NIST Releases Revised Guidance on Engineering Trustworthy Secure Systems

NIST has released a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This final publication offers significant content and design changes that include a renewed emphasis on the importance of systems engineering and viewing systems security engineering as a critical subdiscipline necessary to achieving trustworthy secure systems. This perspective treats security as an emergent property of a system. It requires a disciplined, rigorous engineering process to deliver the security capabilities necessary to protect stakeholders’ assets from loss while achieving mission and business success.

Bringing security out of its traditional stovepipe and viewing it
as an emergent system property helps to ensure that only authorized system
behaviors and outcomes occur, much like the engineering processes that address
safety, reliability, availability, and maintainability in building spacecraft,
airplanes, and bridges. Treating security as a subdiscipline of systems
engineering facilitates comprehensive trade space decision-making as
stakeholders continually address cost, schedule, and performance issues, as
well as the uncertainties associated with system development efforts.

In particular, the final publication:

  • Provides a renewed focus on the
    design principles and concepts for engineering trustworthy secure systems,
    distributing the content across several redesigned initial chapters
  • Relocates the detailed system
    life cycle processes and security considerations to separate appendices
    for ease of use
  • Streamlines the design
    principles for trustworthy secure systems by eliminating two previous
    design principle categories
  • Includes a new introduction to
    the system life cycle processes and describes key relationships among
    those processes
  • Clarifies key systems
    engineering and systems security engineering terminology
  • Simplifies the structure of the
    system life cycle processes, activities, tasks, and references
  • Provides additional references
    to international standards and technical guidance to better support the
    security aspects of the systems engineering process

Read More


Holiday Travel Tip: Use Public Wi-Fi Safely

The NCCoE Buzz: Mobile Security Edition is a recurring email on timely topics in mobile device cybersecurity and privacy from the National Cybersecurity Center of Excellence’s (NCCoE’s) Mobile Device Security project team.


It’s that time of the year again when we get on the road or head
to the airport for a holiday vacation.

It may be convenient to use public wireless networks while
traveling. However, an ineffectively secured mobile device that establishes a
connection to an open public Wi-Fi hotspot may expose an individual, employee,
or entire organization to data loss or a privacy compromise.

The NCCoE wishes you a happy Thanksgiving and safe travels. To
learn more about how you can protect your mobile device while using public
Wi-Fi, access our article below.


Read More

ZINC weaponizing open-source software (information from Microsoft)

In this talk, Microsoft and LinkedIn analysts detail recent activity of a North Korea-based nation-state threat actor we track as ZINC. Analysts detailed the findings of their investigation (previously covered in this blog) and walked through the series of observed ZINC attacks that targeted 125 different victims spanning 34 countries, noting the attacks appear to be motivated by traditional cyber-espionage and theft of personal and corporate data. A few highlights include:

  • In September 2022, Microsoft disclosed detection of a wide range of social engineering campaigns using weaponized legitimate open-source software. MSTIC observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.
  • Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
  • When analyzing the data from an industry sector perspective, we observed that ZINC chose to deliver malware most likely to succeed in a specific environment, for example, targeting IT service providers with terminal tools and targeting media and defense companies with fake job offers to be loaded into weaponized PDF readers.
  • ZINC has successfully compromised numerous organizations since June 2022, when the actor began employing traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets.
  • Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads. MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally across victim networks and exfiltrate collected information from.
[Figure 2. ZINC attack chain: end-to-end attack chain of a ZINC attack, from initial compromise and execution, to persistence, command and control, discovery, and collection.] Read more in our detailed blog: ZINC weaponizing open-source software.

Performance Measurement Guide for Information Security: Annotated Outline Available for Comment

NIST has released a working draft of NIST Special Publication (SP) 800-55 Revision 2, Performance Measurement Guide for Information Security. The public is invited to provide input by February 13, 2023, for consideration in the update.

Details

This working draft of SP 800-55 Revision 2 is an annotated outline
that will enable further community discussions and feedback. Comments received
by the deadline will be incorporated to the extent practicable. NIST will then
post a complete public draft of SP 800-55 Rev. 2 for an additional comment
period.

