NSA, CISA share guidelines for securing VPNs as hacking groups keep busy

"VPN servers are entry points into protected networks, making them attractive targets," said an NSA official.

Cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices, the National Security Agency and the Department of Homeland Security’s cyber wing on Tuesday published guidelines for securing VPNs.

While the advice is broad, the NSA and DHS’ Cybersecurity and Infrastructure Security Agency specifically said it would help protect the Defense Department, national security systems and defense contractors against such advanced persistent threat groups, a term that typically refers to state-sponsored hacking groups. The NSA has specifically warned in the past about Chinese hackers exploiting VPN vulnerabilities, as has CISA, but the history of advanced groups seizing on VPN vulnerabilities is far broader and lengthier.

“VPN servers are entry points into protected networks, making them attractive targets,” Rob Joyce, director of cybersecurity at the NSA, said on Twitter. “APT actors have and will exploit VPNs.”

In one case, the FBI warned in May about hackers leveraging VPN technology made by Fortinet to target a municipal government. VPN technology typically promises a secure connection to a protected server, meaning many subjects may be operating with an inflated sense of security.


The NSA said there are many dangers in failing to fortify VPNs against attacks from groups that exploit publicly disclosed security flaws listed in the Common Vulnerabilities and Exposures (CVE) database.

“Exploitation of these CVEs can enable a malicious actor to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions, and read sensitive data from the device,” an NSA news release explained. “If successful, these effects usually lead to further malicious access and could result in a large-scale compromise to the corporate network.”

The guidance continues as the NSA and CISA focus on recommending defenses against threats to federal agency employees, especially since the COVID-19 pandemic accelerated vulnerabilities as federal agency personnel shifted toward working from home. That work-from-home trend is set to continue.

It also reflects the latest NSA guidelines on protecting VPNs.

The latest recommendations include selecting VPNs from reputable vendors, patching known vulnerabilities and running features that are “only strictly necessary.”
