Given the rise of cybercrime over the last few years, few would argue that the federal government is doing enough to address the risks, although the National Institute of Standards and Technology has been trying.
Earlier this year, NIST developed Revision 4 of its 800-53 standard that aims to set a higher standard of security for federal government information processing systems. This is a huge undertaking, as there are more than a million of these processing systems today.
The latest standard from NIST gives us a more tangible protocol for approaching Federal Information Security Management Act (FISMA) compliance than agencies have had previously. However, there is a major difference between being "compliant," and being "secure."
There are a couple of common fallacies and pitfalls that leave a compliant organization still vulnerable to cyber criminals.
Fallacy: Compliance With NIST 800-53 Revision 4 Is Attainable
The truth: You are never completely safe.
Protecting sensitive data is akin to achieving light speed -- if you have non-zero mass, you need an infinite amount of thrust to reach light speed and only objects of zero mass can actually reach it. The same holds true for data security; if you have data to protect, it is nearly impossible to be 100% secure. The only instance where you can be truly secure is when you have nothing to protect and there is nothing at stake.
You can, however, become very close to full protection. What makes defense of sensitive data difficult is that the data is there for a reason; it is used to achieve a mission or objective. This means it will be collected, correlated, compared and stored to achieve the primary goals of any organization. As the data is changing, the defenses must keep pace.
Are all backup locations known? Are old services taken offline? Are employees creating local copies on their desktops? What data is being stored on devices, such as iPhones? What organizations are we sharing data with?
Pitfall: Following The Guidelines Creates A False Sense Of Security
Threats are constantly evolving, and the attacker is becoming more sophisticated.
Conventional military defense puts a strong focus on territory and terrain, identifying those points where a potential attacker has a strategic advantage. Similarly, FISMA and NIST 800-53 start by telling the defender to take a value-based approach to inventorying cyber assets. In other words, the standards recommend finding your most sensitive data and classifying it.
Building cyber defenses is similar to building a wall or barrier. If you raise your wall, the attacker will dig, climb or walk around it. The act of creating a wall will affect the behavior of the attacker. We cannot simply put up cyber defenses and feel "secure." Just as a battlefield commander will watch the defenses and monitor the enemy, we must take care to monitor our cyber defenses and learn how our cyber threats are evolving.
Active defense means evolving with the attacker, learning his methods and strategies, and redeploying our cyber defenses to counter his changing techniques. Any action invokes an equal and opposite reaction.
The true objective of NIST 800-53 Revision 4 is to help government organizations secure sensitive data. This is not the endgame; instead, it is the first step in bolstering a comprehensive cyber defensive posture. Without a doubt, the guidelines in this publication will change as the years go by.
The truth remains, however, that we cannot simply expect the NIST guidelines to be a step-by-step recipe for achieving decent data security. Understanding the nature of the data at stake, and the risks to it, will be the most important step any agency can take to bolster the appropriate defenses. Simply putting up the wall might get the compliance checkbox checked, but it won't make you that much more secure.
Although the NIST guidelines put focus on understanding the data at risk, they leave out the second, and equally important, aspect of data security: knowing your enemy.
Agencies should not forget that an understanding of the adversary is a constant and ongoing process of monitoring, interacting and outsmarting. The operators in charge of this mission will need to be properly equipped, meaning they should not simply carry responsibility, but should be given the proper mandate and resources to understand the adversary and build out the defenses.
In practical terms, this means putting more focus on intelligence gathering, moving data acquisition and analysis out-of-band, and shifting the emphasis to behavioral anomaly detection. Evolving threats are usually not known up front, but strange behaviors on the network can be identified by anomaly detection. Proper out-of-band data acquisition allows operators to investigate anomalies, and when needed, change the defensive posture.
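As an added illustration of the behavioral anomaly detection this paragraph calls for (example code, not from the article or from NIST), a per-host baseline of outbound volume and known destinations is learned from a constructed five-day window of flow records, and a sixth day is then checked for deviations; the record layout, host names and the three-sigma threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, source host, destination, bytes sent). d1-d5 is the
# learning window; on d6 host ws-17 sends far more than usual, to a new peer.
FLOWS = [
    ("d1", "ws-17", "files.internal", 1_200_000), ("d2", "ws-17", "files.internal", 1_150_000),
    ("d3", "ws-17", "files.internal", 1_300_000), ("d4", "ws-17", "files.internal", 1_180_000),
    ("d5", "ws-17", "files.internal", 1_250_000),
    ("d1", "ws-22", "files.internal", 400_000), ("d2", "ws-22", "files.internal", 390_000),
    ("d3", "ws-22", "files.internal", 420_000), ("d4", "ws-22", "files.internal", 405_000),
    ("d5", "ws-22", "files.internal", 395_000),
    ("d6", "ws-17", "files.internal", 1_210_000), ("d6", "ws-17", "203.0.113.9", 9_800_000),
    ("d6", "ws-22", "files.internal", 410_000),
]
LEARN_DAYS = {"d1", "d2", "d3", "d4", "d5"}

def build_baseline(flows, learn_days):
    """Per host: mean and stdev of daily outbound bytes, plus destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    peers = defaultdict(set)                       # host -> destinations
    for day, host, dst, nbytes in flows:
        if day in learn_days:
            daily[host][day] += nbytes
            peers[host].add(dst)
    return {h: (mean(d.values()), pstdev(d.values()), peers[h]) for h, d in daily.items()}

def detect(flows, baseline, day, z_limit=3.0):
    """Flag new destinations, unknown hosts and daily volume beyond z_limit sigma."""
    alerts, today = [], defaultdict(int)
    for _, host, dst, nbytes in (f for f in flows if f[0] == day):
        today[host] += nbytes
        if host in baseline and dst not in baseline[host][2]:
            alerts.append((host, "new-destination", dst))
    for host, total in today.items():
        if host not in baseline:
            alerts.append((host, "unknown-host", total))
            continue
        mu, sigma, _ = baseline[host]
        # Flat learning window (sigma 0): any change counts as maximal deviation.
        z = (total - mu) / sigma if sigma else (float("inf") if total != mu else 0.0)
        if z > z_limit:
            alerts.append((host, "volume-spike", round(z, 1)))
    return alerts

def run_example():
    """Learn from d1-d5, then check d6 of the constructed sample."""
    return detect(FLOWS, build_baseline(FLOWS, LEARN_DAYS), "d6")
```

The baseline is deliberately out-of-band from the records being judged: it is built only from the learning window, so the day under review cannot shift its own threshold.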