NIST Announces the Release of Draft NIST IR 8323 Revision 1: Foundational PNT Profile

 NIST Announces the
Release of Draft NIST IR 8323 Revision 1 | Foundational PNT Profile: Applying the
Cybersecurity Framework for the Responsible Use of Positioning, Navigation, and
Timing (PNT) Services. 

PNT

Credit: Shutterstock

About Revision 1 of the
Profile

The PNT cybersecurity profile is part of NIST’s response to the
February 12, 2020, Executive Order (EO) 13905, Strengthening National Resilience Through
Responsible Use of Positioning, Navigation, and Timing Services. The
EO notes that “the widespread adoption of PNT services means disruption or
manipulation of these services could adversely affect U.S. national and
economic security. To strengthen national resilience, the Federal Government
must foster the responsible use of PNT services by critical infrastructure owners
and operators.” The Order also calls for updates to the profile every two years
or on an as needed basis.

Based on NIST’s interaction with public and private sector
stakeholders and their efforts to create “sector specific” profiles, it was
decided to create Revision 1. No substantive changes were made to the original
Foundational Profile; NIST is only seeking comments on the changes made in this
Revision. Among the most noteworthy are: the addition of five new Cybersecurity
Framework (CSF) Subcategories, and the addition of two appendices; Appendix D;
Applying the PNT Profile to Cybersecurity Risk Management, and Appendix E;
Organization Specific PNT Profiles.

All changes are captured in Table 26: “Change Log” for easy
reference to reviewers.

The PNT Profile was created by applying the NIST CSF to help
organizations:

  • Identify systems dependent on
    PNT
  • Identify appropriate PNT
    sources
  • Detect disturbances and
    manipulation of PNT services
  • Manage the risk to these
    systems

Organizations may continue to use this profile as a starting point
to apply their own unique mission, business environment, and technologies to
create or refine a security program that will include the responsible use of
PNT services.

The public comment
period for this publication is now open through August 12, 2022. 

Email comments directly to: pnt-eo@list.nist.gov.

Submit Comments

A Tale of Two Cities – Exploring the future of work – A Data AI Hackathon

 This is an IN-Person Event

The pandemic is (mostly) behind us now, but have perceptions and mindsets of city dwellers changed forever?
Do young people see the world in the same way?
Is there any evidence that people in cities now value work-life balance?
At the Artificial Intelligence: Cloud and Edge Implementations course at the University of Oxford, last year, we worked with Open data from Transport for London and explored the behaviour of people in the pandemic

But is this a global trend?

Created in partnership with Microsoft and University of Oxford, the A tale of two cities – Exploring the future of work – A Data AI hackathon addresses the above questions

We present the findings from London open data and the hackathon will ask the same questions based on open data in New York

What will we find in this saga of two cities? Do we see a pattern with wider implications? What does it mean for the future of work?

We invite you to join us in reviewing datasets from these two cities using Data and AI tools to develop new insights and solutions that emerge from data captured before, during, and after the pandemic.

✨ Rules: Form a team of maximum (3) individuals to take the data and process results. Choose your team prior to the event or on-site amongst attendees.
✨ Suggested Tools: PowerBI, Python, AI builder, Synapse, CosmosDB, and Percept.
✨ Prerequisites: We recommend that attendees are data professionals and possess skills related to the above tools. If you are not fully knowledgeable with the above tools, you are free to apply what you learn in our offered workshop content or you can use the hackathon as a learning opportunity / opportunity to work with others.

✨ If participants do not currently have an Azure subscription, we have a limited supply (25) of Azure passes with some credit available.

