The NSA and CISA have released joint guidance to help organizations select their Virtual Private Network (VPN) solution and harden it against compromise. Vulnerable VPN servers are attractive targets for threat actors, as they provide great opportunities for infiltrating the victims’ systems and networks.
“Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device,” said the NSA in its press release. The NSA pointed out that a threat actor who establishes a foothold in a system or network can go on and wreak all sorts of havoc on an organization.
Dubbed “Selecting and Hardening Remote Access VPN Solutions”, the guidance sets out rules, or rather recommendations, that organizations and companies should follow when choosing a remote access VPN that will grant entry to their systems. This includes adhering to tried-and-tested solutions that are compliant with industry standards and can be found on product compliance lists, and VPN services that have clearly identified standards and technologies that they use to establish VPN connections.
Other advice also includes relying on reputable vendors with proven track records in remediating any vulnerabilities promptly, following cybersecurity best practices, and using strong authentication credentials.
Meanwhile, when it comes to hardening VPNs, the NSA-CISA information sheet recommends that organizations should:
- configure strong cryptography and authentication
- run only the most necessary features and so help reduce the attack surface
- protect and monitor access to and from their VPN connections
Naturally, the sheet goes into greater detail and includes advice long echoed by cybersecurity professionals, such as using multi-factor authentication and applying patches and security updates as soon as possible to mitigate any known vulnerabilities.
While the advice is aimed at improving the security of the Department of Defense, National Security systems and the Defense Industrial Base, following these recommendations would benefit any organization or company, public or governmental, that uses a VPN solution to access its systems.