NSA, CISA release VPN guidance
On September 28, the National Security Agency and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Information Sheet detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely. “Selecting and Hardening Remote Access VPN Solutions” also will help leaders in the Department of Defense, National Security Systems and the Defense Industrial Base better understand the risks associated with VPNs.
VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices. Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device. If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.
The Information Sheet details considerations for selecting a remote access VPN, as well as actions to harden the VPN from compromise. Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List, employing strong authentication methods like multifactor authentication, promptly applying patches and updates, and reducing the VPN’s attack surface by disabling non-VPN-related features.
For more details on how to select a secure VPN and further harden your network, read the full Information Sheet here.
Stay in the know with breaking news from across the IC and IC contracting landscape by becoming a paid subscriber to IC News. Your support makes our work possible.