U.S. Security Agencies Release Network Security, Vulnerability Guidance

The U.S. National Security Agency (NSA) released comprehensive network security guidance on March 3, on the same day that the Cybersecurity and Infrastructure Security Agency (CISA) released its longest-ever list of exploited vulnerabilities.

With organizations around the world on heightened alert in the wake of Russia’s unprovoked war against Ukraine, government agencies have stepped up efforts too. The U.S. Senate has also been active, passing the “Strengthening America Cybersecurity Act,” which requires critical infrastructure owners to report cyber attacks within 72 hours and ransomware payments within 24. The legislation must still be approved by the House.

The 95 vulnerabilities added to CISA’s Known Exploited Vulnerabilities Catalog (sort by date) are by far the most yet, growing the list to 478.

Among the latest additions are:

  • Cisco Small Business RV routers and IOS software (38 new Cisco vulnerabilities in all)
  • Privilege and other vulnerabilities in Microsoft Windows, Exchange Server, Excel, Office, PowerPoint, Malware Protection Engine, Internet Explorer and more (27 in all)
  • The Linux Kernel and Apache Tomcat
  • Oracle Java SE and VirtualBox

CISA urges organizations to prioritize fixes identified in the Catalog, a priority also included in the recent Shields Up guidance outlining steps to take to prepare for any Russian cyberattacks that might occur as a fallout from the war.

Also read: Top Vulnerability Management Tools for 2022

Segmentation Figures Prominently in NSA Guidance

SANS Institute officials have been active lately with network security advice in response to the war in Ukraine, and some of that advice has sparked considerable interest among cybersecurity pros.

The NSA’s 58-page Network Infrastructure Security Guidance (PDF) is more of a catalog of network security best practices, based on principles of zero trust and segmentation, following up on brief January guidance (PDF) on segmentation that discussed the Purdue Enterprise Reference Architecture (image below).

Purdue network architecture
Purdue network architecture

The new guidance is significantly more comprehensive and in-depth, addressing network architecture, maintenance, authentication, routing, ports, remote logging,…