5 strategies suggested by the NSA to improve your VPN security
The U.S. National Security Agency has noted an increase in cyberattacks targeting VPNs since the COVID-19 pandemic forced more people to work from home.
The United States National Security Agency (NSA) is warning remote workers, whose numbers have skyrocketed as a result of the COVID-19 outbreak, that Virtual Private Networks (VPNs) are increasingly becoming a target of cybercriminals. Speaking to reporters last week, NSA chief executives said telework infrastructure such as VPNs has become a focus for malicious actors, prompting the NSA to release formal advice on how to secure VPNs against cyberattacks.
Security risks due to an increase in remote work have been well documented, and TechRepublic has also made recommendations to counter these threats.
This latest set of five tips may look familiar to cybersecurity professionals and those familiar with securing remote connections, but the information bears repeating, especially with many more VPN connections in use and reports that cybersecurity is not keeping up with the work-from-home transition that quarantines have inflicted on businesses.
1. Reduce the attack surface of VPN gateways
"VPN gateways tend to be directly accessible from the Internet and are prone to network scans, brute force attacks, and zero-day vulnerabilities," the NSA publication said, recommending strict traffic filtering rules to limit the ports, protocols, and IP addresses that can reach VPNs, and the use of an intrusion prevention system in front of a VPN gateway that can monitor traffic.
2. Use only cryptographic algorithms that comply with CNSSP 15
Committee on National Security Systems Policy 15 (CNSSP 15) specifies which encryption protocols can be used on secure government systems, and if it is good enough for the NSA (at least until it replaces CNSSP 15 with CNSA in 2018), it seems to be good enough for your organization.
CNSSP 15-compliant encryption falls into two categories: encryption sufficient to protect confidential-level information (256-bit elliptic curve, SHA-256, and AES-128) and encryption sufficient to protect highly confidential information (384-bit elliptic curve, SHA-384, and AES-256).
"As the computing environment grows and new weaknesses in algorithms are identified, administrators should prepare for cryptographic flexibility: Periodically review CNSSP and NIST guidance for the latest cryptographic requirements, standards, and recommendations," the NSA said.
3. Do not use default VPN settings
Configuring a VPN can be difficult, leading many organizations to leave default settings in place, the NSA said. The NSA specifically states that administrators should avoid automated configuration tools or GUI wizards, as they can leave unwanted cryptographic suites behind, giving an attacker more avenues for a break-in.
4. Remove any unused or non-compliant cryptography suites
The particular problem here comes in the form of Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) security policies, many of which fail to comply with CNSSP 15. As stated above, automated tools often leave residual crypto settings behind after installation, leaving VPNs vulnerable to encryption downgrade attacks.
"Ensuring that only compliant ISAKMP/IKE and IPsec policies are configured and all unused or non-compliant policies are explicitly removed from the configuration mitigates this risk," the NSA said.
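As an added example (not from the NSA guidance or the original article), the Python audit below applies tips 2 and 4 together: it flags IKE policies whose algorithms fall outside the sets listed under tip 2, including policies that silently rely on a device default. The `ike-policy` line format and the sample are constructed, and mapping the 256-bit and 384-bit curves to IKE groups 19 and 20 (RFC 5903) is an assumption.

```python
import re

# Algorithm sets the article lists under tip 2. Mapping the curve sizes to
# IKE Diffie-Hellman groups 19 and 20 (RFC 5903) is an assumption made here.
ALLOWED = {
    "encryption": {"aes-128", "aes-256"},
    "hash": {"sha256", "sha384"},
    "dh-group": {"19", "20"},
}

# Constructed sample in a made-up, vendor-neutral format (not real device output).
SAMPLE_CONFIG = """\
ike-policy 10 encryption=aes-256 hash=sha384 dh-group=20
ike-policy 20 encryption=aes-128 hash=sha256 dh-group=19
ike-policy 30 encryption=3des hash=sha1 dh-group=2
ike-policy 40 encryption=aes-256 hash=sha256 dh-group=14
ike-policy 65535 encryption=des hash=md5
"""

LINE_RE = re.compile(r"^ike-policy\s+(\d+)\s+(.*)$")

def parse_policies(text):
    """Return {policy_id: {field: value}} for every ike-policy line."""
    policies = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kv = (p.split("=", 1) for p in m.group(2).lower().split() if "=" in p)
            policies[int(m.group(1))] = dict(kv)
    return policies

def audit(text):
    """Map each non-compliant policy id to the list of reasons it fails."""
    findings = {}
    for pid, fields in sorted(parse_policies(text).items()):
        reasons = []
        for field, ok in ALLOWED.items():
            value = fields.get(field)
            if value is None:
                # An unset field falls back to whatever the device defaults to.
                reasons.append(f"{field} not set (device default applies)")
            elif value not in ok:
                reasons.append(f"{field}={value} not allowed")
        if reasons:
            findings[pid] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in audit(SAMPLE_CONFIG).items():
        print(f"remove or fix ike-policy {pid}: " + "; ".join(reasons))
```

Policy 65535 in the sample stands in for a leftover wizard-generated entry: it is flagged both for its weak algorithms and for the missing group, which is the residual-settings case tips 3 and 4 describe.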
5. Keep VPNs updated
"Over the past several years, a number of vulnerabilities have been leaked related to IPsec VPNs. Many of these vulnerabilities have been mitigated by deploying vendor patches to gateways and VPN clients on a regular basis," the NSA said.
Good patching practices are a standard part of security best practices, and the same goes for VPNs: keep up with patches and subscribe to security alert emails to make sure you are aware of any recently discovered threats.