Articles

NIST Cybersecurity Framework update comments highlight a gamut of…

Better metrics, implementation guidance, and alignment with other frameworks are high on the list of suggested improvements to the NIST CSF.

In late February, the National Institute of Standards and Technology (NIST) issued a request for information (RFI) to evaluate and enhance its Cybersecurity Framework, or CSF, first produced in 2014 and last updated in 2018. Many developments in the swiftly changing cybersecurity field prompted NIST to revisit its complex and well-received template designed to help organizations best manage cybersecurity risk.

In its RFI, NIST asked a series of questions about how to improve the use of the framework. Among those questions are whether the framework allows for better risk assessments and management of risks, what relevant metrics might be used to measure the framework’s impact, and what challenges organizations face in using the framework. NIST also asked how to better align or integrate the CSF with other NIST resources, such as the NIST Risk Management and Privacy Frameworks. Finally, NIST asked how it could help identify supply chain-related cybersecurity needs and harmonize the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the CSF.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Pete Linforth from Pixabay

 

Articles

NIST releases software, IoT, and consumer cybersecurity labeling guidance

The new guidance aims to tighten security requirements for federally purchased software and give consumers better insight into the security of software and devices they buy.

On February 4, the National Institute of Standards and Technology (NIST) issued several documents and updates that spell out software security guidance and recommended consumer labeling practices for software and IoT devices. NIST also laid out its approach to consumer cybersecurity labeling projects.

These initiatives were mandated under President Biden’s wide-ranging executive order (EO) issued last May. They aim to tighten the federal government’s security requirements for the software products it purchases, hoping that the benefits will also flow to the private sector. The labeling initiatives aim to provide consumers greater insight into the security of the software and devices they purchase and spur greater transparency by consumer software and IoT device makers.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

 

Articles

NIST gears up for software security and IoT labeling…

Intended to help consumers make more secure software and IoT device purchases, the labeling guidelines are voluntary and self-policing at this time.

President Biden’s wide-ranging cybersecurity executive order issued last May directs the National Institute of Standards and Technology (NIST) to create pilot labeling programs to educate the public on the security of the internet-of-things (IoT) devices and software products they buy. The order requires NIST to produce by February 6, 2022, IoT cybersecurity criteria for a consumer labeling program and, separately, identify secure software development practices or criteria for a software labeling program.

To those ends, NIST held a workshop in September and solicited comments from stakeholders and experts. Based on the input received in these efforts and after issuing preliminary draft papers that outline various approaches, NIST issued draft Baseline Criteria for Consumer Software Cybersecurity Labeling on November 1 and a discussion draft on Consumer Cybersecurity Labeling for IoT Products on December 3.

After NIST produces both the IoT and software criteria in February, it will begin a labeling pilot testing phase. That phase will consist of NIST engaging with organizations that currently offer consumer labeling options. NIST says it may also decide to establish measures to demonstrate further proof of concept based on the criteria it publishes.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

NIST workshop provides clues to upcoming software supply chain…

Experts at a NIST-sponsored workshop weigh in on what might be in the final version of the Biden executive-order-mandated supply chain security guidelines.

President Biden’s wide-ranging cybersecurity executive order (EO) issued in May aims to improve software security through a series of guidelines. As the EO directed, the National Institute of Standards and Technology (NIST) has produced a definition of what constitutes “critical software,” published guidance on security measures for EO-critical software use, and released guidelines on vendors’ source-code testing. On November 8,  NIST published preliminary guidelines for enhancing software supply chain security.

NIST recently held a workshop to discuss the guidelines’ provisions, which are due in final form by February 6, 2022. The EO asks NIST to produce its software supply chain security guidelines according to ten criteria, including secure software development environments; the generation of “artifacts,” which can contain a host of information about how the software was developed; the provenance or origin of software code and components; software bills of materials (SBOMs); vulnerability disclosure programs; and attestation to conformity with secure software development practices.

The workshop gathered experts to share their insights on some of the components currently contemplated for the final supply chain security guidelines.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

US cryptocurrency exchange sanctions over ransomware likely not the…

The sanctions against Suex, aimed to cut ransomware gangs off from their revenue, sends a signal to other exchanges that support criminal activity.

Days after the Russia-linked BlackMatter ransomware gang hit an Iowa grain cooperative with a ransomware attack, the Biden administration unveiled its latest effort to address the ongoing ransomware crisis. In a move designed to cut off ransomware gangs from their financial rewards, the Treasury Department announced that its Office of Foreign Asset Control (OFAC) placed Czech Republic-registered but Russian national-owned and -operated cryptocurrency exchange Suex on its sanctioned entity list, formally called the Specially Designated Nationals and Blocked Persons (SDN) List.

Suex facilitates “financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants,” according to the announcement. Treasury says that over 40% of Suex’s known transaction history is associated with illicit actors, representing $370 million in illicit trading.

OFAC included on the SDN list a total of 25 bitcoin, ethereum, and tether addresses known to be controlled by Suex. These addresses received more than $934 million in various crypto assets overall. In addition, blockchain transactions tracking company Chainanalysis said that the Suex addresses have received more than $160 million in bitcoin alone from “ransomware actors, scammers, and dark net market operators” since the exchange was founded in 2018.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jon Tyson on Unsplash

Articles

Software cybersecurity labels face practical, cost challenges

The federal government wants consumer software to have cybersecurity labels; experts question the feasibility of the mandate.

