A VPN is not a security tool.  It is a remote access tool.  The two are not the same.  The VPN only provides a connection to the remote network that is secure from the outside, but inside that tunnel it can be as insecure as putting your critical data directly onto the Internet with no protections.  The remote machine now has a direct line into your business network, and the consequences can be dire.   All a VPN does is create an encrypted connection between your computer and a remote network…that’s it.  Larger companies can literally afford a breach; what if you are a small business that suffers a catastrophic disclosure of private information?  Two of the biggest breaches in the past decade were facilitated by the presence of an active VPN connection.  Why are these technologies able to be so problematic?

Let’s see how a VPN actually works.  What a VPN does is allow a remote machine to access a network resource.  Sounds simple, right?  However, it involves quite a bit more given the times we find ourselves in.  What the VPN allows is for the remote device to tunnel over the Internet directly into the network you wish to access.  This means the traffic bypasses all of the firewalls and other edge security that exist.  This means the remote machine needs to have as much security on it as the network it is accessing, if not more.  I am leaving out some details for brevity here, but full details of each breach can be found with a simple Google search.

The first one was the Target breach.  This was caused by one of their HVAC vendors having malware on the machine that was used to connect to Target’s network.  The malware travelled along that connection into Target’s network, and the rest is history.  Here’s what could have been done differently:

  1. Target did not have proper network controls.  Proper segmentation would have meant that the HVAC contractor only had access to the HVAC systems, not the entire internal network.
  2. Target should have ensured the machine being used to access Target’s network was covered by the same network security policies as they had internally.
  3. The remote vendor should have been vetted properly by Target’s security team to make sure proper security controls were present on the machines.
  4. The remote vendor was compromised via phishing.  The remote vendor should have had proper training, policies, and regular security audits to ensure their network was secure.
  5. Target’s internal security did detect the breach but failed to react in time to mitigate the intrusion.

The second prime example is what caused LastPass to literally lose every single one of the encrypted password vaults of its clients.  What were the issues in this breach?

  1. LastPass allowed a high-level developer to have remote access to their core backend.  They DID provide the developer with a company-owned and secured laptop.
  2. The problem started with the compromise of the developer’s account at LastPass.
  3. The home network had bad actors already inside of it.  The developer had Plex running on his home network and exposed to the Internet for remote media access.  The Plex software had a security weakness, and bad actors had already found the Plex server and were now inside the developer’s network.
  4. When the developer connected his work laptop to his home network, the bad actors detected the machine and went to work.  The corporate machine was compromised, and then the VPN was used to go directly into the LastPass backend.

The result is that all of the password vaults for all of the LastPass customers were stolen.  How could this breach have been quickly mitigated?

  1. The company should have had the developer’s home network outfitted with a proper firewall that segments the work laptop away from the home network at a minimum.  A modern router, like the UniFi UDR7, can easily accomplish this for a small cost of a few hundred dollars.
  2. Ideally, LastPass should have set up a second, totally independent Internet connection at the home for the exclusive use of the work laptop.
  3. LastPass also needed to have better network segmentation internally.  The source code repository should have been segmented away from the vaults to prevent the lateral movement that was enabled.
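Both lists above come down to the same control: a VPN client should be able to reach only the segment it has a business need for, and anything else should be denied and flagged.  The following is an added example, not code from the original post or from ETC Maryland, that audits constructed flow records against such a least-privilege policy; the subnets, ports, and VPN group name are hypothetical.

```python
# Added example: check VPN-pool flows against a least-privilege segmentation
# policy (default deny). Subnets, ports and log lines are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_pool: ipaddress.IPv4Network  # addresses handed out to one VPN group
    dst_nets: tuple                  # segments that group is allowed to reach
    dst_ports: frozenset             # service ports allowed on those segments


# Hypothetical policy: the HVAC vendor's VPN pool may reach only the
# building-management segment on two service ports and nothing else.
POLICY = {
    "hvac-vendor": Rule(
        ipaddress.ip_network("10.99.1.0/24"),
        (ipaddress.ip_network("10.20.0.0/24"),),
        frozenset({47808, 8443}),
    ),
}


def flow_allowed(rule, dst_ip, dst_port):
    """Default deny: the destination must be in an allowed segment AND port."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for net in rule.dst_nets) and dst_port in rule.dst_ports


def audit(flow_lines, policy):
    """Return (group, line) for every VPN-pool flow that leaves its segment.
    Constructed flow format: "<src_ip> <dst_ip> <dst_port>"."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        src_ip = ipaddress.ip_address(src)
        for name, rule in policy.items():
            if src_ip in rule.src_pool and not flow_allowed(rule, dst, int(port)):
                violations.append((name, line))
    return violations


# Constructed sample flows: two in-policy, one to a file-share segment the
# vendor has no need for, one to the right segment on an unexpected port,
# and one internal flow that is not from the VPN pool at all.
SAMPLE_FLOWS = [
    "10.99.1.7 10.20.0.15 47808",
    "10.99.1.7 10.20.0.15 8443",
    "10.99.1.7 10.50.3.22 445",
    "10.99.1.7 10.20.0.15 22",
    "10.10.5.3 10.50.3.22 445",
]

if __name__ == "__main__":
    for group, line in audit(SAMPLE_FLOWS, POLICY):
        print(f"out-of-policy VPN flow [{group}]: {line}")
```

In practice the flow lines would come from the firewall or VPN concentrator logs, and any hit is a candidate for an alert as well as a reason to tighten the rule set.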

A VPN can be used, but it requires much more security at the endpoint than something like Splashtop or ScreenConnect.  Proper remote setup is still crucial, but other layers, such as multi-factor authentication and a firewall that remains between the remote terminal and the remote network, along with other advantages, make using those technologies less risky than a VPN.  To be honest, a VPN does have some advantages over tools like Splashtop.  ETC Maryland has both VPN and other remote technologies deployed.  For a no-cost initial evaluation of your remote access security, please contact us.
