Mediaboss Marketing

2:45 P.M. EDT

MS. PSAKI: Hi, everyone. Okay, we have a very special return guest today, Deputy National Security Advisor Anne Neuberger, who is here to provide a brief update on cyber. You probably have seen the statement from the President we issued, as well as a factsheet; shell talk about that. Has a little bit of time to take some questions, and then well do a briefing from there.

With that, Ill turn it over to Anne.

MS. NEUBERGER: Thank you, Jen. Good afternoon, everyone.

This afternoon, the President released a statement and factsheet regarding cyber threats to the homeland, urging private sector partners to take immediate action to shore up their defenses against potential cyberattacks.

Weve previously warned about the potential for Russia to conduct cyberattacks against the United States, including as a response to the unprecedented economic costs that the U.S. and Allies and partners imposed in response to Russias further invasion of Ukraine.

Today, we are reiterating those warnings, and were doing so based on evolving threat intelligence that the Russian government is exploring options for potential cyberattacks on critical infrastructure in the United States.

To be clear, there is no certainty there will be a cyber incident on critical infrastructure. So why am I here? Because this is a call to action and a call to responsibility for all of us.

At the Presidents direction, the administration has worked extensively over the last year to prepare to meet this sort of threat, providing unprecedented warning and advice to the private sector and mandating cybersecurity measures where we have the authority to do so.

For example, just last week, federal agencies convened more than 100 companies to share new cybersecurity threat information in light of this evolving threat intelligence. During those meetings, we shared resources and tools to help companies harden their security, like advisories sourced from sensitive threat intelligence and hands-on support from local FBI field offices and sister regional offices, including their Shields Up program.

The meeting was part of an extensive cybersecurity resilience effort that we began in the fall, prompted by the President. Agencies like Energy, EPA, Treasury, and DHS have hosted both classified and unclassified briefings with hundreds of owners and operators of privately owned critical infrastructure. CISA, NSA, and FBI have published cybersecurity advisories that set out protections the private sector can deploy to improve security.

The President has also directed departments and agencies to use all existing government authorities to mandate new cybersecurity and network defense measures. Youve seen us do that where we have the authority to do so, including TSAs work that mandated directives for the oil and gas pipelines following the Colonial Pipeline incident that highlighted the significant gaps in resilience for that sector.

Our efforts together over the past year has helped drive much-needed and significant improvements. But theres so much more we need to do to have the confidence that weve locked our digital doors, particularly for the critical services Americans rely on.

The majority of our critical infrastructure, as you know, is owned and operated by the private sector. And those owners and operators have the ability and the responsibility to harden the systems and networks we all rely on.

Notwithstanding these repeated warnings, we continue to see adversaries compromising systems that use known vulnerabilities for which there are patches. This is deeply troubling.

So were urging, today, companies to take the steps within your control to act immediately to protect the services millions of Americans rely on and to use the resources the federal government makes available. The factsheet released alongside the Presidents statement contains the specific actions that were calling companies to do.

I would be remiss if I didnt reiterate the Presidents thanks to Congress for its partnership in this effort, including making cybersecurity resources available in the Bipartisan Infrastructure Law and, most recently, for working across the aisle to require companies to report cyber incidents to the federal government. That will ensure federal resources are focused on the most important cyber threats to the American people.

We welcome additional congressional work to identify new authorities that can help address gaps and drive down collective cybersecurity risk.

Bottom line: This is about us the work we need to do to lock our digital doors and to put the country in the best defensive position.

And there is them. As the President has said: The United States is not seeking confrontation with Russia. But he has also said that if Russia conducts disruptive cyberattacks against critical infrastructure, we will be prepared to respond.

Thank you.

MS. PSAKI: All right. Let me just first ask, for those of you in the aisles, if youre not a photographer, theres plenty of seats. So if you could sit down, that would be great, and not crowd the others in the seats.

So, we dont have unlimited time, so if people we just want to get to as many people as possible.

So, go ahead.

Q Thank you, Jen. Hi, Anne. Just a quick question on the Viasat attack that happened on the 24th of Feb, the day Russia attacked Ukraine. Weve obviously seen that impact satellite communication networks in Eastern Europe. And since then, the FBI and CISA have issued warnings that similar attacks can happen against U.S. companies.