The comment period is open through February 13, 2023. See the publication details for a copy of the draft. Submit comments to cyber-measures@list.nist.gov with “Comment on NIST SP 800-55r2 initial working draft” in the subject field.

Submitted comments, including attachments and other supporting
materials, will become part of the public record and are subject to public
disclosure. Personally identifiable information and confidential business
information should not be included (e.g., account numbers, Social Security
numbers, names of other individuals). Comments that contain profanity,
vulgarity, threats, or other inappropriate language will not be posted or
considered.

Read More

NCCoE Releases Final Project Description for DevSecOps

The National Cybersecurity Center of Excellence (NCCoE) has released the final project description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps. The publication of this project description continues the process to further identify project requirements and scope, along with hardware and software components for use in the laboratory environment.

The project will focus initially on developing and documenting
an applied risk-based approach and recommendations for secure DevOps and
software supply chain practices consistent with the Secure Software
Development Framework (SSDF), Cybersecurity Supply Chain Risk Management
(C-SCRM), and other NIST, government, and industry guidance. This project
will apply these practices in proof-of-concept use case scenarios that are
each specific to a technology, programming language, and industry sector.
Both closed-source and open-source technology will be used to demonstrate the
use cases. This project will result in a freely available NIST Cybersecurity
Practice Guide.

Next Steps

In the coming months, the NCCoE DevSecOps team will be
publishing a Federal Register Notice (FRN) based on the final project
description. If you have interest in participating in this project with us as
a collaborator, you will have the opportunity to complete a Letter of
Interest (LOI) where you can present your capabilities. Completed LOIs are
considered on a first-come, first-served basis within each category of
components or characteristics listed in the FRN, up to the number of
participants in each category necessary to carry out the project build.

If you have any questions, please reach out to our project team
at devsecops-nist@nist.gov.

Project Page

The Final Annotated Outline for the Cybersecurity Framework Profile for Hybrid Satellite Networks has been published!

The National Cybersecurity Center of Excellence (NCCoE) is pleased to release the final annotated outline for the Cybersecurity Framework (CSF) Profile for Hybrid Satellite Networks (HSN). The HSN Community of Interest (COI) is using this annotated outline to build the HSN CSF Profile, a practical guide for organizations and stakeholders engaged in the design, acquisition, and operation of satellite buses or payloads involving HSN. This will allow non-commercial use of commercial satellites in a manner that is consistent with the sponsor organization’s risk tolerance.

The Profile will be structured around the NIST Cybersecurity
Framework and aims to be suitable for applications that involve multiple
stakeholders contributing to communications architecture and for other use
cases such as hosted payloads. Use of the HSN Profile will help organizations:

  • Identify systems, assets, data,
    and risks that pertain to HSN
  • Protect HSN services by
    adhering to cybersecurity principles and self-assessment
  • Detect cybersecurity-related
    disturbances or corruption of HSN services and data
  • Respond to HSN service or data
    anomalies in a timely, effective, and resilient manner
  • Recover the HSN to proper
    working order at the conclusion of a cybersecurity incident

If you have expertise in Commercial Space capabilities, please join the HSN COI to help shape this important profile.

Review the outline here: Hybrid Satellite Networks (HSN) Cybersecurity Framework Profile Annotated Outline | NCCoE (nist.gov)

Join Here

Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector

NCCoE Releases Final Project Description: Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector

The National Cybersecurity Center of Excellence (NCCoE) has released the final project description, Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector. The publication of this project description continues the process to further identify project requirements and scope, along with hardware and software components for use in a laboratory environment.

What is this project about?

Industrial control systems (ICS) and devices that run manufacturing environments play a critical role in the supply chain. Manufacturing organizations rely on ICS to monitor and control physical processes that produce goods for public consumption. These same systems are facing an increasing number of cyber attacks, which threaten the safety and production of a manufacturing organization and carry an economic impact for it. The goal of this NCCoE project is to demonstrate a means to recover equipment from cyber attacks and restore operations.

