NIST SP 800-53 Revision Five is Coming

The draft publication of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Systems and Organizations, is on the street. 

This exciting publication, at least for us policy-geeks, makes changes to the structure of the controls to allow them to be adaptable to a wide range of missions; for example, mission and business focused enterprises, engineering organizations, those engaged in infrastructure design and their partners. There really is something for everyone.

The major changes to the SP 800-53 Rev 5 include fully integrating security and privacy controls by making them outcome based. Revision 5 clarifies the relationship between security and privacy to address all associated privacy risks. Controls have been consolidated and cross-mapped in tables to create a unified set of controls for easy reference between security and privacy.

Another major undertaking has been to separate the process from the actual controls, which allows organizations to easily adapt a control set to their mission. It comes in handy when engineers need to use a control differently than, say, a software developer, or business owner.

The SP 800-53 Rev 5 now makes it easier to integrate with other risk management and cybersecurity approaches i.e. ISO, ISACA, DOD, and NSS/IC. The various RMF’s are becoming more and more alike, which takes the strain off the beleaguered staff implementing them in complex environments.  

Other exciting revisions of the revision include incorporating new ‘state-of-the-practice” controls based on threat intelligence and empirical attack data, controls to strengthen privacy governance and accountability, new guidance on cloud, the Internet of Things, and booting the academic advice and tailoring guidance to other publications in the 800 series. This makes for a leaner, more impactful document.

2017 Cybersecurity Vulnerability Trends

Looking at the state of Cybersecurity by news headlines, one would logically assume that ransomware is all security professionals must worry about in their day-to-day operations. The nemesis of the moment is Petya. Petya is a ransomware variant that is built on the chassis of a leaked National Security Agency exploit called Eternal Blue. The ransomware looks for unpatched Windows machines of all flavors running SMB 1.0.SMB stands for Server Message Block It’s an outmoded application layer file-sharing protocol that has been superseded by Active Directory and later versions of SMB. Petya encrypts your Master Boot Record, so that you can’t do anything while it works to encrypt the rest of your files. The result? You can either pay $300 in Bitcoin to some shadowy Russian hacking group and maybe get a decryption key for your files, or turn off SMB 1.0. To turn off SMB, you’ll need to navigate to your windows features setting, uncheck the offending service, and reboot.  

​But Ransomware isn’t the nightmare that should keep security professionals up at night. Indeed, a good backup policy mitigates any lapses in patch management. What should keep us up at night is our own state of being human. As humans, we are imperfect creatures. As much as we strive for greatness, there is always that one thing we might not have accomplished while juggling the many tasks of our daily rituals. Statistically, the vulnerabilities we see reflect the state of our profession.  

​Per the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the greatest threat of 2017 isn’t Ransomware, it’s buffer-errors, followed by improper access controls, information leaks / disclosure, cross-site scripting, and permission, privileges and access control weaknesses.

​Buffer-overflows? Okay, I get it. The development world is complex, and errors are going to happen. One of the beauties of our human condition is that we can always find better ways to do things, or, on the malevolent side, ways to exploit things. Luckily, protections against buffer-overflows are evolving using safe libraries, stack and executable containment strategies.

Cross-site scripting (XSS) has been on the security radar for a while now, yet it has declined from its height of 14.3% of all vulnerabilities in 2009, to its current 9.2%. XSS is a legitimate attack vector, and its decline in prevalence shows that developers and admins have been waging an effective battle against the threat. The industry focus on web threats has led to some interesting countermeasures, including containerization (essentially running a browser in its own virtual machine), JavaScript sandboxing, and Content Security Policies (CSP); all leading to effective mitigation of the threat.

​What should give security folks pause, is the rise in threats that stab at the very heart of our job description. Ensuring the confidentiality, integrity, and availability of information resources is what we do for a living. On a personal level, each of us should take offense that vulnerabilities exploiting access controls, permissions, and privileges even exist, let alone rank among the top threats to our networks. To be sure, buffer-overflows can lead to escalation of privilege, but we must not assume that security faults in controls and privileges are solely the result of software weaknesses. Certainly, NIST doesn’t take this approach as they have made buffer-overflows its own category, separate from access and privilege threats.

​So, what do we do? First and foremost, we should let go of our ego. Don’t assume that every security detail has been taken care of. Get in the habit of double-checking yourself, make sure those privileges and controls are properly set, and most important, still relevant. If security needs are not being met, double-down on ensuring your settings are up to date. Use those checklists, validate your templates, and adopt habits that put security first.

​Let’s make it a community goal to not see security essentials on the NVD vulnerability trends for 2018. 