Is the U- is the U.S. in a position to perhaps identify who is behind the hack at this moment?

MS. NEUBERGER: Its a really good question. So, first, I want to lift up: FBI and CISA and NSA also highlighted protective security measures that U.S. companies can put in place to protect against exactly that kind of attack. We have not yet attributed that attack, but were carefully looking at it because, as you noted, of the impact not only in Ukraine but also in satellite communication systems in Europe as well.

Q Does the sophistication of the attack, perhaps the timing of it, suggest that its a state actor? I mean, are you willing to

MS. NEUBERGER: Those are certainly factors that are were looking at carefully as we look at who is responsible for them.

MS. PSAKI: Phil.

Q The evolving intelligence, it doesnt mean that its a certainty theres going to be an attack. Can you explain for the layman what youre seeing right now that precipitated this statement today, and what the evolving intelligence may be now compared to on the 24th or prior to the invasion?

MS. NEUBERGER: Absolutely. So, the first part of that is: Youve seen the administration continuously lean forward and share even fragmentary pieces of information we have to drive and ensure maximum preparedness by the private sector.

So as soon as we learned about that, last week we hosted classified briefings with companies and sectors who we felt would be most affected, and provided very practical, focused advice.

Todays broader, unclassified briefing is to raise that broader awareness and to raise that call to action.

Q So there was something specific you saw last week that was raised to the industries that it would have affected, is what youre saying?

MS. NEUBERGER: So I want to reiterate: There is no evidence of any of any specific cyberattack that were anticipating for. There is some preparatory activity that were seeing, and that is what we shared in a classified context with companies who we thought might be affected. And then were lifting up a broader awareness here in this in this warning.

MS. PSAKI: Major?

Q Hey, Anne. When you say a call to action, many who hear you say that might believe that something is imminent. Is it?

MS. NEUBERGER: So, first, a call to action is because there are cyberattacks that occur every day. Hundreds of millions of dollars were paid in ransoms by U.S. companies just last year against criminal activity happening in the U.S. today. Every single day, there should be a call to action.

Were using the opportunity of this evolving threat intelligence regarding potential cyberattacks against critical infrastructure to reiterate those with additional focus specifically to critical infrastructure owners and operators to say, You have the responsibility to take these steps to protect the critical services Americans rely on.

Q And as a follow-up: Critical infrastructure is a broad term. Is it as broad as you typically mean it when the government speaks about critical infrastructure, or is there something youve seen that you can be more a little bit more specific within that large frame of critical infrastructure?

MS. NEUBERGER: I wont get into specific sectors at this time, because the steps that are needed to lock our digital doors need to be done across every sector of critical infrastructure. And even those sectors that we do not see any specific threat intelligence for, we truly want those sectors to double down and do the work thats needed.

MS. PSAKI: Jacqui.

Q You guys, the administration, successfully declassified a lot of intelligence about what the Russians were planning leading up to the invasion to prebut what they might do. Can you do that a little bit here and at least list some of the industries that might be the biggest targets so that they can have a heightened awareness about what might be coming?

MS. NEUBERGER: As we consider declassifying intelligence, to your excellent point, that really has been the work that has been done the last few weeks and was driven by a focus on outcomes. It was driven by the Presidents desire to avoid war at all costs, to really invest in diplomacy.

So, as we consider this information, the first step we did was we gave classified, detailed briefings to the companies and sectors for which we had some preparatory information about. And then for those where we dont, thats the purpose of todays unclassified briefing: to give that broad warning. And I want to lift up the factsheet, which is really the call to action for specific activities to do.

Q So you believe the people, the industries that need to know about this risk know?

MS. NEUBERGER: We believe the key entities who need to know have been provided classified briefings. I mentioned, for example, just last week, several hundred companies were brought in to get that briefing.

MS. PSAKI: Peter.

Q Does the U.S. have any evidence that Russia has attempted a hack, either here in the U.S., in Europe, or in Ukraine, over the course of the last several weeks since this offensive began?

MS. NEUBERGER: So, we certainly believe that Russia has conducted cyberattacks to undermine, coerce, and destabilize Ukraine. And we attributed some of those a couple of weeks ago.

We consistently see nation states doing preparatory activity. That preparatory activity can pan out to become an incident; it cannot. And thats the reason were here.

