
Critical software security guidance issued by NIST

October 26, 2021 by Susan Morrow

The phrase "no man is an island" also describes the software ecosystem that modern IT systems are built upon. The API economy and cloud computing mean that the software we use is rarely isolated from other software. Many IT services and applications depend on open source and third-party libraries, and remote updates are routine for cloud-delivered applications. These practices expose a class of vulnerabilities unique to connected, interdependent systems across wide-ranging supply chains. One infamous example is the SolarWinds attack: SolarWinds, a software supplier to the U.S. government among many other customers, was compromised, and trojanized updates to its Orion platform were distributed to its vast user base through the vendor's own legitimate update channel.

Events like the SolarWinds attack have led to recent guidance from the National Institute of Standards and Technology (NIST) on federal agency use of EO-critical software, "Security Measures for EO-Critical Software Use," published in July 2021 under Executive Order 14028.

What's included in Security Measures for EO-Critical Software Use

Supply chain vulnerabilities in government are well known, and programs such as the Cybersecurity Maturity Model Certification (CMMC) are designed to address them in the defense industrial base. Further to this, in May 2021, President Biden signed Executive Order 14028, "Improving the Nation's Cybersecurity." The order sets out how to address the serious nature of attacks against both the public and private sectors. Among its core aims are removing barriers to sharing threat information between the private sector and government, and enhancing software supply chain security; it is the latter section that directed NIST to define "critical software" and to publish security measures for its use.

The scope of the NIST guidance is federal agency use of EO-critical software, rather than its development or acquisition.

The five objectives of NIST's Security Measures for EO-Critical Software Use

The NIST guidance is based on five 'objectives':

  1. Access: robust access control is a key enabler of EO-critical software and platform protection.
  2. Protect: the three principles of data protection, confidentiality, integrity and availability are the guidance's foundation stone.
  3. Identify: visibility of the EO-critical software and its platforms is vital to maintaining security and providing insight into vulnerable areas of IT systems.
  4. Detect, respond and recover: in line with other NIST security guidance, the ability to quickly detect, respond to and recover from security threats and incidents.
  5. Awareness: a focus is on frequent training and retraining of employees based on their roles in security matters that impact EO-critical software and platforms.

Each of the five objectives is broken down into several numbered security measures that offer guidance on applying it. Each measure is also cross-referenced to relevant NIST publications; for example, the NIST Cybersecurity Framework is referenced under all five objectives.

Best critical software security practices for non-federal organizations

It is not just government supply chains that carry vulnerabilities for cybercriminals to exploit. Research from Accenture in its "State of Cyber Resilience 2020" report shows how the supply chain is being used as an entry point for cyber-attacks:

"Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches."

The NIST guidance for federal EO-critical systems applies just as well to non-federal use. Here are six best practices for organizations of all types and across all sectors, based on the NIST Security Measures for EO-Critical Software Use:

Robust authentication and privileged access

Multifactor authentication is a fundamental tenet of threat prevention. Unauthorized access to and use of critical software provides the entry point for malicious actions, including ransomware infection. Multifactor authentication for every user, together with privileged access management for administrators and service accounts, should be a baseline protective measure for all critical software and for the platforms it runs on. Refer to NSA's "Selecting Secure Multifactor Authentication Solutions" for further advice.

Encryption across the data lifecycle

A data inventory provides visibility into what sensitive data the critical software handles and where it is stored, processed and transmitted. This inventory is the intelligence needed to apply best-practice encryption and authentication/authorization in the right places. Data at rest and data in transit must be encrypted to NIST cryptographic standards; in practice that means NIST-approved algorithms implemented in FIPS 140-validated cryptographic modules.

Protect endpoints

Endpoints are part of the extended critical IT infrastructure of an organization. Threat detection and response must be extended to include endpoints. Endpoint protection should also enforce application allowlisting, so that only permitted executables can run, with permission decided by content hash or code signature rather than by file name or path, which an attacker controls.
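The difference between a name-based and a content-based allowlist matters for exactly the trojanized-update scenario described at the start of this article: a tampered binary keeps its expected file name and location. The following script is an added example, not code from NIST or from the original article. The "binaries" are constructed byte strings standing in for executable contents, and the allowlist digests are computed from them here rather than taken from any real product or manifest.

```python
"""Deny-by-default application allowlisting: name check versus content-hash check.

Added example. The sample binaries and allowlist below are constructed for
illustration and do not correspond to any real software.
"""
import hashlib
from typing import Dict, FrozenSet, NamedTuple


class Decision(NamedTuple):
    path: str
    name_check: bool   # weak: is the file's base name on the list?
    hash_check: bool   # strong: is the SHA-256 of the file's contents on the list?


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents (not real ELF binaries).
GENUINE_AGENT = b"\x7fELF\x02\x01\x01 backup-agent 2.1.0 build 4471"
GENUINE_SHELL = b"\x7fELF\x02\x01\x01 /bin/sh 5.1"
# A trojanized build of the agent: same file name, one extra byte of "payload".
TAMPERED_AGENT = GENUINE_AGENT + b"\x90"
# Something that was never approved at all.
UNKNOWN_TOOL = b"\x7fELF\x02\x01\x01 cryptominer 6.15"

# The allowlist as a build pipeline would publish it: approved names and
# approved content digests. Only the digests are actually trustworthy.
ALLOWED_NAMES: FrozenSet[str] = frozenset({"backup-agent", "sh"})
ALLOWED_SHA256: FrozenSet[str] = frozenset(
    {sha256_hex(GENUINE_AGENT), sha256_hex(GENUINE_SHELL)}
)


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def evaluate(path: str, contents: bytes) -> Decision:
    """Default deny: anything whose name or digest is absent from the list fails that check."""
    return Decision(
        path=path,
        name_check=basename(path) in ALLOWED_NAMES,
        hash_check=sha256_hex(contents) in ALLOWED_SHA256,
    )


def run_demo() -> Dict[str, Decision]:
    """Evaluate four constructed cases and return the decisions keyed by scenario label."""
    cases = {
        "genuine": ("/usr/bin/backup-agent", GENUINE_AGENT),
        "tampered_update": ("/usr/bin/backup-agent", TAMPERED_AGENT),
        "renamed_unknown": ("/tmp/backup-agent", UNKNOWN_TOOL),
        "unknown": ("/tmp/cryptominer", UNKNOWN_TOOL),
    }
    return {label: evaluate(path, data) for label, (path, data) in cases.items()}


if __name__ == "__main__":
    for label, d in run_demo().items():
        verdict = "ALLOW" if d.hash_check else "DENY"
        print(f"{label:16} {d.path:24} name_check={str(d.name_check):5} "
              f"hash_check={str(d.hash_check):5} -> {verdict}")
```

Only the hash check rejects the tampered build and the renamed unknown tool; the name check cannot tell a genuine backup-agent from anything else that happens to be called backup-agent. Real deployments take the digests from a signed manifest or let the operating system verify code-signing certificates (Windows Defender Application Control, macOS Gatekeeper, Linux IMA), but the deny-by-default decision logic is the same.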

Backup and recovery

Backup of critical systems and data is also a best practice promoted by NIST, and backups are only useful if restoration is tested regularly and at least one copy is kept offline or otherwise out of reach of an attacker who has compromised the live environment. Depending on which industry your organization falls under, backup and recovery may also have specific regulatory compliance requirements. For example, the HIPAA (Health Insurance Portability and Accountability Act) Security Rule requires a data backup plan and a disaster recovery plan as part of its contingency planning standard.

Security awareness training

Regular security awareness training across the organization is a foundation stone of security. The NIST guidance expands on this, stating that "all security operations personnel and incident response team members must be trained to handle incidents involving EO-critical software or EO-critical software platforms."

Software management

Critical software and platforms must be carefully managed to avoid misconfiguration and common vulnerabilities. In a Threat Stack survey, 73% of organizations had at least one critical security misconfiguration. A software inventory (what is installed, at which version, on which hosts) is the foundation stone of robust software management. With it, an organization can identify every exposed host as soon as an advisory is published and patch it quickly, monitor more effectively, and run change control that verifies existing mitigations are not removed by a change.
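To show what a software inventory buys you when an advisory lands, here is an added example (not from the article or the NIST guidance) that matches a constructed inventory of hosts and installed versions against constructed advisories carrying affected version ranges. The product names, version numbers and advisory IDs are all made up for illustration. The script also shows the classic pitfall of comparing version strings lexically, which silently misses exposed hosts.

```python
"""Match a software inventory against advisories by affected version range.

Added example with constructed data: 'example-agent', 'libexample' and the
ADV-* identifiers are fictional.
"""
import re
from typing import Callable, List, NamedTuple, Tuple


class Installed(NamedTuple):
    host: str
    product: str
    version: str


class Advisory(NamedTuple):
    advisory_id: str
    product: str
    fixed_in: str              # versions strictly below this are affected
    affected_from: str = "0"   # inclusive lower bound of the affected range


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1); '1.4.2-ubuntu1' -> (1, 4, 2). Non-numeric suffixes are dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison, zero-padded so that '2.10' equals '2.10.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def string_lt(a: str, b: str) -> bool:
    """The naive comparison: plain string ordering. Gets '2.9.1' vs '2.10.1' wrong."""
    return a < b


def is_affected(installed: str, adv: Advisory,
                lt: Callable[[str, str], bool] = version_lt) -> bool:
    """affected_from <= installed < fixed_in, using the supplied ordering."""
    return not lt(installed, adv.affected_from) and lt(installed, adv.fixed_in)


def find_exposures(inventory: List[Installed], advisories: List[Advisory],
                   lt: Callable[[str, str], bool] = version_lt
                   ) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, advisory_id) for every exposed install, sorted."""
    hits = []
    for item in inventory:
        for adv in advisories:
            if adv.product == item.product and is_affected(item.version, adv, lt):
                hits.append((item.host, item.product, item.version, adv.advisory_id))
    return sorted(hits)


# Constructed inventory and advisories (fictional products and IDs).
INVENTORY = [
    Installed("web-01", "example-agent", "2.9.1"),
    Installed("web-02", "example-agent", "2.10.0"),
    Installed("db-01", "example-agent", "2.10.3"),
    Installed("db-01", "libexample", "1.4.2-ubuntu1"),
    Installed("db-02", "libexample", "1.1.9"),
]
ADVISORIES = [
    Advisory("ADV-0001", "example-agent", fixed_in="2.10.1"),
    Advisory("ADV-0002", "libexample", fixed_in="1.5", affected_from="1.2"),
]


if __name__ == "__main__":
    correct = find_exposures(INVENTORY, ADVISORIES)
    for host, product, version, adv_id in correct:
        print(f"PATCH  host={host} {product} {version} ({adv_id})")
    naive = find_exposures(INVENTORY, ADVISORIES, lt=string_lt)
    print("missed by string comparison:", sorted(set(correct) - set(naive)))
```

With numeric comparison, web-01, web-02 and db-01's libexample are flagged; with string comparison, web-01 (version 2.9.1) is missed because "9" sorts after "1". Real package ecosystems have their own ordering rules (Debian epochs, semver pre-release tags, Windows four-part versions), so in production use the ecosystem's own comparison library rather than a hand-rolled one; the inventory-to-advisory join is the part that stays the same.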

It all comes down to zero trust

The NIST guidance is not only best practice but pragmatic. The security measures it lays out (strong authentication, least privilege, encryption, visibility of assets and data, and continuous monitoring) are components of the zero-trust approach that NIST has previously described in its special publication "SP 800-207 Zero Trust Architecture." Any organization that wants a belt-and-braces approach to security should look to the wisdom of NIST and zero trust.

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan's expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named one of Computer Weekly's 2020 Most Influential Women in UK Tech and was shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.