  • Okta 2024 Secure Sign-in Trends Report
  • CrowdStrike 2025 Global Threat Report
  • Mandiant M-Trends 2025 Report
  • Microsoft Entra Private Access Documentation
  • Microsoft Conditional Access Policy Framework
  • NIST SP 800-207: Zero Trust Architecture
  • NIST SP 800-46 Rev. 2: Guide to Enterprise Telework and Remote Access Security
  • ENISA NIS2 Directive Zero Trust Implementation Guidance
  • BSI Germany Zero Trust Architecture Position Paper
  • BleepingComputer: Ingram Micro outage caused by SafePay ransomware attack
  • The Register: Ingram Micro confirms ransomware behind multi-day outage
  • Cyber Readiness Institute 2024 Global MFA Survey
  • Security.org 2023 VPN Usage and Security Survey
  • EY Global Information Security Survey 2024
  • Gallup State of the Global Workplace: Remote Work Trends
  • Palo Alto Networks Security Advisory for CVE-2024-3400
  • Fortinet FortiOS Security Advisory CVE-2024-23113
  • SonicWall SSL VPN Security Advisory CVE-2024-53704
  • Ivanti Connect Secure Vulnerability Disclosure

Additional Technical References

  • FIDO Alliance FIDO2 Implementation Guidelines
  • Microsoft Azure AD Identity Protection Risk Assessment
  • Gartner ZTNA vs Traditional VPN Comparative Analysis
  • SecurityScorecard 2025 Supply Chain Cybersecurity Trends Survey
  • DNV Critical Infrastructure Cybersecurity Research 2024
  • Channel Futures Ingram Micro Ransomware Impact Analysis
  • Constellation Research Ingram Micro Supply Chain Disruption Analysis
  • Rescana SafePay Ransomware Technical Analysis

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com