What Hackers Really Want

By Rob Medley

19 June 2016

You’ve spent thousands of dollars on that new Intrusion Detection System, upgraded your firewalls and endpoint security.  You kick back, sip your latte and marvel at this titan of security that lies before you.  You’re confident that there is absolutely no way to break into the system; let them try.

Two months later, you’re standing in front of the CEO explaining the breach; the CISO sitting glum in a chair, having incurred the boss’s wrath prior to your arrival.  “How did the breach occur?”, the boss asks. “It’s not clear”, you say, “but it appears to be a privilege escalation that happened after a third party contractor fell victim to a phishing attack.”  A heavy silence falls on the room as the boss studies you, shredding any confidence you had left in getting that raise; you briefly wonder how many boxes you’ll need to clean out your desk.

This scenario plays itself out far too often across corporate America.  With the high profile attacks on LinkedIn, MySpace, iMesh, Tumblr, & GitHub, to name a few, it’s hard not to become jaded.  In fact, the ease with which hackers are able to penetrate networks and  steal passwords is becoming laughable.  Just this month it was reported that 45 million passwords were stolen from over 1,100 mainstream websites^[1].  In May, a Russian hacker was selling over a billion, with a ‘B’, passwords from major email providers^[2].  To be fair, it should be mentioned that there were only 272 million unique passwords.

With firms dumping serious cash into network defense, to the tune of 2.3 billion in 2015^[3], one must wonder why events such as those mentioned above come to fruition.  According to a recent Ponemon study, the average cost of cleaning up a data breach is $4 Million; that’s almost a third more than it was in 2013^[4].  Breaking that down further, network downtime is costing firms an average of $300,000 an hour due to incidents^[5].  In comparison, hackers are selling compromised servers for less than $10 dollars^[6].  That’s right, your multimillion dollar security scheme is worth less than the average trip to Starbucks.

If hackers are investing the time to break into systems, then selling the sensitive data therein for the price of a Whopper and fries, one has to wonder, “What do hackers really want?”  We all know that the motivation to break into networks and systems is as varied as there are people in the world; but network penetration can generally be grouped into financial motivation, curiosity, or hacktivism.  Regardless of the motivation, the psychological underpinning of any action is that the hacker wants a challenge.

Hackers tend to look at accessing resources as a game (Chess, not Call of Duty).  The psychological high that comes from winning is the reason most get into the intrusion game in the first place.  At the same time, hackers tend to view easy opponents with disdain, feeling that the ‘n00b’ who can’t defend his or her network gets everything they deserve, like publishing their entire user database online.  Yet in the hacker heart, they want us to not suck at network defense.  They hope defeating us will be more difficult than playing Mortal Combat with their three year old brother.

We defenders must do our part in this virtual chess game!  In addition to properly securing those new-fangled firewalls with more features/bling than Kim Kardashians closet, we have (as in really, people) to get our act together with regards to basic security hygiene.  Bling is fine after you learn the basics.  Let me ask, how long ago did your office update your network security policies?  Do you even have them?  One in four businesses do not have a basic security policy^[7].  Are you in the same boat as the Federal Government, with languishing policies as old as 2006? Just remember that in 2006 Facebook was new, flip-phones were cool, the iPod (with the wheel) was at its height, & IOS, Android, and Windows Vista were not part of our vocabulary yet.

In addition to updating policies for the present, your organization should stand up a risk management program.  The costs of one or two employees (better are consultants – I know one 🙂  to conduct audits of policy controls, NIST, ISO, or whichever framework you use, can save you hundreds of thousands of dollars in downtime.  These risk management professionals can also provide staff training to lock down the human aspect of hacking – social engineering (phishing, and whaling).  The end goal of all of this is not to suck at network defense.

Let’s face it; all of the technology in the world will not do any good if there are not sound security controls behind it.  Things like enforcing mandatory password lengths, expiry dates, lockouts – e.g. the basics of security, which seem to be at the root of these huge breaches, are what is needed.  By doing due diligence on these basic things, we make hackers happy.  It’s now harder for them to gain access into a system.  They are forced to spend more time trying to gain the prize and, conversely, we can spend more time playing with the technology toys that make us happy.  Not only will practicing basic security give the cybersecurity chess game renewed vigor; it will give us the respect of hackers.  If you haven’t got the respect of your opponent, what’s the point?

