Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Network Government Security IT

New NSA Report: This is How You Should Be Securing Your Network (zdnet.com) 62

America's National Security Agency (NSA) released a new report "that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks," writes ZDNet: NSA's report 'Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance' is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks. The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).

The U.S. Cybersecurity and Infrastructure Security Agency is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations. The document, from NSA's cybersecurity directorate, encourages the adoption of 'zero trust' networks....

The new report follows NSA's guidance to help people and organizations choose virtual private networks (VPN). VPN hardware for securing connections between remote workers to corporate networks became a prime target during the pandemic.

Thanks to long-time Slashdot reader Klaxton for sharing the link!
This discussion has been archived. No new comments can be posted.

New NSA Report: This is How You Should Be Securing Your Network

Comments Filter:
  • by account_deleted ( 4530225 ) on Saturday March 05, 2022 @04:39PM (#62329777)
    Comment removed based on user account deletion
    • by kmoser ( 1469707 )
      Compared to *no* security, any security is a gold standard.
    • I'm not saying they don't know what they're doing, but acting as though their security principles should be some sort of gold standard makes me chuckle

      No, what they are trying to convey is that these are the minimum security measures you should be taking and that anything less exposes you to significant risk.

    • by gweihir ( 88907 )

      These are not "their" principles. This is just the standard stuff any competent IT security expert recommends these days anyways.

    • This paper is clearly intended as a single, unified, description of the absolute minimum standard needed.

  • Leave everything in their unopened boxes.

  • by account_deleted ( 4530225 ) on Saturday March 05, 2022 @05:24PM (#62329839)
    Comment removed based on user account deletion
    • Pretty much this.

      If your CSO doesn't know all this stuff already they need to be replaced.

      And by "CSO" I mean reasonably competent IT manager.

      • by Zocalo ( 252965 )
        All very true. However, non-IT literate CxOs and board members often don't know if they have a competent CSO (or even any reasonably competent IT managers) until it's too late and it turns out they did not, and even if they do it's still not a cast iron guarantee that a bad actor won't get lucky or exploit a zero day to get in. In my experience there are still an *awful* lot of companies and organizations that really ought to have staff that know better for whom this level of additional security would red
      • by gweihir ( 88907 )

        Do you mean "CISO"? A CSO usually cannot do IT security competently. Well, to be fair, there are many CISOs that cannot either, but usually a CSO is not even an IT role.

        • by Corbets ( 169101 )

          I, and several of my peers, am a CSO. I was CISO for a few years, then I added physical security to my domain, along with a few other bits and bobs.

          I have a degree in telecoms and networking, worked as a Unix admin for the first years of my career, and have done things as technical as malware decomposition.

          So yeah, I’d say your assertion is a little broad.

          • by gweihir ( 88907 )

            You seem to have a problem with your governance there...

            Yes, sure, _you_ may be fit to fill that slot in your specific situation. What happens when you get replaced? Amateurs at Governance always overlook that little problem.

        • If I was the CSO or CISO at a company that wasn't listening to me, I would push for an outside security audit. I would say it's been over 10 years since we had an outside audit, and just like a financial audit, it's designed to reveal new industry and best practices that we might be lacking.

          If the board doesn't see the value in that, I would start putting out feelers for a new job or counting months until retirement. Or at least make sure my request was listed in the board meeting minutes for the last six

          • by gweihir ( 88907 )

            If I was the CSO or CISO at a company that wasn't listening to me, I would push for an outside security audit. I would say it's been over 10 years since we had an outside audit, and just like a financial audit, it's designed to reveal new industry and best practices that we might be lacking.

            If the board doesn't see the value in that, I would start putting out feelers for a new job or counting months until retirement. Or at least make sure my request was listed in the board meeting minutes for the last six months.

            I know people that left a well-paying CISO slot exactly because of that. They usually hire somebody without a clue as a replacement in those cases. (See Equifax with their music-major. And then they screwed up pretty mich as expected.) The board typically never goes for an outside audit unless there is some personal liability involved and that is rare in non-regulated environments. Outside audits may show that some C-level or the board is not doing its job right. Cannot have that. That said, in the last hal

        • Most CSOs and CISOs I have met were capable of doing the job of the opposite specialty at need. And often did for one reason or another.

          But you are right, my comment was more appropriate for the CISO function.

    • by jonwil ( 467024 )

      Do Cisco ship their hardware with the most secure options enabled by default? If not why not?

