Why Banks and Telcos Remain Vulnerable to Cyberattack Despite Network Segmentation
Overview
Network segmentation is one of the cornerstones of modern cybersecurity. It's a strategy that divides a large network into smaller, isolated subnetworks or "segments," with the aim of restricting movement within the network and protecting sensitive data. In this article, we'll explore what network segmentation is, why companies use it, why it's not foolproof, how it differs from VPNs, and how attackers have found ways to bypass it.
What is Network Segmentation?
Network segmentation is the process of splitting a computer network into smaller, controlled sections based on business needs, risk levels, and sensitivity of data. Each segment restricts communication to only what's necessary. This ensures that even if one part of the network is breached, the damage can be contained and the attacker can't easily spread to other parts.
Imagine a castle: without segmentation, it would be a wide-open courtyard where invaders roam freely once they breach the gate. With segmentation, the castle has locked rooms and towers. An intruder may enter one area, but each new room requires overcoming another barrier.
In real-world corporate networks, finance departments are separated from development teams. Employee Wi-Fi cannot reach internal database servers. Critical infrastructure systems like SCADA networks remain isolated from day-to-day office activities. This isolation dramatically improves security, monitoring, and compliance.
Why Companies Implement Network Segmentation
There are several strategic reasons why companies embrace network segmentation. First and foremost, it limits the damage caused by an attack. If an attacker breaches one segment, they're contained. The "blast radius" is minimized. Segmentation also helps companies meet regulatory standards like PCI-DSS (Payment Card Industry Data Security Standard) for payment security and HIPAA (Health Insurance Portability and Accountability Act) for healthcare data protection.
Moreover, segmentation protects critical assets like customer databases, financial systems, and intellectual property. Finally, it enhances monitoring; traffic between segments is easier to watch and control, enabling faster detection of suspicious behavior.
Why Network Segmentation Isn’t Foolproof
Despite its advantages, network segmentation is not invincible. It has several critical vulnerabilities that attackers can and do exploit.
One major weakness is human error and credential theft. If an attacker steals administrator credentials—through phishing, malware, or buying them on dark web markets—they inherit trusted access across segments. Suddenly, the walls segmentation built are meaningless.
Misconfigurations are another danger. Poorly set firewall rules or forgotten access lists can unintentionally open pathways between segments. For example, an engineering workstation might retain access to HR servers because of an old rule no one removed.
Trusted systems themselves can become threats. Jump servers and update servers often bridge multiple segments for operational reasons. If attackers compromise one of these servers, they can move across segments almost undetected.
VPN access can also act as a bridge. If remote users are granted overly broad access through VPNs, and their devices are compromised, attackers can effectively "ride" those VPN connections into multiple segments.
Lastly, attackers often "live off the land." They use legitimate tools like PowerShell (a command-line tool for automating tasks), WMI (Windows Management Instrumentation, used to manage systems), PsExec (a tool to remotely run commands on other computers), and RDP (Remote Desktop Protocol, which lets users control another computer)—which are often allowed for business operations—to move laterally without triggering alarms. Malware isn't even needed; just a clever use of trusted admin tools.
The key takeaway: segmentation is a strong defense, but it relies heavily on proper configuration, secure credentials, and vigilant monitoring.
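The misconfiguration and over-broad VPN access weaknesses above are checkable. As an added example (not code from the original article), this Python script audits a constructed firewall rule base against an intended segment policy and flags the stale engineering-to-HR rule and the "VPN can reach anything" rule; the segment names, subnets, policy and rules are all assumed sample data.

```python
"""Audit firewall allow rules against an intended segmentation policy."""
import ipaddress

# Constructed sample: which subnet belongs to which segment (assumed values).
SEGMENTS = {
    "engineering": ipaddress.ip_network("10.10.0.0/16"),
    "hr": ipaddress.ip_network("10.20.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/16"),
    "vpn_pool": ipaddress.ip_network("10.99.0.0/16"),
}

# Constructed intended policy: (source, destination) segment pairs allowed to
# talk. VPN users should only reach engineering; anything unlisted is denied.
ALLOWED = {
    ("vpn_pool", "engineering"),
    ("engineering", "engineering"),
    ("hr", "hr"),
    ("finance", "finance"),
}

# Constructed rule base with a forgotten legacy rule and an over-broad VPN rule.
SAMPLE_RULES = [
    {"name": "eng-to-eng", "src": "10.10.0.0/16", "dst": "10.10.0.0/16", "action": "allow"},
    {"name": "legacy-eng-hr", "src": "10.10.5.0/24", "dst": "10.20.1.10/32", "action": "allow"},
    {"name": "vpn-any", "src": "10.99.0.0/16", "dst": "0.0.0.0/0", "action": "allow"},
    {"name": "deny-all", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "deny"},
]

def segment_of(cidr):
    """Return the segment whose subnet contains the given CIDR, else 'unknown'."""
    net = ipaddress.ip_network(cidr)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return "unknown"

def audit_rules(rules):
    """Return (rule name, reason) for each allow rule that breaks the policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if ipaddress.ip_network(rule["dst"]).prefixlen == 0:
            findings.append((rule["name"], "destination is 'any': over-broad access"))
            continue
        pair = (segment_of(rule["src"]), segment_of(rule["dst"]))
        if pair not in ALLOWED:
            findings.append((rule["name"], f"cross-segment path {pair[0]} -> {pair[1]}"))
    return findings
```

Calling `audit_rules(SAMPLE_RULES)` returns the legacy engineering-to-HR rule and the VPN "any" rule as findings, while the in-segment and deny rules pass.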
Network Segmentation vs. VPN: What's the Difference?
A common misconception is that if a company has segmentation, it must be using a VPN. That's not necessarily true. They are two distinct technologies.
Network segmentation focuses on dividing and controlling internal access. It’s about isolating different parts of a company's private network based on sensitivity and risk.
A VPN, on the other hand, creates a secure, encrypted tunnel from a remote user's device into the corporate network, over the public internet. It lets authorized remote users reach the network securely from outside.
Often, they work together: a VPN gets you into the building; segmentation determines which rooms you can enter.
Segmentation without a VPN is common for purely internal environments. VPNs without segmentation are risky because once inside, an attacker could move freely. Together, they form a layered defense.
How Attackers Exploit VPNs and Jump Servers to Bypass Segmentation
Attackers frequently exploit VPNs and jump servers to break through segmented defenses. Here's their typical playbook.
First, they breach the VPN. They might steal login credentials using phishing attacks, infostealer malware, or simply buying them online. Alternatively, they might exploit known vulnerabilities in VPN software, like the notorious CVE-2019-11510 in Pulse Secure VPNs. With compromised credentials, they appear as legitimate remote users.
Next, they target jump servers. These bastions are critical points that connect to different network segments. With stolen VPN access, attackers log into the jump server. If they don’t already have enough privileges, they use tools like Mimikatz to dump credentials and escalate their access.
From the jump server, attackers begin lateral movement. They use standard admin tools like RDP, WMI, and PsExec, blending in with normal operations. Even with segmentation, attackers can hop from segment to segment, because once they're on the jump server, many firewalls and restrictions are effectively behind them.
Once inside, they escalate privileges further by dumping LSASS (Local Security Authority Subsystem Service, a part of Windows that stores user credentials in memory) memory to extract more credentials, seeking domain admin access. With full privileges, they own the network.
Finally, they execute their attack. They exfiltrate sensitive data, deploy ransomware, disable security systems, and cause massive disruption. Ryuk ransomware groups, for example, are known to spend weeks silently escalating and moving laterally before finally detonating ransomware.
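The playbook above has a defensive mirror: the jump server suddenly reaching several segments over admin protocols within minutes, which normal operations rarely do. As an added example (not from the original article), this Python detector runs over constructed flow-log lines and flags that fan-out; the host names, segment labels, the 10-minute window and the baseline of two segments per window are assumed.

```python
"""Flag a jump host fanning out to many segments over admin ports in flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: time, src host, dst host, dst port, dst segment.
SAMPLE_FLOWS = """\
2024-05-01T09:00:05 vpn-client-17 jump01 3389 mgmt
2024-05-01T09:03:10 jump01 fin-db-01 445 finance
2024-05-01T09:04:40 jump01 hr-app-02 3389 hr
2024-05-01T09:06:15 jump01 eng-build-03 5985 engineering
2024-05-01T09:07:01 jump01 scada-hist-01 3389 ot
2024-05-01T10:30:00 jump01 fin-db-01 445 finance
"""

# Ports of the living-off-the-land tools the article names (assumed mapping).
ADMIN_PORTS = {3389: "RDP", 445: "SMB/PsExec", 5985: "WinRM/PowerShell", 135: "WMI"}
WINDOW = timedelta(minutes=10)
MAX_SEGMENTS = 2  # assumed baseline: segments a jump host normally touches per window

def parse_flows(text):
    """Parse the space-separated flow lines into typed tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, seg = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), seg))
    return flows

def detect_fanout(flows, jump_hosts):
    """Return (host, window start, segments) for each jump host that reaches
    more than MAX_SEGMENTS distinct segments over admin ports inside WINDOW."""
    by_src = defaultdict(list)
    for ts, src, dst, port, seg in sorted(flows):
        if src in jump_hosts and port in ADMIN_PORTS:
            by_src[src].append((ts, seg))
    alerts = []
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            segs = {seg for ts, seg in events[i:] if ts - t0 <= WINDOW}
            if len(segs) > MAX_SEGMENTS:
                alerts.append((src, t0, sorted(segs)))
                break  # one alert per host is enough for triage
    return alerts
```

In the sample, jump01 touches finance, HR, engineering and OT within four minutes and is flagged; the later isolated finance connection alone would not be.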
Real-World Cases
The Colonial Pipeline attack in 2021 began when attackers gained access using leaked VPN credentials that had no multi-factor authentication (MFA) protection. This allowed them to enter the network undetected and deploy ransomware, leading to major fuel supply disruptions across the eastern United States.
The Target breach of 2013 was initiated through a compromised HVAC vendor’s VPN access. Attackers used this foothold to move laterally through Target’s internal network, eventually reaching and stealing customer payment card data from point-of-sale systems.
In the Norsk Hydro ransomware attack of 2019, attackers compromised the company's remote access infrastructure. They used this access to spread the LockerGoga ransomware across global operations, disrupting production at multiple sites and causing significant financial damage.
The Kaseya 2021 incident involved attackers exploiting vulnerabilities in Kaseya’s remote management software. This allowed them to distribute ransomware to hundreds of Kaseya’s downstream customers simultaneously, demonstrating how supply chain attacks can bypass even well-segmented networks.
Tentative Thought
Network segmentation is a vital defense strategy. It slows attackers, contains breaches, and aids compliance. However, it’s not a magic shield. Stolen credentials, poor configurations, and trusted systems like VPNs and jump servers can all be exploited to bypass segmentation entirely.
To truly protect segmented networks, companies must
Segmentation is not a wall—it's a maze designed to slow attackers. But if the guards (credentials, monitoring) are asleep, the maze is easily navigated. Security must be layered, proactive, and constantly verified to be effective.