New CISA guideline on personal VPN

The US Cybersecurity & Infrastructure Security Agency (CISA) recently issued guidance advising "highly targeted" individuals, such as senior officials, to avoid using personal VPNs, following the "Salt Typhoon" hacks by Chinese state-sponsored attackers. The agency recommends assuming all mobile communications are at risk of interception and suggests using end-to-end encrypted messaging apps like Signal. Upgrading multi-factor authentication (MFA) to phishing-resistant methods, such as hardware security keys, is advised, along with avoiding text-message MFA and securing wireless accounts with a secondary PIN. CISA highlights the questionable security and privacy policies of many VPN providers and endorses using password managers, promptly installing software updates, and opting for newer smartphones with advanced security features. The guidance explains that personal VPNs shift risk from ISPs to potentially insecure VPN providers, and urges the adoption of more secure practices and tools to protect sensitive information.

At Srity we complement this advice by proposing a migration from traditional VPNs to Zero Trust Network Access solutions.

Do not hesitate to contact us for details about replacing your traditional VPN with a Zero Trust solution.

https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf
