Summary of the USA federal government's zero-trust memo
The U.S. government's Zero Trust Cybersecurity Memo promotes enhanced federal cybersecurity by advocating dynamic authentication methods, eliminating long-lived credentials, mandating encryption, and encouraging bug bounty programs for vulnerabilities.
The U.S. government's recent Zero Trust Cybersecurity Memo, released by the Office of Management and Budget (OMB), aims to enhance federal cybersecurity in response to significant incidents like the SolarWinds breach and the Colonial Pipeline ransomware attack. The memo outlines a shift towards a Zero Trust model, emphasizing the need for agencies to adopt modern authentication methods, including Single Sign-On (SSO) and Multi-Factor Authentication (MFA) that are dynamic and fine-grained. It discourages reliance on long-lived credentials and traditional VPNs, advocating for application-level authentication instead. The memo also calls for the elimination of SMS-based MFA and the use of phishing-resistant tokens. Additionally, it mandates the encryption of both internal and DNS traffic, and encourages agencies to implement bug bounty programs for vulnerability disclosures. Overall, the memo sets a high standard for cybersecurity practices, pushing for a more robust posture that could influence private sector practices as well.
- The U.S. government is adopting a Zero Trust cybersecurity model to enhance security.
- Agencies are encouraged to use dynamic MFA and eliminate long-lived credentials.
- Traditional VPNs are being phased out in favor of application-level authentication.
- The memo mandates encryption of internal and DNS traffic.
- Bug bounty programs are recommended to improve vulnerability disclosure processes.
Related
Microsoft a national security threat says ex-White House cyber policy director
A former White House cyber policy director raises national security concerns over Microsoft's control in US government IT. Calls for diversification and enhanced cybersecurity amid debates on tech companies' role in national security.
How MFA is falling short
Multi-factor authentication (MFA) faces challenges from cyber attackers exploiting weaknesses. Breaches despite VPN, SSO, and Google Authenticator usage show risks like phishing, vishing, and Man-In-The-Middle attacks. Recent developments include "Tycoon 2FA" targeting Microsoft 365 and Gmail accounts, emphasizing the need for stronger authentication methods.
The Sad State of Two-Factor Authentication in U.S. Banking (2020)
The article critiques U.S. banking's reliance on SMS-based two-factor authentication, highlighting its vulnerabilities. It advocates for stronger security measures, including hardware tokens and biometrics, urging consumers to demand better protections.
Every Microsoft employee is now being judged on their security work
Microsoft has prioritized security for all employees, affecting performance evaluations, promotions, and bonuses. Employees must integrate security into their work, while the Secure Future Initiative enhances overall security measures.
Cyberattacks on clean energy are coming – the White House has a plan
The Biden administration is prioritizing cybersecurity for clean energy infrastructure, focusing on key technologies and collaboration among stakeholders to enhance defenses against cyber threats and modernize aging systems.
https://securitycryptographywhatever.com/2022/06/10/omb-zero...
I think for HN the most important thing you can keep in your head about the OMB ZT memo is that vendors jumped on it like the Bumpus hounds to the Parker family Christmas turkey, so there are a lot of ZT takes that more or less condense to "our product is now rated M for Mandatory".
It's not. Allow SMS to be disabled in favor of a more secure option (WebAuthn). Strongly suggest that users purchase a token.
Still, echoing other commenters' sentiments, it's nice to see the government being forward-thinking on this. Jury is still out for NIST to weigh in on post-quantum encryption.
> “Enterprise applications should be able to be used over the public internet.”
This is straight up arguing against defense-in-depth, and getting rid of connection auditing and interception capability. Seems extremely dubious, unless by "be able to" they mean "it should be OK security-wise if you get rid of the VPN" and not "you should actually get rid of the VPN".
Hopefully my bank implements this recommendation ASAP... I haven't had access to online banking in the two years since they've required phone/text to log in, but are incompatible with my YubiKey (which is phish-resistant).
I have complained for two years to them, visiting a physical teller every time I need an account inquiry.