A concept like regulation and compliance has a lot more facets to it than most people realize. Even though it is supposed to be universal in nature, everyone’s interpretation of the concept seems to vary by some degree at the least. Now, it’s more about how your organization is set-up and what kind of compliance obligations you have to deal with, but at the same time, our perception of compliance is also hugely influenced by external forces. For instance, the reputation of compliance industry in the olden times wasn’t necessarily positive amongst the companies due to its lack of consideration for their operations. Nevertheless, this changed big time after technology entered the fold. On a granular level, this change of heart was orchestrated by many things, but mainly it was being able to use compliance tools for adding value to your business that did the job, except all of it came at an expense. The inclusion of technology brought its vulnerabilities with it, and that alone laid the foundations for many problems along the way. It’s hard to quantify the level on which these problems affected the companies, but if we have to take a reference point, the fact that regulators had to foray into cybersecurity compliance conveys the picture sufficiently. Lately, however, our efforts for securing the cyberspace have faced bigger questions than ever before. As a result of it, the regulatory bodies are now extensively focusing on this frontier, and they have just made another step towards making it better.
NSA along with Cybersecurity and Infrastructure Security Agency (CISA) have recently issued fresh guidelines for VPN technology, as the authorities ramp up their attention to helping companies in becoming more cyber resilient. The Cybersecurity Information Sheet presents the companies with concrete methods through which they can secure their VPNs, thus reducing the potential surface for attack.
Using loopholes-ridden VPNs has long been observed as a dangerously easy way to steal credentials, execute arbitrary code remotely on devices, and weaken or hijack the encrypted communications. However, with concern about digital space’s reliability growing by the second, the need to fix this issue has never looked greater.
“These effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well,” the agencies claimed in their statement.
To mitigate these vulnerabilities, the regulatory advice is to enlist standards-based (IKE/ IPSec) VPNs from vendors that are well-established as the facilitators of a secure experience and also mandate the use of strong authentication credentials. Apart from that, the companies were also encouraged to keep an eye on the access to and from their VPN. This can, of course, be done through intrusion prevention (IPS), web application firewalls (WAFs), network segmentation, and remote, as well as local logging.
The cybersecurity crisis has sent out a much-needed wakeup call to everyone, hence if we are to take away something positive from it, let it be a lesson of better protecting our tech systems.