Celebrate National Small Business Week with the NCCoE!
NIST’s National Cybersecurity Center of Excellence (NCCoE) will be hosting two virtual events during National Small Business Week (April 30–May 6, 2023) as part of its NCCoE Learning Series. The webinars will feature new and existing NIST small business resources and will give attendees the opportunity to share ideas, ask questions, and engage with NIST subject matter experts. View and register below:
Overview of the NIST Small Business Cybersecurity Corner
Date: Tuesday, May 2, 2023
Time: 2:00–2:45 PM (ET)
Join us on May 2, 2023 for a 30-minute overview of the NIST Small Business Cybersecurity Corner. We’ll not only provide an overview of what resources are currently available on the site, but will give attendees an opportunity to express what resources they want to see there. Additionally, attendees will be introduced to the new NIST Small Business Community of Interest, which will convene companies, trade associations, and others who can share business insights, expertise, challenges, and perspectives to guide our work and assist NIST to better meet the cybersecurity needs of the small business community.
Data Analytics for Small Businesses: How to Manage Privacy Risks
Date: Thursday, May 4, 2023
Time: 3:00–3:45 PM (ET)
Data analytics are being promoted as a method to help small businesses increase innovation, enhance customer experience, save money, and improve their brand. If your small business is using data analytics—whether in-house or relying on a service provider to do it for you—it is important to be aware of the privacy implications of these activities.
Join us for an interactive discussion about how to manage privacy risks associated with data analytics.
During the webinar we will cover:
A brief introduction to data analytics
Common privacy risks that arise from data analytics practices
Tips to help you meet your privacy objectives
Resources for enhancing privacy risk management within your small business
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.
Researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor DoS attacks using spoofed source addresses.
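The two paragraphs above describe the traffic shape a defender should be looking for: an SLP daemon reachable from the Internet answering small UDP/427 requests with much larger replies to a source address that is actually the victim. The following is an added example, not code from NIST, Bitsight or Curesec: it walks constructed flow records, reports every internal SLP responder that talks to an external peer (exposure worth reviewing) and marks pairs whose reply volume dwarfs the request volume as amplification. The flow records, the 10.0.0.0/8 internal range and the ratio threshold are assumptions for the demonstration.

```python
"""Spot SLP (UDP/427) reflection/amplification patterns in flow records.

Added example for this page; not code from NIST, Bitsight or Curesec.
The flow records, the internal address range and the ratio threshold
are constructed assumptions for the demonstration.
"""
import ipaddress
from collections import defaultdict

SLP_PORT = 427

# Assumed internal address space; a real deployment would list its own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# A flow whose source port is 427 is a reply from an SLP daemon.
SAMPLE_FLOWS = [
    # External peer 203.0.113.9 sends two tiny requests, gets three large replies.
    ("203.0.113.9", 51000, "10.0.0.5", 427, "udp", 60),
    ("203.0.113.9", 51000, "10.0.0.5", 427, "udp", 60),
    ("10.0.0.5", 427, "203.0.113.9", 51000, "udp", 1800),
    ("10.0.0.5", 427, "203.0.113.9", 51000, "udp", 1800),
    ("10.0.0.5", 427, "203.0.113.9", 51000, "udp", 1800),
    # Internal-only SLP exchange: expected on a LAN, not reported.
    ("10.0.0.20", 40000, "10.0.0.7", 427, "udp", 80),
    ("10.0.0.7", 427, "10.0.0.20", 40000, "udp", 300),
    # Internal host answering SLP to the Internet with a modest reply size.
    ("198.51.100.4", 3333, "10.0.0.8", 427, "udp", 100),
    ("10.0.0.8", 427, "198.51.100.4", 3333, "udp", 200),
    # Unrelated traffic: different port / protocol, ignored.
    ("10.0.0.9", 53, "203.0.113.9", 5555, "udp", 500),
    ("10.0.0.5", 427, "203.0.113.9", 52000, "tcp", 1800),
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def slp_reflection_report(flows, min_ratio=10.0):
    """Summarise UDP/427 traffic between internal responders and external peers.

    Every (responder, external peer) pair is reported, because any SLP daemon
    reachable from outside is exposure worth reviewing. Pairs whose reply
    volume exceeds the request volume by `min_ratio` are marked as
    amplification, the traffic shape a reflected DoS produces. With a spoofed
    source the "peer" is the victim, not the party that sent the requests.
    """
    resp_bytes = defaultdict(int)
    req_bytes = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == SLP_PORT and is_internal(src) and not is_internal(dst):
            resp_bytes[(src, dst)] += nbytes
        elif dport == SLP_PORT and is_internal(dst) and not is_internal(src):
            req_bytes[(dst, src)] += nbytes

    findings = []
    for (responder, peer), out_bytes in sorted(resp_bytes.items()):
        in_bytes = req_bytes.get((responder, peer), 0)
        # No matching request at all is the most suspicious case, so rank it highest.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        findings.append({
            "responder": responder,
            "peer": peer,
            "request_bytes": in_bytes,
            "response_bytes": out_bytes,
            "ratio": ratio,
            "severity": "amplification" if ratio >= min_ratio else "exposed",
        })
    return findings


if __name__ == "__main__":
    for f in slp_reflection_report(SAMPLE_FLOWS):
        print(f"{f['severity']:<13} {f['responder']} -> {f['peer']} "
              f"ratio={f['ratio']:.1f} ({f['request_bytes']}B in, {f['response_bytes']}B out)")
```

On the constructed records this reports 10.0.0.5 as an amplification source (5400 bytes out for 120 bytes in) and 10.0.0.8 merely as exposed; either line is a reason to stop the daemon from answering on the Internet-facing interface or to filter UDP/427 at the edge.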
NIST to Finalize Special Publication (SP) 800-66 Revision 2 and Collaborate on Resources for Small, Regulated Entities
For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.
Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. We agree and anticipate follow-on work in this area—but we can’t do it alone and plan to work collaboratively with other agencies, entities, and colleagues to produce useful resources (stay tuned for more information about this in the coming months).
NIST and OCR are still in the process of carefully adjudicating the comments received. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 Rev. 2 (with the goal being to publish a final version of SP 800-66 Rev. 2 later this year).
NIST is updating the Cybersecurity Framework (CSF) which is widely used to help organizations better understand, manage, reduce, and communicate cybersecurity risks. This recently released CSF 2.0 Core discussion draft identifies the potential Functions, Categories, and Subcategories (also called cybersecurity outcomes) of the NIST CSF 2.0 Core.
This draft Core is preliminary and is intended to increase the overall transparency of the CSF update process, while also provoking discussion about improvements to potential changes to the CSF. Progress updates about NIST’s CSF 2.0 effort, as well as ways to engage, FAQs, and resources can be found on the NIST CSF 2.0 webpage.
Feedback on this Core discussion draft can be submitted via email@example.com at any time and will inform the NIST CSF 2.0 Draft, which is anticipated this summer.
It provides a checklist for regulators and auditors
Organizations need confidence that their sensitive data is properly protected, no matter where it resides. However, too many businesses have to contend with the lack of a common language for discussing requirements for cloud data management—the CDMC framework provides this. Certification allows organizations to balance data sovereignty controls with generating business value from their data, wherever it resides. Most importantly, certification assures regulators that privacy laws are being followed for data such as:
Personally Identifiable Information.
Personal Health Information.
Company- or client-identifiable information.
Material Non-public Information.
Information with sensitivity classifications, such as “Highly Restricted” or “Confidential.”
Critical data elements used for business processes.
Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals.
You will have the opportunity to:
Learn the fundamentals of security, compliance, and identity.
Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
Tuesday, May 16, 2023 | 11:00 AM – 2:30 PM | (GMT-08:00) Pacific Time (US & Canada)
Wednesday, May 17, 2023 | 11:00 AM – 1:00 PM | (GMT-08:00) Pacific Time (US & Canada)
Delivery Language: English Closed Captioning Language(s): English
All comments that are received will be reviewed and adjudicated to inform a future draft of the publication.
We value and welcome your input and look forward to your comments.
Advances in quantum computing could compromise many of the current cryptographic algorithms being widely used to protect digital information, necessitating replacement of existing algorithms with quantum-resistant ones. Previous initiatives to update or replace installed cryptographic technologies have taken many years, so it is critical to begin planning for the replacement of hardware, software, and services that use affected algorithms now so that data and systems can be protected from future quantum computer-based attacks.
NIST has been soliciting, evaluating, and standardizing quantum-resistant public-key cryptographic algorithms (https://csrc.nist.gov/projects/post-quantum-cryptography). To complement this effort, the NIST National Cybersecurity Center of Excellence (NCCoE) is engaging with industry collaborators and regulated industry sectors and the U.S. Federal Government to bring awareness to the issues involved in migrating to post-quantum algorithms and to prepare the crypto community for migration.
As the project progresses, this preliminary draft will be updated, and additional volumes will also be released for comment.
This month’s episode of Uncovering Hidden Risks will discuss Information Governance and the industry trends we are seeing in this space. This is a Post from Microsoft. Information governance is the overall strategy for managing information at an organization. It is a discipline that spans several markets, including data governance, security, compliance, data privacy, content services, and more. Recently, these markets have begun to converge, highlighting the sometimes conflicting requirements between these disciplines.
Joining our host Erica Toelle is our guest, Randolph Kahn. Mr. Kahn is a globally recognized leader in Information Governance, with his consulting team advising major multinational corporations and governments on various information management issues. He has been an expert witness in major court cases and is a trusted advisor to corporations and governmental agencies. Mr. Kahn is also an accomplished author, speaker, and adjunct professor of Law and Policy of Electronic Information and The Politics of Information.
Natalie Noonan joins us as our guest host. Natalie is one of Microsoft’s top information governance experts, and helps our customers to define and plan their strategies. She is also a former program manager in financial services.
Together, we’ll explore how you can master information governance in your organization.
In this episode, we’ll cover the following:
Trends around the convergence of security, data governance, privacy, and compliance.
How the increase in laws and regulations around the management of data, especially regarding privacy, affected these trends.
How people can approach a data governance solution.
What requirements are important for data governance.
Options for implementing these requirements.
Looking ahead to the future, what is coming for data governance.
Listen to this episode on your favorite podcast platform:
Identity and Access Management (IAM) represents the complex orchestration of multiple technologies, standards, and protocols that enable someone to access services, benefits, and data—and it’s a key component to creating trusted, modern digital services. NIST has long played a leadership role in advancing critical research, standards, and technology in support of IAM efforts—and this role continues to be a major priority today.
NIST’s multi-disciplinary Identity Program is committed to the advancement of a more secure, privacy-enhancing, and inclusive Identity Ecosystem. We invite you to join us as co-creators of this envisioned end state by contributing to our draft IAM Roadmap, which presents a set of strategic objectives, priorities, and initiatives that we intend to pursue alongside our community of collaborators like you.
Comments received on this initial draft will help NIST gain detailed input and feedback from the public so that our efforts are prioritized to address the most relevant and impactful problems facing our world today.
Please submit comments to firstname.lastname@example.org by Thursday, June 1st, 2023. All relevant comments will be made publicly available on the IAM program page.
This is a copy of a Microsoft Post that I think my readers would be interested in.
This post starts a series explaining why we at Microsoft Security Services for Incident Response recommend some of our favorite protections. Our first post in the series talks about identity hygiene.
If you’re new to our services, we’re a team of cyber-security experts at Microsoft who help companies around the world with investigation and recovery, applying proven practices against various types of attacks before, during and after a security incident. You can learn more about us and what to do on our page here: https://aka.ms/MicrosoftIR
Our goal with this post is to highlight the importance of getting the right privileges as a protection mechanism to prevent a cyber-attack. The post will cover some definitions and some calls to action so your company can be better protected through identity hygiene.
When we mention identity hygiene you might think of shiny-bright and clean identities. And yes, at some point, they look like this, because it takes some brushing-up and polishing of your current, and maybe new, identities. The identity hygiene process is a series of steps that we follow when we’re helping customers recover from attacks. It starts with a discovery of the environment and its configurations; of course, some of these configurations include identities, and these are subject to being cleaned up.
Why is this technique needed at all? Imagine Magda, the administrator of your company’s file server. When she’s about to enter a meeting, she gets an urgent call from her manager, saying that he is not able to access some important files he needs. She’s in a hurry, but can’t leave her manager unable to work, so she quickly gives him full control permission over the files so he can’t complain.
In an ideal world this shouldn’t have happened at all, but, if for any strange reason her manager had gotten these excessive permissions, she should analyze what just happened and would correct this by putting the least permissions required for the manager to access the files. Yeah, but that’s the ideal world… Unfortunately, many times this happens in a less-than-ideal way. When we look at customers’ environments after a compromise, we find all kinds of excessive permissions being applied to files, folders, identities, directory structures, resources, organizational units, storage accounts, group policies and all kinds of assets in a company’s environment. This sort of situation happens every day, in most companies, and keeps happening over the years! Imagine cleaning up all this mess after years of hurries!
When we talk about de-privileging in cybersecurity, and especially in Microsoft Security Services for Incident Response, we’re talking about taking away from an entity those permissions and features that make it relevant for a security investigation, or for an attacker to take control of it. If an account has many permissions applied (and that’s noticeable!), an attacker will likely try to get hold of that account to perform their activities, as they would expect that the account has some sort of special value and, because of that, has been given those extensive permissions.
De-privileging is key in our compromise recoveries, but, unfortunately, you cannot just strip privileges to ALL your identities… there must ALWAYS be at least some privileged identities in the system… otherwise how would you delegate permissions to others to help you in your job if they don’t have at least some privileges?
Removing privileges is not only about cleaning up existing accounts. Sometimes we also find accounts that are no longer used (never logged on in months!), or that have not changed their passwords in a long time (meaning that an old attack might be replayed), or accounts that have been disabled without removing their permissions first, allowing for a potential escalation should that account get re-enabled. These situations should also be avoided, and their prevention should be part of the credential hygiene process.
What are we doing here?
Privileges can be permanent, or they can be temporary. The most common way nowadays to have temporary permissions is to use solutions like Azure Privileged Identity Management (described here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure) or solutions from some of our partners in the industry. Any of these are good if they cover your business’ specific needs and preferences. It’s always a good idea to evaluate several of them and ideally choose the one, or ones, that best suit your case. The ability to grant privileges temporarily is a great idea as it allows you to build a process to audit, revoke and integrate the identity lifecycle in a way that makes sense for your company.
Another important discipline you can (and should) use is performing Access Reviews. An access review is an activity where you ask the user, or the person responsible for their access, whether the outstanding privileges are still needed by that user. You cannot ask for access reviews every day for every user (it would make users hate their security departments even more!); you need to learn the art of balancing the opportunity, the value of the assets being protected and the process that it takes to perform the access review, which is also key to its success. You can visit this page to see an example of how access reviews work in our Azure AD platform: https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
When we have temporary privileges, revoking them and keeping things clean is easily done. However, many systems still allow you to provide users with permanent privileges. This is, by the way, the default in most operating systems and applications, which have been designed with this concept in mind, so we can say it is present in most of the customers we work with. The problem with permanent privileges is that they are easy to forget, so it is easy to end up having users who have more power than desired… sadly, attackers are very good at finding these and will go after those credentials to perform their attack (most of the time through lateral movement: http://en.wikipedia.org/wiki/Network_Lateral_Movement).
Unused privileges are another problem: people might have been granted temporary access to assets that they then no longer need. With the help of tools such as Microsoft Entra Permissions Management we can discover, remediate and monitor the permission “creep” that can build up, and we can even fix it across multi-cloud environments. There’s a nice article here: https://learn.microsoft.com/en-us/azure/active-directory/cloud-infrastructure-entitlement-management/overview, that introduces the concepts behind Entra Permissions Management.
One of the techniques we use in Microsoft Security Services for Incident Response during our interactions with customers is to de-privilege those accounts that we found with excessive power over the systems which are more critical for managing the environment. We will discuss which kind of systems those are in a future post. By de-privileging we attempt to leave identities with the minimum required access to perform the tasks they are supposed to do, and we encourage the use of the delegation tools available in the system to manage the permissions according to the best practices.
The value of de-privileging
Let’s suppose that every account that has excessive permissions was worth $1000 (It can actually give an attacker way more value than that!). Often, when we analyze a customer’s environment, we find hundreds of accounts that have more privileges than required. For the attacker it is just a matter of finding the right account to have success in their attack.
If we analyze recent environments where we have worked, we’ve managed to find that over 4/5ths of the accounts they had configured to have excessive permissions could be de-privileged to leave them either as standard users or properly delegated administrators. In some cases, we prefer to remove those accounts and create new accounts which have passed through the right delegation process.
Another way of looking at the value of de-privileging is looking at the exposure surface you have in your system. Imagine that you have 100 accounts, if 80 of those accounts have more privileges than required, you have an exposure of 80%. This means that a potential attacker has an 80% success rate to get a hold of a privileged account, making it possible for them to cause a lot of harm in your environment or your data.
The process of de-privileging takes time. You need to understand why each user has the current privileges, and you need to assess how harmful it is to remove those privileges in terms of the user’s ability to perform the tasks they are assigned. If you don’t have an access review process in place, understanding the status of your user accounts is going to take a big effort.
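The hygiene conditions listed earlier in the post (accounts not logged on in months, passwords unchanged for a long time, accounts disabled without removing their permissions, and plain excessive privilege) and the exposure figure from the "value of de-privileging" section (80 of 100 accounts over-privileged gives 80% exposure) can both be computed from the same directory snapshot. The following is an added example, not code from Microsoft Security Services for Incident Response: it audits a constructed set of accounts, reports the exposure fraction, and shows what de-privileging does to that fraction while leaving the justified administrators in place. The account records are constructed, the `privilege_justified` field stands in for the outcome of an access review, and the 90-day and 365-day thresholds are assumptions.

```python
"""Account hygiene audit and exposure estimate for a directory snapshot.

Added example for this page; not code from Microsoft Security Services for
Incident Response. The account records are constructed, the
`privilege_justified` field stands in for the outcome of an access review,
and the 90-day and 365-day thresholds are assumptions.
"""
from datetime import date

AUDIT_DATE = date(2023, 5, 1)   # assumed "today" for the snapshot below

# Constructed directory snapshot (not real accounts).
ACCOUNTS = [
    {"name": "magda", "privileged": True, "enabled": True,
     "last_logon": date(2023, 4, 28), "pwd_last_set": date(2023, 3, 1),
     "privilege_justified": True},
    {"name": "manager", "privileged": True, "enabled": True,
     "last_logon": date(2023, 4, 29), "pwd_last_set": date(2023, 4, 1),
     "privilege_justified": False},        # the hurried "full control" grant
    {"name": "svc-backup", "privileged": True, "enabled": True,
     "last_logon": date(2022, 11, 2), "pwd_last_set": date(2021, 1, 15),
     "privilege_justified": False},
    {"name": "old-admin", "privileged": True, "enabled": False,
     "last_logon": date(2022, 1, 5), "pwd_last_set": date(2021, 6, 1),
     "privilege_justified": False},        # disabled, permissions never removed
    {"name": "j.doe", "privileged": False, "enabled": True,
     "last_logon": date(2023, 4, 30), "pwd_last_set": date(2023, 2, 10),
     "privilege_justified": True},
]


def hygiene_findings(accounts, today, stale_days=90, max_pwd_age_days=365):
    """Return (account name, finding code) pairs for the conditions the post lists."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        last = acct["last_logon"]
        if last is None or (today - last).days > stale_days:
            findings.append((name, "stale-logon"))                # not used in months
        if (today - acct["pwd_last_set"]).days > max_pwd_age_days:
            findings.append((name, "old-password"))               # old attack could be replayed
        if acct["privileged"] and not acct["enabled"]:
            findings.append((name, "disabled-but-privileged"))    # escalation if re-enabled
        if acct["privileged"] and not acct["privilege_justified"]:
            findings.append((name, "excessive-privilege"))
    return findings


def exposure(accounts):
    """Fraction of all accounts holding privileges the access review did not justify."""
    if not accounts:
        return 0.0
    excessive = sum(1 for a in accounts if a["privileged"] and not a["privilege_justified"])
    return excessive / len(accounts)


def deprivilege(accounts):
    """Return (new snapshot, names changed) with unjustified privileges removed.

    The input is left untouched; justified administrators keep their rights,
    mirroring the post's point that some privileged identities must remain.
    """
    changed = []
    result = []
    for acct in accounts:
        copy = dict(acct)
        if copy["privileged"] and not copy["privilege_justified"]:
            copy["privileged"] = False
            changed.append(copy["name"])
        result.append(copy)
    return result, changed


if __name__ == "__main__":
    for name, code in hygiene_findings(ACCOUNTS, AUDIT_DATE):
        print(f"{name:<11} {code}")
    print(f"exposure before: {exposure(ACCOUNTS):.0%}")
    cleaned, changed = deprivilege(ACCOUNTS)
    print(f"de-privileged: {', '.join(changed)}")
    print(f"exposure after:  {exposure(cleaned):.0%}")
```

On the constructed snapshot three of five accounts carry unjustified privileges, so exposure starts at 60% and drops to 0% after de-privileging, while `magda` keeps her administrator rights. The disabled `old-admin` account is the case to watch: it produces no logon activity, so only a check like `disabled-but-privileged` surfaces it before someone re-enables it.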
How to avoid de-privileging?
For a new system, it is easy to build some sort of privilege-granting rule. You need to make sure that everybody who can grant a privilege is conscious of the implications of granting that permission. This is one point to consider. Education, in this case, is not for the end user but for the team administering your systems, so they stay conscious of this fact. Education for your end users to reject and report when they see they have too many rights would be ideal, but that’s very hard to achieve and therefore unlikely to happen.
For existing systems, you really want to know what permissions are outstanding. To do that, you will need some sort of tool that will collect information about your current permissions. These tools are not easy to find in the market and sometimes they are expensive. If you happen to be working with our Microsoft Support services or with our Microsoft Security Services for Incident Response, you will have several tools included in your engagement, and you can keep using them for some time after we leave.
Apart from the education and the tools, you need a team. When we’re engaged with you, teamwork is essential in getting to a successful eviction or recovery; we have learned from our engagements that building a team of people creates powerful responses to attacks. Communication, clarity, and agility are great skills for a team that helps protect your environment. A well-formed team is, indeed, one of the best ways to avoid having to de-privilege identities in your systems.
TL;DR (well, you read already!)
Cleaning up your permissions will help you be more resilient to attacks. Of course there are more techniques, and we will be covering those soon, but for now, make sure your important permissions are given ONLY to the right identities you’re expecting to use them. Uncontrolled permissions might be a source for someone to get control of your environment.