The National Security Agency (NSA) has issued a new cybersecurity advisory warning that virtual private networks (VPNs) could be vulnerable to attacks if not properly secured. The agency's warning comes amid a surge in remote work as organizations adapt to coronavirus-related office closures and other constraints.

"Many organizations currently utilize IP Security (IPsec) Virtual Private Networks (VPNs) to connect remote sites and enable telework capabilities. These connections use cryptography to protect sensitive information that traverses untrusted networks. To protect this traffic and ensure data confidentiality, it is critical that these VPNs use strong cryptography. This guidance identifies common VPN misconfigurations and vulnerabilities," says the NSA. 

According to the NSA, to maintain a secure VPN, network administrators should perform the following tasks on a regular basis:

1. Reduce the VPN gateway attack surface
2. Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
3. Avoid using default VPN settings
4. Remove unused or non-compliant cryptography suites
5. Apply vendor-provided updates (i.e. patches) for VPN gateways and clients 

Fausto Oliveira, Principal Security Architect at Acceptto, a Portland, Oregon-based provider of Continuous Behavioral Authentication, says. “Like all security controls, VPNs by themselves are not a panacea and if poorly configured or managed, VPNs can become a threat surface. The best approach is to think that all of your security controls can be breached and as such perform a risk analysis of what an attacker can do if he is able to breach your VPN."

"Without a comprehensive strategy that includes aggressive patching, Multi-Factor Authentication (MFA) and network traffic control, attackers can easily gain a foothold inside the organization using what is believed (erroneously) to be a secure channel. Organizations that do not adopt change management that allows for aggressive patching sometimes argue that the cost of patching is greater than the risk," Oliveira explains. "The same argument has been used to defer the adoption of MFA and keep passwords as the default authentication mechanism for VPNs. In reality, year over year attackers have proven that this mindset is erroneous and cost organizations millions of dollars. There is a need for this mentality to change."

Oliveira adds, "Passwords and outdated change management processes need to go away and be replaced with authentication mechanisms that address the new threat landscape and change management processes that are agile and cater for the change of pace caused by the ever evolving threat landscape. To do otherwise is to undermine the value of the organization for their stakeholders, waste unnecessary resources solving breaches and incurring financial and reputational damages unnecessarily.”