Q So, specifically in the U.S., as there was an assessment early on that we thought that we would be a likely target here, why do you think we have not seen any attack on critical infrastructure in the United States to this point so far?

MS. NEUBERGER: I cant speak to Putin or Russian leaderships strategic thinking regarding how cyberattacks factor in.

What I can speak to is the preparatory work weve been doing here in the U.S. and the fact that as soon as we have some evolving threat intelligence regarding a shift in that intention, that were coming out and raising the awareness to heighten our preparedness as well.

Q So you cant say declaratively that we stopped an attack, I guess Im saying, to this point on critical infrastructure?

MS. NEUBERGER: Correct.

Q Okay. Thank you.

MS. PSAKI: Colleen.

Q Can you explain a little bit more what preparatory activity on the part of the Russians would be? What does that look like?

MS. NEUBERGER: So, preparatory activity could mean scanning websites; it could be hunting for vulnerabilities. Theres a range of activity that malicious cyber actors use, whether theyre nation state or criminals.

The most troubling piece and really one I mentioned a moment ago is we continue to see known vulnerabilities, for which we have patches available, used by even sophisticated cyber actors to compromise American companies, to compromise companies around the world. And thats one of the reasons and that makes it far easier for attackers than it needs to be.

Its kind of you know, I joke I grew up in New York you had a lock and an alarm system. The houses that didnt or left the door open clearly were making it easier than they should have. Right? No comment about New York. (Laughter.)

So, clearly what were asking for is: Lock your digital doors. Make it harder for attackers. Make them do more work. Because a number of the practices we include in the factsheet will make it significantly harder, even for a sophisticated actor, to compromise a network.

MS. PSAKI: Go ahead.

Q Sorry, just to be clear: The warning today, is this in response to some of these more desperate tactics weve seen from Russia on ground? Are you now fearing that there might be more of a cyber risk because of what were seeing on the ground in Ukraine?

MS. NEUBERGER: So, weve given a number of threat intel- of threat warnings over the last number of weeks that Russia could consider conducting cyberattacks in response to the very significant economic costs the U.S. and partners have put on Russia in response. This speaks to evolving threat intelligence and a potential shift in intention to do so.

Q And do you have a message for individuals? Youre talking a lot about private companies. What about households? Should they be worried about cyberattacks here?

MS. NEUBERGER: The items in the factsheet apply to companies and individuals as well. Im specifically speaking to companies because theres a responsibility to protect the critical services Americans rely on. But every individual should take a look at that fact sheet because its a truly helpful one. We only put in place the things that we really try to practice and work to practice ourselves.

MS. PSAKI: Jordan.

Q Thanks. As part of this preparatory activity, do you have evidence that Russian hackers have infiltrated the networks of U.S. companies already and just havent carried out the attacks?

MS. NEUBERGER: There was as I noted, we frequently see preparatory activity. Whenever we do, we do sensitive warnings to the individual companies and provide them information to ensure they can look quickly at their networks and remediate what may be occurring.

Q So have you seen any evidence that there have been infiltrations as part of that activity?

MS. NEUBERGER: We routinely see information about infiltrations. Right? Technology is not as secure as it needs to be. I mentioned the ransomware activity. There are multiple nation-state actors. Its a line of work for the intelligence community and the FBI to knock on a companys door and say, Weve seen some evidence of an intrusion. Well work with you. Well make these resources available via a regional office to work with you to help you recover. Thats thats pretty routine practice.

What were seeing now is an evolving threat intelligence to conduct potential cyberattacks on critical infrastructure. And that raises up a point because were concerned about potential disruption of critical services.

MS. PSAKI: Ken.

Q Anne, you did a briefing for us about a month ago. Do you think the U.S. banking system is more vulnerable, less vulnerable since the briefing, given the warnings that the government has produced?

MS. NEUBERGER: The U.S. banking sector truly takes cyber threats seriously, both individually and as a group. Treasury has worked extensively with the sector to share sensitive threat intelligence at the executive level, at the security executive level, repeatedly at the classified and unclassified level. So, I do not believe theyre more at risk, but it is always important for every critical infrastructure sector to double down in this heightened period of geopolitical tension to carefully look at any threat.

MS. PSAKI: Go ahead.

