Critical software security guidance issued by NIST
The phrase "no man is an island" also describes the software ecosystem that modern IT systems are built on. The API economy and cloud computing mean that the software we use is rarely isolated from other software: many IT services and applications depend on open source and third-party libraries, and remote updates are routine across cloud applications. These practices have opened up a class of vulnerabilities unique to connected and dependent systems, reaching across wide-ranging supply chains. One infamous example is the SolarWinds attack: SolarWinds, a software supplier to the government, was compromised, and trojanized updates were distributed to its vast number of customers through the vendor's own update channel.
Events like the SolarWinds attack led to guidance issued by the National Institute of Standards and Technology (NIST) on federal agency use of EO-critical software, "Security Measures for EO-Critical Software Use."
What's included in Security Measures for EO-Critical Software Use
Supply chain vulnerabilities in government are well-known, and programs such as the Cybersecurity Maturity Model Certification (CMMC) are designed to address supply chain security in the Department of Defense's contractor base. Further to this, in May 2021, President Biden signed Executive Order 14028, the "Executive Order on Improving the Nation's Cybersecurity." The order responds to the serious nature of attacks against both the public and private sectors. Among its measures are removing barriers to sharing threat information between government and the private sector, moving federal systems toward a zero-trust architecture, and hardening the software supply chain; it also directed NIST to define "critical software" and to publish security measures for its use.
The scope of the NIST guidance is federal agency use of EO-critical software, rather than its development or acquisition.
The five objectives of NIST's Security Measures for EO-Critical Software Use
The NIST guidance is organized around five objectives:
- Access: protect EO-critical software and the platforms it runs on from unauthorized access and use, through multi-factor authentication, least-privilege access control and network segmentation.
- Protect: preserve the confidentiality, integrity and availability of the data that EO-critical software uses; these three principles are the guidance's foundation stone.
- Identify: maintain an inventory of EO-critical software and its platforms, and keep them patched and securely configured; visibility is vital to maintaining security and to knowing where IT systems are vulnerable.
- Detect, respond and recover: in line with other NIST security guidance, be able to quickly detect, respond to, and recover from threats and incidents involving EO-critical software.
- Awareness: train and regularly retrain employees, according to their roles, on security matters that affect EO-critical software and platforms.
Each of the five objectives is broken down into several numbered security measures that describe how to apply it. Each measure is also cross-referenced to relevant NIST publications; for example, the NIST Cybersecurity Framework is referenced under all five objectives.
Best critical software security practices for Non-Federal organizations
It is not just government supply chains that harbor vulnerabilities for cybercriminals to exploit. Research from Accenture in its "State of Cyber Resilience 2020" report shows how the supply chain is being used as an entry point for cyber-attacks:
"Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches."
The NIST guidance for federal EO-critical systems can be extrapolated to non-federal use too. Here are six best practices for organizations of all types and across all sectors, based on the NIST Security Measures for EO-Critical Software Use:
Robust authentication and privileged access
Multi-factor authentication (MFA) is a fundamental tenet of threat prevention: unauthorized access to, and use of, critical software is the entry point for malicious actions, including ransomware deployment. The NIST measures call for MFA for all users and administrators of critical software, and for it to resist verifier impersonation (phishing); SMS codes and push prompts are weaker than hardware-backed or FIDO-based authenticators. Privileged access management and least-privilege controls should be a baseline protective measure for all critical software and for the platforms it runs on. Refer to NSA's "Selecting Secure Multi-factor Authentication Solutions" for further advice.
Encryption across the data lifecycle
A data inventory provides visibility into what data critical software uses and where it flows across an organization. That inventory is the intelligence needed to apply encryption and authentication/authorization where they matter. Data at rest and data in transit must be encrypted using NIST-approved cryptography (for example, FIPS 140-validated modules and algorithms), not home-grown schemes, and the keys must be managed and protected separately from the data they protect.
Protect endpoints
Endpoints are part of the extended critical IT infrastructure of an organization. Threat detection and response must be extended to cover them. Endpoint protection should also enforce application allowlisting, so that only explicitly permitted software can run on an endpoint and unexpected executables are blocked and logged.
Backup and recovery
Backing up critical systems and data, and regularly testing that the backups can actually be restored, is also a best practice promoted by NIST. Depending on your industry, backup and recovery may also carry specific regulatory requirements. For example, the HIPAA (Health Insurance Portability and Accountability Act) Security Rule's contingency-plan standard requires a data backup plan and a disaster recovery plan.
Security awareness training
Regular security awareness training across the organization is a foundation stone of security. The NIST guidance goes further, stating that "all security operations personnel and incident response team members must be trained to handle incidents involving EO-critical software or EO-critical software platforms."
Software management
Critical software and platforms must be carefully managed to avoid misconfiguration and common vulnerabilities. In a Threat Stack survey, 73% of organizations identified at least one critical security misconfiguration. A software inventory is the foundation stone of robust software management: it tells you what is installed, at which version, and with which security settings. With that baseline, an organization can deploy patches rapidly, monitor more effectively, and verify that mitigations are not removed or weakened under change control.
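The inventory-driven checks described above, as an added example that is not part of the NIST guidance or of this article: a small script that compares a host's current software and configuration snapshot against an approved baseline and flags packages below the patched version, software that is not on the inventory at all, and security mitigations that have been changed or dropped. The baseline, the host snapshot and all package names and versions are constructed for illustration.

```python
"""Inventory drift check (added example, not from NIST or the article).

Compares a constructed host snapshot against a constructed baseline and
reports three kinds of finding:
  outdated            - package installed below the approved minimum version
  unlisted            - package present on the host but not in the inventory
  mitigation_removed  - required security setting changed or absent
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    # '1.2.10' -> (1, 2, 10): compare numerically, not as strings,
    # so that 1.2.10 correctly sorts after 1.2.9.
    return tuple(int(part) for part in version.split("."))


# Constructed baseline: approved minimum versions and required mitigations.
BASELINE: Dict[str, Dict[str, str]] = {
    "packages": {
        "openssl": "3.0.8",
        "log4j-core": "2.17.1",
        "nginx": "1.24.0",
    },
    "mitigations": {
        "ssh.PasswordAuthentication": "no",
        "tls.MinVersion": "1.2",
        "mfa.AdminRequired": "true",
    },
}

# Constructed snapshot of one host, as an agent or CMDB export might produce it.
CURRENT_HOST = {
    "host": "app-01.example.internal",   # hypothetical hostname
    "packages": {
        "openssl": "3.0.10",      # newer than baseline: fine
        "log4j-core": "2.14.1",   # older than baseline: outdated
        "nginx": "1.24.0",
        "telnetd": "0.17",        # not in the inventory at all
    },
    "mitigations": {
        "ssh.PasswordAuthentication": "yes",  # weakened since baseline
        "tls.MinVersion": "1.2",
        # "mfa.AdminRequired" is missing: the setting was dropped entirely
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # outdated | unlisted | mitigation_removed
    item: str
    expected: str
    observed: str


def find_outdated(host: str, baseline: dict, current: dict) -> List[Finding]:
    findings = []
    for name, minimum in baseline["packages"].items():
        observed = current["packages"].get(name)
        if observed is None:
            continue  # not installed is not a patch problem; may be by design
        if parse_version(observed) < parse_version(minimum):
            findings.append(Finding(host, "outdated", name, f">={minimum}", observed))
    return findings


def find_unlisted(host: str, baseline: dict, current: dict) -> List[Finding]:
    # Software the inventory does not know about cannot be patched or monitored.
    return [Finding(host, "unlisted", name, "not in inventory", version)
            for name, version in current["packages"].items()
            if name not in baseline["packages"]]


def find_removed_mitigations(host: str, baseline: dict, current: dict) -> List[Finding]:
    findings = []
    for key, required in baseline["mitigations"].items():
        observed = current["mitigations"].get(key, "<absent>")
        if observed != required:
            findings.append(Finding(host, "mitigation_removed", key, required, observed))
    return findings


def audit(baseline: dict, current: dict) -> List[Finding]:
    host = current["host"]
    findings = (find_outdated(host, baseline, current)
                + find_unlisted(host, baseline, current)
                + find_removed_mitigations(host, baseline, current))
    return sorted(findings, key=lambda f: (f.kind, f.item))


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT_HOST):
        print(f"{f.host}: {f.kind:<19} {f.item:<28} expected {f.expected}, observed {f.observed}")
```

Run against the constructed data, the audit reports the downgraded log4j-core, the unlisted telnetd, the re-enabled SSH password authentication and the missing MFA setting; the two mitigation findings are exactly the "mitigation removed under change control" case the inventory is meant to catch. In practice the baseline would come from the approved build or SBOM and the snapshot from an endpoint agent, and the version comparison would need to handle vendor-specific schemes beyond dotted integers.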
It all comes down to zero trust
The NIST guidance is not only best practice but pragmatic. The security measures it lays out (strong authentication, least privilege, inventory, encryption, continuous monitoring) are the building blocks of a zero-trust approach to security, on which NIST has previously offered guidance in its special publication "SP 800-207 Zero Trust Architecture." Any organization that wants a belt-and-braces approach to security should build on NIST's guidance and on zero-trust principles.
Sources
- SolarWinds supply chain breach: Insights from the trenches, Infosec
- Security Measures for EO-Critical Software Use, National Institute of Standards and Technology (NIST)
- Biden Signs Sweeping Executive Order on Cybersecurity, GovInfoSecurity
- CMMC certification: How to get your organization certified, Infosec
- Selecting Secure Multi-factor Authentication Solutions, NSA
- The Dangers of “Rolling Your Own” Encryption, Infosec
- Threat Stack survey
- SP 800-207 Zero Trust Architecture, NIST