Showing posts with label NIST.

Friday, August 2, 2013

NIST Updates Malware & Patch Management Guidelines

First Revisions to Both Publications in Eight Years

The National Institute of Standards and Technology has published new guidance on malware incident prevention and handling for desktops and laptops as well as enterprise patch management technologies.

NIST Special Publication 800-83 Revision 1, "Guide to Malware Incident Prevention and Handling for Desktops and Laptops," provides recommendations for improving an organization's malware incident prevention measures. The publication also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts.

SP 800-40 Revision 3, "Guide to Enterprise Patch Management Technologies," provides an overview of enterprise patch management technologies. It also briefly discusses metrics for assessing the technologies' effectiveness. The publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems.

NIST also issued SP 800-165, "2012 Computer Security Division Annual Report," which highlights the activities of NIST's Computer Security Division during fiscal year 2012, which ended Sept. 30.

Monday, June 24, 2013

NIST Publishes Draft Cloud Computing Security Document for Comment

NIST Cloud Computing Security Reference Architecture provides a security overlay to the NIST Cloud Computing Reference Architecture published in 2011

The National Institute of Standards and Technology (NIST) has published a draft document on security for cloud computing as used in the federal government. The public comment period runs through July 12, 2013.

The 2011 NIST Cloud Computing Reference Architecture provided a template and vocabulary for federal cloud adopters to follow for a consistent implementation of cloud-based applications across the government.

This new addition, the NIST Cloud Computing Security Reference Architecture, contributes a comprehensive security model that supplements the NIST Cloud Computing Reference Architecture.

Using this model and an associated set of security components derived from the capabilities identified by the Cloud Security Alliance in its Trusted Cloud Initiative Reference Architecture, the NIST Cloud Computing Security Reference Architecture introduces a cloud-adapted Risk Management Framework for applications and/or services migrated to the cloud.

The NIST Cloud Computing Security Reference Architecture provides a case study that walks readers through steps an agency follows using the cloud-adapted Risk Management Framework while deploying a typical application to the cloud—migrating existing email, calendar and document-sharing systems as a unified, cloud-based messaging system.

Deadline for comments is July 12, 2013. Please use the template for comments and mail to Michaela Iorga at Michaela.iorga@nist.gov with the subject line "Comments SP 500-299."

Friday, December 14, 2012

NIST Glossary of Infosec Terms

Looking for a gift for your boss who doesn't quite understand information security lingo?

The National Institute of Standards and Technology has one you can give, and it's free. NIST has issued a draft of Interagency Report 7298 Revision 2: NIST Glossary of Key Information Security Terms.

As we are continuously refreshing our publication suite, terms included in the glossary come from our more recent publications. The NIST publications referenced are the most recent versions of those publications. It is our intention to keep the glossary current by providing updates online.

New definitions will be added to the glossary as required, and updated versions will be posted on the Computer Security Resource Center website.

The glossary includes most of the terms found in NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009, an information assurance glossary issued by the Defense Department's Committee on National Security Systems, a forum that helps set the US federal government's information assurance policy.

NIST is seeking comments and suggestions on the revised glossary, and they should be sent by Jan. 15 to secglossary@nist.gov.

Wednesday, December 5, 2012

NIST Issues Credential Revocation Guide

Revocation Model for Federated Identities

Organizations can't easily revoke authentication credentials when they employ more than one identity provider. With multiple identity providers and unique requirements for organizations to federate them, no one approach exists to manage them.

To address this dilemma, the National Institute of Standards and Technology has issued NIST Interagency Report 7817: A Credential Reliability and Revocation Model for Federated Identities.

IR 7817 describes and classifies different types of identity providers serving federations. For each classification, the document identifies perceived improvements when the credentials are used in authentication services and recommends countermeasures to eliminate some identified gaps.

With the countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services model that strives to improve authentication services for federations.

Here's how NIST explains the challenge:

Identity providers establish and manage their user community's digital identities. Users employ these identities, in the form of digital credentials, to authenticate to service providers. The digital identity technology deployed by an identity provider for its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.

A federated community accommodates two or more identity providers along with the specific authentication solution. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attributes.

In the absence of a uniform method, IR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, the report suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.

Monday, November 19, 2012

10 Supply Chain Risk Management Best Practices

NIST Interagency Report Aims to Mitigate Vulnerabilities

The National Institute of Standards and Technology has issued a new report to help organizations mitigate supply chain risks. NIST says the 10 supply chain risk management practices can be applied simultaneously to an information system or the elements of an information system.

The practices are:

1) Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gain visibility into what is happening within it, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, it is impossible to understand and therefore manage risk and to reduce the likelihood of an adverse event.

2) Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3) Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of an element's origin, together with the history of changes made to it and the record of who made those changes, is called "provenance."

Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.
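As an added illustration of what a provenance record has to capture (this is not code from the NIST report; the actor names, actions and sample images are constructed), the block below keeps a hash-chained history of an element's origin and changes, and shows verification failing when an entry is altered, when an entry is dropped, or when the element no longer matches its last recorded state:

```python
"""Tamper-evident provenance record for a supply-chain element.

Added illustration, not code from the NIST report: each entry records who changed
the element, what they did and the element's digest afterwards, chained to the
previous entry so that edits to the history itself become detectable.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(actor: str, action: str, content_hash: str, prev_hash: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    return _digest(json.dumps([actor, action, content_hash, prev_hash]).encode())


@dataclass(frozen=True)
class ProvenanceEntry:
    actor: str          # who made the change (supplier, integrator, acquirer)
    action: str         # what happened: "created", "patched", "repackaged", ...
    content_hash: str   # SHA-256 of the element after this step
    prev_hash: str      # entry_hash of the previous entry, "" at the origin
    entry_hash: str     # hash over the four fields above


class Provenance:
    def __init__(self) -> None:
        self.entries: List[ProvenanceEntry] = []

    def record(self, actor: str, action: str, content: bytes) -> ProvenanceEntry:
        """Append a change to the history, linked to the entry before it."""
        prev = self.entries[-1].entry_hash if self.entries else ""
        content_hash = _digest(content)
        entry = ProvenanceEntry(actor, action, content_hash, prev,
                                _entry_hash(actor, action, content_hash, prev))
        self.entries.append(entry)
        return entry

    def verify(self, current_content: bytes) -> Optional[str]:
        """Return None if the history is intact and describes current_content,
        otherwise a short reason for the failure."""
        if not self.entries:
            return "no provenance recorded"
        prev = ""
        for i, e in enumerate(self.entries):
            if e.prev_hash != prev:
                return f"entry {i}: chain broken (entry removed or reordered)"
            if e.entry_hash != _entry_hash(e.actor, e.action, e.content_hash, e.prev_hash):
                return f"entry {i}: entry altered after the fact"
            prev = e.entry_hash
        if self.entries[-1].content_hash != _digest(current_content):
            return "element differs from its last recorded state"
        return None


def demo():
    """Constructed scenario: a supplier builds an element, an integrator patches it."""
    image_v1 = b"constructed firmware image v1"  # constructed sample content
    image_v2 = b"constructed firmware image v2"
    prov = Provenance()
    prov.record("supplier-A", "created", image_v1)
    prov.record("integrator-B", "patched", image_v2)
    intact = prov.verify(image_v2)

    # Rewriting who performed the patch invalidates that entry's hash.
    forged = Provenance()
    forged.entries = list(prov.entries)
    forged.entries[1] = replace(forged.entries[1], actor="integrator-Z")
    altered = forged.verify(image_v2)

    # Dropping the origin entry breaks the chain at the first remaining entry.
    truncated = Provenance()
    truncated.entries = prov.entries[1:]
    broken = truncated.verify(image_v2)

    # An undocumented change to the shipped element no longer matches the record.
    drifted = prov.verify(b"constructed firmware image v2 modified")
    return intact, altered, broken, drifted
```

Each party in the chain (supplier, integrator, acquirer) appends its own entries, and any of them can run `verify` against the element it actually received.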

4) Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content to be shared among acquirers, integrators and suppliers may include information about the use of elements, users, acquirer, integrator or supplier organizations as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices. 

5) Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6) Use defensive design for systems, elements and processes. The use of design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines that can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system.

Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7) Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8) Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain, which has a great potential for being compromised. In today's environment, delivery can be physical such as hardware or logical such as software modules and patches. 

9) Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10) Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.

NIST says the recommendations in the interagency report are for information systems categorized at the FIPS 199 high-impact level. But NIST says agencies and other organizations can choose to apply the recommended practices to specific systems with a lower impact level, based on the tailoring guidance provided in the draft of NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.


Friday, November 2, 2012

NIST Drafts Guidance on Securing Smart Phones & Tablets

3 Key Facets of Mobile Device Security

Securing mobile devices - whether employee- or enterprise-owned - has become vital for many organizations and government agencies as the devices increasingly take the place of PCs and laptops.

The National Institute of Standards and Technology has issued a draft of guidance that defines the fundamental security components and capabilities needed to help mitigate risks involved in using the latest generation of mobile devices.

Andrew Regenscheid, one of the co-authors of Special Publication 800-164 (Draft): Guidelines on Hardware-Rooted Security in Mobile Devices, says many mobile devices lack a firm foundation from which to build security and trust.

These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions.

On laptop and desktop systems, Regenscheid explains, roots of trust are implemented in a tamper-proof, separate security chip. But the power and space constraints in mobile devices have led manufacturers to pursue other approaches, such as leveraging security features built into the processors these products use. NIST says the guidelines focus on three security capabilities to address known mobile device security challenges: device integrity, isolation and protected storage.

According to NIST, a tablet or phone supporting device integrity can provide information about its configuration and operating status that can be verified by the organization whose information is being accessed. Isolation capabilities can keep personal and organization data components and processes separate. That way, NIST says, personal applications should not be able to interfere with the organization's secure operations on the device. Protected storage keeps data safe using cryptography and restricting access to information.

To achieve the security capabilities, the guidelines recommend that each mobile device implement three security components that can be employed by the device's operating system and applications:

  • Roots of trust, which combine hardware, firmware and software components to provide critical security functions with a very high degree of assurance that they will behave correctly;
  • An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
  • A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device.

NIST is seeking comments on the draft guidance. Those with suggestions should submit them to 800-164comments@nist.gov by Dec. 14.

Monday, October 1, 2012

NIST Issues Access-Control Guidance

Guidelines for Access-Control Systems Evaluation Metrics

The National Institute of Standards and Technology has released an interagency report, Guidelines for Access-Control Systems Evaluation Metrics, which provides background information on access-control properties.

NIST says the guidance, NISTIR 7874, aims to help access-control experts improve their evaluation of the highest-security access-control systems by discussing the administration, enforcement, performance and support properties of the mechanisms embedded in each access-control system. The new report extends the information in NISTIR 7316, Assessment of Access Control Systems, which explains the fundamental concepts of policies, models and mechanisms of access-control systems.

Why is this guidance important?

NIST explains: Adequate security of information and information systems is a fundamental management responsibility. Nearly all applications include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system.

Access control is concerned with how authorizations are structured; in some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. Access-control system planning consists of three primary abstractions: policies, models and mechanisms.

According to NIST, policies consist of high-level requirements that specify how access is managed and who may access information under what circumstances. At a high level, access-control policies are enforced through a mechanism that translates a user's access request, often in terms of a structure that a system provides.

Access-control models bridge the gap in abstraction between policy and mechanism. Rather than attempting to evaluate and analyze access-control systems exclusively at the mechanism level, access-control models are usually written to describe the security properties of an access-control system.

These systems come with a wide variety of features and administrative capabilities, and their operational impact can be significant. In particular, NIST says, this impact can pertain to administrative and user productivity, as well as to the organization's ability to perform its mission. It's reasonable to use quality metrics to verify the mechanical properties of access-control systems.

The publication provides metrics for the evaluation of access-control systems based on these features:

  • Administration, the main consideration of cost;
  • Enforcement capabilities, the requirements for access-control applications;
  • Performance, a major factor for access-control usability; and
  • Support, functions allowing an access-control system to use and connect to related technologies so as to enable more efficient integration with network and host services.

"Because of the rigorous nature of the metrics and the knowledge needed to gather them, these metrics are intended to be used by access-control experts who are evaluating the highest security access-control systems," the authors of the report write.

Thursday, September 20, 2012

The Bible of Risk Assessment

NIST Issues Risk Assessments Guidance

Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government.

The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.

Continuous Monitoring

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor systems continuously so that they can determine whether risks have increased to unacceptable levels, such as exceeding organizational risk tolerance. And it offers insights on different courses of action that should be taken.

Information technology risks include risk to the organization's operations, such as mission and reputation, as well as its critical assets, including data and physical property as well as individuals who are part of or served by the organization.

Can't Protect Everything

The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations.

It also addresses the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.

With the issuance of the revised SP 800-30, the original series of five key computer security documents (including SP 800-39) envisioned by the Joint Task Force to create a unified information security framework for the federal government is complete. The Joint Task Force is a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Monday, August 13, 2012

11 Ways Enterprises Can Battle Malware

NIST guidelines will help you keep pace with the changing malicious code threat

As malicious code rapidly evolves, the National Institute of Standards and Technology is updating its guidance to reflect changes in the threat malware presents organizations.

NIST says in the just-published draft of Special Publication 800-83 Revision 1: Guide to Malware Incident Prevention and Handling for Desktops and Laptops:

"Unlike most malware threats several years ago, which tended to be fast-spreading and easy to notice, many of today's malware threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts."

NIST, in announcing the draft revision, points out that protecting desktops and laptops remains critical even as many government agencies and companies focus on mobile security.

The guidance provides information on the major categories of malware that afflict desktop and laptop computers and furnishes practical procedures on how to prevent malware incidents and what to do when a system becomes infected.

To battle malware, the NIST guidance suggests organizations should:

  1. Develop and implement an approach to malware incident prevention.
  2. Plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used now and in the near future.
  3. Ensure that their policies address prevention of malware incidents.
  4. Incorporate malware incident prevention and handling into their awareness programs.
  5. Implement awareness programs that include guidance to users on malware incident prevention.
  6. Maintain vulnerability mitigation capabilities to help prevent malware incidents.
  7. Document policy, processes and procedures to mitigate vulnerabilities that malware might exploit.
  8. Apply threat mitigation capabilities to assist in containing malware incidents.
  9. Perform threat mitigation to detect and stop malware before it can affect its targets.
  10. Consider using defensive architecture methods to reduce the impact of malware incidents.
  11. Sustain a robust incident response process capability that addresses malware incident handling.

NIST is seeking comments from stakeholders on the draft. Comments can be sent to 800-83comments@nist.gov by Aug. 31. A final revision is expected to be published by late summer.

Thursday, May 17, 2012

NIST Drafting New Guidance to Mitigate Supply Chain Risk

10 Practices to Secure the Supply Chain

Guidance that identifies 10 overarching practices to mitigate supply chain risks is being developed by the National Institute of Standards and Technology. Supply chain risks can occur when organizations purchase and implement information and communications technology products and services.

"Supply chain risk is significant and growing," says Jon Boyens, a NIST senior advisor for information security who's co-authoring the new guidance, NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems.

This is the second draft of IR 7622. In the latest version, NIST computer scientists pared the 21 prescriptive practices described in the initial draft down to 10. They are:

  1. Uniquely identify supply chain elements, processes and actors;
  2. Limit access and exposure within the supply chain;
  3. Create and maintain the provenance of elements, processes, tools and data;
  4. Share information within strict limits;
  5. Perform supply chain risk management awareness and training;
  6. Use defensive design for systems, elements and processes;
  7. Perform continuous integrator review;
  8. Strengthen delivery mechanisms;
  9. Assure sustainment activities and processes; and
  10. Manage disposal and final disposition activities throughout the system or element life cycle.

Supply chain risk management, as described in the guidance, is a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using information and communication technology products and services.

The publication calls for procurement organizations to establish a coordinated team approach to assess the supply chain risk and to manage this risk by using technical and programmatic mitigation techniques. Improving the supply chain is part of the federal government's Comprehensive National Cybersecurity Initiative, which states that managing risk requires a greater awareness of the threats, vulnerabilities and consequences associated with acquisition decisions.

"The growing sophistication of technology and increasing speed and scale of a complex, distributed global supply chain leave government agencies without a comprehensive way of managing or understanding the processes from design to disposal, and that increases the risk of exploitation through a variety of means including counterfeit materials, malicious software or untrustworthy products," according to a NIST statement that accompanied the latest draft.

NIST is basing IR 7622 on security practices and procedures it published along with those from the National Defense University and the National Defense Industrial Association. NIST is expanding the guidance to meet specific demands of the supply chain. Before issuing the final guidance later this year, the authors of IR 7622 seek comments on the document, including prioritizing the supply chain risk management components.

To help understand how the proposed process works, the authors want reviewers to consider how the practices could be applied to recent and upcoming procurement activities and provide comments on the practicality, feasibility, cost, challenges and successes. Comments should be sent to scrm-nist@nist.gov by May 25.

Friday, March 9, 2012

NIST Releases Final Smart Grid 'Framework 2.0' Document

Framework will provide an expanded view of the architecture of the Smart Grid

An updated roadmap for the Smart Grid is now available from the National Institute of Standards and Technology (NIST), which recently finished reviewing and incorporating public comments into the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0.

The 2.0 Framework lays out a plan for transforming the nation's aging electric power system into an interoperable Smart Grid—a network that will integrate information and communication technologies with the power-delivery infrastructure, enabling two-way flows of energy and communications.

The final version reflects input from a wide range of stakeholder groups, including representatives from trade associations, standards organizations, utilities and industries associated with the power grid.