Q Can you paint a worst-case scenario picture for us? What exactly are you most worried about if people the private sector chooses to not take these steps?

MS. NEUBERGER: Clearly, what were always I wont get into hypotheticals, right? But the reason Im here is because critical infrastructure power, water, many hospitals in the United States are owned by the private sector. And while the federal government makes extensive resources available I mentioned FBIs 56 regional offices you can just walk in; CISA has offices near most FEMA sites in the United States. Theyve had their Shields Up program. We can make those resources available. For those sectors where we can mandate measures like oil and gas pipelines, we have. But its ultimately the private sectors responsibility, in our current authority structure, to do those steps, to use those resources to take those steps.

So, the purpose here is to say: Americans rely on those critical services. Please act. And were here to support with the resources we have.

MS. PSAKI: Kayla, last one.

Q Thank you. Anne, are you still seeing the Russians carrying out cyberattacks inside Ukraine? Its been a few weeks since weve been discussing that in particular.

And as financial tools levied by the West have proven ineffective, what cyber tools does the West have that it can possibly utilize?

MS. NEUBERGER: We do continue to see Russia conducting both as you know, right? significant malicious activity in Ukraine; major kinetic attacks, which have disrupted and killed lives; as well as cyber activity. And we believe the unprecedented economic costs the United States and partners have levied is significant in that way.

With regard to your question about whether cyberattacks would change that: I think the President was very clear were not looking for a conflict with Russia. If Russia initiates a cyberattack against the United States, we will respond.

MS. PSAKI: Thank you, Anne, so much for joining us.

MS. NEUBERGER: Thank you. Thank you for having me.

Q Thanks, Anne.

Q Thank you, Anne.

MS. PSAKI: All right. I just had two brief items for all of you at the top.

There was a scheduled meeting today that Secretary Yellen, Secretary Raimondo, Jake Sullivan, and Brian Deese had with 16 CEOs this afternoon. The President also dropped by for about 20 minutes and provided them an update on Russia, Ukraine. Im sure we can get you a list of the attendees at that meeting as well.

Also wanted to note a number of you have asked about whether the President would be watching the hearings today. One scheduling note is the Quint meet- call he had this morning was at exactly the same time as her opening statement, but he did request regular updates or has been requesting regular updates from members of the team on how the hearing is going.

And he also called her last night to wish her good luck this week at the hearings.

And I would also note that hes very grateful to Judge Tom Grif- Thomas Griffith, as well as Lisa Fairfax, for introducing her today.

So with that, I will stop. And, Colleen, why dont you kick us off.

Q Okay. So, do you can give us a readout of the call with the European leaders from earlier? Just sort of what was discussed, what happened.

And then I have one other question after that.

MS. PSAKI: Absolutely. If you havent already there should be a readout going out shortly, but let me give you a few of the preview points of this call:

Read the original:
Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022 - The White House

Image courtesy of General Dynamics Mission Systems.

In this Q&A with Brian Morrison, Cyber Systems vice president and general manager for General Dynamics Mission Systems, we discuss cost-effective strategies for crypto mod, how Layer 2 encryption will enable missions such as the Joint Warfighting Cloud Capability, and how organizations can keep cryptographic systems compliant with NSA requirements.

Breaking Defense: Lets set the scene. What is the steady state right now in cryptographic solutions? Where is modernization needed?

Brian Morrison, Cyber Systems vice president and general manager for General Dynamics Mission Systems.

Morrison: At a threshold level, NSA is the standard-setting organization and the certifier for all cryptographic equipment across the National Security Enterprise. Its fair to say that crypto modernization for NSA has always been viewed as a continuous process.

That is to say, you and I have email accounts that we originally set up with a strong password. But since then, maybe we used that password on other accounts, or there was a penetration somewhere, or compute power has increased such that password crackers are more capable today. So what was once a strong password ends up being a really weak one and a vulnerability.

Thats an oversimplification, but whats true for passwords is true for crypto gear. You can build the strongest crypto gear that exists but over time the security of that device, of the algorithms that underlie that device, of the protections that are wrapped around that device, all erode over time. Our adversaries get better at doing what they do. And were seeing new, persistent attacks due to network vulnerabilities.