✨Prize: The winning team (of 3), currently will get (3) $100 Amazon gift cards and (1) free placement to the Oxford University Digital Twins course (online)– team will have to decide who receives the course. Additional prizes are TBD✨

Agenda:
• Day 1: July 21st 530PM – 8PM : Introduction to the problem, London data comparison, details for the hack shared to group.
• Day 2: July 22nd 9AM – 5PM : Hackathon / Informative Presentations

  • 9:00 AM : KickOff presentation with introduction to additional Data & AI tools – Paul DeCarlo & Ruth Yakubu
  • 10:00 AM : NoSQL 101 and Intro to Cosmos DB – Jay Gordon
  • 10:30 AM : Introduction to Azure Percept – Amira Youssef
  • Office hours – work on Hackathon/Ask questions of available experts

• Day 3: July 23rd 9AM – 1PM : Present Hackathon findings and solutions; choose winner

We hope to share insights from this work, widely building on our experience at the University Of Oxford.
Rikesh Shah, Head of Open Innovation @ Transport for London said “I am pleased to see that the open data and innovation journey we started at University of Oxford is now expanding to the city of New York. I look forward to hearing about the learnings from New York”

Register HERE

Become a Microsoft Sentinel Ninja: The complete level 400 training – Microsoft Tech Community!

 Microsoft Training

The number of security incidents and information related to them are rising daily. Traditional tools and methods aren’t enough to process all the data and to respond to all the incidents. That is where SOAR (Security Orchestration, Automation, and Response) can help.

Where to start?

In addition to being a Security Information and Event Management (SIEM) system, Microsoft Sentinel is a Security Orchestration, Automation, and Response (SOAR) platform. As a SOAR platform, its primary purposes are to automate any recurring and predictable enrichment, response and remediation tasks that are the responsibility of Security Operations Centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response to playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation to your threat response tasks.

 

If you are wondering where to start in learning about Microsoft Sentinel’s SOAR capabilities, take a look at some of the resources outlined below: 

 

When working with Microsoft Sentinel Automation, it is essential to understand Microsoft Sentinel API and the use of API in general. Microsoft Sentinel API 101 is a great place to start.

 

Utilizing Microsoft Sentinel Automation may need additional permissions. Please review the needed permissions.  

 

The Microsoft Sentinel Content hub provides access to Microsoft Sentinel out-of-the-box (built-in) content and solutions. This is the starting point when searching for a playbook template and all other content for Microsoft Sentinel.

 

SOAR Content Catalog is an excellent source of information about the most used playbook connectors.

 

This blog is a fantastic starting point for utilizing SOAR in Microsoft Sentinel – I’m Being Attacked, Now What? – Microsoft Tech Community

 

Microsoft Sentinel Automation: Tips and Tricks is another excellent starting point for those who prefer webinars.

 

How to build automation rule

Automation rules are a way to centrally manage the automation of incident handling, allowing you to perform simple automation tasks without using playbooks.

 

Do you want to learn what a trigger, condition, or action is in automation rules? Start by learning more about automation rules.

 

To learn how to utilize automation rules in incident management, start here –

Create and use Microsoft Sentinel automation rules to manage incidents | Microsoft Docs

 

For tips and tricks in automation rule utilization, visit our automation rules tips and tricks blog.

 

How to build the playbook

A playbook is a collection of actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents when triggered by an analytics rule or an automation rule, respectively.

 

To learn how we utilize Logic App for playbooks, what is a trigger, action, dynamic field, etc., start with an introduction to playbooks. After that, learning how to use triggers and actions is essential.

 

As mentioned in the intro, it’s crucial to understand API as playbooks use REST API. But it is also essential to learn how to authenticate playbooks and what are API connections and permissions in Microsoft Sentinel playbooks.

 

As mentioned, automation rules are a way to manage automation centrally. One of the actions in automation rules is to run a playbook, and in this article, you can find out how to utilize this integration.

 

Microsoft Sentinel has many playbook templates that can be found in Content HubPlaybooks Template Gallery, or our official GitHub repo, but sometimes we will need to customize it for our own needs. This article will guide you through customization steps.

