The USA’s National Security Agency (NSA) has issued a cybersecurity advisory via its Cybersecurity Directorate, warning against unsecured VPNs. However, what has been skated over in most reports on this is that the warning is specifically about corporate VPNs.
In light of the home-working trend caused by the COVID-19 pandemic, corporate VPNs have been set up to give employees private, encrypted connections from their homes to corporate networks. The NSA regards this rapidly expanded remote-access infrastructure as a fresh attack vector for malicious cyber actors. A senior NSA official said:
“We certainly see adversaries focused on telework infrastructure… We’ve seen exploitation and as a result, have felt that this was a product that is particularly helpful now… administrators should implement strict traffic filtering rules to limit the ports, protocols, and IP addresses of network traffic to VPN devices.”
This warning follows two earlier NSA advisories: one on nation-state actors targeting VPN devices (October) and one on a Russian military hacking team exploiting widely used email software (May).
So, what can we learn from this? As an employee using a corporate VPN, it is imperative that your employer’s IT team has patched the VPN server and that your remote devices have the latest operating system updates. As a system administrator, meanwhile, ensure patches are deployed promptly, inbound traffic to VPN devices is filtered down to the ports, protocols and source addresses the service actually needs, VPN access is logged and monitored for anomalies, and the responsible directors know the VPN’s patch status and exposure. Regular audits of the VPN configuration and access logs would also be wise.
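The “strict traffic filtering rules” the NSA official describes boil down to a default-deny allow-list in front of the VPN device: only the VPN protocol ports from anywhere, and management ports only from an admin network. The following is an added example, not code from the NSA advisory or from any VPN vendor. It models such a policy, evaluates a few constructed flow records against it, and renders the policy as nftables-style rule lines. The device address 203.0.113.10, the admin network 198.51.100.0/24 and the sample flows are all assumed values drawn from the RFC 5737 documentation ranges; the port list assumes an IPsec/IKE plus SSL-VPN concentrator and must be adjusted to the product actually deployed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed (constructed) addresses: the VPN concentrator and the admin network
# allowed to reach its management ports. Documentation ranges, not real hosts.
VPN_DEVICE = ipaddress.ip_address("203.0.113.10")
ANYWHERE = (ipaddress.ip_network("0.0.0.0/0"),)
ADMIN_NET = (ipaddress.ip_network("198.51.100.0/24"),)


@dataclass(frozen=True)
class Rule:
    proto: str        # "udp" or "tcp"
    dport: int        # destination port on the VPN device
    sources: tuple    # ip_network objects allowed to reach it


# Hypothetical allow-list for an IPsec + SSL VPN appliance. Everything else is dropped.
# Remote workers' home addresses cannot be enumerated, so the VPN service ports
# stay open to ANYWHERE; management is what gets locked to the admin network.
POLICY = [
    Rule("udp", 500, ANYWHERE),    # IKE
    Rule("udp", 4500, ANYWHERE),   # IPsec NAT traversal
    Rule("tcp", 443, ANYWHERE),    # SSL VPN portal
    Rule("tcp", 22, ADMIN_NET),    # SSH management
    Rule("tcp", 8443, ADMIN_NET),  # web admin console
]


def allowed(flow, policy=POLICY, device=VPN_DEVICE):
    """flow = (src_ip, proto, dport, dst_ip). True only if a rule matches; default deny."""
    src, proto, dport, dst = flow
    if ipaddress.ip_address(dst) != device:
        return False  # this policy only covers traffic to the VPN device
    src_ip = ipaddress.ip_address(src)
    for rule in policy:
        if rule.proto == proto and rule.dport == dport and any(src_ip in net for net in rule.sources):
            return True
    return False


def evaluate(flows, policy=POLICY):
    """Return {flow: verdict} for a batch of flow records."""
    return {flow: allowed(flow, policy) for flow in flows}


def to_nft(policy=POLICY, device=VPN_DEVICE):
    """Render the policy as nftables rule lines for an inet filter input chain (assumed syntax)."""
    lines = []
    for rule in policy:
        for net in rule.sources:
            saddr = "" if net.prefixlen == 0 else f"ip saddr {net} "
            lines.append(f"{saddr}ip daddr {device} {rule.proto} dport {rule.dport} accept")
    lines.append(f"ip daddr {device} drop")  # explicit default deny for the device
    return lines


# Constructed sample flows: a home user, an admin host and some probes.
SAMPLE_FLOWS = [
    ("192.0.2.44", "udp", 4500, "203.0.113.10"),   # home user, IPsec NAT-T: allow
    ("192.0.2.44", "tcp", 443, "203.0.113.10"),    # home user, SSL VPN: allow
    ("192.0.2.44", "tcp", 22, "203.0.113.10"),     # home user hitting SSH: drop
    ("192.0.2.44", "tcp", 8443, "203.0.113.10"),   # home user hitting admin UI: drop
    ("198.51.100.7", "tcp", 22, "203.0.113.10"),   # admin host SSH: allow
    ("192.0.2.99", "udp", 161, "203.0.113.10"),    # SNMP probe: drop
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS).items():
        print("ALLOW" if verdict else "DROP ", flow)
    print("\n".join(to_nft()))
```

The point of rendering the rule lines is to make the default-deny explicit and reviewable: the last line drops anything to the device that no earlier line accepted, which is exactly what an audit of the firewall in front of a VPN appliance should look for. On the appliance itself, the same ports should be the only listeners exposed on the external interface.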