Under the leadership of the NSA, we, as a National Security Enterprise, must continually refresh our crypto gear. That means discreet gates for Advanced Cryptographic Capability prescribed by NSA. It also means continuing to patch, maintain, and update all of our gear over time. And then at certain points in time, NSA says a particular family of cryptographic gear has to come offline because it has aged out; it cant be secure anymore.

Thats the way I look at crypto modernization: from new crypto boxes to upgrading existing crypto boxes, to removing legacy crypto boxes from a network. All of that is the process of crypto mod. Our reason for being at General Dynamics Mission Systems is to make sure that our customers and the national security establishment have the most secure crypto that American ingenuity can provide.

Breaking Defense: How should organizations approach crypto mod? Is it akin to a software patch or a new iOS update that downloads in the background while were asleep?

Morrison: I wish it were that easy. There are two aspects. One is we know, without speaking to crypto gear specifically, that the overwhelming majority of cyber-security penetrations happen because somebody has not patched and updated, or they have been phished.

Our customers operate in vast networks, widely dispersed networks, high-latency networks, and in tactical, DIL (disconnected, intermittent, limited) environments. Its very difficult for those networks with many pieces of gear to stay patched and updated all the time. At General Dynamics Mission Systems, we have what we call the GEM One Encryptor Manager, which is a software package that manages and updates all of the Type 1 crypto in the enterprise, including crypto devices made by other manufacturers. Remote management improves the health of the network and eases maintenance.

The second part of the problem is that our customers have thousands and thousands of cryptographic units in their inventory. The ongoing process of crypto mod, including the periodic deadlines that the NSA rightfully imposes, is difficult to manage from both a budgetary and a logistics perspective.

So were encouraging our customers to think proactively about what their needs are going to be for crypto in 6, 12, 18, 24, 36 months out. That helps them plan from a budget perspective so that we are able to plan from a manufacturing-capacity perspective so that when the time comes to switch out boxes, theyve got the budget for it and were ready to satisfy their demand on time and within their budget. Thats easy to say and hard to do because theyre substantial investments. At the same time, theyre investments in the security of the most important secrets the nation has.

Breaking Defense: Is crypto mod more of a hardware or a software modification, or both?

Morrison: When we talk about crypto mod, were normally talking about updates to the hardware. But there are major software updates that we can do to provide compliance with crypto mod gates from the NSA. For example, our TACLANE-FLEX, TACLANE-10G, TACLANE-Nano, TACLANE-Micro, and Sectra vIPer phones have all been software upgraded to the NSAs Advanced Cryptographic Capabilities standard of modernization.

Breaking Defense: What is involved in keeping data-protection solutions up to date. Im assuming were talking about NSA requirements and certifications.

Morrison: Yes, the NSA is the certification authority for Type 1 crypto. If you want to pass classified information across the network, youve got to do it over a piece of crypto that the NSA has certified. For the vendors and programs that develop new crypto, that certification process is every bit as rigorous, complicated, and demanding as you would imagine. And, frankly, as rigorous as you would hope as these are high-stakes networks. For the missions that consume the crypto, the fact that NSA has certified the encryptor makes the long-term management of the crypto infinitely simpler and more stable.

Today, the NSA is in the midst of introducing a new specification for what we call Layer 2 encryption. This is a new standard for encryption at a different network layer that is intended to deliver much higher speeds over the next few years. Were very much a part of that effort and have made significant investments in delivering some mind-boggling speeds.

Breaking Defense: Speeds for what exactly?

Morrison: For the defense and intelligence establishments migration to the cloud. With defense networks operating in cloud environments, you have data center to data center transfers that have to happen at a very high rate of speed because those data center to data center transfers are aggregated traffic.

These transfers must be as bandwidth efficient as possible while keeping high security standards. When you move to Layer 2, you open up the possibility of much higher speeds at any given compute power. At the same time, we are pushing the boundaries of what compute power is available. Were always looking for more compute power to deliver higher and higher speeds.

As we address the data center market for government data centers, we need to be able to deliver speeds that there isnt even a market for today, but we know there will be tomorrow.

Breaking Defense: It almost sounds like the future of cloud computing in the DoD, particularly the Joint Warfighting Cloud Capability, is dependent on Layer 2 encryption. Is that an oversimplification?

