Privacy Ninja

NSA Releases Guidance On Securing IPSec Virtual Private Networks

The US National Security Agency (NSA) has published guidance on how to properly secure IP Security (IPsec) Virtual Private Networks (VPNs) against potential attacks.

Besides providing organizations with recommendations on how to secure IPsec tunnels, NSA’s VPN guidance also highlights the importance of using strong cryptography to protect sensitive information contained within traffic while it traverses untrusted networks on the way to remote servers.

Following these recommendations is especially important for organizations that moved the majority of their workforce to telework since the start of the pandemic.

“VPNs are essential for enabling remote access and securely connecting remote sites, but without proper configuration, patch management, and hardening, VPNs are vulnerable to attack,” the NSA explains.

Among the measures network admins need to take to ensure a VPN’s security, the NSA underlines the need to reduce the attack surface, to always customize the VPN’s default settings, and to apply any security updates as soon as they’re issued by vendors.

How to secure a Virtual Private Network

NSA’s full list of recommendations for a secure VPN:

• Reduce the VPN gateway attack surface
• Verify that cryptographic algorithms are Committee on National Security Systems Policy (CNSSP) 15-compliant
• Avoid using default VPN settings
• Remove unused or non-compliant cryptography suites
• Apply vendor-provided updates (i.e. patches) for VPN gateways and clients

First of all, administrators are advised to implement strict traffic filtering rules designed to limit the ports, protocols, and IP addresses that can be used to connect to VPN devices. If this is not possible, an Intrusion Prevention System (IPS) can help “monitor for undesired IPsec traffic and inspect IPsec session negotiations.”

Admins also need to make sure that ISAKMP/IKE and IPsec policies don’t allow obsolete cryptographic algorithms to avoid compromising data confidentiality.

When it comes to default VPN settings, NSA recommends avoiding the use of wizards, scripts, or vendor-provided defaults as they might configure non-compliant ISAKMP/IKE and IPsec policies.

Removing non-compliant and unused cryptography suites is another measure recommended to defend against downgrade attacks where the VPN endpoints are forced to negotiate non-compliant and insecure cryptography suites, exposing encrypted VPN traffic to decryption attempts.

Last but not least, making sure that the latest vendor-provided patches are applied as soon as possible will mitigate newly discovered security vulnerabilities affecting both VPN gateways and clients.

The NSA also issued guidance providing administrators with example IPsec VPN configurations and specific instructions on how to implement the above measures and ensure the most secure VPN configurations.
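The three policy-related recommendations above (no obsolete algorithms in ISAKMP/IKE and IPsec policies, no reliance on vendor defaults, and no leftover non-compliant suites that invite a downgrade) can be checked mechanically against a gateway's configuration. The following Python script is an added example, not code from the article or from the NSA guidance: it parses strongSwan-style `ike=`/`esp=` proposal strings, classifies each algorithm against the AES-256 / SHA-384 / DH group 16 or 20 values the NSA recommends, and flags a list that mixes compliant and non-compliant suites as a downgrade exposure. The proposal strings, including the "weak" policy, are constructed for illustration, and the algorithm sets are an assumption drawn from the published guidance rather than from anything in this article.

```python
"""Audit strongSwan-style IKE/ESP proposal strings against the CNSSP 15 /
NSA IPsec recommendations (AES-256, SHA-384, DH group 16 or 20).

Added example; not NSA or strongSwan code.  The sample policies below are
constructed for illustration and are not any vendor's actual defaults."""

# Assumed CNSSP 15-compliant algorithm names, in strongSwan spelling.
COMPLIANT = {
    "aes256", "aes256gcm16",   # AES-256 CBC / AES-256-GCM
    "sha384", "prfsha384",     # SHA-384 integrity / PRF
    "modp4096", "ecp384",      # DH group 16 / DH group 20
}

# Obsolete algorithms that a hardened policy must not offer at all.
OBSOLETE = {"des", "3des", "md5", "sha1", "sha",
            "modp768", "modp1024", "modp1536"}


def classify(token: str) -> str:
    """Return 'compliant', 'obsolete' or 'non-compliant' for one algorithm name."""
    token = token.lower()
    if token in OBSOLETE:
        return "obsolete"
    if token in COMPLIANT:
        return "compliant"
    return "non-compliant"   # e.g. aes128, sha256, modp2048: not broken, not CNSSP 15


def parse_proposals(spec: str):
    """Split 'aes256-sha384-modp4096,aes256-sha384-ecp384!' into
    ([['aes256','sha384','modp4096'], ['aes256','sha384','ecp384']], strict)."""
    spec = spec.strip()
    strict = spec.endswith("!")      # strongSwan: '!' = offer nothing else
    if strict:
        spec = spec[:-1]
    proposals = [p.split("-") for p in spec.split(",") if p]
    return proposals, strict


def audit(spec: str) -> dict:
    """Audit one proposal list and return a report dictionary."""
    proposals, strict = parse_proposals(spec)
    findings = []
    compliant_count = 0
    for prop in proposals:
        verdicts = {tok: classify(tok) for tok in prop}
        if all(v == "compliant" for v in verdicts.values()):
            compliant_count += 1
        for tok, verdict in verdicts.items():
            if verdict != "compliant":
                findings.append(f"{'-'.join(prop)}: {tok} is {verdict}")
    # A list that offers both compliant and weaker suites lets a peer (or an
    # on-path attacker, as the article describes) settle on the weaker one.
    downgrade_risk = 0 < compliant_count < len(proposals)
    if not strict:
        findings.append("proposal list is not strict ('!' missing): "
                        "vendor default proposals may be appended")
    return {
        "proposals": len(proposals),
        "compliant_proposals": compliant_count,
        "strict": strict,
        "downgrade_risk": downgrade_risk,
        "findings": findings,
        "compliant": not findings,
    }


# Constructed sample policies (not real vendor defaults).
WEAK_IKE = "aes128-sha1-modp1024,3des-md5-modp1024"          # legacy-style
MIXED_IKE = "aes256-sha384-modp4096,aes128-sha1-modp1024!"    # downgrade exposure
HARDENED_IKE = "aes256-sha384-modp4096,aes256-sha384-ecp384!"
HARDENED_ESP = "aes256gcm16-ecp384!"


if __name__ == "__main__":
    for name, spec in [("weak ike", WEAK_IKE), ("mixed ike", MIXED_IKE),
                       ("hardened ike", HARDENED_IKE), ("hardened esp", HARDENED_ESP)]:
        report = audit(spec)
        print(f"{name}: compliant={report['compliant']} "
              f"downgrade_risk={report['downgrade_risk']}")
        for finding in report["findings"]:
            print("   -", finding)
```

In strongSwan's legacy ipsec.conf syntax the trailing `!` makes the list strict; without it the daemon appends its own default proposals, which is precisely the "unused or non-compliant suites left behind" condition the article warns about, so the audit treats a missing `!` as a finding even when every listed suite is strong.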

The importance of securing VPNs

In October 2019, the NSA warned about multiple state-backed Advanced Persistent Threat (APT) actors who were actively weaponizing the CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 vulnerabilities to compromise vulnerable VPN devices.

As part of the same security advisory, NSA also issued mitigation for Pulse Secure, Palo Alto, and Fortinet VPN clients, as well as recommendations on how to harden VPN security configurations.

In January 2020, CISA warned organizations to patch their Pulse Secure VPN servers to defend against ongoing attacks trying to exploit a remote code execution (RCE) vulnerability tracked as CVE-2019-11510, a warning that followed another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), UK’s National Cyber Security Centre (NCSC), and the Canadian Centre for Cyber Security.

The same month, an FBI flash security alert stated that state-backed hackers breached the networks of a US financial entity and a US municipal government’s network after exploiting servers left vulnerable to CVE-2019-11510 exploits.

Three months later, CISA said that threat actors successfully deployed ransomware on the systems of US hospitals and government entities with the help of stolen Active Directory credentials, months after exploiting Pulse Secure VPN servers left unpatched against the CVE-2019-11510 vulnerability.

In March, CISA also shared a series of tips designed to help organizations that had implemented work-from-home programs to correctly secure their enterprise VPNs, as malicious actors were expected to focus their attacks on teleworkers.