 

Microsoft Sentinel’s blog on Tech Community has many examples of how you can create playbooks step-by-step. For those who like hands-on, here is a list of articles containing step-by-step instructions to create playbooks:

 

Microsoft Sentinel REST API docs and sample use cases:

 

What’s new with Microsoft Sentinel Automation

In this segment, we will be publishing all new announcements related to Microsoft Sentinel Automation. Announcements are sorted by the announcement dates.

 

Tips & Tricks

To help users understand Microsoft Sentinel Automation “under the hood”, we started with the Tips & Tricks blog series:

 

Creating a playbook template can be a time-consuming task, and to help with that, we have created a script to create those templates with ease – learn how now!

 

Migrate from 3rd party automation tools

If you are already using 3rd party automation tools, learn how you can migrate to Microsoft Sentinel Automation:

NIST Selects Four Post-Quantum Cryptographic Algorithms for Standardization After the Third Round of the PQC Process

NIST has completed the third round of the Post-Quantum
Cryptography (PQC) standardization process, which selects public-key
cryptographic algorithms to protect information through the advent of quantum
computers. A total of four candidate algorithms have been selected for
standardization: CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, and
SPHINCS+. Four additional algorithms will continue into the fourth
round for further evaluation: BIKE, Classic McEliece, HQC, and SIKE.

NISTIR 8413Status Report on the Third Round of
the NIST Post-Quantum Cryptography Standardization Process, details
the selection rationale and is also available on the NIST PQC webpage.

See the full announcement for more details, including
discussion of a Fourth PQC Conference and an upcoming call for additional
quantum-resistant digital signature algorithms. Questions may be directed to pqc-comments@nist.gov. 

Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats

The National Institute of Standards and Technology (NIST) has announced that
a new post-quantum cryptographic standard will replace current public-key
cryptography, which is vulnerable to quantum-based attacks. Note: the term
“post-quantum cryptography” is often referred to as “quantum-resistant
cryptography” and includes, “cryptographic algorithms or methods that are
assessed not to be specifically vulnerable to attack by either a CRQC
[cryptanalytically relevant quantum computer] or classical computer.” (See the National
Security Memorandum on Promoting United States Leadership in Quantum Computing
While Mitigating Risks to Vulnerable Cryptographic Systems for more
information).

Although NIST will not publish the new post-quantum cryptographic standard
for use by commercial products until 2024, CISA and NIST strongly recommend organizations
start preparing for the transition now by following the Post-Quantum Cryptography Roadmap, which
includes:

  • Inventorying your organization’s systems for
    applications that use public-key cryptography.
  • Testing the new post-quantum cryptographic standard in
    a lab environment; however, organizations should wait until the official
    release to implement the new standard in a production environment.
  • Creating a plan for transitioning your organization’s
    systems to the new cryptographic standard that includes:
    • Performing an
      interdependence analysis, which should reveal issues that may impact the
      order of systems transition;
    • Decommissioning old
      technology that will become unsupported upon publication of the new standard;
      and
    • Ensuring validation and
      testing of products that incorporate the new standard.
  • Creating acquisition policies regarding post-quantum
    cryptography. This process should include:
    • Setting new service
      levels for the transition.
    • Surveying vendors to
      determine possible integration into your organization’s roadmap and to
      identify needed foundational technologies.
  • Alerting your organization’s IT departments and vendors
    about the upcoming transition.
  • Educating your organization’s workforce about the
    upcoming transition and providing any applicable training.

For additional guidance and background, CISA and NIST strongly encourage
users and administrators to review:

NIST Draft Guide on Validating the Integrity of Computing Devices

 Submit Comments on Draft
NIST SP 1800-34, Validating
the Integrity of Computing Devices

The National Cybersecurity Center of Excellence (NCCoE) has
published for public comment a draft of NIST SP 1800-34, Validating the Integrity of
Computing Devices.

What Is This Guide About?

