In early March, the National Security Agency (NSA) announced the publication of a 58-page cybersecurity technical report offering guidance on network infrastructure security. The paper offers a comprehensive series of recommendations and guidance for ensuring networks are doing everything they can to remain secure. While much of the information within the report is not likely to be brand new to a company maintaining a digital network of any size, it can still provide some insight into best practices and be used as a decent starting point for a security audit.
Unlike some of the NSA's other publications — such as its handy 2021 quick guide to mobile device best practices — this paper is far more detailed. To help pare down the recommendations in this rather lengthy report, here is a selection of "best points" to consider for a digital security spring-clean.
Zero Trust security
"The National Security Agency (NSA) fully supports the Zero Trust security model," according to the opening pages of the guide.
Zero Trust security, as defined by Cloudflare, "is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter." This is pretty self-explanatory: don't trust anyone until they have verified themselves, even those already inside the network. This is the defining principle that differentiates Zero Trust from the more conventional "castle-and-moat" form of network security, which traditionally "trusts anyone and anything inside the network," leaving it complacent about insiders and giving them easier access to information.
The NSA paper does, however, acknowledge that implementing Zero Trust security is not immediately feasible for everyone, hence the guidance that follows on strengthening the defenses of the traditional "castle-and-moat" systems most organizations still operate.
It's all about layering, according to the NSA. The more layers of defense you can wrap around your network, the more secure it is likely to be. Not only should this mean using various methods of defense — such as border routers and network intrusion detection systems (NIDS) — but it's also recommended that you implement multiple layers of the same security feature. For example, don't limit yourself to just one firewall. Place firewalls within firewalls, each from a different vendor, so that an exploitable vulnerability in one is unlikely to be present in the next.
A useful benefit of a multi-firewall approach is that systems can be grouped together strategically between different firewalls, making the other groups less vulnerable to incursion should one be compromised. One way of separating technology into different groups is to create boundaries between operational tech and information tech, as per recommendations from the Cybersecurity & Infrastructure Security Agency (CISA).
Performing a full maintenance check of your network isn't just about running updates on security systems. Consider the full spectrum of peripherals involved and interconnected in the network. This can include hardware and software updates, as well as things like reviewing file systems and operating system settings. Additionally, endeavor to remain aware of end-of-life notices for devices and programs, which will subsequently not be supported. Establish sustainment plans, or seek replacements sooner rather than later.
Changing passwords regularly is no longer considered best practice, and is certainly not enough to keep a network secure. The National Institute of Standards and Technology (NIST) Special Publication 800-63 denounced the regular changing of passwords in 2017, stating that you needn't "require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise." This is because continual password changes, especially when combined with strict rules about what counts as a "strong password", make it almost impossible for users to remember them all. According to NIST, the "benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe." Instead, additional layers of access security provide much more reliable ways of ensuring only authorized users are logging in to systems. These can come in the form of multi-factor authentication (MFA), which can now be seen on even the most commonplace public systems, such as a Google account.
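The NIST SP 800-63B position quoted above, as an added illustration that is not code from the NSA report or from NIST: a memorized-secret checker that screens candidates against a blocklist and context words instead of imposing composition rules, and a rotation decision that expires a password only on evidence of compromise (the blocklist and the optional legacy age limit are constructed assumptions).

```python
# Constructed blocklist standing in for the "commonly used, expected or
# compromised" list that SP 800-63B says memorized secrets must be screened against.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1"}

# User-chosen secrets must be at least 8 characters; verifiers must accept at least 64.
MIN_LEN, MAX_LEN = 8, 64


def normalize(secret: str) -> str:
    """Canonicalize only for the checks, so 'Password' and 'PASSWORD' hit the same blocklist entry."""
    return secret.strip().lower()


def is_repetitive_or_sequential(secret: str) -> bool:
    """Flag 'aaaaaaaa', 'abcdefgh' or '12345678'-style secrets (an optional 800-63B screen)."""
    s = normalize(secret)
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def evaluate_password(secret: str, context_words=()) -> list[str]:
    """Return the reasons a candidate secret is rejected; an empty list means accepted.
    Deliberately no mixed-case/digit/symbol rules: 800-63B says not to impose them."""
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append("too short")
    if len(secret) > MAX_LEN:
        reasons.append("too long")
    s = normalize(secret)
    if s in BLOCKLIST:
        reasons.append("on blocklist")
    # Context-specific words (username, service name) are also on NIST's reject list.
    if any(w and w.lower() in s for w in context_words):
        reasons.append("contains username/service name")
    if is_repetitive_or_sequential(secret):
        reasons.append("repetitive or sequential")
    return reasons


def rotation_due(age_days: int, compromise_evidence: bool, legacy_max_age_days=None) -> bool:
    """Default: the 2017 NIST rule, rotate only on evidence of compromise (or user request).
    Passing legacy_max_age_days reproduces the old calendar-based expiry for comparison."""
    if compromise_evidence:
        return True
    if legacy_max_age_days is not None:
        return age_days >= legacy_max_age_days
    return False
```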
Granted, not every system is suitably equipped to implement more sophisticated verification methods like MFA, meaning passwords will likely remain the primary form of authentication for many users. Either way, section five of the NSA security guidance — which starts on page 21 — goes into enormous detail about how to strengthen password handling as far as it can be.