NSA Releases New Guidance on Eliminating Weak Encryption Protocols
by Kapua Iao
Recently, the National Security Agency (NSA) released guidance on eliminating weak encryption protocols.
Encryption protocols ensure secure communication over the Internet, and weak/obsolete protocols can do as much damage as using none at all. The NSA’s recommendations are critical for anyone who wants to recognize and mitigate vulnerabilities.
The NSA now only recommends the use of TLS 1.2 or TLS 1.3 encryption protocols, as legacy protocols and insecure in today’s cyber landscape.
What are encryption protocols?
Hackers attempt to enter and exploit network systems, particularly for organizations or people that work with sensitive data. Cyberattacks are extremely harmful to covered entities (CEs) tasked with safeguarding patients’ protected health information (PHI).
To combat cyberattacks, in the mid-1990s Netscape developed Secure Socket Layer (SSL) protocol to provide extra security for Internet users. Such protocols encrypt data through a variety of methods to keep communication between two parties secure.
As an SSL descendent, Transport Layer Security (TLS), addresses problems with SSL by providing extra layers of protection. Moreover, the TLS protocol encrypts every type of Internet traffic, including web, email, and Usenet.
Over time, cyberattackers have discovered holes (i.e. areas to breach) in past encryption protocols. This is why several updates have been created and released. TLS 1.3 is the newest, most secure version to date.
And this is also why NSA’s guidance is critical:
Obsolete configurations provide adversaries access to sensitive operational traffic using a variety of techniques, such as passive decryption and modification of traffic through man-in-the-middle attacks.
Continued use of vulnerable protocols not only increases cyberattack risk but also provides a false sense of security. If you think you are secure then you won’t fix possible problems.
According to the NSA, while protocols are continuously updated, implementation is not always immediate.
Within the release, the NSA explains:
Networks and systems that use deprecated forms of [TLS] and [SSL] for traffic sessions are at risk of sensitive data exposure and decryption.
Therefore, the guidance delineates the required critical steps to ensure up-to-date TLS configurations. Users can find accompanying tools on the NSA’s GitHub.
First, users must employ network monitoring systems to detect obsolete encryption protocols. These are SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1.
Second, for TLS 1.2 sessions, users should run further checks that identify outdated cipher suites.
Finally, for TLS 1.2 and TLS 1.3 sessions with recommended cipher suites, users should employ monitoring systems to find weak key exchange methods.
All protocols, cipher suites, and key exchange methods must meet the standards communicated in the Committee on National Security Systems Policy 15. If these checks reveal issues and/or unmet standards, users must reconfigure TLS sessions.
The guidance ends by stating users should design network monitoring systems to automatically send alerts about and possibly block weak TLS traffic.
Such alerts provide immediate detection so that users know when communication may not be secure.
By following these steps and standards, companies can protect their Internet communication methods and use only the best protection afforded to them by encryption protocols.
Paubox is prepared
Paubox provides HIPAA compliant email solutions that protect patients’ PHI. One of the main features of Paubox security is our up-to-date TLS protocols.
We only accept TLS 1.2 or higher connections from our customers. Furthermore, we offer TLS 1.3 email encryption for all three of our solutions:
The best part of choosing Paubox is that our tough cybersecurity measures have no impact on user behavior. Our products are perfect for CEs when they need to email PHI safely and securely, with no extra steps, portals, and logins.
Along with our stringent access controls and HITRUST CSF certification, you can always guarantee that your healthcare organization and patients are cybersafe with Paubox.