      • by Zocalo ( 252965 )
        No. They do not. Putting a few basic rules on an out of the box Cisco firewall (which you'd expect to be even more "secure by default" than a switch, right?) and then running an audit against CIS Control or DISA STIG compliance will throw up an awful lot of warnings and errors. Suffice to say that switches and routers fare even worse than the firewalls.

        Admittedly, quite a few of those findings are for things like logging to a remote syslog host, NTP configurations, and other options that can't be defau
      • by ecalkin ( 468811 )

        On classic IOS, somewhat...

        there is no default username and/or password. you have to have a serial connection (don't forget physical site security) to enable ports and assign ips. The only plug and play on their big devices is switches will switch as soon as you power them on, but you don't have management until you console in and activate systems and assign an address.

        if you remote into an IOS switch/router via telnet/ssh, you can't get to privileged mode if you haven't put an enable password on the remo

      • by gweihir ( 88907 )

        Do Cisco ship their hardware with the most secure options enabled by default? If not why not?

        Simple: Saving on customer support. Traditionally professional gear was "default off/closed" and amateur gear was "default on/open". Cisco apparently found it saves them some money to ship what is supposedly professional gear with the amateur defaults. Insecure configs do not cause support calls, but "it does not work" do with network "admins" that cannot read documentation and think you just need to plug in the right box.

    • "There are much better design, best practices, and hardening documents that can be found out there. "

      Would anyone care to make some suggestions (URLs)? - thanks

    • by gweihir ( 88907 )

      Indeed. On the other hand, available catalogs are somewhat unwieldy. For example, both ISO and BSI are monsters that need the help of an expert to just sort through them and you find language in there that is borderline incomprehensible. A positive exception is the CIS Controls, but they still need the help of an expert to supply details. The are a good starting point though and much more pragmatic and less bureaucratic than ISO or BSI.

      The NSA may have tried here to supply something that does not require th

      • >For example, both ISO and BSI are monsters

        And very expensive monsters. Try costing out ISO 19790 and all it's references. That cost is per-engineer.

      • I think this is the best comment yet. This is something simple that a typical IT Admin or even a CIO can read and understand. And it's pretty comprehensive. And in one place, making it easy to find/use.
        • by gweihir ( 88907 )

          I think this is the best comment yet. This is something simple that a typical IT Admin or even a CIO can read and understand. And it's pretty comprehensive. And in one place, making it easy to find/use.

          Thanks! I assume your refer to me referencing the CIS Controls? I really like the CIS catalog. A rare instance of people with a real clue behind it. And it has three severity/maturity levels which provides you a _path_ to where you eventually want to get. Neither BSI nor ISO has anything comparable.

    • I read through this and the related NIST stuff that came out recently.

      They are pushing what they call a "zero trust" model, which is just a minimized trust model and I have already witnessed it cause confusion with zero trust vs zero knowledge protocols which are something completely different. So the NIST+NSA habit of coming up with replacement names for things is still alive and well and causing confusion.

      It seemed rather high level and the detail was in documents that are already part of the usual canon

    • by JBMcB ( 73720 )

      There are a *lot* of old, outdated systems out there where it isn't feasible to implement a lot of this stuff because it simply isn't supported. This document is ammo for an IT guy to go to whomever and demand funding for old stuff to get replaced.

    • by AmiMoJo ( 196126 )

      The NSA loves Cisco gear because they have an extensive catalogue of exploits for Cisco systems. The Snowden leaks show how they intercept Cisco gear during shipping, install their own hardware that makes it impossible to remove or detect the malware, and then send them on to the customer.

      The NSA recommends you use the hardware they can most easily exploit so that they have access to your internal networks.

    • by jd ( 1658 )

      I agree, though would point out that many businesses rip out the out-the-box security because it's expensive to maintain and inconvenient to managers. Mandating an absolute minimum standard that managers shouldn't be allowed to go beyond makes some sense.

      There are indeed better papers. It would be great if they could be centralised, perhaps they already are. But you can be sure managers won't accept those recommendations at all.

  • They fail to mention email other than in the context of "... emailing network device configurations or storing them in unprotected file shares could constitute a compromise ...". One of the most common and all-to-often successful methods to compromise a company is to email an exploit-laden resume to HR in reference to an IT job opening. The HR person opens it, sees that the candidate sounds perfect and forwards it to the director, the director forwards it to some of his team for review. External files sh
    • by gweihir ( 88907 )

      Probably because if they did that they would have to mention the elephant in the email room, namely Outlook. Other than user awareness, it is next to impossible to really secure Outlook.

