The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI, New Zealand’s Government Communications Security Bureau (GCSB), New Zealand’s Computer Emergency Response Team (CERT-NZ), and the Canadian Centre for Cyber Security (CCCS), has published a comprehensive report on modern network access security approaches. This report, released on June 18, 2024, addresses the vulnerabilities and risks associated with traditional VPN solutions and advocates for more secure alternatives.
Overview
CISA has frequently identified incidents involving the compromise of virtual private network (VPN) solutions, often exploited by cybercriminals and nation-state actors. With over 22 Known Exploited Vulnerabilities (KEVs) associated with VPNs, there is a pressing need to transition to modern network access security solutions. The increasing shift of services to the cloud further emphasizes the importance of adopting Secure Access Service Edge (SASE) over traditional on-premises security stacks. This report aims to guide organizations in enhancing their security postures by integrating more secure, cloud-based solutions that align with zero trust (ZT) principles.
Remote Access and VPN Limitations
While VPNs provide encrypted tunnels for remote access to corporate networks, they pose several security risks. The report points to weaknesses inherent in the network design, such as IP address spoofing and DNS spoofing, to the complexity of implementation and the misconfigurations that follow from it, and to third-party access and poor cyber hygiene that further expose networks. The most important limitation from a zero trust standpoint is that a traditional VPN gives a connected client a routable position on the internal network rather than access to one named application, so it lacks the per-request, per-application access control that zero trust principles require; a compromised credential or appliance therefore yields broad reach instead of a single resource.
Impact
Exploited vulnerabilities in VPN systems can lead to widespread access across enterprise networks, resulting in significant operational disruptions and data breaches. Recent examples include:
- CVE-2023-46805 and CVE-2024-21887: Affecting Ivanti Connect Secure (ICS) VPN appliances, an authentication bypass in the web component and a command injection, respectively, which attackers chained for unauthenticated command execution. They used the foothold to reverse tunnel from the ICS appliance, modify JavaScript files used by the Web SSL VPN component, and compromise credentials.
- CVE-2023-4966 (Citrix Bleed): Affecting Citrix NetScaler ADC (application delivery controller) and NetScaler Gateway appliances, this memory-disclosure vulnerability leaked valid session tokens, allowing threat actors to bypass password requirements and multifactor authentication (MFA) by hijacking legitimate user sessions and then harvesting credentials. Because a stolen token stays valid after the appliance is patched, remediation also requires terminating all active and persistent sessions.
These vulnerabilities underscore the critical need for organizations to move beyond traditional VPN solutions to more advanced, secure access technologies.
Solutions
To address these challenges, CISA recommends several modern network access security solutions:
- Zero Trust (ZT): Defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207, zero trust is a security model that requires continuous verification of user, device, and application authenticity. It enforces least privilege access and continuous reauthentication, operating under the assumption that no user or asset should be implicitly trusted.
- Secure Service Edge (SSE): A collection of cloud security capabilities that enable safe browsing, secure access to software as a service (SaaS) applications, and validation of users accessing network data. SSE integrates security and access control into a single platform, encompassing Zero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS).
- Secure Access Service Edge (SASE): A cloud architecture that combines network and security as a service capabilities, including software-defined wide area networking (SD-WAN), SWG, CASB, next-generation firewall (NGFW), and ZTNA. SASE provides comprehensive security and network management from a unified cloud-based platform.
- Hardware-Enforced Network Segmentation: Adds a layer of hardware protection to enhance defense-in-depth strategies, using technologies like unidirectional gateways and data diodes to ensure robust network segmentation.
Best Practices
To effectively transition to modern network access security solutions, CISA and its partner organizations recommend the following best practices:
- Implement Centralized Management Solutions: Centralized management lets system administrators control remote access to applications and servers, manage privileged access, and simplify network control. It matters because no VPN can be assumed secure on its own: when the access gateway itself is compromised, a central point of control is what allows defenders to revoke access quickly and limit the blast radius.
- Enforce Network Segmentation: Implement strict network segmentation, denying all connections to operational technology (OT) networks by default unless explicitly allowed. Use unidirectional technologies for the most consequential systems to ensure strong protection against cyber threats.
- Deploy Security Orchestration, Automation, and Response (SOAR): Automate the response to defined classes of security events (for example, isolating a host after a burst of failed logins) so that detection is followed by a consistent and timely action rather than a manual ticket.
- Maintain and Regularly Drill Cybersecurity Incident Response Plans: Develop, update, and regularly drill IT and OT cybersecurity incident response plans for both common and organizationally specific scenarios. Update these plans based on lessons learned from exercises and drills.
- Automate and Validate Vulnerability Scans: Conduct automated vulnerability scans on all public-facing enterprise assets, implement appropriate compensatory controls, and disable unnecessary OS applications and network protocols.
- Use Well-Tested Cybersecurity Solutions: Deploy proven cybersecurity solutions that automatically detect unsuccessful login attempts, and integrate incident detection systems so that incidents are prioritized and compromised devices are disconnected.
- Deploy security.txt Files: Ensure every public-facing web domain serves a security.txt file at /.well-known/security.txt that conforms to RFC 9116 (at minimum a Contact field and a single, unexpired Expires field) so that security researchers can report discovered weaknesses or vulnerabilities promptly.
- Regularly Back Up Critical Systems: Store backups separately from the source systems and test them on a recurring basis to ensure data recovery capabilities.
- Conduct Annual Security Training: Provide mandatory annual training on basic security concepts, such as phishing, business email compromise, and password security, for all employees and contractors.
- Implement Strong Identity and Access Management Solutions: Use phishing-resistant MFA and ensure strict identity verification for each access request.
- Adopt Hardware-Enforced Unidirectional Technologies: Use hardware-enforced unidirectional technologies to push forensic, audit, and other security data from sensitive networks to IT-based or cloud-based SOAR systems.
- Establish a SASE Adoption Roadmap: Develop a flexible SASE adoption roadmap, combining IT and business-oriented goals, and test collaboration strategies, technologies, and applications in a testing environment before full deployment.
- Implement Technical Security Measures: Use Mail Transfer Agent Strict Transport Security (MTA-STS, RFC 8461) and DNS-Based Authentication of Named Entities (DANE, RFC 7672 for SMTP) to secure mail traffic between domains. Both require the sending server to verify the receiving server's certificate instead of accepting any opportunistic TLS, so an on-path attacker cannot silently strip STARTTLS and downgrade the session to cleartext or redirect it to a server they control.
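The detection and automated-response items in the list above (automated detection of unsuccessful logins feeding a SOAR playbook that disconnects compromised devices), as an added example that is not code from the CISA report or from this page: a small Python detector run over constructed VPN gateway authentication lines. The log format, field names, thresholds, user names and addresses are all invented for illustration; a real deployment would read the appliance's syslog or the SIEM's normalized events, and the `sources_to_quarantine` output stands in for the playbook's block or re-authentication action.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up gateway format; not from any real appliance.
SAMPLE_LOG = """\
2024-06-18T10:00:01Z vpn-gw auth_fail user=alice src=198.51.100.7
2024-06-18T10:00:03Z vpn-gw auth_fail user=alice src=198.51.100.7
2024-06-18T10:00:05Z vpn-gw auth_fail user=alice src=198.51.100.7
2024-06-18T10:00:08Z vpn-gw auth_fail user=alice src=198.51.100.7
2024-06-18T10:00:10Z vpn-gw auth_fail user=alice src=198.51.100.7
2024-06-18T10:00:12Z vpn-gw auth_ok user=alice src=198.51.100.7
2024-06-18T10:05:00Z vpn-gw auth_fail user=bob src=203.0.113.9
2024-06-18T10:05:01Z vpn-gw auth_fail user=carol src=203.0.113.9
2024-06-18T10:05:02Z vpn-gw auth_fail user=dave src=203.0.113.9
2024-06-18T10:05:03Z vpn-gw auth_fail user=erin src=203.0.113.9
2024-06-18T10:30:00Z vpn-gw auth_fail user=frank src=192.0.2.33
2024-06-18T10:45:00Z vpn-gw auth_ok user=frank src=192.0.2.33
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<event>auth_fail|auth_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, event, user, src) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["src"]


def detect(text, window=timedelta(minutes=1), fail_threshold=5, spray_threshold=4):
    """Sliding-window detection keyed by source address.

    brute_force        : >= fail_threshold failures for one user from one source
    password_spray     : failures against >= spray_threshold distinct users from one source
    success_after_burst: a successful login from a source already flagged for brute force
    Returns (alert_type, src, detail) tuples in log order; each source is flagged once
    per alert type so a SOAR playbook is not re-triggered on every further failure.
    """
    alerts, flagged = [], set()
    recent = defaultdict(list)  # src -> [(ts, user)] still inside the window
    for ts, event, user, src in parse_log(text):
        if event == "auth_ok":
            if ("brute_force", src) in flagged:
                alerts.append(("success_after_burst", src, user))
            continue
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window] + [(ts, user)]
        per_user = sum(1 for _, u in recent[src] if u == user)
        distinct = len({u for _, u in recent[src]})
        if per_user >= fail_threshold and ("brute_force", src) not in flagged:
            flagged.add(("brute_force", src))
            alerts.append(("brute_force", src, user))
        if distinct >= spray_threshold and ("password_spray", src) not in flagged:
            flagged.add(("password_spray", src))
            alerts.append(("password_spray", src, distinct))
    return alerts


def sources_to_quarantine(alerts):
    """Sources a response playbook should block or force to re-authenticate."""
    return sorted({src for _, src, _ in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("quarantine:", sources_to_quarantine(found))
```

The `success_after_burst` alert is the one worth wiring to an automatic disconnect: a success that follows a burst of failures from the same source is the pattern of a guessed or sprayed password, and acting on it in seconds is what the SOAR item above is about.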
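The two published-policy items in the list above, the RFC 9116 security.txt file and the MTA-STS/DANE mail protections, as an added example that is not taken from the report or from this page: Python validators for a security.txt body, an MTA-STS policy body (RFC 8461), and the rdata of a DANE TLSA record (RFC 6698, with the SMTP usage rules of RFC 7672). The sample policies and the example.com names are constructed; the code only checks document contents and performs no HTTPS fetching or DNS lookups, which a real deployment check would add in front of these functions.

```python
import re
from datetime import datetime, timezone

# Constructed sample policies; example.com is a documentation placeholder.
SECURITY_TXT = """# served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""
MTA_STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_fields(text):
    """'Name: value' lines shared by both formats; '#' starts a comment.
    Names are folded to lower case and order is preserved."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, now=None):
    """RFC 9116 checks on a security.txt body; returns a list of problems."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = []
    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("Contact is required")
    problems += [f"Contact must be an https/mailto/tel URI: {c}" for c in contacts
                 if not re.match(r"^(https://|mailto:|tel:)", c)]
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None or exp <= now:
                problems.append("security.txt has expired")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
    # RFC 9116: any web URL in the file must use https
    problems += [f"{n} must not be a plain-http URL: {v}" for n, v in fields
                 if v.startswith("http://")]
    return problems


def check_mta_sts_policy(text):
    """RFC 8461 checks on the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields = parse_fields(text)
    single = {n: v for n, v in fields if n != "mx"}
    mx = [v for n, v in fields if n == "mx"]
    problems = []
    if single.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = single.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"mode must be enforce, testing or none: {mode!r}")
    try:
        if not 0 <= int(single.get("max_age", "")) <= 31557600:
            problems.append("max_age must be 0..31557600 seconds")
    except ValueError:
        problems.append("max_age must be an integer number of seconds")
    if mode in ("enforce", "testing") and not mx:
        problems.append("an mx pattern is required when mode is enforce or testing")
    problems += [f"invalid mx pattern: {p}" for p in mx
                 if not re.fullmatch(r"(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", p)]
    return problems


def check_tlsa(rdata):
    """Sanity-check TLSA rdata ('usage selector matching hex') published for an SMTP host;
    RFC 7672 makes PKIX usages 0/1 unusable for SMTP, only DANE-TA(2) and DANE-EE(3) count."""
    parts = rdata.split()
    if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
        return ["TLSA rdata must be: usage selector matching-type hex-data"]
    usage, selector, matching = (int(p) for p in parts[:3])
    data = parts[3].lower()
    problems = []
    if usage not in (2, 3):
        problems.append("SMTP DANE needs usage 2 (DANE-TA) or 3 (DANE-EE)")
    if selector not in (0, 1):
        problems.append("selector must be 0 (full certificate) or 1 (SubjectPublicKeyInfo)")
    expected_len = {0: None, 1: 64, 2: 128}.get(matching, -1)  # hex digits for SHA-256/512
    if expected_len == -1:
        problems.append("matching type must be 0 (exact), 1 (SHA-256) or 2 (SHA-512)")
    elif not re.fullmatch(r"[0-9a-f]+", data):
        problems.append("certificate association data must be hex")
    elif expected_len and len(data) != expected_len:
        problems.append(f"{len(data)} hex digits do not match matching type {matching}")
    return problems
```

The checks that tend to matter in practice are the ones an eyeball review misses: an Expires date that has quietly passed, an MTA-STS policy left in `mode: testing` long after the rollout, and a TLSA record whose hash length does not match its matching type.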
Conclusion
By transitioning from traditional VPN solutions to modern network access security approaches like zero trust, SSE, and SASE, organizations can significantly enhance their cybersecurity postures. These solutions offer improved security, better user experiences, and reduced complexities, aligning with zero trust principles and ensuring robust protection for critical infrastructure. Organizations are encouraged to carefully assess their security needs and adopt these best practices to mitigate risks and strengthen their defenses against cyber threats.
For more detailed information, readers are encouraged to review the full CISA report and the associated references and resources.
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, including our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact