Mediaboss Marketing

A new cybersecurity guidance from the National Security Agency is calling on network defenders of the Department of Defense, Defense Industrial Base and National Security System to implement zero trust security on their information technology devices.

NSA on Thursday published an information sheet recommending device security assessment and enhancement through zero trust principles including real-time inspection, remote access protection and patch management.

The cybersecurity information sheet, or CSI, discusses the device pillar of the ZT framework, which ensures that hardware that is within an environment or connecting to resources undergoes strict location, enumeration, authentication and assessment.

An organizations registered IT hardware and software should be inventoried along with their versions and patch levels. They should also be part of acceptance testing and deprovisioning before retirement.

Agencies must regularly check their devices compliance to internal policies and general standards, and update their configuration and firmware versions if necessary, NSA said. Obsolete encryption could lead to easy accessibility and subsequently data breach.

The CSI is also applicable to non-government organizations that could face threats from sophisticated malicious actors, according to NSA.

Read more here:
NSA Cybersecurity Information Sheet Pushes for Zero Trust Security in DOD Devices - Executive Gov

A new advisory from signals intelligence and cybersecurity experts at the National Security Agency (NSA) highlights the top 10 most common cybersecurity misconfigurations in large organisations including regular exposure of insecure Active Directory Certificate Services.

It comes as the NSAs Cybersecurity Director Rob Joyce warned that if your infrastructure cant survive a user clicking a link, you are doomed.

"Im the director of cybersecurity at NSA and you can definitely craft an email link I will click he added on X writing as generative AI models make it far easier for non-native speakers to craft convincing phishing emails and as such campaigns remain highly effective for threat actors.

The list is a useful guidebook to those seeking to secure IT estates and is no doubt based in part on the NSAs extensive experience of breaching services, as well as support defending CNI. To The Stack, it is also a crisp reminder that strict organisational discipline is critical for cyber hygiene.

Too many network devices with user access via apps or web portals still hide default credentials for built-in administrative accounts. (Cisco, were looking at you, you, you. (Others are also regularly guilty.) The problem extends to printers and scanners with hard coded default credentials on them but are set up with privileged domain accounts loaded so that users can scan and send documents to a shared drive).

NSA says: Modify the default configuration of applications and appliances before deployment in a production environment . Refer to hardening guidelines provided by the vendor and related cybersecurity guidance (e.g., DISA's Security Technical Implementation Guides (STIGs) and configuration guides)

More specifically on default permissions risks, NSA says it regularly says issues with configuration of Active Directory Certificate Services (ADCS); a Microsoft feature used to manage Public Key Infrastructure (PKI) certificates, keys, and encryption inside of AD environments.

Malicious actors can exploit ADCS and/or ADCS template misconfigurations to manipulate the certificate infrastructure into issuing fraudulent certificates and/or escalate user privileges to domain administrator privileges it warns, pointing to ADCS servers running with web-enrollment enabled; ADCS templates where low-privileged users have enrollment rights and other associated issues with external guidance on a handful of known escalation paths here, here and here.

Ensure the secure configuration of ADCS implementations. Regularly update and patch the controlling infrastructure (e.g., for CVE-2021-36942), employ monitoring and auditing mechanisms, and implement strong access controls to protect the infrastructure. Disable NTLM on all ADCS servers. Disable SAN for UPN Mapping. If not required, disable LLMNR and NetBIOS in local computer security settings or by group policy.

Already have an account? Sign in

See more here:
Top 10 misconfigurations: An NSA checklist for CISOs - The Stack

FORT MEADE, Md. - The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners released an updated Cybersecurity Information Sheet (CSI) to provide additional guidance for technology manufacturers to ensure their products are secure by design and default.

The joint CSI adds guidance to the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software report published in April 2023. The new guidance provides more detail on the three secure by design and default principles as they apply to both software manufacturers and their customers.

