The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a joint guidance document to help businesses select and harden virtual private network (VPN) solutions.
“VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices,” the two agencies observed in the document.
The agencies add that threat actors often exploit these unpatched CVEs as a gateway to all sorts of campaigns against corporate networks, for everything from stealing credentials to exfiltrating sensitive data.
The document gives businesses directions for selecting a VPN solution that adheres to industry standards and follows best practices, so that the integrity of their infrastructure is protected.
Gateway to larger attacks
The document suggests using tested and validated VPN products that are listed on the National Information Assurance Partnership (NIAP) Product Compliant List. It also suggests looking for solutions that employ strong authentication methods such as multi-factor authentication (MFA).
At the same time, the VPN service should apply patches and updates promptly, and its attack surface should be reduced by disabling non-VPN-related features on the VPN servers.
“Exploiting remote access VPNs can become a gateway to large-scale compromise,” said Rob Joyce, Director of Cybersecurity at NSA, in an email to BleepingComputer.
Going through the document, BleepingComputer notes that the agencies suggest VPN service providers employ strong cryptography and authentication mechanisms on their servers, run the bare minimum number of features, and protect and monitor access to and from the VPN.
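The recommendations summarized above (strong cryptography, MFA, prompt patching, a minimal feature set, and monitored access) can be turned into a repeatable configuration audit. The following Python checker is an added example, not code from the article or from the CISA/NSA document; the policy thresholds it encodes (the approved cipher suite list, the 30-day patch window, the set of "core" VPN features) are assumptions chosen for illustration, and the two configurations it audits are constructed sample data.

```python
"""Audit a VPN gateway configuration against a hardening policy.

Added example. The policy values below are assumptions for illustration;
adapt them to your organization's standard and the vendor's documentation.
"""
from dataclasses import dataclass


@dataclass
class VpnConfig:
    """Minimal model of the settings the audit looks at (constructed)."""
    ciphers: list            # cipher suites the server offers to clients
    min_tls_version: str     # lowest TLS version the server will negotiate
    mfa_required: bool       # whether every remote-access login needs MFA
    enabled_features: set    # services running on the VPN appliance
    days_since_last_patch: int
    log_forwarding: bool     # whether access logs are shipped to the SIEM


# --- Assumed policy (not from the page) ---------------------------------
ALLOWED_CIPHERS = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
ALLOWED_TLS_VERSIONS = {"1.2", "1.3"}
# Features considered part of the VPN function itself; anything else is
# treated as extra attack surface that the guidance says to disable.
VPN_CORE_FEATURES = {"ssl-vpn", "ipsec", "client-auth"}
MAX_PATCH_AGE_DAYS = 30


def audit(cfg: VpnConfig) -> list:
    """Return a sorted list of human-readable findings; empty means compliant."""
    findings = []

    weak = sorted(c for c in cfg.ciphers if c not in ALLOWED_CIPHERS)
    if weak:
        findings.append("cipher: unapproved suites offered: " + ", ".join(weak))

    if cfg.min_tls_version not in ALLOWED_TLS_VERSIONS:
        findings.append(f"tls: minimum version {cfg.min_tls_version} is below policy")

    if not cfg.mfa_required:
        findings.append("auth: multi-factor authentication is not enforced")

    extra = sorted(cfg.enabled_features - VPN_CORE_FEATURES)
    if extra:
        findings.append("surface: non-VPN features enabled: " + ", ".join(extra))

    if cfg.days_since_last_patch > MAX_PATCH_AGE_DAYS:
        findings.append(
            f"patch: last update {cfg.days_since_last_patch} days ago "
            f"(policy: {MAX_PATCH_AGE_DAYS})"
        )

    if not cfg.log_forwarding:
        findings.append("monitor: access logs are not forwarded for monitoring")

    return sorted(findings)


# Constructed sample configurations -----------------------------------------
WEAK_CONFIG = VpnConfig(
    ciphers=["TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    min_tls_version="1.0",
    mfa_required=False,
    enabled_features={"ssl-vpn", "web-admin-portal", "smb-share"},
    days_since_last_patch=120,
    log_forwarding=False,
)

HARDENED_CONFIG = VpnConfig(
    ciphers=["TLS_AES_256_GCM_SHA384"],
    min_tls_version="1.2",
    mfa_required=True,
    enabled_features={"ssl-vpn", "client-auth"},
    days_since_last_patch=7,
    log_forwarding=True,
)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Each finding maps to one of the five themes in the guidance summary, so a non-empty result tells an operator which recommendation the gateway currently misses; the cipher and feature lists are the two places where a real deployment's policy will differ most from the assumptions above.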
Via BleepingComputer