Morrison: I dont think it is. The cloud providers likely can, with their existing or soon-contemplated infrastructure, handle what is already within the boundaries of their clouds. But as we know, defense customers are going to require hybrid clouds. Theyre going to require data transitioning from cloud to cloud, and thats where we really need those higher speeds.

Breaking Defense: What do you see as hindrances to proper crypto modernization?

Morrison: Im always sympathetic to the fact that the business Im in, the crypto business, is often perceived by some of our customers as an unfunded mandate. Its a real challenge.

That often stands in the way, even though nobody wants their systems to not be secure. Their number one concern is the life of their soldiers, sailors, airmen, and Marines. That necessitates the security of national security information traveling across their networks. But for many missions, crypto is not the core mission, its the thing that enables the mission.

As new requirements come online and as standards for crypto mod continue to evolve, tactical units might want to upgrade their crypto but just dont have the budget or logistics bandwidth. In response to that, we have added more remote management features to ease the logistics burden of crypto mod. And a couple of years ago, we introduced the smallest, lightest, least expensive Type 1 crypto in its class the TACLANE-Nano which brought affordable crypto to the tactical market.

Breaking Defense: Your point about crypto enabling the mission and not being the mission is well taken. Can you offer a scenario where TACLANE-Nano is particularly valuable to a warfighter and also an affordable and effective crypto solution?

Morrison: Sure. The last decade or more has seen a large increase in the use of unmanned and unattended systems. The nice thing about the TACLANE-Nano is that it is at a price point where you can put it on an unmanned or unattended system, insert it into your adversarys territory, for example, and not worry if it is lost or you lose connectivity; you can remotely zeroize that device. That means that if the cryptographic unit falls into the hands of our adversaries, it cant be used against us.

You cant do that with a big, heavy piece of crypto or one that costs $60,000 because thats not the way those types of unmanned missions run by and large. Were talking about much smaller, lighter airframes. We dont think of those classes of UAVs as attritable, but it may be approaching the attritable market.

Breaking Defense: Final thoughts?

Morrison: Any customer in the national security space has to be thinking about, worrying about, and planning for crypto mod. It is not something that any of us can ignore and then play catch up later on. The planning and logistics behind replacing legacy gear and modernizing a network cryptographic solution is complicated and long tailed.

Thats what General Dynamics Mission Systems is all about. We are a leader in crypto mod and are ready for both todays gates and tomorrows gates from the NSA. Our goal is to partner with our customers, help them understand and implement their modernization needs, and ensure their networks and communications are as secure as anyone can keep them.

More here:
Modernization of crypto isn't the core mission for DoD and the IC, it's what enables the mission - Breaking Defense

SAVE THE DATE

March 21st - 25th 2023

Announcements & Meetings

RENEW YOUR MEMBERSHIP DUES

NOT A MEMBER - JOIN NSA NOW!

Institutional Subscriptions to the Journal of Shellfish Research

Statement on Racism and Discrimination

Congratulations to the 2021 student awardees!

The Journal of Shellfish Research received a 2020 APEX Awards for Publication Excellence!

NSA Cookbook: SIMPLY SHELLFISH

Order your copy from Sandy Shumway!

The 2021(4) NSA Quarterly Newsletter is now available!

Upcoming Meetings/Workshops:

23rd International Pectinid Workshop: Apr. 20-26, 2022. Douglas, Isle of Man.

World Congress on Genetics Applied to Livestock Production - "Challenges and Solutions in Shellfish Aquaculture" session: July 3-8, 2022. Rotterdam, the Netherlands

Aquaculture Canada/WAS North America 2022: Aug. 15-18, 2022. Newfoundland, Canada

Aquaculture America 2023: Feb 19-22, 2023. NewOrleans, Louisiana.

116th NSA Annual Meeting 2024, March 22-26, Charlotte, North Carolina

See the article here:
NSA home - Shellfish

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published updated guidance about how to harden Kubernetes for managing container applications.

Kubernetes is an open-source system that automates deployment, scaling, and management of applications run in containers.

The updated guidance refreshes the two agencies' first Cybersecurity Technical Report regarding Kubernetes hardening guidance from August 2021. CISA says the update contains additional details and explanations based on feedback from industry, including more detailed info on logging and threat detection in addition to other clarifications.

