In recent years, there has been an uptick in concern regarding cyberattacks by nation-state actors, particularly from countries like China, Russia, Iran, and North Korea. In part, this comes down to heightened international tensions between these countries and the U.S. However, it’s also driven by the reality of attempted and successful large-scale attacks by these entities against critical infrastructure, governmental structures, and companies/technologies that form part of the federal supply chain.
According to the NSA (National Security Agency) and CISA (Cybersecurity and Infrastructure Security Agency), unsecured VPNs are a critical weak point in many of these systems and an attractive point of entry for attackers. In fact, an old VPN password was one of the key factors in the Colonial Pipeline hack, while unpatched SSL-VPNs led to the credentials of over 87,000 Fortinet customers being stolen.
By gaining unauthorized access to a VPN, attackers can quickly move laterally throughout “protected” parts of the network, or establish an APT (Advanced Persistent Threat) foothold, entrenching themselves deeply within connected systems and lying in wait for the most opportune moment to strike.
The irony is that VPNs are meant to provide secure connections for users to remotely connect to a corporate network. They are typically used to enable secure access to services such as email portals, collaboration tools, and sensitive document repositories under the protections of perimeter firewalls and gateways. With remote work on the rise, the role of VPNs is more important than ever.
According to an advisory published by the NSA and CISA, exploiting CVEs associated with VPNs can allow a malicious actor “to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions and read sensitive data from the device.”
How can you secure your business VPNs?
To combat this threat, the NSA and CISA jointly issued guidance on Selecting and Hardening Remote Access VPNs on 28 September 2021. Part of this guidance is a Cybersecurity Information Sheet detailing factors to consider when choosing a virtual private network (VPN) and top configurations for deploying it securely.
The aim is to help all stakeholders, including leaders in the Department of Defense, National Security Systems and the Defense Industrial Base, better understand the risks associated with VPNs and how to counteract them.
While you should study the entire sheet for an in-depth explanation, here are the key takeaways on how to select a secure VPN service:
- Avoid non-standard VPN solutions, including Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs.
- Study vendor documentation to ensure potential products support IKE/IPsec VPNs.
- If you’re unable to establish an IKE/IPsec VPN, identify whether the product uses SSL/TLS in a proprietary or non-standards-based VPN protocol.
- Determine whether the product supports strong authentication credentials and protocols, and whether it disables weak credentials and protocols by default. Regardless, you should impose strong credential practices and follow best practices such as SSO and MFA.
- Research and select a vendor with a proven track record of supporting products via regular software updates and quickly remediating known vulnerabilities.
You can refer to the National Information Assurance Partnership (NIAP) Product Compliant List (PCL) for validated VPNs.
The advisory asserts that, in general, the best approach to hardening a VPN's security is to reduce the total attack surface. In broad strokes, this can be achieved by following these three guidelines:
- Configure strong cryptography and authentication; don’t rely solely on default settings to be 100% secure in your networks.
- Run only strictly necessary features, deactivating underutilized or unused features that could contribute to the attack surface.
- Protect and monitor access to and from the VPN.
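The first guideline, configuring strong cryptography rather than trusting defaults, is something you can check mechanically. The following is an added example, not code from the NSA/CISA sheet or from any VPN vendor: it audits an IKE/IPsec proposal list written in the strongSwan-style "encryption-integrity-dhgroup" syntax and flags primitives a hardening review would reject. The weak-algorithm lists and the two sample proposal strings are this example's own assumptions, chosen from widely deprecated primitives; the advisory itself does not enumerate algorithms. The key point it demonstrates is that a peer negotiates from everything you offer, so one weak proposal left in a list next to a strong one still matters.

```python
"""Audit IKE/IPsec proposal strings for weak algorithms.

Added example, not part of the NSA/CISA guidance or any vendor's tooling.
Proposal syntax follows the strongSwan style "enc-integ-dh", several
proposals joined by ','. The weak lists below are this example's
assumptions (deprecated primitives), not lists taken from the advisory.
"""
import re
from typing import Dict, List

# Assumed: algorithms a hardening review would flag outright.
WEAK_ENCRYPTION = {"des", "3des", "null", "blowfish", "blowfish128", "cast128"}
WEAK_INTEGRITY = {"md5", "sha1", "sha1_160"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}

DH_RE = re.compile(r"^(modp\d+|ecp\d+(bp)?|curve25519|x25519)$")
ENC_RE = re.compile(
    r"^(aes\d+(gcm|ccm)\d*|aes\d+|chacha20poly1305|3des|des|null"
    r"|blowfish\d*|camellia\d+|cast128)$"
)
# AEAD ciphers carry their own integrity; a missing integrity token is fine for them.
AEAD_RE = re.compile(r"^(aes\d+(gcm|ccm)\d*|chacha20poly1305)$")


def parse_proposal(proposal: str) -> Dict[str, str]:
    """Split e.g. 'aes256gcm16-prfsha384-ecp384' into its three roles."""
    result = {"encryption": None, "integrity": None, "dh": None}
    for token in proposal.lower().split("-"):
        if DH_RE.match(token):
            result["dh"] = token
        elif ENC_RE.match(token) and result["encryption"] is None:
            result["encryption"] = token
        else:
            # strongSwan names the PRF for AEAD proposals as "prfsha384"; strip the prefix.
            result["integrity"] = token[3:] if token.startswith("prf") else token
    return result


def audit_proposal(proposal: str) -> List[str]:
    """Return findings for one proposal; an empty list means nothing flagged."""
    p = parse_proposal(proposal)
    findings = []
    enc = p["encryption"]
    if enc is None:
        findings.append("no encryption algorithm recognised")
    elif enc in WEAK_ENCRYPTION:
        findings.append(f"weak encryption: {enc}")
    if p["integrity"] in WEAK_INTEGRITY:
        findings.append(f"weak integrity: {p['integrity']}")
    if p["integrity"] is None and not (enc and AEAD_RE.match(enc)):
        findings.append("no integrity algorithm (non-AEAD cipher)")
    if p["dh"] is None:
        findings.append("no DH group (for ESP this means no perfect forward secrecy)")
    elif p["dh"] in WEAK_DH:
        findings.append(f"weak DH group: {p['dh']}")
    return findings


def audit_config(proposals: str) -> Dict[str, List[str]]:
    """Audit every proposal in a comma-separated list, keyed by proposal."""
    return {prop: audit_proposal(prop) for prop in proposals.split(",") if prop}


def has_weak_proposal(proposals: str) -> bool:
    """True if *any* offered proposal has a finding: the peer may pick that one."""
    return any(audit_config(proposals).values())


# Constructed sample values (not from the page): a legacy list that still
# offers 3DES/MD5/group 2 alongside a sound proposal, beside a hardened list.
LEGACY_IKE_PROPOSALS = "aes256-sha256-modp2048,3des-md5-modp1024"
HARDENED_IKE_PROPOSALS = "aes256gcm16-prfsha384-ecp384"

if __name__ == "__main__":
    for name, props in (("legacy", LEGACY_IKE_PROPOSALS), ("hardened", HARDENED_IKE_PROPOSALS)):
        print(name, "weak" if has_weak_proposal(props) else "ok", audit_config(props))
```

Run the script as-is to see the legacy list flagged on its second proposal only, which is exactly the case a glance at the first proposal would miss. Adapting it to another appliance's syntax means changing the regular expressions, not the logic.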
Of course, the document also re-emphasizes other common-sense best practices and the importance of implementing proper security hygiene. This includes promptly patching any vulnerabilities or applying workarounds, restricting port/protocol access or creating an allowlist, and deploying intrusion prevention systems, WAFs (Web Application Firewalls), and other dedicated security measures.
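Two of the measures above, an access allowlist and monitoring of access to the VPN, combine naturally in a small detection that runs over the VPN's authentication log. The following is an added example and not code from the advisory or from any VPN product: the log format, the sample lines, the allowlisted source networks (RFC 5737 documentation ranges) and the failure threshold are all constructed for this example. It raises an alert when a login arrives from a source outside the allowlist, when one source accumulates repeated failures inside a sliding window, and when a success follows such a run of failures, which is the pattern a guessed or reused VPN password leaves behind.

```python
"""Check VPN authentication events against an allowlist and a failure threshold.

Added example, not the page's or any vendor's code. The log format, sample
lines and policy values are constructed for this example; a real appliance
has its own format, so only LINE_RE would need to change.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed log format: "<ISO timestamp> vpn auth user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Assumed policy for this example: two documentation ranges are the allowlist.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
FAILURE_THRESHOLD = 5          # failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample log: one clean login, one mistyped-then-correct password,
# and one source outside the allowlist that guesses its way to success.
SAMPLE_LOG = """\
2021-10-01T08:00:01 vpn auth user=alice src=203.0.113.10 result=ok
2021-10-01T08:01:00 vpn auth user=bob src=198.51.100.7 result=fail
2021-10-01T08:01:05 vpn auth user=bob src=198.51.100.7 result=ok
2021-10-01T08:02:00 vpn auth user=admin src=192.0.2.55 result=fail
2021-10-01T08:02:10 vpn auth user=admin src=192.0.2.55 result=fail
2021-10-01T08:02:20 vpn auth user=admin src=192.0.2.55 result=fail
2021-10-01T08:02:30 vpn auth user=admin src=192.0.2.55 result=fail
2021-10-01T08:02:40 vpn auth user=admin src=192.0.2.55 result=fail
2021-10-01T08:02:50 vpn auth user=admin src=192.0.2.55 result=ok
"""


def parse_events(text: str) -> List[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    return events


def source_allowed(addr) -> bool:
    """True if the address falls inside any allowlisted network."""
    return any(addr in net for net in ALLOWED_SOURCES)


def analyse(text: str) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, user, src) tuples in log order, one alert per kind per source."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of failures still inside WINDOW
    flagged_sources = set()
    flagged_bruteforce = set()
    for e in parse_events(text):
        src = str(e["src"])
        if not source_allowed(e["src"]) and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append(("source_not_allowlisted", e["user"], src))
        # Slide the window: drop failures older than WINDOW before counting.
        window_start = e["ts"] - WINDOW
        failures[src] = [t for t in failures[src] if t >= window_start]
        if e["result"] == "fail":
            failures[src].append(e["ts"])
            if len(failures[src]) >= FAILURE_THRESHOLD and src not in flagged_bruteforce:
                flagged_bruteforce.add(src)
                alerts.append(("repeated_failures", e["user"], src))
        elif len(failures[src]) >= FAILURE_THRESHOLD:
            # A success right after a burst of failures deserves its own alert.
            alerts.append(("success_after_failures", e["user"], src))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

Bob's single typo stays below the threshold and produces nothing, while the admin login from 192.0.2.55 produces all three alerts. In practice the allowlist check is the cheaper control: an appliance that only accepts the listed source ranges never sees the guessing attempts in the first place, and the log monitor then catches what the allowlist cannot express.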