Every few weeks now, a government agency issues new advice on securing the VPN you and your organization use for secure communication.
During July 2019, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about VPNs.
The alert said hackers were aware of VPN vulnerabilities and actively exploiting them to launch remote code execution (RCE) attacks and to intercept or hijack encrypted traffic sessions. CISA singled out the following VPNs:
That was followed by guidance from the Canadian Centre for Cyber Security on mitigating vulnerabilities in VPNs.
Now, another government agency is sharing advice with the world. In this case, the insights are coming from the super secretive National Security Agency.
The NSA is following up on what the other agencies advise and taking it to the next step: what should you do if you use a VPN service that becomes compromised?
How do you restore secure encryption that a VPN is supposed to offer?
The National Security Agency says restoring confidence in your VPN product looks like this:
The NSA also offers a number of VPN hardening strategies and steps in its special advisory. Some are quite technical, and you can see them all here.
Some of the less technical suggestions for hardening VPNs include using multi-factor authentication, so that attackers cannot authenticate with compromised passwords alone, and enabling logging to record and track VPN user activity, including authentication and access attempts, configuration changes, and network traffic metadata.
The advisory also suggests deploying a web application firewall (WAF) in front of the VPN web application to detect and block web application attacks, such as specially crafted HTTP requests containing malformed strings that exploit VPN vulnerabilities.
It further recommends disabling services (e.g. file share services) that could be leveraged for post-compromise activities such as lateral movement, data exfiltration, and command and control.
Finally, it calls for constantly analyzing log activity, subscribing to vendor patch alerts, and patching any vulnerabilities immediately.
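As an added illustration of the logging and log-analysis advice above (example code written for this article, not anything from the NSA advisory), the script below parses constructed VPN log lines in a hypothetical syslog-style format and flags failed-authentication bursts from one source, a subsequent successful login from that source, and changes to authentication settings. The log format, thresholds and field names are assumptions, not any vendor's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical syslog-style VPN format (not any vendor's real format).
SAMPLE_LOG = """\
2019-10-08T02:14:01Z vpn01 auth: result=FAIL user=jsmith src=203.0.113.7
2019-10-08T02:14:03Z vpn01 auth: result=FAIL user=admin src=203.0.113.7
2019-10-08T02:14:05Z vpn01 auth: result=FAIL user=root src=203.0.113.7
2019-10-08T02:14:06Z vpn01 auth: result=FAIL user=test src=203.0.113.7
2019-10-08T02:14:08Z vpn01 auth: result=FAIL user=guest src=203.0.113.7
2019-10-08T02:14:11Z vpn01 auth: result=OK user=svc-backup src=203.0.113.7
2019-10-08T02:15:40Z vpn01 config: user=svc-backup action=modify item=auth.mfa value=disabled
2019-10-08T09:00:12Z vpn01 auth: result=OK user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|config): (?P<fields>.*)$")

def parse_line(line):
    """Return the line's fields as a dict (timestamp parsed), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"], "kind": m["kind"]}
    rec.update(kv.split("=", 1) for kv in m["fields"].split())  # remaining key=value pairs
    return rec

def analyze(log_text, max_failures=4, window=timedelta(minutes=5)):
    """Flag: a source exceeding max_failures failed logins inside one sliding window,
    a later successful login from that source, and any change to an auth.* setting."""
    findings, burst_sources = [], set()
    failures = defaultdict(list)  # src -> timestamps of recent FAIL results
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these too
        if rec["kind"] == "auth":
            src = rec["src"]
            if rec["result"] == "FAIL":
                recent = [t for t in failures[src] if rec["ts"] - t <= window] + [rec["ts"]]
                failures[src] = recent
                if len(recent) > max_failures and src not in burst_sources:
                    burst_sources.add(src)
                    findings.append(("auth_burst", src, len(recent)))
            elif src in burst_sources:
                findings.append(("success_after_burst", src, rec["user"]))
        elif rec["kind"] == "config" and rec.get("item", "").startswith("auth."):
            findings.append(("auth_config_change", rec["user"], rec["item"]))
    return findings
```

Running `analyze(SAMPLE_LOG)` on the constructed log yields three findings: the five-failure burst from 203.0.113.7, the successful login from that same source right after it, and the change that disables MFA.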
That urgency matters because, as the NSA notes in its advisory, exploitation methods become readily and publicly available. That was the case for the most recent vulnerabilities:
"Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."