NSA/CISA Publish Guidance on Choosing Secure VPN Solutions and Toughening Security

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released new guidanceĀ 
about choosing and enhancing the security of Virtual Private Networks (VPN) solutions.

VPN solutions enable remote workers to safely be connected to business sites. Data traffic is sent through a virtual tunnel that is encrypted to avoid the theft of sensitive information and to prohibit external attacks. Hackers like to target VPNs. Several Advanced Persistent Threat (APT) groups have already targeted the vulnerabilities in VPN solutions. APT actors were seen taking advantage of vulnerabilities in VPN solutions to get access to business sites, collect credentials, remotely implement code on the VPN devices, seize encrypted traffic sessions, and acquire sensitive information stored in the devices.

A number of common vulnerabilities and exposures (CVEs) were used to get access to the unsecured devices, such as Fortinet FortiOS SSL VPN (CVE-2018-13379), Pulse Connect Secure SSL VPN (CVE-2019-11510), and Palo Alto Networks PAN-OS (CVE_2020-2050). In certain instances, threat actors have exploited vulnerabilities in VPN solutions in just 24 hours after the patches become available.

At the beginning of this year, the NSA and CISA gave a notice that APT groups connected to the Russian Foreign Intelligence Service (SVR) had succeeded in exploiting the vulnerabilities in Fortinet and Pulse Secure VPN solutions to obtain access to the networks of American firms and government bureaus. It is believed that Chinese nation-state threat actors have taken advantage of a Pulse Connect Secure vulnerability to acquire access to the systems of the U.S. Defense Industrial Base Sector. Ransomware groups are also targeting vulnerabilities in VPNs to get preliminary access to networks to perform extortion ransomware attacks.

The guidance document is designed to assist companies in selecting safe VPN solutions from respected vendors that follow industry security specifications who have a tested reputation of remediating identified vulnerabilities immediately. The guidance advises only utilizing VPN products that are proven, validated and listed in the National Information Assurance Partnership (NIAP) Product Compliant List. It is recommended not to use Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs, because they utilize non-standard functions to tunnel traffic through TLS, which creates further exposure to risk.

The guidance document likewise gives recommendations for toughening security and lowering the attack surface, for example setting up strong cryptography and authentication, solely initiating features that are absolutely needed, safeguarding and tracking access to and from the VPN, employing multi-factor authentication, and making sure to use patches and implement updates immediately.