Commentary
10/14/2013
11:33 AM
Vincent Berk

NIST Security Standards: Fallacies And Pitfalls

National Institute of Standards and Technology's latest revision to its Network Security Standard is an improvement, but gives compliant agencies a false sense of security.


Given the rise of cybercrime over the last few years, few would argue that the federal government is doing enough to address the risks, although the National Institute of Standards and Technology has been trying.

Earlier this year, NIST developed Revision 4 of its 800-53 standard that aims to set a higher standard of security for federal government information processing systems. This is a huge undertaking, as there are more than a million of these processing systems today.

The latest standard from NIST gives us a more tangible protocol for approaching Federal Information Security Management Act (FISMA) compliance than agencies have had previously. However, there is a major difference between being "compliant," and being "secure."

There are a couple of common fallacies and pitfalls that leave a compliant organization still vulnerable to cyber criminals.

Fallacy: Compliance With NIST 800-53 Revision 4 Is Attainable

The truth: You are never completely safe.

Protecting sensitive data is akin to achieving light speed -- if you have non-zero mass, you need an infinite amount of thrust to reach light speed and only objects of zero mass can actually reach it. The same holds true for data security; if you have data to protect, it is nearly impossible to be 100% secure. The only instance where you can be truly secure is when you have nothing to protect and there is nothing at stake.

You can, however, become very close to full protection. What makes defense of sensitive data difficult is that the data is there for a reason; it is used to achieve a mission or objective. This means it will be collected, correlated, compared and stored to achieve the primary goals of any organization. As the data is changing, the defenses must keep pace.

Are all backup locations known? Are old services taken offline? Are employees creating local copies on their desktops? What data is being stored on devices, such as iPhones? What organizations are we sharing data with?

Pitfall: Following The Guidelines Creates A False Sense Of Security

Threats are constantly evolving, and the attacker is becoming more sophisticated.

Conventional military defense puts a strong focus on territory and terrain, identifying those points where a potential attacker has a strategic advantage. Similarly, FISMA and NIST 800-53 start by telling the defender to take a value-based approach to taking inventory of the cyber assets. In other words, the standards recommend finding your most sensitive data and classifying it.

Building cyber defenses is similar to building a wall or barrier. If you raise your wall, the attacker will dig, climb or walk around it. The act of creating a wall will affect the behavior of the attacker. We cannot simply put up cyber defenses and feel "secure." Just as a battlefield commander will watch the defenses and monitor the enemy, we must take care to monitor our cyber defenses and learn how our cyber threats are evolving.

Active defense means evolving with the attacker, learning his methods and strategies, and redeploying our cyber defenses to counter his changing techniques. Any action invokes an equal and opposite reaction.

The true objective of NIST 800-53 Revision 4 is to help government organizations secure sensitive data. This is not the endgame; it is only the first step in building a comprehensive cyber defensive posture. Without a doubt, the guidelines in this publication will change as the years go by.

Conspicuously Missing

The truth remains, however, that we cannot simply expect the NIST guidelines to be a step-by-step recipe for achieving decent data security. Understanding the nature of the data at stake, and the risks to it, will be the most important step any agency can take to bolster the appropriate defenses. Simply putting up the wall might get the compliance checkbox checked, but it won't make you that much more secure.

Although the NIST guidelines put focus on understanding the data at risk, they leave out the second, and equally important, aspect of data security: knowing your enemy.

Agencies should not forget that an understanding of the adversary is a constant and ongoing process of monitoring, interacting and outsmarting. The operators in charge of this mission will need to be properly equipped, meaning they should not simply carry responsibility, but should be given the proper mandate and resources to understand the adversary and build out the defenses.

In practical terms, this means putting more focus on intelligence gathering, moving data acquisition and analysis out-of-band, and shifting the emphasis to behavioral anomaly detection. Evolving threats are usually not known up front, but strange behaviors on the network can be identified by anomaly detection. Proper out-of-band data acquisition allows operators to investigate anomalies, and when needed, change the defensive posture.
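As an added example (not from the original article), here is a minimal behavioral baseline of the kind the paragraph describes: it learns, from constructed flow records such as a passive out-of-band collector would export, which services each host normally talks to and how much data it moves over each, then flags a never-seen service and a volume spike in a later window. Hosts, addresses and volumes are all made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (src, dst, dport, bytes), as a passive out-of-band
# collector would export them; the addresses and volumes are invented.
BASELINE = [
    ("10.0.0.5", "10.0.1.10", 443, 12000),
    ("10.0.0.5", "10.0.1.10", 443, 9500),
    ("10.0.0.5", "10.0.1.11", 53, 300),
    ("10.0.0.5", "10.0.1.10", 443, 11000),
    ("10.0.0.5", "10.0.1.11", 53, 250),
    ("10.0.0.5", "10.0.1.10", 443, 10500),
    ("10.0.0.6", "10.0.1.12", 445, 5000),
    ("10.0.0.6", "10.0.1.12", 445, 5200),
]
OBSERVED = [
    ("10.0.0.5", "10.0.1.10", 443, 10000),   # within its normal range
    ("10.0.0.5", "203.0.113.9", 22, 900),    # service this host never used
    ("10.0.0.5", "10.0.1.10", 443, 800000),  # volume far above baseline
    ("10.0.0.6", "10.0.1.12", 445, 5100),    # within its normal range
]


def build_profiles(records):
    """Per source host: the destination ports it uses; per (host, port): byte volumes seen."""
    ports = defaultdict(set)
    volumes = defaultdict(list)
    for src, _dst, dport, nbytes in records:
        ports[src].add(dport)
        volumes[(src, dport)].append(nbytes)
    return {"ports": ports, "volumes": volumes}


def detect(profiles, records, z_threshold=3.0):
    """Return (src, reason) findings: unseen host, unseen port, or a byte volume
    whose z-score against that host's per-port baseline exceeds the threshold."""
    findings = []
    for src, dst, dport, nbytes in records:
        if src not in profiles["ports"]:
            findings.append((src, "host not seen during baseline"))
            continue
        if dport not in profiles["ports"][src]:
            findings.append((src, f"new destination port {dport} to {dst}"))
            continue  # no volume history exists for this port yet
        hist = profiles["volumes"][(src, dport)]
        mu, sigma = mean(hist), pstdev(hist)
        if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
            findings.append((src, f"{nbytes} bytes on port {dport} exceeds baseline"))
    return findings
```

Each finding is a lead for an operator to investigate with the captured data, which is the point of keeping the acquisition out-of-band: the record of what happened survives even if the host itself is no longer trustworthy.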

Comments
WKash, User Rank: Author, 10/15/2013 | 12:57:00 PM
re: NIST Security Standards: Fallacies And Pitfalls
NIST provides an important service in bringing together best recommended standards and practices. But in many ways, that amounts to specifying the types of locks that need to be on every door in a commercial building and recommendations for the guards to check the locks on a routine basis. Even those that comply with those know thieves are looking for other ways in. That's one reason why DHS's recent efforts to develop a Continuous Diagnostics and Mitigation approach to its systems vs. just continuous monitoring represents a more holistic approach to security that deserves fuller consideration in the NIST 800-53.
MarciaNWC, User Rank: Author, 10/14/2013 | 11:43:58 PM
re: NIST Security Standards: Fallacies And Pitfalls
The distinction between compliant and secure seems to be lost on a lot of organizations.