NSA Recommends the Use of TLS 1.2 or TLS 1.3 as Other TLS Versions Prove Obsolete

TL;DR

Earlier this month, the US National Security Agency (NSA) announced in a security advisory that obsolete versions of the Transport Layer Security (TLS) protocol should be replaced. This guidance was issued for system administrators across federal agencies such as the Department of Defense (DoD), National Security System (NSS), and Defense Industrial Base (DiB).

In the report released on January 5, they were quick to add that “Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks.”

The NSA issued guidance against using older protocol versions and recommended that only TLS 1.2 and TLS 1.3 be adopted, as other versions are now flawed.

Key Facts
  1. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the protocols that provide encryption, privacy, authentication, and data integrity between two communicating computer applications.

  2. SSL, TLS 1.0, and TLS 1.1 are now considered deprecated, and systems still relying on these protocols for security can be exposed at any moment.

  3. In its newly released advisory, the NSA warns that new attacks against TLS protocols are being discovered and that organizations should use the latest security protocols (TLS 1.2 or TLS 1.3).

  4. The cybersecurity agency in the US also published a list of tools to help security experts identify systems in their network that still run these obsolete protocols.

  5. The NSA advisory, published on January 5, was echoed on the 19th by the agency's counterpart in the Netherlands, the Dutch National Cyber Security Center.

Details

Sensitive and valuable information requires strong protection within electronic systems and transmissions. Protected transmissions use a private, secure channel between a server and a client to communicate. Transport Layer Security (TLS) and Secure Sockets Layer 2 (SSL 2.0) were created as protocols that build these protected channels using encryption and authentication. Older versions of these protocols are now weak and have been phased out of many existing services and applications online.

Over time, new methods of attack against TLS and its algorithms were discovered, and for this reason the NSA has recommended that only TLS 1.2 and TLS 1.3 be used, rendering SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 obsolete. The agency's first step is to identify obsolete configurations still in use in government systems across the USA by flagging clients and servers that use the older TLS versions, and then to test for old cipher suites and weak key exchange methods.

Steps for remediation have also been suggested for security experts and analysts. Depending on the organization, network monitoring devices can be set up to alert on clients or servers that negotiate obsolete TLS, or to block weak TLS traffic. It is also worth mentioning that TLS depends on the correct use of certificates: compromised, weak, or revoked certificates can lead to attacks even when the protocol is properly implemented. Following this guidance will help cybersecurity experts and government network owners make better-informed decisions to reduce their risk exposure and hinder incoming malicious threats.
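
The monitoring check described above can be sketched as follows. This is an added example, not code from the NSA advisory or from this article: it reads the version a server selected from a single ServerHello record and flags the obsolete ones. The function names and the sample records are constructed for illustration, and SSL 2.0, which uses a different record framing, is assumed to be out of scope.

```python
import struct

# Wire codes for the protocol versions listed in the article.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
SUPPORTED_VERSIONS = 0x002B  # extension that carries the real version in TLS 1.3
MIN_LEN = 5 + 4 + 2 + 32 + 1  # headers, legacy_version, random, session_id length


def server_hello_version(record: bytes) -> str:
    """Return the protocol version a server selected in one ServerHello record."""
    if len(record) < MIN_LEN or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS ServerHello record")
    pos = 9                                  # skip record and handshake headers
    (version,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                            # legacy_version, random
    pos += 1 + record[pos]                   # session_id
    pos += 2 + 1                             # cipher_suite, compression_method
    if pos + 2 <= len(record):               # extensions may be absent before 1.3
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = min(pos + ext_total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == SUPPORTED_VERSIONS and ext_len == 2 and pos + 2 <= end:
                (version,) = struct.unpack_from("!H", record, pos)
            pos += ext_len
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


def is_obsolete(record: bytes) -> bool:
    """True when the server settled on SSL 3.0, TLS 1.0 or TLS 1.1."""
    return server_hello_version(record) in OBSOLETE


def build_server_hello(legacy: int, selected: int = 0) -> bytes:
    """Constructed sample data: a minimal ServerHello record for the demo."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected:                             # TLS 1.3 style supported_versions
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(legacy, 0x0303), len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_server_hello(0x0301), build_server_hello(0x0303, 0x0304)):
        print(server_hello_version(sample), "ALERT" if is_obsolete(sample) else "ok")
```

A TLS 1.3 server still writes 0x0303 in the legacy version field, so a check that reads only that field would report TLS 1.3 sessions as TLS 1.2; the supported_versions lookup handles that case.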

The agency also added that “Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not”.

“This will also help organizations prepare for cryptographic agility to always stay ahead of malicious actors’ abilities and protect important information. Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not,” the NSA said.

Supported Protocols and Obsolete Protocols in a nutshell

  • TLS 1.2 (Supported)
  • TLS 1.3 (Supported)
  • TLS 1.0 (Not Supported)
  • TLS 1.1 (Not Supported)
  • SSL v2 (Not Supported)
  • SSL v3 (Not Supported)

In related news, the Dutch National Cyber Security Centre (NCSC) also published an update on future-proofing TLS configurations using TLS 1.3, aimed at securing network connections.
