Encryption & Key Management , Governance & Risk Management , IT Risk Management
NSA Releases Guidance on Obsolete Encryption Tools
Agency Recommends Replacement of Old TLS and SSL ProtocolsThe National Security Agency has released guidance on how the Defense Department, other federal agencies and the contractors that support them should replace obsolete encryption protocols that can enable cyber intrusions.
The NSA recommends that system administrators working at the Pentagon, other agencies in the U.S. government that oversee national security issues, as well as private firms and third parties that supply agencies with technology replace obsolete Transport Layer Security and Secure Sockets Layer protocols that are used to encrypt network traffic traveling between servers. The NSA advises other organizations to follow the guidelines as well.
The agency notes that all federal agencies should prioritize replacing outdated TLS protocols because they can enable unauthorized network access to nation-state actors and other adversaries, who can then modify the traffic to perform man-in-the-middle attacks.
The guidance recommends that organizations only use the TLS 1.2 or TLS 1.3 versions of the protocol. The agency also says organizations should refrain from using outdated Secure Sockets Layer 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 versions as they are now outdated.
"This guidance provides detection strategies that can aid network security analysts in identifying continued use of obsolete TLS protocol versions, cipher suites and key exchanges," the agency notes. "This remediation is crucial to decreasing computer system and network attack surfaces and preventing unauthorized access to private data."
NSA Recommendations
NSA has released on GitHub a free detection tool for identifying obsolete TLS versions in their systems.
Federal agencies should update old protocols to the latest versions and ensure that they are configured to meet the encryption standards stipulated by the intergovernmental Committee on National Security Systems organization as well as the National Institute of Standards and Technology, the NSA says.
The NSA notes the use of weak, compromised or revoked certificates for TLS can lead to man-in-the-middle attacks. Federal agencies must ensure that TLS certificates are issued by legitimate certification authorities, accurately represent the server and are replaced prior to their expiration, the agency adds.
The NSA also says that organizations running out-of-date versions of TLS tools should disable those tools until they are reconfigured to the latest version.
TLS-Related Attacks
In recent years, threat actors have developed work-arounds to bypass TLS encryption or to weaponize the protocol.
In 2015, Microsoft revealed that hackers were selling counterfeit TLS certificates to trick Windows users into running malware (see: Microsoft Blacklists Fake Certificate).
In 2020, independent security researchers found attackers could use phony TLS certificates to spoof a legitimate website. The researchers went on to spoof the webpages of GitHub - owned by Microsoft (see: Windows Vulnerability: Researchers Demonstrate Exploits).
In May, the U.S. Cybersecurity and Infrastructure Security Agency warned that a North-Korean advanced persistent threat group was using fake TLS protocols to authenticate and encrypt its activities to hide from security tools (see: Group Behind WannaCry Now Using New Malware).