Skip to main content

CISA, NSA: Here's how to bolster VPN security

A laptop screen displaying a VPN logo
(Image credit: Shutterstock)

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a joint guidance document to help businesses select and harden virtual private network (VPN) solutions.

“VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices,” observed the two agencies in the document. 

The agencies add that threat actors often exploit these unpatched CVEs as a gateway to all sorts of campaigns against corporate networks, for everything from stealing credentials to exfiltrating sensitive data.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The document lists directions for businesses to help them select the VPN solution that adheres to industry standards and follows the best practices to ensure the integrity of its infrastructure.

Gateway to larger attacks

The document suggests using tested and validated VPN products that are listed on the National Information Assurance Partnership (NIAP) Product Compliant List. It also suggests looking for solutions that employ strong authentication methods like multi-factor authentication (MFA).

At the same time, the service shouldn’t exhibit laxity in applying patches and updates, and ensures it reduces the surface area for attacks on VPN servers by disabling non-VPN-related features.

“Exploiting remote access VPNs can become a gateway to large-scale compromise,” said Rob Joyce, Director of Cybersecurity at NSA in an email to BleepingComputer.

Parsing through the document, BleepingComputer notes that the agencies suggest VPN service providers employ strong cryptography and authentication mechanisms on their servers, run the bare minimum number of features, while protecting and monitoring access to and from the VPN.

Via BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.