DHS Urges VPN Cybersecurity Best Practices in Light of COVID-19

Organizations must heighten VPN cybersecurity best practices, as hackers ramp up targeting of these vulnerable connections during the COVID-19 (Coronavirus) pandemic, DHS warns.

Given the increase in remote work due to the Coronavirus disease, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to adopt heightened cybersecurity best practices for enterprise virtual private network (VPN) solutions.

VPNs provide secure remote access to internal networks and are often used in healthcare to remotely and securely connect to an organization’s network to easily access and electronically share health data.

However, a variety of VPN applications from Palo Alto Networks and others have vulnerabilities that could allow a hacker to take control of affected systems. Some patches have been released, but organizations should be sure they’ve updated to the latest system or employed workarounds.

Hackers have been targeting the VPN vulnerabilities in the US, UK, and other countries since the initial alert. Those attacks have continued through January, but many organizations have still failed to patch those known vulnerabilities.

Recent measures implemented by the Department of Health and Human Services and the Office for Civil Rights have expanded the use of telehealth. Combined with the increase in remote work, CISA is also warning organizations that hackers are finding and targeting vulnerable VPN connections with malicious cyberattacks.

Further, because VPNs are likely always in use, it’s not always possible to keep them updated with the latest security updates.

As a result, cybercriminals will likely increase the rate of phishing emails targeting teleworkers to steal credentials. And those organizations that have not implemented multi-factor authentication (MFA) for remote access will be more susceptible to phishing attacks.

“Organizations may have a limited number of VPN connections, after which point no other employee can telework,” CISA wrote. “With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.”

In response, organizations should update VPNs, network devices, and other devices being used in the remote environment with the latest software patches and security configurations. Employees should be made aware of the heightened risk of phishing attacks during the pandemic, as well.

IT security leaders must be prepared for the increased need for cybersecurity in light of remote access needs, including log review, detection and monitoring, and incident response and recovery. Organizations should lean on NIST guidance to ensure they’re reducing exposure.

CISA also recommends organizations implement MFA on all VPN connections, which Microsoft found blocks 99.9 percent of all automated cyberattacks. If MFA is not currently in use, employees must use strong passwords.

Lastly, organizations must make sure their IT staff test the limits of their VPN to ensure it can handle the increased traffic. Modifications may need to be implemented, like rate limiting, to prioritize users that may require higher bandwidths.

David Wolpoff, chief technology officer and co-founder of Randori, told HealthITSecurity.com that organizations should also be sure to segment their networks, employ the standard of least privilege, and constantly monitor their network.

In that way, a hacker can’t move laterally throughout a network or access everything if they manage to get through the VPN connection. Wolpoff noted that the VPN should not be able to talk to every device, such as backend databases or infrastructure.

Further, IT teams should be prepared to look out for suspicious traffic and investigate those incidents. Ideally, someone would be tasked with monitoring alerts or suspicious activity. And if the VPN is talking to a device it shouldn’t, it should be immediately investigated.
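One way to implement the monitoring described above, as an added example that is not from the article, CISA, or Randori: flag any flow from a VPN client address to a destination outside the small set the VPN segment is meant to reach. The VPN pool, allowlist, log format and sample records are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed network layout (constructed for this example).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # addresses handed to VPN clients
ALLOWED = [                                      # what the VPN landing zone may reach
    (ipaddress.ip_network("10.20.0.0/24"), {443}),        # internal web apps
    (ipaddress.ip_network("10.20.1.10/32"), {22, 3389}),  # jump host
]

# Constructed sample flow records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2020-03-16T09:01:12Z 10.99.0.14 10.20.0.5 443 ALLOW
2020-03-16T09:01:40Z 10.99.0.14 10.30.5.8 5432 ALLOW
2020-03-16T09:02:03Z 10.99.0.27 10.20.1.10 22 ALLOW
2020-03-16T09:02:15Z 10.99.0.27 10.30.5.8 5432 DENY
2020-03-16T09:02:31Z 10.50.1.9 10.30.5.8 5432 ALLOW
2020-03-16T09:03:00Z 10.99.0.14 10.20.0.5 22 ALLOW
garbled line
"""

def is_permitted(dst, dport):
    """True if the destination/port pair is on the VPN allowlist."""
    return any(dst in net and dport in ports for net, ports in ALLOWED)

def find_violations(log_text):
    """Return flows from VPN clients to destinations outside the allowlist."""
    violations = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparseable addresses or ports
        if src_ip in VPN_POOL and not is_permitted(dst_ip, port):
            # ALLOW: a segmentation rule is missing. DENY: the rule held,
            # but the client still tried, which is worth investigating.
            severity = "rule-gap" if action == "ALLOW" else "blocked-attempt"
            violations.append((ts, src, dst, port, severity))
    return violations

def summarize(violations):
    """Count violations per (VPN client, severity) for triage."""
    return Counter((src, sev) for _, src, _, _, sev in violations)
```

A "rule-gap" result means the firewall let the VPN reach something it should not, so the fix is a segmentation change as well as an investigation of the client.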

“Don’t let users or systems have more access than they need. [For example,] your marketer most likely doesn’t need access to your infrastructure,” Wolpoff said. “Ensure you’ve put these rules in place. Your VPN should land into a ‘DMZ’ that lets users have the minimum access.”

“Considering many organizations are asking employees to telecommute, hackers will likely prioritize breaking into VPNs,” he concluded. “Patching known bugs is step one (and absolutely critical), but it’s not enough. There are unpatchable weaknesses and non-public issues that hackers can exploit. To secure against these unknowns, companies need to look at the fundamentals.”