As part of his extensive cybersecurity executive order issued in May, President Biden directed the National Institute of Standards and Technology (NIST) to develop two pilot labeling programs on the cybersecurity capabilities of internet-of-things (IoT) consumer devices and software development practices. Although these pilot programs won’t be mandatory for device or software sellers, they could likely raise market expectations. In addition, whatever labels come out of these programs would also carry with them some sense of government authority and might ultimately become part of the government contracting process.

Last week NIST held a two-day workshop on these topics. Of the two pilot programs, the consumer software labeling initiative is the trickier one given the ever-changing nature of software and the absence of any similar existing consumer software labeling initiative.

To help it grasp the more complex task of developing labels for software, NIST solicited one- to two-page labeling position papers from interested parties. In calling for these papers, NIST cited “the challenges and practical approaches to consumer software labeling,” asking` for feedback on the “technical criteria needed to support validation of consumer software security assertions that reflect a baseline level of secure practices.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Jon Tyson on Unsplash

Articles

NIST’s EO-mandated software security guidelines could be a game-changer

While experts applaud the new security guidance, it’s unclear whether software vendors will completely embrace and implement the needed security practices.

Following a string of high-profile supply chain hacks, President Biden’s wide-ranging executive order on cybersecurity (EO) issued on May 12 directed the National Institute of Standards and Technology (NIST) to produce guidance on a series of software security matters. First, the EO asked NIST to produce a definition of critical software, which it released at the end of June. Second, the EO directed NIST to publish guidance on security measures for EO-critical software use, which NIST released last Friday.

To tackle the complex issue of keeping software secure, NIST solicited papers from interested parties and held a two-day workshop to gain insight from industry and other experts.  NIST defined five objectives for the operational-only (not covering development and acquisition matters) security measures:

  1. Protect EO-critical software and EO-critical software platforms (the platforms on which EO-critical software runs, such as endpoints, servers, and cloud resources) from unauthorized access and usage. Measures here include use of multi-factor authentication, following privileged access management principles, and employing boundary protection techniques.
  2. Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms. Measures here include maintaining a data inventory, protecting data at rest and in transit, and back up data with a tested recovery plan.
  3. Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation. Measures here include maintaining a software inventory, have a patch management plan, and use configuration management practices.
  4. Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms. Measures here include recording necessary logging information, continuous security monitoring, and using endpoint and network security protection.
  5. Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms. Measures here include training all users and administrators of EO-critical software and conducting frequent awareness activities.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Fotis Fotopoulos on Unsplash

 

Articles

NIST defines “critical software” with a broad range of…

The goal is to enable stronger security practices for government-purchased software mandated by President Biden’s cybersecurity executive order.

A significant part of the Biden administration’s wide-ranging cybersecurity executive order (EO) mandates that the National Institute of Standards and Technology (NIST) define what constitutes “critical software,” a deliverable that is central to the wider effort of securing software supply chains. Last week NIST made good on this assignment when it released a preliminary list of software categories within the scope of this definition.

The EO stipulates that NIST’s definition “shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” Thus, the goal of the definition is to drive several additional activities required under the EO to shape how the federal government purchases and manages deployed critical software.

One driving principle behind the critical software definition is that when combined with other aspects of the EO, software acquisition by the federal government would tilt over time toward only those products that have met reasonable security measures. The hope is that the federal government’s “power of the purse” would spill over to the private sector because most major software suppliers sell to both public and private sector customers and would find it more efficient to create a single secure product for both sectors.

This article appeared in CSO Online. To read the rest of the article please visit here.

 

Articles

The cybersecurity legislation agenda: 5 areas to watch

lead centered=”no”The 116th Congress is only a few months old, but far-reaching cybersecurity bills to protect infrastructure and the supply chain, ensure election integrity, and build a security workforce are now being considered. Here’s the list. /lead

New digital threats that could topple business, government, military and political institutions is moving cybersecurity to the top of the congressional agenda. The newly seated 116th Congress has so far seen 30 bills introduced in the House of Representatives and seven bills introduced in the Senate that directly deal with cybersecurity issues. That does not include other pieces of legislation that have at least some provisions that deal with information and digital security.

A key problem in grappling with such a complex issue as cybersecurity in Congress — and in Washington in general — is the diffused responsibility spawned by the wide-ranging, interconnected nature of the topic. Representative Jim Langevin (D-RI), a member of the Armed Services and Homeland Security Committees, and one of the founders of the Congressional Cybersecurity Caucus, flagged this stumbling block at the 2019 State of the Net conference in January by calling for consolidation in Congress over cybersecurity.

Noting that around 80 groups within the legislative branch claim some jurisdiction over cybersecurity matters, Langevin said, “We as a Congress are going to have to move with greater agility to respond to the cybersecurity threats we face going forward, and we can’t do it under the current construct.” Langevin wants the House Homeland Security issue to take the lead on all matters related to cybersecurity.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Who is responsible for IoT security in healthcare?

lead centered=”no”NIST panel debates who should own IoT security: vendors or users. The issue is especially important when it comes to protecting medical devices./lead

The next big challenge in cybersecurity will undoubtedly be to secure the billion-plus (and growing) internet-of-things (IoT) devices around the globe, which exponentially expand the attack vector across the increasingly interconnected IT sector. Based on statistics from Symantec, attacks that leverage internet-connected cameras, appliances, cars, and medical devices to launch attacks or infiltrate networks soared by 600 percent from 2016 to 2017.

“It was a big year for cyberattacks,” Ken Durbin, senior strategist for global government affairs at Symantec, said speaking on a panel at NIST’s Cybersecurity Risk Management Conference. Much of that panel’s discussion focused on who should own IoT security. The nature of IoT risk makes that a hard question to answer.

This article appeared in CSO Online. To read the rest of the article please visit here.