Deprecated and out-of-date TLS protocols are low-hanging fruit for malicious actors. This is why the National Security Agency (NSA) is warning government organizations and other businesses to update their encryption protocols, specifically their Transport Layer Security (TLS) protocols.
The NSA recommends that organizations avoid TLS 1.0 and TLS 1.1 and upgrade to TLS 1.2 or 1.3 for improved security of data in transit. The NSA also recommends businesses stop using Secure Sockets Layer (SSL) 2.0 and 3.0 altogether and instead use TLS 1.2 or 1.3. With these changes, corporate networks and their business-sensitive data will be better secured against man-in-the-middle attacks.
To understand the risks out-of-date TLS protocols pose, we first need to take a look at the data that's being transmitted through TLS. This data can be proprietary information, passwords, network-sensitive files, travel information, web traffic using HTTPS, online payment information, and Social Security numbers. Obsolete TLS protocols pose huge risks of data theft compared to authorized TLS protocols, which offer compliant cipher suites and strong key exchange methods.
The NSA has released this guidance particularly for the Department of Defense (DOD), National Security System (NSS), and Defense Industrial Base (DIB) entities. However, other security operations center (SOC) analysts, system administrators, and network analysts can also use these guidelines.
The NSA has also published its Cybersecurity Information Sheet, which delivers detailed information about recommended TLS versions, key exchange mechanisms, cipher suites, and other critical network configurations.
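The version recommendations above can be checked mechanically. The following is an added example, not code from the NSA guidance or from this article: it assumes the server is nginx (whose `ssl_protocols` directive lists enabled versions), audits a constructed sample configuration for obsolete protocols, and shows a Python client context pinned to TLS 1.2 as its minimum.

```python
import re
import ssl

# Versions the guidance summarized above treats as obsolete vs. recommended.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RECOMMENDED = {"TLSv1.2", "TLSv1.3"}

# Matches an nginx "ssl_protocols ...;" directive; commented-out lines are skipped.
DIRECTIVE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;#]+);", re.MULTILINE)

# Constructed sample input, not taken from any real deployment.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

def audit_nginx(config_text):
    """Return one finding per ssl_protocols directive in an nginx config."""
    findings = []
    for match in DIRECTIVE.finditer(config_text):
        enabled = set(match.group(1).split())
        findings.append({
            "line": config_text.count("\n", 0, match.start(1)) + 1,
            "obsolete": sorted(enabled & OBSOLETE),
            "unknown": sorted(enabled - OBSOLETE - RECOMMENDED),
            "compliant": bool(enabled) and enabled <= RECOMMENDED,
        })
    return findings

def hardened_client_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for finding in audit_nginx(SAMPLE_CONFIG):
        status = "OK" if finding["compliant"] else "FIX"
        print(f"line {finding['line']}: {status} obsolete={finding['obsolete']}")
```

A server block with no `ssl_protocols` directive inherits nginx's version-dependent default, which this check does not evaluate.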
Google, Mozilla, and Apple have all supported TLS 1.2 and 1.3 in their browsers since early 2019, while Microsoft enabled TLS 1.3 by default in its latest Windows 10 builds.
Endpoints are the first entry point for major cyberattacks, and obsolete network security protocols will only magnify the impact of those endpoint-based attacks. Organizations need to ensure they have robust encryption protocols at both the endpoint and network levels to keep their business information safe and secure.