NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations
Date Modified: 01/5/2021 10:03 PM EST
Description
Summary:
On January 5th, 2021, the NSA | CSS (National Security Agency Central Security Service) issued a report offering guidance on Eliminating Obsolete TLS Protocol Configurations. The guide highlights evidence that using obsolete TLS configurations provides a false sense of security: the data appears to be protected even though it is not. NSA leverages its technical capability to develop advisories and mitigations on evolving cybersecurity threats. NSA's three-page document covers key areas of focus such as obsolete TLS versions, obsolete cipher suites, obsolete key exchange mechanisms, recommended TLS configurations, detection strategy, and remediation.
Impact:
Obsolete TLS provides a false sense of security. Over time, new attacks against TLS and the algorithms it uses have been discovered. The standards and most products have been updated, but implementations often have not kept up. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries.
Mitigation:
By using the following guidance, government network owners can make informed decisions to enhance their cybersecurity posture.
Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors.
Comments:
The E-ISAC has not established any specified threat to the electricity community based upon this information. If any adversarial action is experienced, contact the E-ISAC Watch Operations Team, and create a Portal Post for instant community awareness.
References:
NSA | Eliminating Obsolete TLS Protocol Configurations
Cybersecurity Advisories & Technical Guidance
https://www.nsa.gov/What-We-Do/Cybersecurity/Advisories-Technical-Guidance/
Infographic on obsolete TLS