Technologies today rely on complex, globally distributed and
interconnected supply chain ecosystems to provide reusable solutions.
Organizations are increasingly at risk of cyber supply chain compromise,
whether intentional or unintentional. Managing cyber supply chain risks
requires, in part, ensuring the integrity, quality, and resilience of the
supply chain and its products and services. This project demonstrates how
organizations can verify that the internal components of their computing
devices are genuine and have not been altered during the manufacturing or
distribution processes.

Share Your Expertise

Please download the document and share your
expertise with us to strengthen the draft practice guide. The public
comment period for this draft is now open and will close on July 25th,
2022. You can stay up to date on this project by sending an email to supplychain-nccoe@nist.gov to join our
Community of Interest. Also, if you have any project ideas for our team, please
let us know by sending an email to the email address above. We look forward to
your feedback.

Additional NIST Supply Chain Work

NIST is also working on an important effort, the National
Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the
private sector and others in government to improve cybersecurity in supply
chains. This initiative will help organizations to build, evaluate, and assess
the cybersecurity of products and services in their supply chains, an area of
increasing concern. For more information on this effort, you can click here.

Comment Now

Engineering Trustworthy Secure Systems: Final Public Draft is Available for Comment

 NIST is releasing the final public draft of a major revision
to Special
Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems.
This final public draft offers significant content and design changes that
include a renewed emphasis on the importance of systems engineering and viewing
systems security engineering as a critical subdiscipline necessary to achieving
trustworthy secure systems. This perspective treats security as an emergent
property of a system. It requires a disciplined, rigorous engineering process
to deliver the security capabilities necessary to protect stakeholders’ assets
from loss while achieving mission and business success.

Bringing security out of its traditional stovepipe and viewing it
as an emergent system property helps to ensure that only authorized system
behaviors and outcomes occur, much like the engineering processes that address
safety, reliability, availability, and maintainability in building spacecraft,
airplanes, and bridges. Treating security as a subdiscipline of systems
engineering also facilitates making comprehensive trade space decisions as
stakeholders continually address cost, schedule, and performance issues, as
well as the uncertainties associated with system development efforts.

In particular, this final public draft:

  • Provides a renewed focus on the
    design principles and concepts for engineering trustworthy secure systems,
    distributing the content across several redesigned initial chapters
  • Relocates the detailed system
    life cycle processes and security considerations to separate appendices
    for ease of use
  • Streamlines the design
    principles for trustworthy secure systems by eliminating two previous
    design principle categories
  • Includes a new introduction to
    the system life cycle processes and describes key relationships among
    those processes
  • Clarifies key systems
    engineering and systems security engineering terminology
  • Simplifies the structure of the
    system life cycle processes, activities, tasks, and references
  • Provides additional references
    to international standards and technical guidance to better support the
    security aspects of the systems engineering process

NIST is interested in your feedback on the specific changes made
to the publication during this update, including the organization and structure
of the publication, the presentation of the material, its ease of use, and the
applicability of the technical content to current or planned systems
engineering initiatives.

 

The public comment period is open through July 8, 2022. See
the publication details for instructions on submitting
comments, including a template for preparing comments.

NOTE: A call for patent claims is included on page v of this
draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy–Inclusion of
Patents in ITL Publications.

Read
More

 Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public
draft), Measuring the
Common Vulnerability Scoring System Base Score Equation.

Calculating the severity of information technology vulnerabilities
is important for prioritizing vulnerability remediation and helping to
understand the risk of a vulnerability. The Common Vulnerability Scoring System
(CVSS) is a widely used approach to evaluating properties that lead to a
successful attack and the effects of a successful exploitation. CVSS is managed
under the auspices of the Forum of Incident Response and Security Teams (FIRST)
and is maintained by the CVSS Special Interest Group (SIG). Unfortunately,
ground truth upon which to base the CVSS measurements has not been available.
Thus, CVSS SIG incident response experts maintain the equations by leveraging
CVSS SIG human expert opinion.

