The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued an information sheet meant to help organizations understand the risks and considerations for selecting a virtual private network (VPN).
NSA said Tuesday that U.S. adversaries target VPN servers because they serve as entry points into protected networks, and that attackers gain access to VPN devices by exploiting publicly known vulnerabilities (CVEs).
“Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device,” the NSA notice reads.
The document offers guidance on choosing standards-based VPNs from reputable vendors and on hardening the VPN against compromise: minimizing the VPN server's attack surface by running only strictly necessary features, monitoring and safeguarding access to and from the VPN, and configuring strong authentication and cryptography.
NSA and CISA advise organizations to refer to the National Information Assurance Partnership (NIAP) Product Compliant List for validated VPNs, to ensure that products use FIPS-validated cryptographic modules, and to request and validate a product's software bill of materials (SBOM), among other recommendations.
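As an added illustration of what "request and validate a product's SBOM" can mean in practice (example code added here, not from the CISA/NSA information sheet or the article), the following Python check walks a CycloneDX-style SBOM and reports what an acquisition team would want to know before accepting a VPN appliance image: whether every component is identified (name, version, purl), whether each carries a SHA-256 hash, whether the delivered image actually hashes to what the SBOM declares, and whether any component falls below an organization-set minimum version. The SBOM, the image bytes and the minimum-version policy are all constructed for this example; a component flagged below the policy floor reflects that hypothetical policy, not any known vulnerability.

```python
"""Validate a vendor-supplied CycloneDX SBOM (JSON) before accepting a VPN appliance image.

Checks: required component fields, declared SHA-256 hashes, image hash against the
SBOM's top-level component, and a minimum-version policy. All inputs are constructed.
"""
import hashlib
import json
import re

# Constructed stand-in for the delivered appliance image (not a real firmware file).
IMAGE_BYTES = b"constructed-vpn-appliance-image-v7.2.1"
IMAGE_SHA256 = hashlib.sha256(IMAGE_BYTES).hexdigest()

# Constructed CycloneDX-style SBOM, as a vendor might supply it alongside the image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "firmware", "name": "vpn-appliance-image",
                                "version": "7.2.1",
                                "hashes": [{"alg": "SHA-256", "content": IMAGE_SHA256}]}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.9",
         "purl": "pkg:generic/openssl@3.0.9",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "libxml2", "version": "2.9.10",
         "purl": "pkg:generic/libxml2@2.9.10",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        # Deliberately incomplete entry: no purl, no hash.
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})

# Hypothetical organizational policy: minimum acceptable version per component name.
MIN_VERSIONS = {"openssl": "3.0.0", "libxml2": "2.10.0"}


def parse_version(v):
    """Split '2.9.10' -> (2, 9, 10); non-numeric parts become 0 so comparisons never raise."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def sha256_hash_of(entry):
    """Return the declared SHA-256 digest (lowercase hex) of a component, or None if absent."""
    for h in entry.get("hashes", []):
        if h.get("alg") == "SHA-256" and re.fullmatch(r"[0-9a-fA-F]{64}", h.get("content", "")):
            return h["content"].lower()
    return None


def validate_sbom(sbom_json, min_versions):
    """Return a list of findings; an empty list means the SBOM passes every check."""
    sbom = json.loads(sbom_json)
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    for c in sbom.get("components", []):
        name = c.get("name", "<unnamed>")
        for field in ("name", "version", "purl"):
            if not c.get(field):
                findings.append(f"{name}: missing {field}")
        if sha256_hash_of(c) is None:
            findings.append(f"{name}: no SHA-256 hash declared")
        floor = min_versions.get(name)
        if floor and c.get("version") and parse_version(c["version"]) < parse_version(floor):
            findings.append(f"{name}: version {c['version']} below policy minimum {floor}")
    return findings


def image_matches_sbom(sbom_json, image_bytes):
    """True iff the delivered image hashes to the SHA-256 the SBOM's top-level component declares."""
    top = json.loads(sbom_json).get("metadata", {}).get("component", {})
    declared = sha256_hash_of(top)
    return declared is not None and declared == hashlib.sha256(image_bytes).hexdigest()


if __name__ == "__main__":
    for finding in validate_sbom(SAMPLE_SBOM, MIN_VERSIONS):
        print("FINDING:", finding)
    print("image matches SBOM:", image_matches_sbom(SAMPLE_SBOM, IMAGE_BYTES))
```

Run against the constructed sample, the check flags the hash-less, purl-less zlib entry and the libxml2 version below the hypothetical floor, and confirms the image hash; altering a single byte of the image turns that last check false. The per-component hashes (`"a" * 64`, `"b" * 64`) are placeholders: in a real review each would be compared against the digest of the extracted library, and the policy floor would come from the organization's own vulnerability-management data rather than a hard-coded dictionary.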
ExecutiveBiz, sister site of GovConDaily and part of the Executive Mosaic digital media umbrella, will host a virtual event about securing the supply chain on Oct. 26th. Visit ExecutiveBiz.com to sign up for the “Supply Chain Cybersecurity: Revelations and Innovations” event.