      You are perfectly right on that document attack vector. But people do not want to hear it. It is just too much effort for most to follow secure practices.

  • Is it overly cynical of me to wonder at this - I mean, Isn't part of their work figuring out ways to break into things? Or is that just the CIA etc?

    • Is it overly cynical of me to wonder at this - I mean, Isn't part of their work figuring out ways to break into things? Or is that just the CIA etc?

      This is the most basic/bare minimum to protect Enterprises big and small from script kiddies, ransomware gangs, becoming part of botnets, etc, while leaving them wide open to 3 letter agencies, 5 eyes nations and other state actors.

      If there are enterprises that (in the opinion of the NSA) need protection from state actors and 3 letter agencies, they probably have private guide(lines)s that they will share with those enterprises only, under NDA.

    • They are tasked with both breaking into things and with securing things. Honestly they should be split into two separate agencies.

      • They are tasked with both breaking into things and with securing things. Honestly they should be split into two separate agencies.

        They are internally split along those lines.

        • They are internally split along those lines.

          I would expect that, but I think a formal split is really necessary. From the outside, there's certainly an impression of divided loyalties - and their past advice regarding earlier elliptic curve algorithms (which were likely back-doored [cloudflare.com]) would seem to support that.

          • They are internally split along those lines.

            I would expect that, but I think a formal split is really necessary. From the outside, there's certainly an impression of divided loyalties - and their past advice regarding earlier elliptic curve algorithms (which were likely back-doored [cloudflare.com]) would seem to support that.

            I am pretty allergic to the NIST curves, ECDSA and I was personally responsible for preventing the use of the dial-ec-drbg in the company I work for, long before the Snowden revelations since it was obviously stupid.

            This is challenging when your employer has prescriptions that all products be FIPS compliant. There are better and still compliant alternatives to ECDSA for signing, but dodging P256 is a bitch. I've managed it so far. I baked 25519 (for DH) into silicon (where I should have used the compliant P

    • Their advice is pretty high-level, general things.
      Have antivirus. Have a CISO. Patch regularly. Encrypt your VPN and TLS connections. (Yes I've seen some, in production, with Null encryption enabled. The "null" cipher means no encryption).

      The way they get into systems is about three levels of specificity deeper. They have an exploit for a specific version of a specific application, when it's used in a certain way in combination with a certain other software.

  • The proper way to secure your systems is:

    1. Put all your systems into a room.
    2. Line the room with lead.
    3. Unplug the systems.

  • Focusing too much on Cisco is doing a disservice, although it is understandable that they are trying to convey a minimum level of security.

    But, what do you recommend for those of us with smaller systems/networks where we really don’t want Cisco or lesser "enterprise" gear? Are we really better off with a VM for VPN server than an appliance? Wireguard?

    I think a more generic solution would be nice to offer-- something that gives people a solid understanding of bad architecture and good architecture.

    (M

    • They have to start somewhere. This is a good start. If you are rolling your own, you should really investigate it fully before rolling your own.
  • Oh, about 20 years ago - memory hazy, the five eyes countries brought in a National security checklist, just like this one. It still exists today, ticking all the boxes. I seem to remember the USN led the pack, with custom Microsoft patches, which looking backwards, were really advanced. It also had approved security level certifications where experts had run the ruler over products from Cisco and Microsoft and encryption products, and a secret add-on list. Anyway when CERT got going in a big way,CVE's etc,
  • 5.6 The requirements for strong passwords is incorrect "Use all the different character classes (uppercase, lowercase, numbers, and special characters)". Using uppercase and lower case just leads to the first character being upper case. Numbers and symbols leads to either people writing down the password or having the last two digits !1.

    They did get section 5.8 right. Only change passwords when needed. If you ask people to regularly change their passwords they will choose weaker and weaker passwords
    • 5.6 The requirements for strong passwords is incorrect "Use all the different character classes (uppercase, lowercase, numbers, and special characters)". Using uppercase and lower case just leads to the first character being upper case. Numbers and symbols leads to either people writing down the password or having the last two digits !1.

      NIST removed the requirement for character classes from their guidelines a few years ago. I'm still hoping that the rest of the government departments will catch up sometime soon.

news: gotcha

Working...