
CISA, Five Eyes issue hardening guidance for communications infrastructure

The threat landscape for communications infrastructure has intensified significantly, with adversarial groups such as People’s Republic of China (PRC)-affiliated threat actors targeting global telecommunications providers. These campaigns have underscored the necessity for enhanced visibility and hardened defenses against exploitation.

To that end, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre, has issued guidance for network engineers and other defenders of communications infrastructure. The guidance sets out the best practices defenders should use to strengthen visibility and harden network devices against exploitation by PRC-affiliated and other malicious cyber actors.

The joint guidance is in direct response to the breach of telecommunications infrastructure carried out by the Chinese government-linked hacking collective known as Salt Typhoon. Central to the guidance are measures that prioritize user privacy and robust authentication mechanisms that are critical for countering modern cyber threats.

“Although tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment,” the guidance states. “The authoring agencies encourage telecommunications and other critical infrastructure organizations to apply the best practices in this guide.”

“As of this release date,” the guidance says, “identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed. Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity.”

Visibility, meaning the ability to monitor, detect, and understand activity within an organization’s own infrastructure, is a cornerstone of network defense. It is what allows potential threats, vulnerabilities, and anomalous behavior to be identified before they escalate into significant security incidents.

Network engineers are urged to rigorously scrutinize any configuration changes within their environments. Unauthorized modifications to devices such as routers, switches, and firewalls, if left unchecked, can give an adversary persistent access or open new paths into the network.

Comprehensive alerting should be implemented to detect changes to device configurations, route updates, and Access Control Lists (ACLs). Storing configurations centrally and regularly comparing running configurations against the stored copy keeps devices consistent and makes tampering visible. Network flow monitoring solutions, placed at key ingress and egress points, offer visibility into traffic patterns and help detect anomalies, including unexpected traffic between customers.
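As an added illustration of the change-detection step (example code written for this article, not part of the agencies’ guidance or of any vendor tool), the following Python script compares a stored golden configuration with a freshly pulled running configuration, stanza by stanza, and raises alerts whose severity depends on whether the change touches ACLs, routes, accounts, or management-plane settings. The IOS-style configurations, hostname, and addresses are constructed samples, and the list of high-risk stanza patterns is an assumption about what a defender would want to see first.

```python
"""Detect configuration drift on a network device.

Added example for this article. Compares a stored 'golden' configuration
against a freshly pulled running configuration, stanza by stanza, and
raises alerts whose severity depends on what changed. Both configs below
are constructed IOS-style samples, not real device output.
"""
import re
from dataclasses import dataclass

# Stanza headers that a defender wants alerted at high severity. This is
# an assumption for the example, not an exhaustive list.
HIGH_RISK = (
    re.compile(r"^(ip )?access-list"),       # ACL definitions
    re.compile(r"^ip route "),               # static routes
    re.compile(r"^router "),                 # routing protocol config
    re.compile(r"^(username|aaa |enable )"), # accounts and AAA
    re.compile(r"^line (vty|con|aux)"),      # management access lines
    re.compile(r"^snmp-server"),
    re.compile(r"^ip ssh"),
)

@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "info"
    stanza: str     # header line of the stanza that changed
    change: str     # "+ line" for added, "- line" for removed

def parse_config(text):
    """Split an IOS-style config into {stanza_header: set(indented_lines)}.

    A line starting in column 0 begins a new stanza; indented lines belong
    to the most recent header. Comment lines ('!') and blanks are ignored.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            current = raw.rstrip()
            stanzas.setdefault(current, set())
        elif current is not None:
            stanzas[current].add(raw.strip())
    return stanzas

def severity_for(header):
    return "high" if any(p.match(header) for p in HIGH_RISK) else "info"

def diff_configs(golden_text, running_text):
    """Return a list of Alerts describing drift from the golden config."""
    golden = parse_config(golden_text)
    running = parse_config(running_text)
    alerts = []
    for header in sorted(set(golden) | set(running)):
        sev = severity_for(header)
        old, new = golden.get(header), running.get(header)
        if old is None:                       # whole stanza is new
            alerts.append(Alert(sev, header, "+ (stanza added)"))
            alerts.extend(Alert(sev, header, f"+ {l}") for l in sorted(new))
        elif new is None:                     # whole stanza disappeared
            alerts.append(Alert(sev, header, "- (stanza removed)"))
        else:
            alerts.extend(Alert(sev, header, f"+ {l}") for l in sorted(new - old))
            alerts.extend(Alert(sev, header, f"- {l}") for l in sorted(old - new))
    return alerts

# Constructed sample: the approved configuration of a hypothetical edge router.
GOLDEN = """\
hostname edge-rtr-01
!
username netops secret 8 $8$examplehash
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny ip any any log
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.252
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed sample: what was pulled from the device. A new privileged
# account, a widened management ACL and a new static route have appeared.
RUNNING = """\
hostname edge-rtr-01
!
username netops secret 8 $8$examplehash
username svc-backup privilege 15 secret 8 $8$otherhash
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 deny ip any any log
!
ip route 10.99.0.0 255.255.0.0 198.51.100.7
!
interface GigabitEthernet0/0
 description uplink - relabelled
 ip address 192.0.2.1 255.255.255.252
!
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

if __name__ == "__main__":
    for a in diff_configs(GOLDEN, RUNNING):
        print(f"[{a.severity.upper():4}] {a.stanza}: {a.change}")
```

Run against the samples, the script reports five changes, three of them at high severity (the new account, the extra ACL entry and the new route); the interface description change is reported but at informational level, which is the kind of triage the alerting in the guidance is meant to support.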

To minimize exposure, management traffic must be limited to a secure and defined network path, preferably accessed only through dedicated administrative workstations. User authentication should be continuously monitored to detect anomalies, such as unauthorized logins or the use of inactive accounts. Centralized logging systems, employing encrypted transport protocols like IPsec or TLS, should be used to securely store and analyze logs. These systems should enable real-time data correlation and analysis, further enhancing threat detection capabilities.
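The authentication-monitoring point above, as an added example rather than anything taken from the guidance: the Python script below runs three checks over device syslog, flagging successful logins that did not come from the defined management network, use of accounts that should be dormant or are unknown, and bursts of failed logins from a single source. The log lines are constructed in the Cisco IOS SEC_LOGIN message format, and the management prefix, account lists, and failure threshold are assumptions for the example.

```python
"""Flag anomalous authentication events in network-device syslog.

Added example for this article. Three checks drawn from the guidance:
logins from outside the approved management path, use of accounts that
should be dormant, and brute-force style failure bursts. The log lines
are constructed in Cisco IOS SEC_LOGIN format; the network, account
lists and threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")      # assumed admin jump network
ACTIVE_ACCOUNTS = {"netops", "noc-oncall"}            # assumed current staff accounts
DORMANT_ACCOUNTS = {"svc-legacy", "contractor2019"}   # assumed disabled/inactive accounts
FAIL_THRESHOLD = 3                                    # failures per source before alerting

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED):.*"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_login_events(lines):
    """Extract (result, user, source_ip) tuples; non-login lines are skipped."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            events.append((m["result"], m["user"], ipaddress.ip_address(m["src"])))
    return events

def find_auth_anomalies(lines):
    """Return human-readable findings for the three anomaly classes."""
    findings = []
    failures = Counter()
    for result, user, src in parse_login_events(lines):
        if result == "LOGIN_FAILED":
            failures[src] += 1
            continue
        # Successful login: check the path it came over and the account used.
        if src not in MGMT_NET:
            findings.append(f"login for {user} from non-management source {src}")
        if user in DORMANT_ACCOUNTS:
            findings.append(f"dormant account {user} used from {src}")
        elif user not in ACTIVE_ACCOUNTS:
            findings.append(f"unknown account {user} logged in from {src}")
    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(f"{n} failed logins from {src} (threshold {FAIL_THRESHOLD})")
    return findings

# Constructed sample log: one clean login, one dormant account, one login
# from the internet, four failures from one source, one more clean login,
# and an unrelated config message.
SAMPLE_LOG = """\
Dec  2 10:01:02 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22] at 10:01:02 UTC Mon Dec 2 2024
Dec  2 10:04:17 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-legacy] [Source: 10.10.0.7] [localport: 22] at 10:04:17 UTC Mon Dec 2 2024
Dec  2 10:09:41 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.9] [localport: 22] at 10:09:41 UTC Mon Dec 2 2024
Dec  2 10:12:03 edge-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:12:03 UTC Mon Dec 2 2024
Dec  2 10:12:05 edge-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:12:05 UTC Mon Dec 2 2024
Dec  2 10:12:08 edge-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:12:08 UTC Mon Dec 2 2024
Dec  2 10:12:11 edge-rtr-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed] at 10:12:11 UTC Mon Dec 2 2024
Dec  2 10:15:30 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc-oncall] [Source: 10.10.0.12] [localport: 22] at 10:15:30 UTC Mon Dec 2 2024
Dec  2 10:16:00 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)
"""

if __name__ == "__main__":
    for finding in find_auth_anomalies(SAMPLE_LOG.splitlines()):
        print("ALERT:", finding)
```

On the sample the script produces exactly three alerts: the dormant account, the login from 203.0.113.9, and the four failures from 198.51.100.23. In practice the same logic belongs in the SIEM rule set the guidance describes, fed from the centralized log collector over TLS or IPsec rather than from a local file.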

Security Information and Event Management (SIEM) tools can significantly bolster visibility by aggregating data from diverse sources for rapid threat identification. Establishing baselines for normal network behavior makes it possible to define rules that detect and alert on unusual activity. Additionally, maintaining an up-to-date inventory of devices and firmware versions lets defenders identify which devices are affected by a given vulnerability and patch them promptly.

A defense-in-depth approach to hardening network architecture and devices reduces the attack surface and strengthens defenses against exploitation. Implementing secure configurations and adhering to best practices limits potential vulnerabilities.

Key hardening measures include the use of out-of-band management networks, which are physically segregated from operational data networks. This separation means that an intruder who compromises the data network cannot simply pivot to management interfaces, and it keeps administration of the infrastructure on a controlled path. A strict, default-deny ACL strategy, coupled with packet inspection and segmentation using VLANs or private VLANs (PVLANs), further reduces the attack surface. Externally facing services, such as DNS and web servers, should be isolated within a demilitarized zone to shield internal resources.

The secure configuration of virtual private network (VPN) gateways is essential. Only essential ports should be exposed, and strong cryptographic protocols should be enforced for key exchange, authentication, and encryption. Outdated cryptographic algorithms and unused features should be disabled to reduce vulnerabilities. Transport Layer Security version 1.3 should be adopted to ensure data integrity and confidentiality, and Public Key Infrastructure (PKI)-based certificates should replace self-signed certificates for authentication.

Authentication processes are critical for maintaining network security and user privacy. All devices should utilize the most secure authentication mechanisms available. Multi-factor authentication (MFA), particularly phishing-resistant MFA methods like hardware-based PKI or FIDO authentication, should be mandated for all administrative and user accounts. MFA ensures that access is granted only to authorized personnel and reduces the likelihood of compromised credentials being exploited.

Session management policies should include limited token durations and mandatory reauthentication upon expiration. Role-Based Access Control strategies should be implemented to assign specific roles to users, ensuring they have access only to the resources necessary for their responsibilities. Periodic audits of account activity and permissions ensure compliance with the principle of least privilege.

Unused or unnecessary accounts should be disabled promptly. Local accounts should be used only as a last resort, with their credentials changed immediately after use. Centralized authentication, authorization, and accounting servers supporting MFA should manage routine access to infrastructure.

Organizations must adopt stringent password policies, ensuring that passwords meet complexity requirements and are stored only as one-way hashes. Weak or deprecated storage formats, such as Cisco Type-5 (salted MD5) hashes or Type-7 passwords, which are merely obfuscated and trivially reversible, should be avoided. Instead, Type-8 (PBKDF2 with SHA-256) password hashes and Type-6 (AES-encrypted) TACACS+ keys should be employed where they are supported.

Cryptographic standards must be meticulously enforced. VPNs, for example, should use robust key exchange such as Diffie-Hellman Group 16 (4096-bit MODP) or Group 20 (384-bit elliptic curve). Encryption should use AES-256, with hashing performed using SHA-384 or SHA-512. For Secure Shell, only SSH version 2 should be enabled, with RSA keys of at least 3072 bits and a Diffie-Hellman minimum key size of 4096 bits.
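To make the password-storage and cryptography recommendations in the two paragraphs above concrete, here is an added example (this article’s own code, not from the guidance or any vendor) that audits an IOS-style configuration for the weak settings they name: Type-7 and Type-5 passwords, TACACS+ keys that are not Type-6, IKE proposals using Diffie-Hellman groups other than 16 or 20, encryption other than AES-256, hashes other than SHA-384 or SHA-512, and SSH without version 2 and a 4096-bit DH minimum. It also decodes Type-7 strings with the well-known fixed Type-7 key to show why they offer no protection. The sample configuration is constructed, and the acceptance rules (for instance treating Type-9 scrypt hashes as acceptable alongside Type-8, and recognising AES-256 by the "256" in the algorithm name) are this example’s own assumptions.

```python
"""Audit an IOS-style configuration for weak password storage and crypto.

Added example for this article; the sample configuration is constructed.
Checks follow the guidance summarised above: no Type-5/Type-7 passwords,
Type-6 TACACS+ keys, DH groups 16 or 20, AES-256, SHA-384/SHA-512, and
SSH version 2 with a 4096-bit DH minimum.
"""
import re

# The fixed key of the Cisco Type-7 scheme. Every Type-7 string is a
# two-digit starting offset followed by hex bytes XORed with this key,
# so 'encryption' here is reversible by anyone who reads the config.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

STRONG_DH_GROUPS = {"16", "20"}        # 4096-bit MODP or 384-bit ECP
STRONG_HASHES = {"sha384", "sha512"}
ACCEPTABLE_SECRET_TYPES = {"8", "9"}   # PBKDF2-SHA256 (guide) and scrypt (assumption)
SSH_MIN_DH = 4096

PASSWORD_RE = re.compile(r"(enable|username \S+) (?:password|secret) (\d) (\S+)$")

def decode_type7(encoded):
    """Recover the plaintext behind a Type-7 string."""
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
        for i, b in enumerate(body)
    )

def audit_config(text):
    """Return a list of human-readable findings for weak settings."""
    findings = []
    stanza = ""
    ssh_version = None
    ssh_dh_min = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] not in " \t":
            stanza = line                      # column-0 line starts a stanza

        m = PASSWORD_RE.match(line)
        if m:
            who, ptype, blob = m.groups()
            if ptype == "7":
                findings.append(f"{who}: Type-7 password is reversible, decodes to {decode_type7(blob)!r}")
            elif ptype == "5":
                findings.append(f"{who}: Type-5 (MD5) secret, migrate to Type-8")
            elif ptype not in ACCEPTABLE_SECRET_TYPES:
                findings.append(f"{who}: unexpected password type {ptype}")
            continue

        if stanza.startswith("tacacs server") and line.startswith("key "):
            if not line.startswith("key 6 "):
                findings.append(f"{stanza}: TACACS+ key is not Type-6 encrypted")
            continue

        if stanza.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
            parts = line.split()
            if parts[0] == "encryption" and "256" not in parts[-1]:
                findings.append(f"{stanza}: '{line}' is not AES-256")
            elif parts[0] in ("hash", "integrity") and parts[1] not in STRONG_HASHES:
                findings.append(f"{stanza}: '{line}' should be sha384 or sha512")
            elif parts[0] == "group":
                for g in parts[1:]:
                    if g not in STRONG_DH_GROUPS:
                        findings.append(f"{stanza}: DH group {g} is weaker than group 16/20")
            continue

        if line.startswith("ip ssh version "):
            ssh_version = line.split()[-1]
        elif line.startswith("ip ssh dh min size "):
            ssh_dh_min = int(line.split()[-1])

    if ssh_version != "2":
        findings.append("SSH: 'ip ssh version 2' is not set")
    if ssh_dh_min is None or ssh_dh_min < SSH_MIN_DH:
        findings.append(f"SSH: DH minimum size is {ssh_dh_min}, guidance requires {SSH_MIN_DH}")
    return findings

# Constructed sample mixing legacy and hardened settings. The Type-7
# strings were produced with the scheme above for this example.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username legacy password 7 03374E060B0A331E1E5B4D
username netops secret 8 $8$7HlK1dNwOr.S6P$examplehashvalue
!
tacacs server aaa-primary
 address ipv4 10.10.0.50
 key 7 0822455D0A16
!
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
!
crypto ikev2 proposal CNSA
 encryption aes-cbc-256
 integrity sha384
 group 16
!
ip ssh version 2
ip ssh dh min size 2048
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The IKEv2 proposal named CNSA passes every check, while the legacy IKEv1 policy, both Type-7 passwords, the Type-7 TACACS+ key, and the 2048-bit SSH DH minimum are each reported. The decoded Type-7 values make the point bluntly: a leaked configuration backup with Type-7 strings is a leaked set of credentials.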

Another critical aspect of securing communications infrastructure involves preparing for and responding to incidents. Centralized logging and monitoring systems should retain logs securely off the monitored devices, so that an intruder who compromises a device cannot simply erase or alter its records. Logs should also be encrypted and integrity-protected both in transit and at rest to preserve their confidentiality and their value as evidence.

In the event of suspicious activity, organizations must have clear reporting channels. U.S. organizations are advised to contact the FBI’s Internet Crime Complaint Center or CISA. Similarly, respective agencies in Australia, Canada, and New Zealand have established reporting mechanisms to address cybersecurity incidents.

To enhance the overall security posture, software manufacturers are encouraged to adopt secure-by-design principles, an approach that integrates security measures into the development lifecycle, reducing the need for customers to implement additional hardening measures post-deployment. Customers should prioritize purchasing software and hardware that adhere to secure-by-design standards and demand accountability from vendors.

The recommendations outlined in the guidance aim to mitigate the risks posed by PRC-affiliated and other cyber threat actors. Enhanced visibility and robust authentication mechanisms are essential components of a secure communications infrastructure. By implementing these best practices, organizations can protect sensitive data, ensure user privacy, and maintain the resilience of critical systems.
