New NCCoE Guide Helps Major Industries Observe Incoming Data While Using Latest Internet Security Protocol – NIST

An official website of the United States government
Here’s how you know
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
https://www.nist.gov/news-events/news/2024/01/new-nccoe-guide-helps-major-industries-observe-incoming-data-while-using
The Transport Layer Security (TLS) protocol allows us to send data over the internet securely, protecting passwords and credit card numbers when we provide them to a site. A new practice guide will help industries perform required monitoring of incoming data for malware while using TLS 1.3, the protocol’s latest version.
Companies in major industries such as finance and health care must follow best practices for monitoring incoming data for cyberattacks. The latest internet security protocol, known as TLS 1.3, provides state-of-the-art protection, but complicates the performance of these required data audits. The National Institute of Standards and Technology (NIST) has released a practice guide describing methods that are intended to help these industries implement TLS 1.3 and accomplish the required network monitoring and auditing in a safe, secure and effective fashion.
The new draft practice guide, Addressing Visibility Challenges with TLS 1.3 within the Enterprise (NIST Special Publication (SP) 1800-37), was developed over the past several years at the NIST National Cybersecurity Center of Excellence (NCCoE) with the extensive involvement of technology vendors, industry organizations and other stakeholders who participate in the Internet Engineering Task Force (IETF). The guidance offers technical methods to help businesses comply with the most up-to-date ways of securing data that travels over the public internet to their internal servers, while simultaneously adhering to financial industry and other regulations that require continuous monitoring and auditing of this data for evidence of malware and other cyberattacks. 
“TLS 1.3 is an important encryption tool that brings increased security and will be able to support post-quantum cryptography,” said Cherilyn Pascoe, director of the NCCoE. “This collaborative project focuses on ensuring that organizations can use TLS 1.3 to protect their data while meeting requirements for auditing and cybersecurity.”
NIST is requesting public comments on the draft practice guide by April 1, 2024. 
The TLS protocol, developed by the IETF in 1996, is an essential component of internet security: In a web link, whenever you see the “s” at the end of “https” indicating the website is secure, it means TLS is doing its job. TLS allows us to send data over the vast collection of publicly visible networks we call the internet with the confidence that no one can see our private information, such as a password or credit card number, when we provide it to a site.
TLS maintains web security by protecting the cryptographic keys that allow authorized users to encrypt and decrypt this private information for secure exchanges, all while preventing unauthorized individuals from using the keys. TLS has been highly successful at maintaining internet security, and its previous updates up through TLS 1.2 enabled organizations to keep these keys on hand long enough to support auditing incoming web traffic for malware and other attempted cyberattacks.
However, the most recent iteration — TLS 1.3, released in 2018 — has challenged the subset of businesses that are required by law to perform these audits, because the 1.3 update does not support the tools the organizations use to access the keys for monitoring and audit purposes. Consequently, businesses have raised questions about how to meet enterprise security, operational, and regulatory requirements for critical services while using TLS 1.3. That’s where NIST’s new practice guide comes in.
The guide offers six techniques that offer organizations a method to access the keys while protecting the data from unauthorized access. TLS 1.3 eliminates keys used to protect internet exchanges as the data is received, but the practice guide’s approaches essentially allow an organization to retain the raw received data and the data in decrypted form long enough to perform security monitoring. This information is retained within a secure internal server for audit and forensics purposes and is destroyed when the security processing is completed. 
While there are risks associated with storing the keys even in this contained environment, NIST developed the practice guide to demonstrate several secure alternatives to homegrown approaches that might heighten these risks. 
“NIST is not changing TLS 1.3. But if organizations are going to find a way to keep these keys, we want to provide them with safe methods,” said NCCoE’s Murugiah Souppaya, one of the guide’s authors. “We are demonstrating to organizations who have this use case how to do it in a secure manner. We explain the risk of storing and reusing the keys, and show people how to use them safely, while still staying up to date with the latest protocol.”
The NCCoE is developing what will eventually be a five-volume practice guide. Currently available are the first two volumes — the executive summary (SP 1800-37A) and a description of the solution’s implementation (SP 1800-37B). Of the three planned volumes, two (SP 1800-37C and D) will be geared toward IT professionals who need a how-to guide and demonstrations of the solution, while the third (SP 1800-37E) will focus on risk and compliance management, mapping components of the TLS 1.3 visibility architecture to security characteristics in well-known cybersecurity guidelines. 
An FAQ is available to answer common questions. To submit comments on the draft or other questions, contact the practice guide’s authors at applied-crypto-visibility [at] nist.gov (applied-crypto-visibility[at]nist[dot]gov). Comments may be submitted until April 1, 2024.
Webmaster | Contact Us | Our Other Offices

source

Related Posts

After 6 months and little explanation, Norton Healthcare patients, employees still feeling effects of cyber attack – WDRB

Spotty shower possible. Storms after midnight Updated: April 16, 2024 @ 12:31 pmNorton Healthcare, a company serving about 600,000 patients a year with nearly $5 billion in assets, continues to…

Read more

CA's top cybersecurity job has been vacant for almost 2 years – CalMatters

Technology Californians get hacked all the time. The state’s top cybersecurity job is vacant In summaryGov. Newsom has yet to appoint a commander who is tasked with informing businesses and…

Read more

13 Cyber Security Measures Your Small Business Must Take – Tech.co

Our content is funded in part by commercial partnerships, at no extra cost to you and without impact to our editorial impartiality. Click to Learn MoreCybersecurity has been important to…

Read more

AVG Antivirus Free review – Ghacks

AVG AntiVirus Free is a longstanding security program for Microsoft Windows that protects computer systems from viruses, trojans and other malicious code.One interesting fact about AVG is that it maintains…

Read more

Vlog Episode #247: Chris Long on Improving Technical SEO Skills & Playing Offense SEO – Search Engine Roundtable

In part one, we learned about Chris Long and his experience working with Bill Slawski. Then, in part two, we spoke about helping people with SEO on LinkedIn and using…

Read more

Information Security Vs. Cybersecurity: What's The Difference? – Forbes

Information Security Vs. Cybersecurity: What’s The Difference?  Forbessource

Read more

Leave a Reply

Your email address will not be published. Required fields are marked *