Tag Archive for: nist

NIST Releases Draft Zero-Trust Architecture Guide

/in


Agencies looking to adopt zero-trust security architecture can expect to see new guidance roll out throughout this summer.

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) works with government agencies, industry organizations and academic institutions to create example solutions for pressing cybersecurity concerns, and in recent years turned its focus to zero trust, said NCCoE Security Engineer and Project Manager Alper Kerman during an RSA Conference panel.

Under its Implementing a Zero Trust Architecture project, NCCoE has been working to identify the core components of a zero-trust approach, as well as demonstrate different ways for achieving it, using commercially available technologies. The effort aims to show how a zero-trust architecture could work for different scenarios such as an employee or guest user trying to access online resources, or a contractor trying to access an on-premise resource, Kerman said.


Now in early June, NCCoE has released a draft guide, with more to follow.

“We want to be able to figure out what would be the minimum viable solution that would give us some level of zero-trust orchestration,” Kerman said.

There are three key aspects of a zero-trust architecture: enhanced identity governance (EIG), micro segmentation and software-defined perimeters, he said. Organizations may find it easier to focus more heavily on one or another, depending on their workflows, while still including elements of the other two, per NIST.

For the project, NCCoE is first demonstrating zero-trust example scenarios that focus on EIG techniques and is releasing preliminary drafts of its guidance on this method.

On June 3, NCCoE released a draft high-level overview document intended to help leadership consider their planning. NCCoE will be following up with two more detailed and technical guides, with those drafts slated for release in July and August.

WHAT’S ZERO TRUST AGAIN?

Zero trust isn’t a specific standard but rather “a set of principles used in designing and implementing and operating an infrastructure,” said NIST Computer Scientist…

Source…

NIST provides recommended criteria for cybersecurity labeling for consumer software and IoT products

/in


Will NIST’s cybersecurity labeling for consumer software and IoT products help us achieve better security? Our experts weigh in.

NIST cybersecurity labeling recommendations | Synopsys

If one of the goals of President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” is fulfilled, you’ll be able to look for a quality and security assurance label on any software product you consider buying. To which anyone who cares about such things—and everybody should—might say “it’s about time.”

Indeed, consumer labeling has long been mainstream when it comes to just about everything else. We take for granted that what we plan to eat or drink has a list of ingredients on the packaging or container. The U.S. Department of Agriculture has a label that food vendors can use if their product is certified organic. Most of us are familiar with the Good Housekeeping Seal and UL certification, which offer some assurance that a vast range of products meet a minimum quality standard. “Look for the union label” has been a slogan for almost 50 years.

But details or seals of approval on the quality of software ingredients? Not so much. Pretty much not at all.

Current state of consumer cybersecurity awareness

While Americans rely on software for just about everything in modern life—communication (email, text, phone), social media, online purchases, games, research, home security, transportation, and much, much more—most remain only dimly aware of what it is, how it works, and the level of its quality and security. 

As the National Institute of Standards and Technology (NIST) recently put it, “most consumers take for granted and are unaware of the software upon which many products and services rely, [and] the very notion of what constitutes software may even be unclear.” That is, in large measure, because consumers aren’t told much of anything about it. They generally see only what it does, not what it is, who made it, how it works, or how it could put them at risk. 

The Biden executive order (EO) is obviously aimed at closing that gap in consumer awareness. It calls for NIST, the Federal Trade Commission, and other agencies to “initiate pilot programs informed by existing consumer product labeling…

Source…

NIST Releases New “Cybersecurity Framework Profile for Ransomware Risk Management” to Battle Growing Threat of Ransomware Attacks | Faegre Drinker Biddle & Reath LLP

/in


Ransomware incidents continue to be on the rise, wreaking havoc for organizations globally. Ransomware attacks target an organization’s data or infrastructure, and, in exchange for releasing the captured data or infrastructure, the attacker demands a ransom. This creates a dilemma for organizations — the decision to pay the ransom, relying on the attacker to release the data as they say, or to reject the ransom demand and try to restore the data or operations on their own.

On the heels of new federal actions related to cyber security, the National Institute of Standards and Technology (NIST) recently issued a Cybersecurity Framework Profile for Ransomware Risk Management (Ransomware Profile), currently designated as “NISTIR 8374.” This new Ransomware Profile “maps security objectives” from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Cybersecurity Framework). The Ransomware Profile “can be used as a guide to managing the risk of ransomware events” and can help “gauge an organization’s level of readiness to mitigate ransomware threats and to react to the potential impact of events.”

This is the second cybersecurity framework profile recently released by NIST to help reverse ransomware attacks. In late 2020, NIST released its “Zero Trust Architecture” framework as an additional alternative to ransomware defense. To learn more about NIST’s Zero Trust Architecture model,  read here.

This new NIST Ransomware Cybersecurity Framework Profile is composed of three unique parts:

  • The Framework Core
  • The Framework Implementation Tiers
  • The Framework Profile

Additionally, the Framework Core includes five parts, intended to be concurrent and continuous functions that adopting entities should employ:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

These functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk” and, to simplify what NIST is propounding, the Ransomware Profile expands on the Cybersecurity Framework by using the five parts of the Framework Core to offer practical steps that organizations can take to safeguard their networks from potential…

Source…

NIST Releases Tips and Tactics for Dealing With Ransomware – Homeland Security Today

/in


Used in cyberattacks that can paralyze organizations, ransomware is malicious software that encrypts a computer system’s data and demands payment to restore access. To help organizations protect against ransomware attacks and recover from them if they happen, the National Institute of Standards and Technology (NIST) has published an infographic offering a series of simple tips and tactics.

NIST’s advice includes:

  • Use antivirus software at all times — and make sure it’s set up to automatically scan your emails and removable media (e.g., flash drives) for ransomware and other malware.
  • Keep all computers fully patched with security updates.
  • Use security products or services that block access to known ransomware sites on the internet.
  • Configure operating systems or use third-party software to allow only authorized applications to run on computers, thus preventing ransomware from working.
  • Restrict or prohibit use of personally owned devices on your organization’s networks and for telework or remote access unless you’re taking extra steps to assure security.

NIST also advises users to follow these tips for their work computers:

  • Use standard user accounts instead of accounts with administrative privileges whenever possible.
  • Avoid using personal applications and websites, such as email, chat and social media, on work computers.
  • Avoid opening files, clicking on links, etc. from unknown sources without first checking them for suspicious content. For example, you can run an antivirus scan on a file, and inspect links carefully.

Unfortunately, even with protective measures in place, eventually a ransomware attack may still succeed. Organizations can prepare for this by taking steps to ensure that their information will not be corrupted or lost, and that normal operations can resume quickly.

NIST recommends that organizations follow these steps to accelerate their recovery:

  • Develop and implement an incident recovery plan with defined roles and strategies for decision making.
  • Carefully plan, implement and test a data backup and restoration strategy. It’s important not only to have secure backups of all your important data, but also to make sure that backups are kept…

Source…