Careers & Certifications

07:29 PM
Connect Directly
Repost This

Do NIST Information Security Standards Matter?

The information security field is awash in regulations and requirements, but National Institute of Standards and Technology standards provide a strong foundation for an information security program.

The National Institute of Standards and Technology (NIST) recently released its Preliminary Cybersecurity Framework with little fanfare. The initiative is a response to President Obama's cybersecurity executive order, which was issued in February due to increased fears of attacks against components of the critical infrastructure: power, transportation and telecommunications. While there are still questions regarding how much of the framework will be mandatory for private industry and exactly what will be classified as “critical infrastructure,” the larger question is how much this or other NIST standards really impact information security outside of the U.S. federal government and the CISSP test?

It’s common to hear someone in governance, risk and compliance (GRC) bring up a NIST standard when discussing the implementation of a security control. Often, it’s quoted like Holy Scripture in hushed tones, “In accordance with NIST SP800-yadda-yadda....” However, in the information security landscape, NIST is only one in a veritable sea of global standards bodies proposing guidelines and frameworks. Along with PCI-DSS, SOX, HIPAA, and international laws that mandate specific cybersecurity requirements, standards from NIST, ISO/IEC (the 27000 series), CobiT, and COSO can feel overwhelming to those unfamiliar with this esoteric part of infosec.

So what is NIST and why should we care? Originally created in 1901 because U.S. industrial infrastructure seemed to be lagging behind the rest of the world, its stated mission is to: "Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life."

Basically, NIST is where the best practice unicorns go to graze. NIST IT standards documents cover everything from managing the security of mobile devices to improving the usability of electronic health records. NIST reports and standards represent research from some of the best super nerds our tax dollars can fund. And even though you may not realize it, NIST output has helped to establish the foundation for many of the principles we use in today’s enterprise security programs.

Consider Special Publication 800-92, Guide to Computer Security Log Management from 2006:

Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.

Not only does this document outline the basic concepts of good log correlation, it reads like a log management 101 class. You could use it to create a policy, then hand it to an infrastructure team and say, “Use this as your guide.”

[Why do we keep buying traditional security products that aren't doing much to help us manage risk? Read Michele Chubirka's analysis in "Security Snake Oil For Sale."]

Then there’s Special Publication 800-61, Computer Security Incident Handling Guide Revision 2 from 2012. If your organization doesn’t have a detailed incident response plan, you could use this document as a how-to guide for its creation. It even tells you how to build an incident response team and how to deal with media and law enforcement. This document could save your organization the money you would have spent paying a consultant to come in and write up the plan for you. Could it get any better?

And you know that inevitable pushback you get from senior management when you try to implement policies and procedures? Think of the credibility you have when referencing a document from NIST.

NIST standards and frameworks should -- and do -- have influence on information security practices outside of the federal realm. This work represents the efforts of many researchers to standardize an effective security methodology and informs many of the established policies and procedures in organizations. Although not mandatory, it pervades industry best practices and establishes the principles for proper information security practices.

The proposed cybersecurity framework is a method for managing organizational risk and a solid foundation for programmatically implementing many of those existing NIST standards. It’s like we’ve been given a gift by the federal government. Ignore it at your peril.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/4/2013 | 10:27:17 AM
re: Do NIST Information Security Standards Matter?
As Chubirka states G㢠the NIST standards & framework are indeed a gift from the US federal government.

As a result of this fresh look at how best to defend against the contemporary cyber security threats, NISTGăÍs Framework Core presents a five step methodology by which an organization can assess risk and correspondingly protect information assets. The Gă Identify, Protect, Detect, Respond, and RecoverGăÍ framework also places emphasis on the need for contingency planning so that, if the unthinkable happens and a breach is successful, the organization can recover.

Even so, in common with all other previous best practice frameworks, getting the basic principles of security right is a good place to start. Perceived by some as a black art, security hardening checklists can now be delivered in a best practice template that reflects the specific operating system and network environment. With access to a list of recommendations within a matter of minutes G㢠is there really an excuse for continuing to ignore the essentials of IT security?

Yet, organisations also need a completely infallible way of detecting the presence of malware if and when it does manage to bypass security defences. The back stop to traditional defences ideally needs to be a real time alert triggered by any change to file structure that might indicate compromise or the beginning of the slow move towards the central core of the business.

File Integrity Monitoring (FIM) is proven to radically reduce the risk of security breaches; indeed it is a core recommendation of the PCI DSS and other security standards. It raises an alert related to any change in underlying, core file systems G㢠whether that has been achieved by an inside man or an unwittingly phished employee introducing malware, or some other zero day threat blasting unrecognised through the AV. Flagging up changes in this way ensures there is no chance of an APT gaining hold; no risk of the stealth attack that gets in and out leaving no trace G㢠there is a trace and the business is immediately notified.

The risks have changed. The threat is stealthy and targeted. It is time to take the risk of the contemporary cyber security threat serious and arm the business with the right defences.

Mark Kedgley, CTO, New Net Technologies
More Blogs from Commentary
SDN: Waiting For The Trickle-Down Effect
Like server virtualization and 10 Gigabit Ethernet, SDN will eventually become a technology that small and midsized enterprises can use. But it's going to require some new packaging.
IT Certification Exam Success In 4 Steps
There are no shortcuts to obtaining passing scores, but focusing on key fundamentals of proper study and preparation will help you master the art of certification.
VMware's VSAN Benchmarks: Under The Hood
VMware touted flashy numbers in recently published performance benchmarks, but a closer examination of its VSAN testing shows why customers shouldn't expect the same results with their real-world applications.
Building an Information Security Policy Part 4: Addresses and Identifiers
Proper traffic identification through techniques such as IP addressing and VLANs are the foundation of a secure network.
SDN Strategies Part 4: Big Switch, Avaya, IBM,VMware
This series on SDN products concludes with a look at Big Switch's updated SDN strategy, VMware NSX, IBM's hybrid approach, and Avaya's focus on virtual network services.
Hot Topics
Heartbleed's Network Effect
Kelly Jackson Higgins, Senior Editor, Dark Reading,  4/16/2014
White Papers
Register for Network Computing Newsletters
Current Issue
Twitter Feed