The U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint “Cybersecurity Information Sheet” in which they detailed considerations regarding selecting and securely configuring a virtual private network (VPN).
The “Selecting and Hardening Remote Access VPN Solutions” document also serves to outline common VPN risks for the U.S. Department of Defense, National Security Systems and the Defense Industrial Base, among other organizations.
“VPN servers are entry points into protected networks, making them attractive targets,” said the agencies in a statement. “Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.”
Top recommendations include:
- Using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List.
- Employing strong authentication methods such as multi-factor authentication (MFA).
- Promptly applying patches and updates.
- Reducing VPN attack surface by disabling non-VPN-related features.