The National Security Agency (NSA) has released a new report that gives all organizations the most current advice on how to protect their IT network infrastructures from cyberattacks. NSA's report 'Cybersecurity Technical Report (CTR): Network Infrastructure Security Guidance' is available freely for all network admins and CIOs to bolster their networks from state-sponsored and criminal cyberattacks. The report covers network design, device passwords and password management, remote logging and administration, security updates, key exchange algorithms, and important protocols such as Network Time Protocol, SSH, HTTP, and Simple Network Management Protocol (SNMP). The US Cybersecurity and Infrastructure Security Agency (CISA) is encouraging tech leaders to view the NSA document as part of its new push for all organizations in the US and elsewhere to raise defenses after the recent disk wiper malware targeting Ukrainian organizations. The document, from NSA's cybersecurity directorate, encourages the adoption of 'zero trust' networks. Zero trust assumes malicious insiders and threats existing inside and outside classical network boundaries. The NSA says it "fully supports the Zero Trust model" and offers recommendations for creating it, from installing routers and using multiple vendors to creating firewalls that reduce the potential of an exploit impacting one vendor's product. However, the agency also notes that its guidance focuses on mitigating common vulnerabilities and weaknesses on existing networks. The Biden administration has given federal agencies until 2024[/color] to implement zero trust architectures, so the NSA's guidance joins recommendations from the National Institute of Standards and Technology's (NIST) work to explain what zero trust is with key vendors such as Microsoft and Google. The UK is also pushing organizations to adopt zero trust. Among other things, the document focuses closely on Cisco and its widely used IOS networking software for routers and switches, including configuring its one to 15 levels of privileged access to network devices and how to store passwords with algorithms that Cisco IOS devices use. The NSA knows a lot about Cisco gear, as Edward Snowden's 2013 leaks revealed. NSA recommends that similar systems within a network should be grouped together to protect against an attacker's lateral movement after a compromise. Attackers will target systems like printers that are more easily exploitable, for example. It also recommends removing backdoor connections between devices in the network, using strict perimeter access control lists, and implementing network access control (NAC) that authenticates unique devices connected to the network. Regarding VPNs, it says to "disable all unneeded features and implement strict traffic filtering rules". It also specifies the algorithms that should be used for key exchanges in IPSec VPN configurations. NSA says local administrator accounts should be protected with a unique and complex password. It recommends enforcing a new password policy and warns that "most devices have default administrative credentials which are advertised to the public". Admins should remove all default configurations and then reconfigure them with a unique secure account for each admin. "Do not introduce any new devices into the network without first changing the default administrative settings and accounts," NSA says. The new report follows NSA's guidance to help people and organizations choose virtual private networks (VPN). VPN hardware for securing connections between remote workers to corporate networks became a prime target during the pandemic. Follow this thread on OUR FORUM.

Russia's invasion of Ukraine is creating new cracks in the world-spanning foundation of the internet. Since Feb. 25, the day after Russia began an assault on its neighbor, Moscow has made it harder for citizens to reach Facebook and Twitter. Separately, Facebook, YouTube, and TikTok have limited access to Russian state-owned media in the European Union at the request of governments in the 27-country bloc. Russia has also exercised the power of its Sovereign Internet Law, which President Vladimir Putin signed in 2019. The law is designed to help the Russian internet survive any Western attempt to cut it off, but it also centralizes state network control so that the government can take actions like censoring sites or hobbling social networks. The increasing fragmentation of the internet, a phenomenon commonly called the "splinternet," reflects the differences in how countries treat both low-level technology that shuttles data around the planet and higher-level applications, such as search engines and messaging apps. Increasingly, a patchwork of different national rules threatens to cripple one of the most powerful means of connection and communication that humanity has created. If the splinternet trend continues, the internet will be replaced by "a bunch of national islands that are sometimes connected to other places," said Andrew Sullivan, chief executive of the Internet Society, a nonprofit seeking to expand internet access. Overall, the internet still works as originally designed, an interlinked collection that now includes more than 32,000 smaller networks run by entities like internet service providers, tech giants, universities, and governments. Technology standards govern how your emails and Instagram photos traverse these networks, hopping across routers and switches linked by fiber-optic lines, radio links, and copper cables. The technologists who invented the internet and created many of its most influential companies have fought fragmentation for years. For example, the Internet Society, the European Commission, the Internet Engineering Task Force (IETF), and Ripe Labs pushed back against a Chinese call for centralized internet standards, which the internet pioneers considered antithetical to the network's distributed ethos. The most powerful manifestation of the splinternet is China's Great Firewall, an internet monitoring and control system the country uses to block companies like US social networks or content like Hong Kong protest information. Now, however, some restrictions are coming from liberal democracies like the EU. However well-intentioned, every regional change adds new complexity, cost, and usage barriers to the internet. As with many industries, governmental restrictions vary around the world. Europe and California created their own privacy laws; China imposes top-down government censorship; India has banned Chinese apps such as TikTok, WeChat, and Weibo; former President Donald Trump attempted to ban TikTok and WeChat, and Russia forced the ejection of a voting app from Google's and Apple's app stores. Russia's war in Ukraine is changing the rules again thanks to government actions and corporate policies against problems such as disinformation. After Russia's invasion, the European Union's effort to "ban the Kremlin's media machine in the EU" meant Facebook, Microsoft and TikTok restricted access to Russian state-controlled media, notably RT and Sputnik. The moves came after similar though smaller actions had been taken. For example, Russia restricted access to Facebook and hobbled Twitter for some users, and Facebook and Twitter restricted ads on Russian state channels. Google's YouTube also reportedly curtailed Russian state-owned media ad revenue and reduced the likelihood their videos would be recommended. Russian law requires larger streaming video services to carry state-run media, although Netflix refused to do so because of the Ukrainian invasion, according to The Wall Street Journal. US sanctions blocked Apple Pay and Google Pay for some Russian bank customers. Mykhailo Fedorov, Ukraine's vice prime minister, wants more. On Feb. 25, the day after Russia invaded Ukraine, he called on Apple CEO Tim Cook to stop selling Apple products and services in Russia and to block Russians from using its app store. "Modern technology is perhaps the best answer to the tanks, multiple rocket launchers ... and missiles," he tweeted, and Apple granted at least some of his wish. For more please visit OUR FORUM.