This work evaluates the accuracy of the CVSS “base score”
equations and shows that they represent the CVSS maintainers’ expert opinion to
the extent described by these measurements. NIST requests feedback on the
approach, the significance of the results, and any CVSS measurements that
should have been conducted but were not included within the initial scope of this
work. Finally, NIST requests comments on sources of data that could provide
ground truth for these types of measurements.

The public comment review period for this draft is open through
July 29, 2022. See the publication
details for instructions on how to submit comments.

 

NOTE: A call for patent claims is included on page iv of this
draft. For additional information, see Information
Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL
Publications.

Read
More

Open for Public Comment: Preliminary Draft Practice Guide (Vol. A) From the ZTA Team

The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on its contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment.
As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise IT infrastructure on premises and in the cloud.

We Want to Hear from You!
The NCCoE is making Volume A available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before (July 5th, 2022). 

Comment Here

Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)

 Post from Microsoft

On April 24, 2022, a privilege escalation hacking tool, KrbRelayUp, was publicly disclosed on GitHub by security researcher Mor Davidovich. KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn tools in attacks.

Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable. Microsoft Defender for Identity detects activity from the early stages of the attack chain by monitoring anomalous behavior as seen by the domain controller. In addition, signals from Defender for Identity also feed into Microsoft 365 Defender, providing organizations with a comprehensive solution that detects and blocks suspicious network activities, malicious files, and other related components of this attack. Microsoft Defender Antivirus detects this attack tool as the malware family HackTool:MSIL/KrbUpRly.

Microsoft encourages customers to update Domain Controller: LDAP server signing requirements to Require signing as detailed in this advisory and enable Extended Protection for Authentication (EPA) as detailed in this blog.

Originally, KrbRelayUp supported only one method that’s based on taking advantage of resource-based constrained delegation (RBCD); it later added several additional attack methods. In this blog, we discuss RBCD to provide further insights into how the initial KrbRelayUp attack method works. We also detail the stages that make up the said attack. Finally, we provide recommendations and guidelines that can help organizations strengthen their device configurations and defend their networks from attacks that use this tool.

Understanding the attack: What is resource-based constrained delegation?

Resource-based constrained delegation (RBCD) represents the key to this attack method, enabling the tool to impersonate an administrator and eventually run a code as the SYSTEM account of a compromised device.

Authentication protocol basics

An authentication protocol verifies the legitimacy of a resource or identity. When a user signs into a website, that website uses a methodology to confirm the authenticity of the resource requesting access. In simpler terms, the authentication process involves signing in with a password—made possible by the user knowing the password anticipated by the website. The Kerberos protocol serves as the main authentication framework for this process in on-premises Active Directory.

Delegation

Sometimes, however, a resource needs to request access to another resource on behalf of a different identity. A common example of this is mail delegation, wherein executives often give delegation rights to their executive assistants to send and receive emails on their behalf without providing the assistant with the executive’s password. The executive assistant isn’t authenticating as the executive; the executive has just allowed the assistant’s account to “pretend” that they are.

Resource-based constrained delegation

Initially, only users with the SeEnableDelegation role could configure delegation, typically domain admins. These domain admins can manage resources and dictate which identities can act on behalf of a different resource. They achieve this by updating the msDS-AllowedToDelegateTo property of a user account or device. This property contains a list of all the unique identifiers (service principal names, or SPNs) to which this object can delegate or act on behalf of.

However, as organizations expanded, administrators struggled to manage all the delegation requirements, raising the need for a new type of delegation: resource-based. For instance, in an organization with several file servers that all trust a web server for delegation, an admin would have to change the msDS-AllowedToDelegateTo priority in all of the different file servers to introduce a second web server. With resource-based delegation, the list of trusted computers is held on the receiving end. Thus, in our example, only the newly created server would require a change of settings.

To read the rest of this article and find the steps you can use to defend go Here