SEE: What is cloud computing? Everything you need to know about the cloud explained

Some of the updates are subtle but important for those who protect Kubernetes clusters. NSA and CISA do not list what the changes are in the updated guidance, but the initial recommendations weren't met with universal approval.

For example,NCC Group noted that advice about Kubernetes authentication was "largely incorrect when it states that Kubernetes does not provide an authentication method by default", whereas most customer implementations NCC Group had reviewed "support both token and certification authentication, both of which are supported natively." NCC Group advised against both for production loads because Kubernetes does not support certificate revocation, which can be a problem if an attacker has gained access to a certificate issued to privileged accounts. The updated guidance now says that "several user authentication mechanisms are supported but not enabled by default."

Otherwise, key points of the original document appear to be unchanged. It looks at hardening within the context of typical Kubernetes cluster designs that include the control plane, worker nodes (for running containerized apps for the cluster), and pods for containers that are hosted upon these nodes. These clusters are often hosted in the cloud and across multiple clouds in AWS, Azure, Google and elsewhere.

The agencies maintain that Kubernetes is commonly targeted for data theft, computational power theft, or denial of service. Historically, flaws in Kubernetes and various dependencies as well as misconfigurations have been used to deploy crypto miners on victim's infrastructure.

It also maintains that Kubernetes is exposed to significant supply chain risks because clusters often have software and hardware dependences built by third-party developers.

For example, security analysts last year warned of attacks against Kubernetes clusters via misconfigured Argo Workflows container workflow engines for K8s clusters.

Besides supply chain risks, other key actors in the agencies' threat model include malicious outsiders and insider threats. These help define its hardening recommendations.

For example, there is a common cloud case where workloads that aren't managed by a given Kubernetes cluster share the same physical network. In that instance, a workload may have access to the kubelet and to control-plane components, such as the API server. So, the agencies recommend network-level isolation.

The agencies provide advice on how to ensure strict workload isolation between pods running on the same node in a cluster, given that Kubernetes doesn't by default guarantee this separation.

Announcing the updated guidance, the NSA says: "Primary actions include the scanning of containers and pods for vulnerabilities or misconfigurations, running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing."

The agencies also recommend periodic reviews of Kubernetes settings and vulnerability scans to ensure appropriate risks are accounted for and security patches are applied.

SEE: There's a critical shortage of women in cybersecurity, and we need to do something about it

But patching is not easy in the context of Kubernetes. CISA regularly publishes alerts about new Kubernetes-related vulnerabilities. In February, for example, it warned of a critical (severity score 8.8 out of 10) privilege escalation flaw,CVE-2022-23652, which affected the capsule-proxy reverse proxy for Capsule Operator.

But as NCC Group points out: "patching everything is hard", partly because of the pressure to avoid downtime, but also because vulnerabilities span Kubernetes,Containerd, runc, the Linux kernel, and more.

"This is something that Kubernetes can help with, as the whole concept of orchestration is intended to keep services running even as nodes go on and offline. Despite this, we still regularly see customers running nodes that haven't had patches applied in several months, or even years. (As a tip, server uptime isn't a badge of honour as much as it used to be; it's more likely indicative that you're running an outdated kernel)," NCC Group noted.

Read the original here:
NSA and CISA: Here's how to improve your Kubernetes cluster security - ZDNet

Lucknow: The Uttar Pradesh government on Tuesday said action under the National Security Act (NSA) will be taken against those involved in organised copying racket in high school and intermediate exams conducted by the UP Board of Secondary Education.

The directives were given at a meeting held by chief secretary Durga Shankar Mishra with all divisional commissioners, police commissioners, district magistrates and SSPs through video conferencing, an official statement said.

He directed that zonal and sector magistrates should be deputed in districts to conduct copying-free examinations and they should regularly inspect and supervise the examination centres.

Action under the NSA should be taken against those involved in organised copying racket, the officer said, adding that special attention should be paid to those spreading rumours.

In the meeting, additional chief secretary (ACS), secondary education, Aradhana Shukla, said 51,92,689 candidates will appear for the UP board examination at 8,373 examinations centres in the state.

CCTVs have been installed in each examination hall.

The examinations will start from March 24.

(PTI)

Read more from the original source:
UP Govt to Slap NSA Against Those Involved in Copying Rackets in School Exams - The Wire