Next Steps

In the coming weeks, the NCCoE Manufacturing team will be publishing a Federal Register Notice (FRN) based on the final project description. If you have interest in participating in this project with us as a collaborator, you will have the opportunity to complete a Letter of Interest (LOI) where you can present your capabilities. Completed LOIs are considered on a first-come, first-served basis within each category of components or characteristics listed in the FRN, up to the number of participants in each category necessary to carry out the project build.

If you have any questions, please reach out to our project team at
manufacturing_nccoe@nist.gov.

Project Page

The door is open for anyone to become a cyber defender (Microsoft free training)

Throughout Cybersecurity Awareness Month, Microsoft has highlighted the importance of cybersecurity and provided resources to help people and organizations stay safe. It’s great to have this month as a reminder, and even better if that awareness becomes a year-round endeavor. Education is really the key. With the increase of sophisticated cyber attacks, we know that the combination of security tools and educated users is our best line of defense. After all, security teams are increasingly stretched to protect today’s sprawling digital ecosystem. And it’s not going to get any easier as the talent shortage in our industry grows. Current estimates predict that the global workforce will need to train and hire roughly 3.4 million cybersecurity professionals to effectively defend organizations’ critical assets.[1]

The great news is we have an opportunity to not only grow our community of defenders but strengthen it by breaking down barriers, being more inclusive, and making careers in cybersecurity more accessible to all.

Strengthening security through diverse viewpoints

To meet the current and future challenges, the defender community needs to be as diverse as the attackers we face. Unfortunately, while progress is being made, many groups are still underrepresented in the field of cybersecurity. Less than 25 percent of the cyber workforce are women and, in 2021, only 9 percent of cybersecurity workers were Black and only 4 percent Hispanic.[2] Not only is the current underrepresentation among these groups a wildly missed opportunity, but it also means we don’t have the benefit of diverse viewpoints as we try to address complex cybersecurity issues.

Fortunately, the seeds of change are here, and it’s up to all of us to nurture their growth. According to a study commissioned by Microsoft, 82 percent of American women believe there is an opportunity for them in the cybersecurity industry. And they’re right! Cybersecurity is an incredible career path, one that’s interesting and challenging, and where you can make a real difference in the world, every single day. Still, 71 percent of women feel that cybersecurity is “too complex” of a career, and that perception is something we simply must change. At Microsoft, we’re working hard to do just that. Aimee Reyes, who received a cybersecurity scholarship through Microsoft’s partnership with the Last Mile Education Fund, summed up her experience this way: “For anyone who thinks that cybersecurity is a male profession, I would say you’re going to see a lot of men. It doesn’t mean you can’t make your own table, make your own seat. It doesn’t mean that you don’t belong, because you do.”

I could not agree more!

Making cybersecurity training accessible to more students

In 2021, Microsoft launched its cybersecurity jobs campaign to help community colleges in the United States train the next generation of cyber defenders. The campaign aims to fill thousands of cybersecurity jobs by 2025 by providing free cybersecurity curricula to accredited higher education institutions, along with training for faculty and financial aid for low-income students.

Since its inception, more than 1,000 low-income community college students across 47 states have benefited from the Microsoft Cybersecurity Scholarship Program in partnership with the Last Mile Education Fund. This scholarship program has been very effective in reaching a talent pool that may not have had access to further education. According to a student named Justin: “Without this grant, there is no way I could have started this semester. I’ve already put my family through too much trying to make this happen to risk any chance of not finishing. Thank you for believing in me.” Because of feedback like this and strong results, Microsoft has expanded its cybersecurity jobs campaign to an additional 24 countries, all of which have a skills gap in their cybersecurity workforces, both in numbers and diversity.

Also, to help provide girls with real-world inspiration, we created Microsoft DigiGirlz, which offers female middle and high school students an early opportunity to learn about careers in technology, as well as connect with Microsoft employees and participate in hands-on technology workshops. And for students who want to showcase their skills, Microsoft has created the Imagine Cup, which allows entrants to access exclusive training, gain mentorship opportunities, compete to win great prizes, and collaborate on creating new technologies that make a difference.

I absolutely love that these programs help inspire and empower students. And I’m so excited that Microsoft is partnering with some amazing organizations to help empower educators, as well. 

