The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a joint guidance document to help businesses select and harden virtual private network (VPN) solutions.
“VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices,” observed the two agencies in the document.
The agencies add that threat actors often exploit these unpatched CVEs as a gateway to all sorts of campaigns against corporate networks, for everything from stealing credentials to exfiltrating sensitive data.
The document gives businesses directions to help them select a VPN solution that adheres to industry standards and follows best practices, so as to preserve the integrity of their infrastructure.
Gateway to larger attacks
The document suggests using tested and validated VPN products that are listed on the National Information Assurance Partnership (NIAP) Product Compliant List. It also suggests looking for solutions that employ strong authentication methods like multi-factor authentication (MFA).
At the same time, the solution should be kept current with patches and updates, and the attack surface of VPN servers should be reduced by disabling non-VPN-related features.
“Exploiting remote access VPNs can become a gateway to large-scale compromise,” said Rob Joyce, Director of Cybersecurity at NSA in an email to BleepingComputer.
Parsing through the document, BleepingComputer notes that the agencies advise VPN service providers to employ strong cryptography and authentication mechanisms on their servers, to run the bare minimum number of features, and to protect and monitor access to and from the VPN.