The National Security Agency (NSA) has issued an advisory warning organizations that virtual private networks (VPNs) are vulnerable to attacks if not properly secured. Specifically, the advisory notes VPNs are “prone to network scanning, brute force attacks, and zero-day vulnerabilities.”
The NSA advisory doesn’t call for replacing VPNs, but it does advise network administrators to implement strict traffic filtering rules to limit the ports, protocols, and IP addresses of network traffic to VPN devices.
VPNs have been employed by organizations to provide an encrypted tunnel through which remote users can access servers. In the wake of the COVID-19 pandemic, organizations are relying on VPNs more than ever to enable employees to work from home. The trouble is that from a cybersecurity perspective there are known VPN issues. Cybercriminals can use stolen credentials to connect to the VPN and change configuration settings or connect or access additional infrastructure. Vulnerabilities also exist in VPNs that rely on secure socket layer (SSL) protocols through which cybercriminals can retrieve arbitrary files, including those containing authentication credentials, or exploit administrator privileges to embed malware that can be activated at a later time.
The NSA advisory reminds organizations to:
- Reduce the VPN gateway attack surface
- Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
- Avoid using default VPN settings
- Remove unused or non-compliant cryptography suites
- Apply vendor-provided updates (i.e. patches) for VPN gateways and clients
A recent survey of 519 IT professionals finds that during the pandemic about a third of respondents (30%) said they experienced VPN issues. In the wake of the pandemic, many organizations are revaluating their entire approach remote access. Rather than relying on VPNs, many organizations are evaluating software-defined wide area networks (SD-WANs) that are accessed via software-defined perimeter (SDP) software remotely installed on endpoints. The SD-WAN, accessed either via a service or through a gateway deployed by an internal IT team, ideally should include a built-in firewall.
The goal is to create a true zero-trust network environment. Rather than relying on traditional passwords, SDP software makes it possible to assign identities to specific users in a way that reduces the likelihood credentials will be stolen.
Interest in zero-trust architectures was on the rise prior to the pandemic. Like many emerging technology trends, the pandemic may simply accelerate the rate at which organizations make that transition.
Cyberattacks aimed at end users working from home are on the rise. It’s only a matter of time before organizations reevaluate their approach to endpoint security. The rate at which that transition will occur will depend heavily on both budget dollars and the expertise available to implement a zero-trust architecture.
In the meantime, cybersecurity teams need to be wary of complacency. Many have done a terrific job responding to the initial emergency. However, now that it appears that working from home more often is the new normal, it’s also apparent that cybersecurity as organizations once knew it will never be the same again.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.