^[1] Nicks, D. (2016, June 14). Hackers Steal 45 Million Passwords From Over 1,100 Websites. Retrieved June 18, 2016, from http://time.com/money/4369098/hackers-steal-45-million-passwords/?utm_content=buffere9699

^[2] Wei, W. (2016, May 04). Hacker is Selling 272 Million Email Passwords for Just $1. Retrieved June 18, 2016, from http://thehackernews.com/2016/05/hacked-email-accounts.html

^[3] Reuters. (2015, September 22). Cyber security investing grows, resilient to market turmoil. Retrieved June 19, 2016, from http://fortune.com/2015/09/23/cyber-security-investing/

^[4] Olenick, D. (2016, June 15). Ponemon puts a $4 million price tag placed on mitigating data breaches. Retrieved June 18, 2016, from http://www.scmagazine.com/ponemon-puts-a-4-million-price-tag-placed-on-mitigating-data-breaches/article/503392/

^[5] Firewall Migrations: Five Ways To Maximise Security Resilience & Availability – Information Security Buzz. (2016, June 09). Retrieved June 18, 2016, from http://www.informationsecuritybuzz.com/articles/firewall-migrations-five-ways-maximise-security-resilience-availability/

^[6]Auchard, E. (2016, June 14). Cybercrime market sells servers for as little as $6 to launch attacks. Retrieved June 18, 2016, from http://www.stltoday.com/business/local/cybercrime-market-sells-servers-for-as-little-as-to-launch/article_fd775f99-3a04-5133-921b-feffeebc7f11.html

^[7] Hoffman, S. (2008, October 28). Corporate Security Policies Found Ineffective. Retrieved June 19, 2016, from http://www.crn.com/news/security/211601180/corporate-security-policies-found-ineffective.htm

The Cybersecurity Expert You Won’t Hire… But Should

According to Forbes magazine, spending on Cybersecurity reached $75 billion in 2015, and is expected to reach $170 billion by 2020[i].  Expected growth areas include security analytics and threat intelligence, each expected to grow 10 percent; governance, risk and compliance by 14%; mobile security by 18 percent, and cloud security by a whopping 50%.

As the world moves increasingly online, cybersecurity can only be expected to continue this growth pattern well beyond 2020.  Evolutions in cyber-attacks have driven the expansion of these technology sectors.  For example, in 2014, businesses reported 42.8 million detected attacks world-wide[ii].  The United States Government has responded to the rise in computer attacks by establishing programs to create cyber-warriors, such as CyberCorps®, policy initiatives such as the National Cybersecurity Framework, and huge investments in security research and development via the Office of Science and Technology Policy (OSTP)[iii].

And yet, the United States remains behind the eight-ball with regards to security of our networks and critical data.  China, with its corps of 100,000 dedicated hackers[iv] , repeatedly out maneuvers the U.S. on the cyber-playfield.  According to Michael McConnell, former Director of National Intelligence under President Bush, the Chinese “have penetrated every major corporation of any consequence in the United States and taken information. We’ve never, ever found Chinese malware.”  Considering the opposition we are up against as a nation – China, Russia, Iran with extensive cyber-programs; allies who sweet talk us but are digging in our cyber-trash at the same time, terrorists bent on our destruction, for profit hackers, and joy-riding script-kiddies – we need every cyber-warrior we can get our hands on.

So how is America doing in increasing our IT forces?  Honestly, not so well.  CyberCorps®, the national program to increase our cadre of professionals, has only produced 1, 500 graduates.  That’s a paltry number considering that China has penetrated and downloaded “the entire contents of the Pentagon’s mainframe computers at least seven times,” and an NSA review of CIA computers revealed approximately 1,500 pieces of installed malware; at least according to a source that may or may not be Gen. Keith B. Alexander, most recently head of U.S. Cyber Command[v].

This is not to say that we as a nation are not trying, we are, but we can be doing a lot more.  Aside from increasing throughput in cyber-programs at American universities, boosting Science, Technology, and Math (STEM) programs, and throwing more money in general at the problem, business and government leaders can utilize the resources right under their noses – those cyber-warriors suffering from mental health disabilities.

We all know that there is racial, gender and sexual discrimination in all aspects of society, the news outlets can’t stop reporting on these.  Yet, there is another group that suffers discrimination as much, if not more than others – those with mental illness.  You may be tempted to say, “Ridiculous, there is no discrimination like that!”  I’m here to change your mind.  I’m one of the depressed masses.

Before I tell you my experience of being a jobless cyber-knowledgeable, degreed and superfluously certified professional, allow me to regale you of the population in general.  People with mental illness account for about six percent of the total population, and among this monolithic group are subsets of bi-polar, schizophrenic, and just plain depressed people.  We don’t like to be grouped together, and are kind of at odds with each other as far as the direction of our awareness cause.  The schizophrenics always want to count all of their personalities, while the manic-depressives think big, but are gone when we make up the flyers.  It ends up being something like a Monty Python sketch.

