New NSA Report: This is How You Should Be Securing Your Network (zdnet.com) 62
America's National Security Agency (NSA) released a new report "that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks," writes ZDNet:
NSA's report 'Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance' is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks. The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP).
The U.S. Cybersecurity and Infrastructure Security Agency is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations. The document, from NSA's cybersecurity directorate, encourages the adoption of 'zero trust' networks....
The new report follows NSA's guidance to help people and organizations choose virtual private networks (VPN). VPN hardware for securing connections between remote workers to corporate networks became a prime target during the pandemic.
Thanks to long-time Slashdot reader Klaxton for sharing the link!
Comment removed (Score:3)
Re: (Score:2)
Re: (Score:2)
I'm not saying they don't know what they're doing, but acting as though their security principles should be some sort of gold standard makes me chuckle
No, what they are trying to convey is that these are the minimum security measures you should be taking and that anything less exposes you to significant risk.
Re: (Score:2)
These are not "their" principles. This is just the standard stuff any competent IT security expert recommends these days anyways.
It's not a gold standard. (Score:2)
This paper is clearly intended as a single, unified, description of the absolute minimum standard needed.
Re: (Score:3)
Re: (Score:2)
True, but since they don't use any of the methods anyone else is using to break in, stopping their rivals won't hurt them.
Re: I don't trust them (Score:2)
You fail at game theory, good sir! That's what they *WANT* you to think!
Re: (Score:2)
No, you should look at all advice and weigh it for what it is and that alone. Everything in the paper is good advice. It won't touch the zero-days they use, sure, but it will block any other attacker. They don't want those other guys getting in.
NSA secure (Score:2)
Leave everything in their unopened boxes.
Re: Mine sweeper, anyone? (Score:2)
Re: (Score:2)
Well, that wasn't actually the CIA, IIRC. Windows never managed above a C3 rating under the old Orange Book standard, so that was the only secure configuration at that time, you are correct there. But Orange Book wasn't CIA, it was DoD and NIST.
Re: (Score:2)
Well, it does, because that's the only configuration that actually met the C3 rating criteria.
Comment removed (Score:3)
Re: (Score:3)
Pretty much this.
If your CSO doesn't know all this stuff already they need to be replaced.
And by "CSO" I mean reasonably competent IT manager.
Re: (Score:2)
Re: (Score:2)
Do you mean "CISO"? A CSO usually cannot do IT security competently. Well, to be fair, there are many CISOs that cannot either, but usually a CSO is not even an IT role.
Re: (Score:2)
I, and several of my peers, am a CSO. I was CISO for a few years, then I added physical security to my domain, along with a few other bits and bobs.
I have a degree in telecoms and networking, worked as a Unix admin for the first years of my career, and have done things as technical as malware decomposition.
So yeah, I’d say your assertion is a little broad.
Re: (Score:2)
You seem to have a problem with your governance there...
Yes, sure, _you_ may be fit to fill that slot in your specific situation. What happens when you get replaced? Amateurs at Governance always overlook that little problem.
Re: (Score:2)
If I was the CSO or CISO at a company that wasn't listening to me, I would push for an outside security audit. I would say it's been over 10 years since we had an outside audit, and just like a financial audit, it's designed to reveal new industry and best practices that we might be lacking.
If the board doesn't see the value in that, I would start putting out feelers for a new job or counting months until retirement. Or at least make sure my request was listed in the board meeting minutes for the last six months.
Re: (Score:2)
If I was the CSO or CISO at a company that wasn't listening to me, I would push for an outside security audit. I would say it's been over 10 years since we had an outside audit, and just like a financial audit, it's designed to reveal new industry and best practices that we might be lacking.
If the board doesn't see the value in that, I would start putting out feelers for a new job or counting months until retirement. Or at least make sure my request was listed in the board meeting minutes for the last six months.
I know people that left a well-paying CISO slot exactly because of that. They usually hire somebody without a clue as a replacement in those cases. (See Equifax with their music major. And then they screwed up pretty much as expected.) The board typically never goes for an outside audit unless there is some personal liability involved, and that is rare in non-regulated environments. Outside audits may show that some C-level or the board is not doing its job right. Cannot have that. That said, in the last hal
Re: (Score:2)
Most CSOs and CISOs I have met were capable of doing the job of the opposite specialty at need. And often did for one reason or another.
But you are right, my comment was more appropriate for the CISO function.
Re: (Score:2)
Do Cisco ship their hardware with the most secure options enabled by default? If not why not?
Re: (Score:2)
Admittedly, quite a few of those findings are for things like logging to a remote syslog host, NTP configurations, and other options that can't be defau
Re: (Score:2)
On classic IOS, somewhat...
there is no default username and/or password. you have to have a serial connection (don't forget physical site security) to enable ports and assign ips. The only plug and play on their big devices is switches will switch as soon as you power them on, but you don't have management until you console in and activate systems and assign an address.
if you remote into an IOS switch/router via telnet/ssh, you can't get to privileged mode if you haven't put an enable password on the remo
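The summary lists the report's topics (password storage, remote logging and administration, NTP, SSH, HTTP, SNMP), and the comment above describes how far a classic IOS box is from that in its shipped state. The script below is an added example for this thread, not code from the NSA report or from Cisco: it takes a `show running-config` text dump and flags the settings those topics cover. Both configs, the hostnames, the placeholder hashes and the RFC 5737 addresses are constructed; the keyword patterns are the common classic-IOS forms, so IOS XR, NX-OS and other vendors would need their own rules.

```python
"""Static audit of an IOS-style running-config for the hardening items the
NSA guidance covers. Added example, not from the report or from Cisco."""
import re

# Constructed sample: close to the factory state described above, plus a
# few shortcuts an admin in a hurry might take.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
username admin password 0 letmein
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
end
"""

# Constructed sample of the same device remediated. Hashes and keys are
# placeholders; addresses are RFC 5737 documentation space.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$placeholder
username admin privilege 15 secret 9 $9$placeholder
ip ssh version 2
no ip http server
logging host 192.0.2.10
ntp authentication-key 1 sha1 placeholder
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.20 key 1
snmp-server group netmon v3 priv
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
end
"""


def _vty_blocks(lines):
    """Yield the indented sub-commands of each 'line vty ...' section."""
    block, in_vty = [], False
    for ln in lines:
        if ln.startswith(" "):
            if in_vty:
                block.append(ln.strip())
            continue
        if block:
            yield block
            block = []
        in_vty = ln.startswith("line vty")
    if block:
        yield block


def audit_ios_config(text):
    """Return a list of (finding_id, message) for weak or missing settings."""
    lines = text.splitlines()
    top = [ln for ln in lines if not ln.startswith(" ")]

    def present(pattern):
        return any(re.match(pattern, ln) for ln in top)

    findings = []
    # Passwords: the 'password' keyword stores type 0/7 strings, which are trivially reversed.
    if present(r"enable password "):
        findings.append(("enable-password", "use 'enable secret', not reversible 'enable password'"))
    if present(r"username \S+ (privilege \d+ )?password "):
        findings.append(("user-password", "use 'username ... secret', not 'username ... password'"))
    if not present(r"service password-encryption$"):
        findings.append(("password-encryption", "'service password-encryption' not set"))
    # Remote administration: SSH only on the vtys, and idle sessions must time out.
    for blk in _vty_blocks(lines):
        transports = [ln.split()[2:] for ln in blk if ln.startswith("transport input")]
        if not transports or any("telnet" in t or "all" in t for t in transports):
            findings.append(("telnet", "vty permits telnet (explicitly, or by default when 'transport input' is unset)"))
        if not any(ln.startswith("exec-timeout") for ln in blk):
            findings.append(("exec-timeout", "vty has no exec-timeout"))
    if not present(r"ip ssh version 2$"):
        findings.append(("ssh-version", "'ip ssh version 2' not set; SSHv1 may be negotiated"))
    # HTTP management: the cleartext server should be off.
    if present(r"ip http server$"):
        findings.append(("http-cleartext", "'ip http server' enabled; use 'no ip http server'"))
    # Logging and time must leave the box, and time must be authenticated.
    if not present(r"logging host "):
        findings.append(("no-remote-logging", "no 'logging host' configured"))
    if not present(r"ntp server "):
        findings.append(("no-ntp", "no 'ntp server' configured"))
    elif not present(r"ntp authenticate$"):
        findings.append(("ntp-unauthenticated", "ntp server set but 'ntp authenticate' missing"))
    # SNMP: a community string means v1/v2c; only v3 'priv' groups should exist.
    if present(r"snmp-server community "):
        findings.append(("snmp-community", "SNMP v1/v2c community string present; migrate to v3 priv"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ios_config(cfg) or "no findings")
```

Run it against a real dump with `audit_ios_config(open("running-config.txt").read())`. The point of a check like this is the one made in the comment: none of these items are on by default, so the only way to know a box meets the baseline is to read its config back, not to trust the vendor.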
Re: (Score:2)
Do Cisco ship their hardware with the most secure options enabled by default? If not why not?
Simple: Saving on customer support. Traditionally professional gear was "default off/closed" and amateur gear was "default on/open". Cisco apparently found it saves them some money to ship what is supposedly professional gear with the amateur defaults. Insecure configs do not cause support calls, but "it does not work" do with network "admins" that cannot read documentation and think you just need to plug in the right box.
Re: (Score:2)
"There are much better design, best practices, and hardening documents that can be found out there. "
Would anyone care to make some suggestions (URLs)? - thanks
Re: (Score:2)
Indeed. On the other hand, available catalogs are somewhat unwieldy. For example, both ISO and BSI are monsters that need the help of an expert to just sort through them, and you find language in there that is borderline incomprehensible. A positive exception is the CIS Controls, but they still need the help of an expert to supply details. They are a good starting point though, and much more pragmatic and less bureaucratic than ISO or BSI.
The NSA may have tried here to supply something that does not require th
Re: (Score:2)
>For example, both ISO and BSI are monsters
And very expensive monsters. Try costing out ISO 19790 and all its references. That cost is per engineer.
Re: (Score:2)
Re: (Score:2)
I think this is the best comment yet. This is something simple that a typical IT Admin or even a CIO can read and understand. And it's pretty comprehensive. And in one place, making it easy to find/use.
Thanks! I assume you refer to me referencing the CIS Controls? I really like the CIS catalog. A rare instance of people with a real clue behind it. And it has three severity/maturity levels, which provides you a _path_ to where you eventually want to get. Neither BSI nor ISO has anything comparable.
Re: (Score:2)
I read through this and the related NIST stuff that came out recently.
They are pushing what they call a "zero trust" model, which is just a minimized trust model and I have already witnessed it cause confusion with zero trust vs zero knowledge protocols which are something completely different. So the NIST+NSA habit of coming up with replacement names for things is still alive and well and causing confusion.
It seemed rather high level and the detail was in documents that are already part of the usual canon
Ammo (Score:2)
There are a *lot* of old, outdated systems out there where it isn't feasible to implement a lot of this stuff because it simply isn't supported. This document is ammo for an IT guy to go to whomever and demand funding for old stuff to get replaced.
Re: (Score:2)
The NSA loves Cisco gear because they have an extensive catalogue of exploits for Cisco systems. The Snowden leaks show how they intercept Cisco gear during shipping, install their own hardware that makes it impossible to remove or detect the malware, and then send them on to the customer.
The NSA recommends you use the hardware they can most easily exploit so that they have access to your internal networks.
Re: (Score:2)
Um, they clearly recommended different vendors, layered to avoid the problem of single vendor exploits.
Link to your comment about intercepting gear during shipping please. I highly doubt they'd need to do that since they've been in bed with Cisco before.
Re: (Score:2)
https://arstechnica.com/tech-p... [arstechnica.com]
Re: (Score:2)
Re: (Score:2)
I agree, though would point out that many businesses rip out the out-the-box security because it's expensive to maintain and inconvenient to managers. Mandating an absolute minimum standard that managers shouldn't be allowed to go beyond makes some sense.
There are indeed better papers. It would be great if they could be centralised, perhaps they already are. But you can be sure managers won't accept those recommendations at all.
Swing and a miss (Score:2)
Re: (Score:2)
Probably because if they did that they would have to mention the elephant in the email room, namely Outlook. Other than user awareness, it is next to impossible to really secure Outlook.
You are perfectly right on that document attack vector. But people do not want to hear it. It is just too much effort for most to follow secure practices.
Conflict of interest? (Score:2)
Is it overly cynical of me to wonder at this - I mean, Isn't part of their work figuring out ways to break into things? Or is that just the CIA etc?
Re: (Score:2)
Is it overly cynical of me to wonder at this - I mean, Isn't part of their work figuring out ways to break into things? Or is that just the CIA etc?
This is the most basic/bare minimum to protect Enterprises big and small from script kiddies, ransomware gangs, becoming part of botnets, etc, while leaving them wide open to 3 letter agencies, 5 eyes nations and other state actors.
If there are enterprises that (in the opinion of the NSA) need protection from state actors and 3 letter agencies, they probably have private guide(lines)s that they will share with those enterprises only, under NDA.
Re: (Score:2)
They are tasked with both breaking into things and with securing things. Honestly they should be split into two separate agencies.
Re: (Score:2)
They are tasked with both breaking into things and with securing things. Honestly they should be split into two separate agencies.
They are internally split along those lines.
Re: (Score:2)
They are internally split along those lines.
I would expect that, but I think a formal split is really necessary. From the outside, there's certainly an impression of divided loyalties - and their past advice regarding earlier elliptic curve algorithms (which were likely back-doored [cloudflare.com]) would seem to support that.
Re: (Score:2)
They are internally split along those lines.
I would expect that, but I think a formal split is really necessary. From the outside, there's certainly an impression of divided loyalties - and their past advice regarding earlier elliptic curve algorithms (which were likely back-doored [cloudflare.com]) would seem to support that.
I am pretty allergic to the NIST curves and ECDSA, and I was personally responsible for preventing the use of Dual_EC_DRBG in the company I work for, long before the Snowden revelations, since it was obviously stupid.
This is challenging when your employer has prescriptions that all products be FIPS compliant. There are better and still compliant alternatives to ECDSA for signing, but dodging P256 is a bitch. I've managed it so far. I baked 25519 (for DH) into silicon (where I should have used the compliant P
Level of specificity avoids conflict (Score:2)
Their advice is pretty high-level, general things.
Have antivirus. Have a CISO. Patch regularly. Encrypt your VPN and TLS connections. (Yes I've seen some, in production, with Null encryption enabled. The "null" cipher means no encryption).
The way they get into systems is about three levels of specificity deeper. They have an exploit for a specific version of a specific application, when it's used in a certain way in combination with a certain other software.
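The comment above mentions production TLS endpoints running with the NULL cipher, i.e. a TLS session that authenticates but does not encrypt. The check below is an added example for this thread, not code from the NSA report: it audits an OpenSSL cipher string the way a server config would compile it, and flags suites with no encryption (`NULL-*`, zero strength bits), anonymous key exchange (`ADH-*`, `AECDH-*`, which do not have NULL in their names) and a few legacy primitives. The `SAMPLE_CIPHERS` entries are constructed in the shape `ssl.SSLContext.get_ciphers()` returns; `HARDENED_SPEC` is one reasonable string, not a recommendation from the report.

```python
"""Flag TLS cipher suites that give no or weak confidentiality. Added
example for this thread, not from the NSA report. Names follow OpenSSL."""
import ssl

# Anonymous key exchange (aNULL) appears as these name prefixes, not as "NULL".
ANON_PREFIXES = ("ADH-", "AECDH-")
# Legacy primitives identified by name fragment.
LEGACY_FRAGMENTS = ("EXPORT", "RC4", "DES", "MD5")


def weak_ciphers(cipher_list):
    """Return the names in a get_ciphers()-style list that should never be
    offered: Enc=None (zero strength or 'NULL' in the name), anonymous key
    exchange, or a legacy primitive."""
    flagged = []
    for c in cipher_list:
        name = c["name"]
        if c.get("strength_bits", 0) == 0 or "NULL" in name:
            flagged.append(name)
        elif name.startswith(ANON_PREFIXES):
            flagged.append(name)
        elif any(frag in name for frag in LEGACY_FRAGMENTS):
            flagged.append(name)
    return flagged


def audit_cipher_spec(spec):
    """Compile an OpenSSL cipher string with the local library, exactly as a
    server config would, and report what would actually be offered.
    ssl.SSLError is raised if the string resolves to no suites at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return weak_ciphers(ctx.get_ciphers())


# Constructed entries shaped like get_ciphers() dicts (subset of keys): a
# NULL-encryption suite, an anonymous DH suite, and a normal AEAD suite.
SAMPLE_CIPHERS = [
    {"name": "NULL-SHA256", "protocol": "TLSv1.2", "strength_bits": 0},
    {"name": "ADH-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
]

# Assumed server string: ECDHE with AEAD only, with aNULL/eNULL excluded explicitly.
HARDENED_SPEC = "ECDHE+AESGCM:!aNULL:!eNULL"

if __name__ == "__main__":
    print("constructed list:", weak_ciphers(SAMPLE_CIPHERS))
    print("hardened spec:", audit_cipher_spec(HARDENED_SPEC) or "nothing flagged")
    # What the local OpenSSL would permit if a config said 'ALL:eNULL'
    # depends on how it was built; this just shows it rather than asserting it.
    print("permissive spec:", audit_cipher_spec("ALL:eNULL"))
```

Paste the cipher string from a server config (nginx `ssl_ciphers`, Apache `SSLCipherSuite`, or whatever the appliance exposes) into `audit_cipher_spec` to see which suites the local OpenSSL would actually enable for it. The same failure mode exists on the VPN side as an IPsec ESP proposal with NULL encryption; that is a different negotiation and is not covered by this code.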
Shorter NSA: how to secure your systems (Score:1)
The proper way to secure your systems is:
1. Put all your systems into a room.
2. Line the room with lead.
3. Unplug the systems.
and for those of us that DON’T use Cisco? (Score:2)
Focusing too much on Cisco is doing a disservice, although it is understandable that they are trying to convey a minimum level of security.
But, what do you recommend for those of us with smaller systems/networks where we really don’t want Cisco or lesser "enterprise" gear? Are we really better off with a VM for VPN server than an appliance? Wireguard?
I think a more generic solution would be nice to offer-- something that gives people a solid understanding of bad architecture and good architecture.
(M
Re: (Score:2)
Remember ASL? Certifications (Score:2)
They almost got passwords right (Score:2)
They did get section 5.8 right. Only change passwords when needed. If you ask people to regularly change their passwords they will choose weaker and weaker passwords
Re: (Score:2)
5.6 The requirement for strong passwords is incorrect: "Use all the different character classes (uppercase, lowercase, numbers, and special characters)". Using uppercase and lowercase just leads to the first character being uppercase. Numbers and symbols lead to either people writing down the password or having the last two characters be !1.
NIST removed the requirement for character classes from their guidelines a few years ago. I'm still hoping that the rest of the government departments will catch up sometime soon.
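The last two comments contrast the report's section 5.6 composition rule with current NIST guidance. The code below is an added example for this thread, not code from NIST or the NSA report: it implements the "all four character classes" rule beside a check in the spirit of NIST SP 800-63B section 5.1.1.2 (length floor, a ceiling above 64, a blocklist screen, context-specific words, trivial patterns, and no composition rules). `COMMON_PASSWORDS` is a tiny constructed stand-in for a breached-password corpus, and the sample passwords are constructed.

```python
"""Composition rule versus a NIST SP 800-63B style memorized-secret check.
Added example for this thread, not code from NIST or the NSA report."""
import re

# Constructed stand-in for a breached/common-password blocklist. A real
# deployment loads a large offline corpus here.
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "qwerty", "welcome", "summer", "admin",
}


def legacy_composition_ok(pw):
    """The 'all four character classes' rule. Accepts 'Password!1'."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(p, pw) for p in classes)


def _has_sequence(s, run):
    """True if s contains `run` consecutive alphabet, digit or keyboard-row characters."""
    rows = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiopasdfghjklzxcvbnm")
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in rows):
            return True
    return False


def nist_style_ok(pw, username="", service="", blocklist=COMMON_PASSWORDS):
    """Return (accepted, reason). No character-class rules, no expiry."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:  # 800-63B asks verifiers to allow at least 64; cap above that
        return False, "longer than 64 characters"
    norm = pw.lower()
    # Strip the leading/trailing decoration people add to satisfy class rules,
    # so 'Password!1' and 'Summer2022!' collapse to the word in the blocklist.
    candidates = {norm, re.sub(r"^[^a-z]+", "", norm), re.sub(r"[^a-z]+$", "", norm)}
    if any(c in blocklist for c in candidates if c):
        return False, "in blocklist of common or breached passwords"
    for word in (username, service):
        if len(word) >= 3 and word.lower() in norm:
            return False, f"contains context-specific word {word!r}"
    if re.search(r"(.)\1{3,}", norm):
        return False, "four or more repeated characters"
    if _has_sequence(norm, 5):
        return False, "sequential run of five or more characters"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("Password!1", "Summer2022!", "correct horse battery staple", "12345678"):
        print(f"{pw!r}: legacy={legacy_composition_ok(pw)} nist={nist_style_ok(pw)}")
```

Run the two checks side by side and the point of the comments falls out: the composition rule passes `Password!1` and `Summer2022!` and rejects a long multi-word phrase, while the blocklist-based check does the opposite. Rotation only on evidence of compromise is a policy decision around this, not something the verifier code needs to know about.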