NSA Shares Guide to Eliminating Obsolete TLS Protocol Configurations

January 06, 2021 - The NSA released insights designed to help organizations eliminate obsolete Transport Layer Security (TLS) protocol configurations. The guide comes on the heels of a report that found a staggering 260 percent increase in attacks on SSL/TLS-encrypted channels.

SSL/TLS encryption is an industry-standard function for keeping data in transit secured and is designed to hide traffic from unauthorized access. Previous Zscaler research shows hackers are increasingly targeting the encrypted channels to bypass legacy security controls.

The healthcare sector is the leading target for these SSL-based attacks.

“Cybercriminals know what security experts know: that SSL/TLS encryption is the industry-standard way to protect data in transit,” researchers explained, at the time. “Those same cybercriminals use industry-standard encryption methods themselves, devising clever ways to hide malware inside encrypted traffic to carry out attacks that bypass detection.”

TLS and SSL were designed to create private, secure channels for communication between a server and a client, which leverage both encryption and authentication means. Most products and standards have been updated with necessary security features, but the NSA noted that implementations of these protocols have not kept pace.

The new NSA guidance identifies strategies to detect those obsolete and legacy security controls found in TLS configurations, including vulnerable cipher suites and key mechanisms.

The insights also provide entities with recommended TLS configurations and remediation steps for organizations that rely on obsolete configurations. Network administrators and security analysts can also learn how detect weak configurations, as well as necessary remediation steps.

Further, the guide sheds light on necessary methods for block obsolete TLS versions, cipher suites, and key exchange methods. NSA officials explained these steps will help entities prepare for cryptographic agility, which can better prevent malicious cyber activities.

The NSA “emphatically recommends” all entities replace the obsolete protocols with ones that leverage strong encryption and authentication to protect sensitive information.

“Over time, new attacks against TLS and the algorithms it uses have been discovered. Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries,” NSA explained. “Using obsolete encryption provides a false sense of security because it may look as though sensitive data is protected, even though it really is not.”

“Obsolete TLS configurations are still in use in US government systems,” they added. “Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks.”

There are a range of means that can support entities in identifying obsolete protocols across the enterprise. The provided remediation approaches can be modified to match the needs of an organization based on its type or size, which will help reduce the impact to the network.

Before remediating obsolete protocols, organizations will need to ensure they’ve detected all instances across the network. The NSA provided additional guidance to support those efforts, including links to helpful tools and even sample configurations.

Once an administrator has found all obsolete protocols, they can review recommended remediation steps. The NSA noted that network monitoring devices can be configured to alert analysts to servers and clients that negotiate obsolete TLS. Those alerts can be used to block weak TLS traffic, depending on the organization.

The NSA also stressed that organizations will need to use a phased approach to tackle obsolete TLS protocols to minimize the impact on the network. As such, the guide provides tables to support administrators in prioritizing responses for each step of the process.

Lastly, administrators should also plan to update all other servers and or clients to support industry-standard algorithms.

“By using the following guidance, network owners can make informed decisions to enhance their cybersecurity posture,” according to the guide. “Since these risks affect all networks, all network owners and operators should consider taking these actions to reduce their risk exposure and make their systems harder targets for malicious threat actors.”