We need to continue working together to proactively design, build, and deploy secure products for our critical systems, said Rob Joyce, NSA Cybersecurity Director. The implementation of secure by design and default principles not only increases the security posture of manufacturers products, but customers as well.

As indicated in the CSI, the authoring agencies recognize the contributions from private sector partners in advancing secure by design and default implementation. The new CSI is intended to continue enabling international conversation about key priorities, investments, and decisions necessary to achieve a future where technology is safe, secure, and resilient by design and default.

The agencies recommend software manufacturers implement the strategies outlined in the CSI to take ownership of the security outcomes of their customers through secure by design and default principles. The agencies also advise that recommendations in this CSI apply to manufacturers of artificial intelligence (AI) software systems and models.

CISA authored the CSI in collaboration with the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the United Kingdoms National Cyber Security Centre (NCSC-UK), Germanys Federal Office for Information Security (BSI), Netherlands National Cyber Security Centre (NCSC-NL), the Computer Emergency Response Team New Zealand (CERT NZ) and New Zealands National Cyber Security Centre (NCSC-NZ), the Korea Internet & Security Agency (KISA), Israels National Cyber Directorate (INCD), Japans National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT), the Network of Government Cyber Incident Response Teams (CSIRT) Americas, the Cyber Security Agency of Singapore (CSA), and the Czech Republics National Cyber and Information Security Agency (NKIB).

Read the full report here. Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations MediaRelations@nsa.gov 443-634-0721

Continued here:
NSA and Partners Issue Additional Guidance for Secure By Design ... - National Security Agency

FORT MEADE, Md. - The National Security Agency (NSA) has released a Cybersecurity Information Sheet (CSI) to enable federal agencies, partners, and organizations to assess devices in their systems and be better poised to respond to risks associated with critical resources. Cybersecurity threats continue to increase, and traditional defenses cannot scale to provide effective security against these threats. Transitioning to a Zero Trust security framework places defenders in a better position to secure sensitive data, systems, applications, and services against nation-state actors and malicious actors seeking quick financial gains. The Advancing Zero Trust Maturity Throughout the Device Pillar CSI provides recommendations to effectively ensure all devices meet an organizations access criteria and security policies. The NSA advises National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network owners and operators to implement the recommendations in the CSI to increase maturity levels of the device pillar capabilities. These include device identification, inventory, and authentication, device authorization using real time inspection, and remote access protection. Traditional security defenses have been shown to be insufficient to address the current threat environment said Alan Laing, NSAs Vulnerability Analysis Subject Matter Expert. Government organizations and critical system owners need to enhance management of their device inventories to improve detection of sophisticated threats as part of comprehensive cybersecurity strategy integrating effective and scalable solutions to secure sensitive data, applications and services. As indicated in the CSI, the device pillar is a foundational component of the Zero Trust security framework. It ensures devices within an environment or attempting to connect to resources in such environment are located, enumerated, authenticated, and assessed. A device is only authorized access if it meets the environments security policies. The device pillar is one of the seven pillars defined in the DoD Zero Trust Reference Architecture. The capabilities discussed in this CSI complement on the Advancing Zero Trust Maturity Throughout the User Pillar published on 14 March 2023. NSA advises progression of the capabilities in each of the seven pillars in the Zero Trust security framework should be seen as a cycle of continuous improvement based on evaluation and monitoring of threats. The NSA Zero Trust security framework adheres to the Presidents Executive Order of Improving the Nations Cybersecurity (EO 14028) and National Security Memorandum 8 (NSM-8), which direct Federal Civilian Executive Branch (FCEB) agencies and NSS owners and operators to develop and implement strategic plans to adopt a Zero Trust cybersecurity framework. Read the full report here. Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations MediaRelations@nsa.gov 443-634-0721

Read the original:
NSA Shares Recommendations to Advance Device Security Within ... - National Security Agency

The National Sheep Association (NSA) has called for a root and branch review of Red Tractor following the announcement of the assurance body's Greener Farms Commitment last week.

