
InfoBytes Blog

Financial Services Law Insights and Observations


  • NIST group releases drafts on TLS 1.3 best practices aimed at the financial industry

    Privacy, Cyber Risk & Data Security

    On January 30, the NIST National Cybersecurity Center of Excellence (NCCoE) released a draft practice guide titled “Addressing Visibility Challenges with TLS 1.3 within the Enterprise.” The protocol in question, Transport Layer Security (TLS) 1.3, is the most recent version of the security protocol most widely used to protect communications over the Internet. Moving to it from TLS 1.2 (the prior version) remains challenging for major industries, including finance, that need to inspect incoming network traffic for evidence of malware or other malicious activity. A full description of the project can be found here.

    Compared to TLS 1.2, TLS 1.3 is faster and more secure, but its mandatory forward secrecy, i.e., protecting past sessions against compromise of keys or passwords used in future sessions, creates challenges for data audit and legitimate inspection of network traffic. As a result, NIST released the practice guide to offer guidance on how to implement TLS 1.3 and meet audit requirements without compromising the TLS 1.3 protocol itself. The practice guide suggests how businesses can improve their technical methods, such as implementing a passive inspection architecture that uses either “rotated bounded-lifetime [Diffie-Hellman] keys on the destination TLS server” or exported session keys, to support ongoing compliance with financial industry and other regulations requiring continuous monitoring for malware and cyberattacks. The draft practice guide is currently under public review, with Volumes A and B open for comment until April 1, 2024. Volume A is a second preliminary draft of the Executive Summary, and Volume B is a preliminary draft covering the Approach, Architecture, and Security Characteristics.

    Privacy, Cyber Risk & Data Security Data Internet Privacy NIST

  • OFAC issues Iran GL and related FAQs

    Financial Crimes

    On September 23, the U.S. Treasury Department issued Iran General License D-2, “General License with Respect to Certain Services, Software, and Hardware Incident to Communications” (GL), to add further authorizing guidance reflecting changes in technology since the issuance of Iran GL D-1. According to Treasury, the Iranian government cut off Internet access for most of its citizens to prevent the viewing of its violent crackdown on peaceful protestors, provoked by the death of an individual in the custody of Iran’s Morality Police. Treasury further noted that the U.S. supports “the free flow of information and access to fact-based information to the Iranian people.” Highlights of the extended GL include, among other things: (i) additional covered categories of software and services; (ii) additional authorization for services that support communication tools assisting ordinary Iranians in resisting the repressive internet censorship and surveillance tools deployed by the Iranian regime; and (iii) continued authorization of anti-virus and anti-malware software, anti-tracking software, mobile operating systems and related software, and anti-censorship tools and related software. The GL is effective immediately. The same day, Treasury published three frequently asked questions clarifying GL D-2 and other aspects of Iran sanctions.

    Financial Crimes Of Interest to Non-US Persons Department of Treasury OFAC Iran Internet
