The National Security Agency and the Cybersecurity and Infrastructure Security Agency recommended on Tuesday that companies choosing a virtual private network avoid non-standard VPN solutions, carefully read vendor documentation, check that a product supports strong credentials and protocols, and disable those that are weak.
These were among the recommendations of the two agencies in an information sheet, Selecting and Hardening Remote Access VPN Solutions, to manage security risks associated with the use of VPNs.
"VPN servers are gateways to secure networks, making them attractive targets," the agencies said in a statement. "Several national statistics' advanced persistent threat actors have armed common vulnerabilities and exposures to gain access to vulnerable VPN devices." Utilizing these exposures "may allow a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic cryptography, hijack encrypted traffic sessions, and read sensitive data from the device," it said.
"If successful, these effects usually lead to additional malicious access and may result in large-scale compromises with corporate networks."