Providing educators with cybersecurity tools and curricula

Through the Microsoft Learn for Educators program, we’re also providing access to certification course materials for Security, Compliance, and Identity Fundamentals (SC-900), and Microsoft Azure Security Technologies (AZ-500). Additional support for faculty includes free practice exams, curriculum integration, and course-prep sessions led by Microsoft trainers. In addition, we’re expanding access to cybersecurity courses to educational institutions through LinkedIn Learning, and there are even more security skilling opportunities available through our Microsoft Learn platform.

Microsoft is also partnering with the National Cybersecurity Training & Education Center (NCyTE) to provide faculty with professional development opportunities as well as support colleges in attaining the Center of Academic Excellence in Cyber Defense (CAE-CD) designation. This support will provide a foundation for cybersecurity training at nearly 15 percent of community colleges across the United States. In a recent interview with Fortune magazine, Naria Santa Lucia, Senior Director of Digital Skills and Employability at Microsoft Philanthropies, explained our approach in simple terms: “Community colleges are so affordable, and they are everywhere. That system has a lot of women and lots of students of color. If we can really tap that infrastructure to start getting that message out, that’s a good start to diversifying the talent pipeline.”[4]

Still going strong, Microsoft Technology Education and Learning Support (TEALS) has been helping to build sustainable computer science education programs since 2009. TEALS helps teachers learn to teach computer science by pairing them with industry volunteers and proven curricula. Since the program began, more than 95,000 students have received computer science education. TEALS currently supports more than 500 high schools in the United States and British Columbia, Canada. In the past year, Microsoft has expanded the TEALS program course offerings to include cybersecurity at 37 schools.

Forging partnerships to foster new cyber defenders

Security is a team sport, and partnership is critical to our success as a defender community. Microsoft continues to partner with organizations that practice similar values and focus on diversity for cybersecurity education.

In the United States, only eight percent of information security analysts are African American.[3] Microsoft is working to raise that number through its participation in the HBCU Cybersecurity Industry Collaboration Initiative Pilot.[5] The initiative is designed to develop students for careers in cybersecurity and engineering through research collaborations, guest lecturers, and mentoring programs in collaboration with four historically Black colleges and universities (HBCUs): Hampton University, North Carolina A&T State University, Prairie View A&M University, and Virginia State University. Separately, the Blacks at Microsoft (BAM) program will also award 45 scholarships this year totaling USD 182,500.

Microsoft has also partnered with Girl Security to “create career pathways for girls, women, and gender minorities to shape solutions to our most pressing security challenges” through mentorship programs, summer programming, trainings, and specific curriculum for high school students and early-in-career women. Microsoft also provides support for all women, allies, and advocates through partnership with WiCyS (Women in CyberSecurity). Through this partnership, Microsoft is helping to globally empower the recruitment, retention, and advancement of women with mentorship, professional development programs, scholarships, conferences, and job fairs. This includes partnering with WiCyS on the expansion of their student chapters in more than 20 countries.

The only thing missing is you

Microsoft is committed to making cybersecurity a viable career path for everyone. Creating a safer online world requires all of us—from every background—to bring to this mission the superpowers, the diverse skills, perspectives, and life experiences we each embody to defeat tomorrow’s cyberthreats. In the spirit of Cybersecurity Awareness Month, I hope you’ll share this post with friends, family, colleagues, or anyone with an interest in exploring a career in cybersecurity. There is so much opportunity to be a cyber defender.

Learn more

To learn about educational and professional cybersecurity opportunities at Microsoft, make sure to check out our Cybersecurity Awareness website for education resources.  

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Summary and Analysis of Responses to CUI Series Pre-Draft Call for Comments

In July 2022, NIST issued a Pre-Draft Call for Comments on the Controlled Unclassified Information (CUI) series of publications. The Pre-Draft Call for Comments requested feedback from interested parties to improve Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A. Topics of interest included feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series.

A brief summary and analysis of responses to the pre-draft call for comments is now available. The summary includes observed trends in comments received, the next steps for the planned update to the CUI Series, and opportunities to engage.

Please submit any questions or comments to 800-171comments@list.nist.gov.

Read More