EXECUTIVE SUMMARY:

The Cybersecurity and Infrastructure Security Agency (CISA) and the NSA jointly released an in-depth guide describing how organizations should choose virtual private networks (VPNs), especially as VPN-focused cyber attacks continue to proliferate. Reports indicate that nation-state actors and cyber criminal gangs have significantly increased VPN exploitation attempts.

The guidelines also describe how organizations can deploy VPNs securely. The NSA advocated for leaders within the Department of Defense, National Security Systems, and the Defense Industrial Base to explore the guide so that everyone has a clear sense of the risks and the benefits of VPNs.

Is a VPN worth it? 

Multiple nation-state advanced persistent threat (APT) actors allegedly weaponized certain types of vulnerabilities for the purpose of exploiting VPNs. Once in systems, hackers can potentially perform remote code execution, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions and more. 

NSA director Rob Joyce described how a variety of nation-state threat actors are using bugs and vulnerabilities to disrupt organizational functions. He noted that VPN servers represent key entry points into secured networks. In turn, organizations may wish to consider how to “shrink” the attack surface. “Invest in your own protection!” Joyce concluded. 

Additional perspectives: VPN worth it?

Created by CISA and the NSA, a new National Information Assurance Partnership Product Compliant list provides insights into reliable VPN and security providers. The list is intended to offer reliable, trustworthy information devoid of vendor advertising. The recommendations mirror those provided to US defense contractors and similar groups.

One critique of the National Information Assurance Partnership Product Compliant list is that the information is complex and difficult to decipher for the majority of commercial entities. Organizations may or may not have the resources and tools to follow the recommendations.

Experts state that businesses would do well to select vendors that remediate vulnerabilities quickly and follow best practices. 

VPN strategies 

Setting up and deploying VPNs correctly is tough, but VPNs are essential, as demonstrated via a VPN exploit earlier this year that compromised federal agencies across the United States and Europe. 

VPN technology is continually evolving. Newer VPN technologies may include certain types of cryptography, ensuring the integrity of information shared through virtual platforms. 

To secure your perimeter, pursue an advanced approach to VPN security. Ensure that your VPN provider offers privacy and data integrity protection via: 

  • Multi-factor authentication
  • Endpoint system compliance scanning
  • Encryption of all transmitted data

CISA and the NSA also note that VPN administrators should not be permitted to log in to the management interface via the remote access VPN. Rather, organizations must limit administrative access to dedicated internal management networks and investigate any event in which admin credentials are used to access VPNs.
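One way to check logs against the management-access recommendation above, as an added example that is not code from CISA, the NSA or this article. The key=value log format, the network ranges and the account names are constructed assumptions; substitute your own.

```python
import ipaddress
import re

# Assumed values for illustration only.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]    # dedicated internal management network
VPN_POOL = [ipaddress.ip_network("172.16.50.0/24")]   # addresses leased to remote access VPN clients
ADMIN_ACCOUNTS = {"vpnadmin", "netops"}               # hypothetical admin usernames

# Constructed log lines in a made-up key=value format (not a real vendor format).
SAMPLE_LOG = """\
2021-10-01T08:02:11Z event=mgmt_login user=vpnadmin src=10.20.0.15 result=success
2021-10-01T09:47:30Z event=mgmt_login user=netops src=172.16.50.23 result=success
2021-10-01T10:05:02Z event=mgmt_login user=vpnadmin src=203.0.113.77 result=failure
2021-10-01T10:06:40Z event=vpn_login user=vpnadmin src=198.51.100.9 result=success
2021-10-01T11:15:00Z event=vpn_login user=alice src=198.51.100.44 result=success
2021-10-01T11:16:00Z event=mgmt_login user=bob src=not-an-ip result=success
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def in_any(ip, nets):
    return any(ip in net for net in nets)

def review(log_text):
    """Return (timestamp, user, source, reason) for each event worth investigating."""
    findings = []
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        rec = dict(FIELD.findall(rest))
        if not {"event", "user", "src"} <= rec.keys():
            continue  # not a login record
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            src = None  # keep the event: an unparseable source is itself suspicious
        reason = None
        # Failed attempts are flagged too; the attempt matters, not only the success.
        if rec["event"] == "mgmt_login":
            if src is None:
                reason = "mgmt-login-unparseable-source"
            elif in_any(src, VPN_POOL):
                reason = "mgmt-login-via-remote-access-vpn"
            elif not in_any(src, MGMT_NETS):
                reason = "mgmt-login-outside-management-network"
        elif rec["event"] == "vpn_login" and rec["user"] in ADMIN_ACCOUNTS:
            reason = "admin-credential-used-on-vpn"
        if reason:
            findings.append((ts, rec["user"], rec["src"], reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```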

In conclusion

Millions of VPNs exist on the internet, giving hackers a large volume of opportunities to break into internal networks. Reduce your attack surface. Offer your users secure access to corporate networks and resources. Protect the integrity of your organization’s information.