Despite of this, mental illness awareness is starting to gain traction nationally; we even have our own month now!  Although response is growing, people with the disease still face more discrimination than the LGBTQ community.  After all, if someone is ‘mentally ill’, they have to be a loner, packing stacks of firearms in their basements, waiting for the right moment to explode – it’s the same subconscious narrative people get when someone of Muslim origin gets on a train and is sporting a backpack.  Both stereotypes could not be further from the truth, but in an age of people getting their news from social media, and establishment journalism itself languishing in a perpetual funk, the narrative is hard to change.

Indeed, people with mental illness, such as major depression, are five times as likely to be unemployed[vi] verses their ‘normal’ counterparts.  As of 2006, that translates to 60% of working age adults with mental health disabilities likely to be out of work, verses 20% in the non-disabled population.  One in three job applicants with mental health disorders reported being turned down for a job outright or being downsized once their mental health history was known.  Of course, the government has programs in place to prevent discrimination, such as the Americans with Disabilities Act, and ‘Schedule A’ employment opportunities, but they do not work once human bias enters the equation.  There is always something that an employer can use to disqualify an applicant; lack of experience, closing the position, etc.

In my own case, I have applied for approximately 500 jobs since I left the Navy in 2014; after 22 years of service.  I suffer from major depression.  I’ve been in regular treatment since 2012 but have been on and off through the system since about 2002. I’m highly skilled, have an impressive work history, speak a few languages, have advanced degrees in Cybersecurity and Strategic Intelligence, as well as the obligatory technical certifications.  Looking at me, you wouldn’t guess I have major depression, because I’m at my most vulnerable when I’m alone with my mental merry-go-round of a subconscious narrative.  I smile, I laugh, and I’m an outstanding leader (if you ask people who have worked for me) – so why is it so difficult to get a job?  Moreover, why is it so hard to get a job in a critical sector?  After all, I have a TS clearance that’s valid – there is absolutely no reason for me to not be working.

If you surf the government clearing house for jobs (USA Jobs), you’ll see tons of jobs for cyber, but it’s to the point now where I don’t cry (figuratively) anymore when I get the ‘lacking requisite experience’ rejection for the job that describes me to a ‘T’.  Why? I realize my error. I tell people up front I suffer from major depression.  Honesty, it’s a weakness….  I guess doing that makes the life of the HR guy easier – you’re welcome, but you’re doing a disservice to your organization and your country.

Exclusion from the work force does a lot of damage to both the person with mental health disabilities and the economic fabric of the country.  Exclusion “creates material deprivation, erodes self-confidence, creates a sense of isolation and marginalization and is a key risk factor for mental disability.”[vii]  In short, employer bias is making us crazier, forcing us onto Social Security and other programs (full disclosure, I’m on neither) when they could attempt to see past the narrative and employ cyber-professionals that want to work, want to be a contributing member of society, and could be that person who stops the eight full download of Pentagon computers by the Chinese military.

Maybe tomorrow when you get to work, go through those applications you’ve rejected due to bias.  You’ll be doing your part to make the world a better place, decrease homelessness and public assistance, reduce your taxes (got your attention, right?), and most important, you’ll be getting an employee that will work harder than your normal ones.

Rob Medley is a starving artist and cybersecurity expert writing blogs after midnight to pass the time.

[i] Morgan, S. (2015, December 20). Cybersecurity Market Reaches $75 Billion In 2015; Expected To Reach $170 Billion By 2020. Retrieved June 02, 2016, from http://www.forbes.com/sites/stevemorgan/2015/12/20/cybersecurity-market-reaches-75-billion-in-2015-expected-to-reach-170-billion-by-2020/#17b09c962191

[ii] Lingenheld, M. (2015, April 27). The Unfortunate Growth Sector: Cybersecurity. Retrieved June 02, 2016, from http://www.forbes.com/sites/michaellingenheld/2015/04/27/the-unfortunate-growth-sector-cybersecurity/#7080e9205a7e

[iii] Presidential Policy Directive — Critical Infrastructure Security and Resilience. (2013, February 12). Retrieved June 02, 2016, from https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

[iv] Lingenheld, M. (2015, April 27). The Unfortunate Growth Sector: Cybersecurity. Retrieved June 02, 2016, from http://www.forbes.com/sites/michaellingenheld/2015/04/27/the-unfortunate-growth-sector-cybersecurity/#7080e9205a7e

[v] Thomas, J. (2016, June 02). The 10 Baggers In Cybersecurity. Retrieved June 02, 2016, from http://seekingalpha.com/article/3979451-10-baggers-cybersecurity

[vi] Stuart, H. (2006). Mental Illness and Employment Discrimination. Retrieved June 03, 2016, from http://www.medscape.com/viewarticle/542517_2

[vii] Stuart, H. (2006). Mental Illness and Employment Discrimination. Retrieved June 03, 2016, from http://www.medscape.com/viewarticle/542517_2