Tag Archives: NIST

New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”

Guidance on Disposing Sensitive Data-Storing Devices

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released its July 2018 newsletter entitled Guidance on Disposing of Electronic Devices and Media (Guidance), which provides suggestions for properly disposing of technology that may contain sensitive data – such as financial information or protected health information (PHI). While directly applicable to the healthcare sector, this guidance is best practice for all organizations.

OCR’s Mission

Part of OCR’s mission is to provide guidance to health care providers, insurers and other stakeholders on cybersecurity issues like properly disposing of equipment that contains sensitive information. This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other types of electronic storage devices.

Improper disposal of devices can lead to a data breach that can be costly to an organization, both financially and reputationally. Some of the financial costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients.

NIST Releases Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity

On April 17th, just over four years after the initial version was released, the National Institute of Standards and Technology (NIST) released an updated version (1.1) of the Framework for Improving Critical Infrastructure Cybersecurity. The framework, developed under the Obama administration, was intended to be a voluntary, risk-based guide for improving cybersecurity infrastructure in the United States.

Framework Updates & Goals

Then-President Obama’s executive order pushed for the development of standards and practices to assist organizations within the financial, health care and energy fields, among others, to protect their data from a cyber-attack.

The Cybersecurity Framework has 3 components.

Ransomware Update: September Edition

As noted here in our monthly updates, ransomware is a destructive cyber-attack that only seems to be gaining traction. It poses a serious threat to an organization’s active data, backup data, system configurations, and baseline operating systems.

NIST & NCCoE Publish Guidelines for Ransomware

NIST and NCCoE partnered to provide guidance on recovering from ransomware.

The complete guide is NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events.

“This project explores methods to effectively recover operating systems, databases, user files, applications, and software/system configurations. It also explores issues of auditing and reporting to support recovery and investigations.”

“The goal of this effort is to help organizations identify:

  • Altered data, as well as the date and time of alteration
  • The identity of those who alter data
  • Other events that coincide with data alteration
  • Any impact of the data alteration
  • The correct backup version (free of corrupted data) for restoration”

IT security professionals will find this practical guide helpful in improving the legitimacy of backup data, reducing the impact and downtime of a ransomware attack, and providing more continuity of operations.
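The goals NIST lists above (which data was altered, when, and which backup version is still clean) can be met with something as simple as a per-snapshot manifest of file hashes. The following is an added example written for this post, not code from NIST SP 1800-11 or the Data Integrity project: it records a SHA-256 per file at backup time, diffs consecutive snapshots, flags the first interval whose changes look like ransomware, and names the last clean snapshot to restore from. The file set, the `.encrypted`/`.crypt` extensions, and the 50% mass-change threshold are constructed assumptions; the `.locked` extension is the one the post attributes to Bitpaymer.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Manifest = Dict[str, str]  # file path -> SHA-256 hex digest recorded at backup time

# '.locked' is the extension the post attributes to Bitpaymer; the others are
# assumed examples of extensions an organization might keep on its watch list.
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
MASS_CHANGE_RATIO = 0.5  # assumed threshold: half the tree touched in one interval


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Record a content hash for every file in one backup snapshot."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_manifests(before: Manifest, after: Manifest) -> Dict[str, List[str]]:
    """Which paths were added, removed, or changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def looks_like_ransomware(diff: Dict[str, List[str]], before_size: int) -> bool:
    """Heuristic: ransomware extensions appearing, or most of the tree rewritten at once."""
    if any(p.endswith(RANSOM_EXTENSIONS) for p in diff["added"]):
        return True
    touched = len(diff["removed"]) + len(diff["changed"])
    return before_size > 0 and touched / before_size >= MASS_CHANGE_RATIO


def locate_alteration(snapshots: List[Tuple[str, Manifest]]) -> Optional[Dict]:
    """Walk snapshots in time order and report the first interval in which the data
    was altered, the files affected, and the last snapshot that is still clean.
    Who altered the data and which other events coincided would come from
    correlating `altered_at` with authentication and process logs (not shown here)."""
    for i in range(1, len(snapshots)):
        prev_time, prev = snapshots[i - 1]
        cur_time, cur = snapshots[i]
        diff = diff_manifests(prev, cur)
        if looks_like_ransomware(diff, len(prev)):
            return {
                "altered_at": cur_time,
                "last_clean": prev_time,
                "affected": diff["removed"] + diff["changed"],
                "diff": diff,
            }
    return None


# Constructed sample: nightly snapshots of a small file set. Day 2 carries one
# legitimate edit and one new file; day 3 is what a '.locked' encryption leaves behind.
BASE = {
    "finance/q3.xlsx": b"q3 figures v1",
    "hr/policy.docx": b"policy text",
    "ops/runbook.md": b"runbook",
    "ops/inventory.csv": b"host,owner\n",
}
DAY2 = dict(BASE, **{"finance/q3.xlsx": b"q3 figures v2", "hr/onboarding.docx": b"welcome"})
DAY3 = {path + ".locked": b"ciphertext:" + path.encode() for path in DAY2}
DAY3["RESTORE_FILES.txt"] = b"ransom note"

SNAPSHOTS = [
    ("2017-09-01T02:00", build_manifest(BASE)),
    ("2017-09-02T02:00", build_manifest(DAY2)),
    ("2017-09-03T02:00", build_manifest(DAY3)),
]

if __name__ == "__main__":
    print(locate_alteration(SNAPSHOTS))
```

The manifests only have evidentiary value if they are stored somewhere the ransomware cannot rewrite (offline or write-once media), which is the same property the backups themselves need.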

Bitpaymer Ransomware Wreaks Havoc on Scottish Hospitals

A new version of Bitpaymer ransomware is back and spreading via remote desktop protocols. NHS Lanarkshire encountered the new ransomware as it dealt with its second attack of the year.

NHS Lanarkshire is part of Britain’s National Health Service, and was victimized earlier in May by the WannaCry ransomware outbreak.

Once they discovered the Bitpaymer attack, NHS Lanarkshire alerted the public on Facebook noting the IT issues and disruption to services. That was quickly followed up by a warning to patients looking for care at the emergency department.

NHS Lanarkshire promptly engaged their contingency plan, and within a few days the IT team restored most of the affected systems. The hospital did not pay the ransom demand.

Bitpaymer Details

The new version of Bitpaymer was successful at sliding by anti-virus defenses unnoticed and infecting the system. From there, it performs the encryption process and saves the locked files with the ‘.locked’ extension.

[Image: Bitpaymer ransom message]

Bitpaymer is known to spread by leveraging the remote desktop protocol (RDP). Attackers search for Internet-connected endpoints with RDP enabled and brute-force username and password combinations. They then use RDP client software to remotely access the target PCs and servers and install the ransomware.

Bitpaymer is looking to catch big fish. Attackers spreading the new version are targeting larger-sized companies and organizations. This is reflected in their ransom demand of 50 Bitcoins – currently worth about $235,000.

IT teams will want to secure and protect all endpoints where RDP is enabled, including strengthening RDP passwords and implementing multi-factor authentication.
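Alongside stronger passwords and multi-factor authentication, the RDP brute-forcing described above leaves a very recognizable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often cycling through account names. The script below is an added example written for this post, not code from the post or from any vendor: it parses a constructed, flattened rendering of those events (real events are XML, but the field names `EventID`, `LogonType`, `TargetUserName` and `IpAddress` are the ones the events carry), counts RDP failures per source address in a sliding window, and raises the severity if a successful RDP logon (Event ID 4624) from the same address follows the burst. The log lines, addresses (documentation ranges), threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of Windows Security events flattened one per line.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# Source addresses are from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
2017-09-12T03:14:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2017-09-12T03:14:07Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2017-09-12T03:14:09Z EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7
2017-09-12T03:14:11Z EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2017-09-12T03:14:13Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2017-09-12T03:14:15Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2017-09-12T03:14:17Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2017-09-12T03:14:19Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2017-09-12T03:14:40Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2017-09-12T03:15:00Z EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1
2017-09-12T03:20:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2017-09-12T03:20:30Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
2017-09-12T03:21:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed line format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["event_id"] = int(ev["event_id"])
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert on any source address with >= threshold RDP failures inside `window`.
    Severity is raised if the same address later logs on over RDP successfully."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 10:        # only RemoteInteractive (RDP) logons
            continue
        if ev["event_id"] == 4625:
            failures[ev["ip"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["ip"]].append(ev)

    alerts = []
    for ip, fails in failures.items():
        # Sliding window: the largest run of failures that fits inside `window`.
        best_count, best_start, j = 0, 0, 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[j]["ts"] > window:
                j += 1
            if i - j + 1 > best_count:
                best_count, best_start = i - j + 1, j
        if best_count < threshold:
            continue
        burst = fails[best_start:best_start + best_count]
        first_ts = burst[0]["ts"]
        later_success = [s for s in successes[ip] if s["ts"] >= first_ts]
        alerts.append({
            "ip": ip,
            "first_seen": first_ts.isoformat(),
            "last_seen": burst[-1]["ts"].isoformat(),
            "attempts": best_count,
            "distinct_users": len({f["user"] for f in burst}),
            "success_after_failures": bool(later_success),
            "success_users": sorted({s["user"] for s in later_success}),
            "severity": "high" if later_success else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The second address in the sample (two failures followed by a success for the same user) is what a user mistyping a password looks like and stays below the threshold; the first address trips the rule and, because a logon for `backup` succeeds right after the burst, is the one that warrants an immediate password reset and session review.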

PrincessLocker Brings Exploit Kits Back into Fashion

PrincessLocker isn’t a fun game with rainbows and unicorns. Instead, it’s a fresh ransomware version designed to encrypt files and PCs.

First spotted in September 2016, PrincessLocker was quickly met with a decryptor tool built to assist its victims. Attackers have since fixed the issues in the ransomware code, and we’re seeing it pop up on the radar again.

[Image: PrincessLocker ransom message]

Exploit Kit Distribution

The notable feature about PrincessLocker ransomware is the use of an exploit kit called RIG to deliver the malware.

Exploit kits are malicious software hiding on websites to automatically exploit vulnerabilities in a web user’s browser or plug-ins. The malware waits for unsuspecting users to visit the website while running browsers or plug-ins with vulnerabilities.

Attackers will often use spam or phishing emails to lure victims to the website. This is one reason why clicking links in emails is dangerous. In this case, if the RIG exploit kit finds any of these flaws in Internet Explorer or Flash Player (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2015-8651, CVE-2016-0189), PrincessLocker gets installed and performs the encryption process.

Browsers have played their part in securing their code to protect against these types of attacks. But the continued use of exploit kits as an attack method indicates vulnerabilities still exist.

NIST Updates Password Best Practices and Guidelines

The National Institute of Standards and Technology (NIST) published an updated document highlighting guidelines and best practices related to passwords and authentication methods.

These guidelines revise previous NIST recommendations. Security professionals can leverage the new standards when implementing or revising password policies and protocols for their organizations. The updates lean toward favoring the user, cutting out complexities that don’t actually help security.

Here’s an overview of the major changes:

Remove ‘Change your Password’ Requirements

NIST advises that organizations should not require periodic password changes. This guidance catches up with other industry studies showing that frequent password changes actually hurt overall password security.

This is a hefty change to policy, but it removes a burden from both IT departments and users. The only time a password should be reset according to NIST is if a user requests a change, or there is evidence of password compromise (i.e. if the user has been phished, or if a password database has been stolen and could be subject to attack).

Remove Complexity Requirements

NIST notes that, other than a minimum length requirement, no other complexity requirements should be imposed on users. This includes requirements to use a combination of upper case letters, lower case letters, numbers, and symbols. Studies have shown these arbitrary complexity requirements can often lead to worse password choices by users.

Remove Password “Hints”

Password “hints” are no longer recommended either. What was originally thought to help the user remember their password can help an unauthorized individual guess the password.

NIST guidelines advise against these types of hints, along with reminder prompts (i.e. “What is the name of your first pet?”). Social engineers can often find this information through social media or other means.

Screen against Commonly Used and Compromised Password Lists

When a user chooses a new password, NIST recommends comparing it against a list or inventory of commonly-used or compromised passwords. This includes:

  • Passwords obtained from previous breaches
  • Dictionary words
  • Repetitive or sequential characters (“password”, “123456”, “aaaaaa”)
  • Usernames and other contextual terms
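The screening step above is easy to get wrong by checking only an exact match against a breach list. The function below is an added example written for this post (it is not NIST's code and not from the post itself): it applies the minimum-length rule plus each of the four screening categories in the list, using small constructed stand-ins for the breach and dictionary lists an organization would actually maintain. The 8-character minimum is the SP 800-63B floor for user-chosen passwords; the 4-character run length for repetition and sequence checks, and the stripping of digits and symbols before the dictionary lookup, are assumed heuristics.

```python
from typing import List, Sequence, Tuple

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets
RUN_LENGTH = 4  # assumed: this many repeated or sequential characters is rejected

# Constructed stand-ins for the real lists an organization would load from
# breach corpora and word lists (normally far larger, and kept up to date).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2017"}
DICTIONARY = {"summer", "dragon", "monkey", "football", "welcome"}


def has_repetition(pw: str, run: int = RUN_LENGTH) -> bool:
    """'aaaa' style runs of one character."""
    count = 1
    for a, b in zip(pw, pw[1:]):
        count = count + 1 if a == b else 1
        if count >= run:
            return True
    return False


def has_sequence(pw: str, run: int = RUN_LENGTH) -> bool:
    """'1234' / 'abcd' / 'dcba' style runs of adjacent code points."""
    for step in (1, -1):
        count = 1
        for a, b in zip(pw, pw[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= run:
                return True
    return False


def contextual_hits(pw: str, terms: Sequence[str]) -> List[str]:
    """Username, company name, service name, etc. appearing inside the password."""
    lowered = pw.lower()
    return [t for t in terms if t and len(t) >= 3 and t.lower() in lowered]


def screen_password(pw: str, username: str = "",
                    context: Sequence[str] = ()) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). An empty reason list means the password passes."""
    reasons = []
    lowered = pw.lower()
    core = "".join(c for c in lowered if c.isalpha())  # 'Summer2017!' -> 'summer'
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in BREACHED:
        reasons.append("appears in a breach list")
    if lowered in DICTIONARY or core in DICTIONARY:
        reasons.append("dictionary word")
    if has_repetition(pw):
        reasons.append("repeated characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    hits = contextual_hits(pw, [username, *context])
    if hits:
        reasons.append("contains contextual term: " + ", ".join(hits))
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["123456", "Summer2017!", "jsmith2017!", "correct horse battery staple"]:
        print(candidate, screen_password(candidate, username="jsmith", context=["acme"]))
```

Note what is deliberately absent: no checks for character classes, so a long passphrase of plain words passes, while a short password that satisfies every classic complexity rule ("Summer2017!") is still rejected because its core is a dictionary word.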

Industry Powerhouse (NIST) Provides Updated Digital Password Best Practices

It’s the question we all ask our IT people… what is the best way to create a good password? The National Institute of Standards and Technology (NIST) is trying to help answer that question.

NIST is working to develop new guidelines for password policies to be used throughout the United States government. These guidelines will serve as a solid template for all organizations to use when establishing password management policies.

Password Best Practices

NIST published the draft guidance recently, so what’s new and novel here?

Favor the User. One big takeaway from the NIST guidance is the emphasis on user friendly policies. The theme is shifting towards putting the burden on the verifier. When we make password policies hard to follow, and thus passwords hard to remember, users make poor security decisions – i.e. writing their password on a sticky note next to the computer.

Knowledge-Based Authentication. KBA is no longer a best practice. Actually, it can be counter-intuitive to security. KBA is when the website or account asks you to choose a security question that only you should know the answer to – i.e. What is your mother’s maiden name, what was your high school mascot, etc. The problem with these questions is hackers have ample resources with social media and social engineering techniques to find the answers and hack into your account.

Password Expiration. Expiring passwords are also dropping off the best practice list. This goes along with the favor the user approach. It’s unreasonable to expect your employees to choose long, complex passwords… and then make them change it every three months. The new guidance recommends passwords only be changed or reset if they’re forgotten or compromised.

SMS Authentication. This is a significant change, as many two-factor authentication methods involve sending a code by SMS or text message to go along with the username and password. With attacks against mobile networks – like the SS7 attack we reported here – there are serious problems with the security of SMS messages. NIST recommends no longer using SMS as a part of two-factor authentication.

Password Safety. Another bit of guidance from the NIST publication relates to the way passwords are stored. According to the guidelines, passwords need to be hashed, salted, and stretched. Technical details can be found in the NIST document, but they call for a salt of at least 32 bits, a keyed HMAC hash using SHA-1, SHA-2, or SHA-3, and the stretching algorithm PBKDF2 with at least 10,000 iterations.

Key Takeaway

There are many opinions swirling from security experts about password best practices. But the reality is that when we make it too difficult and put the burden on the user, security suffers. This is proven every year when the most common password list is released and “password” takes the top spot each time. Users favor convenience over security.

When developing or reviewing password policies for your organization, these guidelines can provide a good foundation to work from and help improve the overall security of your workforce. The goal is to make it easy for employees to use good security hygiene.

NIST Publishes Guide for Application Whitelisting

The National Institute of Standards and Technology published a Guide to Application Whitelisting. Whitelisting is a strategy deployed by the IT department to allow only approved software to run on an enterprise computer system.

While anti-malware and anti-virus software blocks activity it recognizes as malicious, whitelisting only allows good activity and blocks the rest. This prevents employees from downloading programs that have malware or viruses and running them on the company’s systems or networks.

The guidance provides step-by-step instructions for organizations looking to implement whitelisting into their business practices. Larger organizations might see the most benefit from whitelisting as there is more often centralized control over computer devices that are connected to the company’s network.

NIST Updates ICS Security Guide

The National Institute of Standards and Technology (NIST) issued an update to its Guide to Industrial Control Systems (ICS) Security. ICS involves the hardware and software that control the information technologies that gather and process data. It’s commonly used in factories and infrastructure systems.

The update includes guidance on threats, vulnerabilities, risk management, recommended practices, and security capabilities and tools.

With the increased connectivity of software applications, Internet-enabled devices, and other IT offerings into ICS, the vulnerability of the systems has also increased. The NIST guidance is a good framework for developing a plan to secure ICS.

NIST Updates SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations

The National Institute of Standards and Technology (NIST) has updated SP 800-53A (now Revision 4), Assessing Security and Privacy Controls in Federal Information Systems and Organizations. SP 800-53A provides guidelines for building effective security assessment plans and procedures for assessing the effectiveness of security controls employed in federal information systems and organizations. Revision 4 updates the 2010 version.

NIST Security Guide: Employee Mobile App Security

The National Institute of Standards and Technology (NIST) released a new guide, Vetting the Security of Mobile Applications (NIST SP 800-163). The guide is directed at improving security as employees migrate towards mobile devices and applications for work use.

NIST SP 800-163 provides recommendations for developing app security requirements and a vetting process to identify vulnerabilities. The practical guidance will help organizations determine whether an app is acceptable for organizational use.