This week the National Security Agency will offer general guidance on virtual private network security practices as companies begin to adjust to the telework boom after the advent of the coronavirus pandemic.
According to a senior intelligence officer who spoke to reporters on the background, the advisory will come in two parts: an overview for executives that offers "timely and easily understandable" recommendations for security-enhancing VPNs to perform safe telework, and a more comprehensive technical document that provides signatures for network administrators to monitor vulnerabilities in their VPN infrastructure.
"Over the last 5-10 years, network owners, companies, and agencies had made a lot of progress in hardening network security, and then when COVID hit, we all essentially left that environment and moved to a telework environment that in some cases existed before but was used one-off, not at the scale, scope and constancy it's used now,” the official said.
The advisory is the Agency's new attempt to better connect with federal and private sector stakeholders.
A previous NSA advisory released in May on an emerging weakness in Exim Mail Transfer Agent software resulted in a measurable uptick in patch rates for the bug. It contributed to useful follow-up analysis of Russian cyber capabilities by private threat intelligence firms.
Since the advent of the pandemic, VPNs have become a focal point for agencies' cybersecurity issues, with many feds using the software to log into their work systems remotely. However, such devices can also be vulnerable to attack or compromise, mainly when employees log on from unsafe home networks.
In May, the Cyber Security and Infrastructure Security Agency issued its guidance urging organizations to keep their VPNs up-to-date, introduce multi-factor authentication, improve log reviews, identify threats, respond to incidents and recoveries, and prepare their employees for a surge in phishing attacks. The Government Accountability Office is also reviewing how federal agencies have adopted telework technology, with officials suggesting that VPN security would be one of their main concerns.
The need for safe connections is even greater for organizations such as the NSA that manage classified information daily. The Organization has "certainly seeing both criminals and nation-states targeting that telework infrastructure" since the start of the pandemic. Still, it can be difficult to quantify whether and how much this crime has escalated across various threat categories.
Another program called Commercial Solutions for Classified Systems configures commercially available software to enable workers to perform classified work remotely on their laptops and phones up to Secret Stage. The software predates the virus and has usually been used for "late-night calls" relating to sensitive information. Still, in the past few months, the NSA and the Defense Information Systems Agency have sought to scale up to thousands of employees and computers around the Department of Defense components.
Like other organizations, sending their workers home during the crisis has also taught the NSA leadership that many of its employees can do their jobs remotely without compromising productivity or security. The Department has undertaken various telework use cases led by the Cyber Security Directorate, and experience has opened the eyes to the advantages of providing more flexibility to workers outside the pandemic.
"I think all of us have learned…that when missions can be done remotely, [even unclassified], you can achieve a better work-life balance for our folks," the official said.