The association said the industry had been sideswiped' and that it was deeply concerned none of the detail of the new environmental bolt-on which requires farmers to adopt five environment standards.

Following an extraordinary meeting of the NSA English Committee earlier this week, the association has demanded a root and branch review of the assurance scheme and its governance.

NSA chief executive Phil Stocker said the NSA continued to support the concept of farm assurance as an open gate declaration of good practice'. But he continued: "We have long been frustrated that the scheme is losing its way and has become less relevant to sheep farmers with little acceptance of the unique nature of our sector.

"Most of the nation's sheep farms are not big businesses with layers of management, but are family farms and single operators, many with little land of their own, and our sector still offers a valuable first step on the farming ladder for young new entrants. Becoming Red Tractor Assured presents a huge hurdle for many sheep farms, and for most of the sector's routes to market it adds no value."

See also: Red Tractor crossed the 'red line on environmental module introduction

NSA said it believed the Greener Farms Commitment takes Red Tractor into the realm of setting environmental policy in isolation rather than getting behind the key environmental and sustainable farming schemes being introduced by Defra.

Following the meeting of the NSA English Committee on Monday, chair Kevin Harrison added: "It is quite telling that those responsible for the governance of the assurance scheme felt the need to work on this behind closed doors without even consulting their boards or technical advisory committees." NSA Chief Executive Phil Stocker continued:"Anyone who has had any contact with NSA will recognise that we are pro-environment, but the recent announcement of the Greener Farm Commitment, developed with no practical input from ourselves or the farming sector, is flawed and simply a step too far. We do not accept this will remain a voluntary scheme and additionality like this comes with a cost that needs to be supported via market premiums or by full alignment with Defra's Sustainable Farming Incentive (SFI) and Countryside Stewardship schemes.

"We are frustrated by the fact there has been no consideration for the hundreds of sheep farmers who operate as graziers on other people's land and have no influence on wider land management decisions, or direct access to SFI and similar schemes, yet do a great job within the boundaries of their authority. We are not prepared to put at risk the social and cultural makeup of our industry in this drive for more industrialisation, supposed professionalisation, and red tape."

See also: Red Tractor defends 'greenwashing' slur

Earlier this week, the NFU passed a resolution highlighting members' concerns around the detail of Red Tractor's new green module. The union was forced to act following the proposal of a resolution from the Midlands (Transitional) Region which called for an independent review of Red Tractor governance and a pause to further bolt-ons'.

According to the NFU, while members still recognised and embraced' the increasing role of sustainability in farm assurance, some felt more granular, technical and practical elements of the GFC' should have been consulted on more widely before the module was unveiled.

NFU deputy president Tom Bradshaw said: "Red Tractor has been a positive thing for our members and, indeed, is an organisation we helped establish for that very reason... We all accept the roll-out of the GFC has not been as any of us would have wished, but the issue is about procedures, not principles. We can and should work together to address those issues, get past this and move on for the benefit of farmers, growers, the wider supply chain and, crucially, consumers."

A spokesperson for Red Tractor said: "NFU Council have raised the importance of involving farmers in the continued development of Red Tractor's environment module. We agree about how important this is, and that there are benefits for farmers, growers, and the wider supply chain, from a common industry approach.

"Work to this point included trials with 25 farms last year, for example. As the main Red Tractor board agreed last month, our existing Technical Advisory Committees and Sector Boards are meeting over coming weeks to provide their feedback on technical and practical considerations.

"But we recognise there is always more we can do to listen to farmers' feedback and understand their point of view. The new Development Advisory Panel (DAP) is being created and will meet for the first time next month and will have a critical role to ensure that the Greener Farms Commitment (GFC) takes full account of the first-hand experience of farmers."

See the original post:
NSA calls for a 'root and branch' review of Red Tractor - Farmers Guardian