IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

NSA and CISA offer new security guidance for VPNs

Multiple nation-state threat actors using known flaws to access systems

VPN software displayed on a laptop

The NSA and CISA have published new advice for organizations on securing their VPNs against hacking.

The new Cybersecurity Information Sheet warned multiple nation-state hackers have exploited common vulnerabilities to gain access to VPN devices to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device.

“These effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well,” the guidance read.

The agencies advised against using non-standard VPN solutions, including security products, such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. 

“Using custom or non-standard features creates additional risk exposure, even when the TLS parameters used by the products are secure,” the guidance said.

Instead, organizations should use standardized Internet Key Exchange/Internet Protocol Security (IKE/IPsec) VPNs validated against standardized security requirements for VPNs.

Organizations should also use products from a vendor with a proven track record of supporting products. VPN products should also be hardened using “only strong, approved cryptographic protocols, algorithms, and authentication credentials.”

Other ways to reduce the attack surface of a VPN is to immediately apply patches and updates to mitigate known vulnerabilities and restricting external access to the VPN device by port and protocol.

Related Resource

How to secure workloads in hybrid clouds

Cloud workload protection

Whitepaper front coverFree download

Organizations should also disable non-VPN-related functionality and advanced features that are more likely to have vulnerabilities. “Features such as web administration, Remote Desktop Protocol, Secure Shell, and file sharing are convenient, but not necessary for the operation of remote access VPNs,” the guidance said.

Firms were also urged to restrict management interface access via the VPN. “Malicious cyber actors that manage to compromise administrator credentials could try to authenticate into management interfaces and maliciously perform privileged operations,” said the agencies’ guidance.

“Remote access VPNs are entryways into corporate networks and all the sensitive data and services they have. This direct access makes them prized targets for malicious actors. Keep malicious actors out by selecting a secure, standards-based VPN and hardening its attack surface. This is essential for ensuring a network’s cybersecurity,” the advice concluded.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022