Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
CISA and NSA Issue Guidance on Selecting and Hardening VPNs
September 29, 2021
On September 28, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs).
Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors.
Exploitation of these devices can enable:
- Credential harvesting
- Remote code execution on the VPN device
- Cryptographic weakening of encrypted traffic sessions
- Hijacking of encrypted traffic sessions
- Arbitrary reads of sensitive data (e.g., configurations, credentials, keys) from the device
The information sheet helps organizations select standards-based (rather than proprietary) VPN solutions and provides hardening guidance to prevent compromise and to respond to attacks.
CISA encourages organizations to review and adopt recommendations in the information sheet to reduce risk.
Not the easiest of reads for those not technologically inclined, but worthy of study and consultation with your IT/cybersecurity provider.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology