My information Resource (blog.mir.net)

 NIST has published Special Publication (SP) 800-215, Guide to a Secure
Enterprise Network Landscape.

Access to multiple cloud services (e.g., IaaS, SaaS), the
geographic spread of enterprise Information Technology (IT) resources
(including multiple data centers and multiple branch offices), and the
emergence of highly distributed loosely coupled microservices-based
applications (as opposed to monolithic ones) have significantly altered the
enterprise network landscape. This transformation has the following security
impacts: (a) disappearance of the concept of a perimeter associated with the
enterprise network, (b) an increase in attack surfaces due to the sheer
multiplicity of IT resource components (e.g., computing, networking, and
storage), and (c) the ability of attackers to escalate sophisticated attacks
across several network boundaries by leveraging extensive connectivity features
within and across the individual network segments.

NIST SP 800-215 provides guidance from a secure operations
perspective. It examines the security limitations of current network access
solutions (e.g., VPNs) to the enterprise network as well as point security
solutions with traditional network appliances with enhanced features (e.g.,
firewalls, CASB for cloud access), including the usage of network visibility,
monitoring, and provisioning tools. This document also discusses emerging
network configurations that each address a specific security function (e.g.,
application/services security, cloud services access security, device or
endpoint security) and security frameworks, such as zero trust network access
(ZTNA), microsegmentation, and SDP that combine these individual
configurations. Additionally, the document highlights cloud-based WAN
infrastructures, such as SASE with widespread point of presence (PoP), that
combine use of the latest WAN technologies (e.g., SD-WAN) with a comprehensive
set of security services.

Read
More

 Business impact analyses (BIAs) have been traditionally used for
business continuity and disaster recovery (BC/DR) planning to understand the
potential impacts of outages that compromise IT infrastructure. However, BIA
analyses can be easily expanded to consider outages related to cyber risks and
issues attributable to confidentiality and integrity.

NIST Interagency Report (IR) 8286D, Using Business
Impact Analysis to Inform Risk Prioritization and Response,
goes beyond availability to also include confidentiality and integrity impact
analyses. This fifth publication in the NIST IR 8286 document series, Integrating Cybersecurity and
Enterprise Risk Management, discusses the identification and
management of risk as it propagates from system to organization and from
organization to enterprise, which in turn better informs Enterprise Risk
Management deliberations. NIST IR 8286D expands typical BIA discussions to
inform risk prioritization and response by quantifying the organizational
impact and enterprise consequences of compromised IT Assets.

NIST IR 8286D pairs with several other reports:

• NIST IR
  8286, Integrating
  Cybersecurity and Enterprise Risk Management (ERM) –
  foundational document that describes high-level processes
• NIST IR
  8286A, Identifying
  and Estimating Cybersecurity Risk for Enterprise Risk Management –
  describes risk identification and analysis
• NIST IR
  8286B, Prioritizing
  Cybersecurity Risk for Enterprise Risk Management –
  describes methods for applying enterprise objectives to prioritize the
  identified risks and, subsequently, to select and apply the appropriate
  responses
• NIST IR
  8286C, Staging
  Cybersecurity Risks for Enterprise Risk Management and Governance
  Oversight – describes how information, as recorded
  in cybersecurity risk registers (CSRRs), may be integrated as part of a
  holistic approach to ensuring that risks to information and technology are
  properly considered for the enterprise risk portfolio.

The NIST IR 8286 series enables risk practitioners to integrate
CSRM activities more fully into the broader enterprise risk processes. Because
information and technology comprise some of the enterprise’s most valuable
resources, it is vital that directors and senior leaders have a clear understanding
of cybersecurity risk posture at all times. It is similarly vital that those
identifying, assessing, and treating cybersecurity risk understand enterprise
strategic objectives when making risk decisions.

The authors of the NIST IR 8286 series hope that these
publications will spark further industry discussion. As NIST continues to
develop frameworks and guidance to support the application and integration of
information and technology, many of the series’ concepts will be considered for
inclusion.

Read
More

NIST has released a major revision to Special
Publication (SP) 800-160 Volume 1, Engineering
Trustworthy Secure Systems. This final
publication offers significant content and design changes that include a
renewed emphasis on the importance of systems engineering and viewing systems
security engineering as a critical subdiscipline necessary to achieving
trustworthy secure systems. This perspective treats security as an emergent
property of a system. It requires a disciplined, rigorous engineering process
to deliver the security capabilities necessary to protect stakeholders’ assets
from loss while achieving mission and business success.

Bringing security out of its traditional stovepipe and viewing it
as an emergent system property helps to ensure that only authorized system
behaviors and outcomes occur, much like the engineering processes that address
safety, reliability, availability, and maintainability in building spacecraft,
airplanes, and bridges. Treating security as a subdiscipline of systems
engineering facilitates comprehensive trade space decision-making as
stakeholders continually address cost, schedule, and performance issues, as
well as the uncertainties associated with system development efforts.

In particular, the final publication:

• Provides a renewed focus on the
  design principles and concepts for engineering trustworthy secure systems,
  distributing the content across several redesigned initial chapters
• Relocates the detailed system
  life cycle processes and security considerations to separate appendices
  for ease of use
• Streamlines the design
  principles for trustworthy secure systems by eliminating two previous
  design principle categories
• Includes a new introduction to
  the system life cycle processes and describes key relationships among
  those processes
• Clarifies key systems
  engineering and systems security engineering terminology
• Simplifies the structure of the
  system life cycle processes, activities, tasks, and references
• Provides additional references
  to international standards and technical guidance to better support the
  security aspects of the systems engineering process

Read
More

Holiday Travel Tip: Use
Public Wi-Fi Safely

The NCCoE Buzz: Mobile Security
Edition is a recurring email on timely topics in mobile device cybersecurity
and privacy from the National Cybersecurity Center of Excellence’s (NCCoE’s)
Mobile Device Security project team.

It’s that time of the year again when we get on the road or head
to the airport for a holiday vacation.

It may be convenient to use public wireless networks while
traveling. However, an ineffectively secured mobile device that establishes a
connection to an open public Wi-Fi hotspot may expose an individual, employee,
or entire organization to data loss or a privacy compromise.

The NCCoE wishes you a happy Thanksgiving and safe travels. To
learn more about how you can protect your mobile device while using public
Wi-Fi, access our article below.

Read
More

This is a great read for anyone interested in Cyber Security.

 In this talk, Microsoft and LinkedIn analysts detail recent activity of a North-Korea based nation-state threat actor we track as ZINC. Analysts detailed the findings of their investigation (previously covered in this blog) and walked through the series of observed ZINC attacks that targeted 125 different victims spanning 34 countries, noting the attacks appear to be motivated by traditional cyber-espionage and theft of personal and corporate data. A few highlights include:

• In September 2022, Microsoft disclosed detection of a wide range of social engineering campaigns using weaponized legitimate open-source software. MSTIC observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.
• Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
• When analyzing the data from an industry sector perspective, we observed that ZINC chose to deliver malware most likely to succeed in a specific environment, for example, targeting IT service providers with terminal tools and targeting media and defense companies with fake job offers to be loaded into weaponized PDF readers.
• ZINC has successfully compromised numerous organizations since June 2022, when the actor began employing traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets.
• Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads. MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally across victim networks and exfiltrate collected information from.

 NIST has released a working draft of NIST Special Publication (SP)
800-55 Revision 2, Performance Measurement Guide for Information Security.
The public is invited to provide input by February 13, 2023, for consideration in
the update. 

Details

This working draft of SP 800-55 Revision 2 is an annotated outline
that will enable further community discussions and feedback. Comments received
by the deadline will be incorporated to the extent practicable. NIST will then
post a complete public draft of SP 800-55 Rev. 2 for an additional comment
period.

The comment period is open through February 13, 2023. See
the publication
details for a copy of the draft. Submit comments to cyber-measures@list.nist.gov with “Comment on
NIST SP 800-55r2 initial working draft” in the subject field.

Submitted comments, including attachments and other supporting
materials, will become part of the public record and are subject to public
disclosure. Personally identifiable information and confidential business
information should not be included (e.g., account numbers, Social Security
numbers, names of other individuals). Comments that contain profanity,
vulgarity, threats, or other inappropriate language will not be posted or
considered.

Read
More

 The National Cybersecurity Center of Excellence (NCCoE) is pleased
to release the final annotated outline for the Cybersecurity Framework (CSF)
Profile for Hybrid Satellite Networks (HSN). The HSN Community of Interest
(COI) is using this annotated outline to build the HSN CSF Profile, a practical
guide for organizations and stakeholders engaged in the design, acquisition,
and operation of satellite buses or payloads involving HSN. This will allow
non-commercial use of commercial satellites in a manner that is consistent with
the sponsor organization’s risk tolerance.

The Profile will be structured around the NIST Cybersecurity
Framework and aims to be suitable for applications that involve multiple
stakeholders contributing to communications architecture and for other use
cases such as hosted payloads. Use of the HSN Profile will help organizations:

• Identify systems, assets, data,
  and risks that pertain to HSN
• Protect HSN services by
  adhering to cybersecurity principles and self-assessment
• Detect cybersecurity-related
  disturbances or corruption of HSN services and data
• Respond to HSN service or data
  anomalies in a timely, effective, and resilient manner
• Recover the HSN to proper
  working order at the conclusion of a cybersecurity incident

If you have expertise in Commercial Space capabilities, please
join the HSN COI to help shape this important profile.  

Review the outline here: Hybrid Satellite Networks (HSN) Cybersecurity Framework Profile
Annotated Outline | NCCoE (nist.gov). 

Join Here

 NCCoE Releases Final
Project Description: Responding
to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing
Sector

The National Cybersecurity Center of Excellence (NCCoE) has
released the final project description, Responding
to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing
Sector. The publication of this project description continues the
process to further identify project requirements and scope, along with hardware
and software components for use in a laboratory environment.

What is this project about?

Industrial control systems (ICS) and devices that run
manufacturing environments play a critical role in the supply chain.
Manufacturing organizations rely on ICS to monitor and control physical
processes that produce goods for public consumption. These same systems are
facing an increasing number of cyber attacks, presenting a threat to safety,
production, and economic impact to a manufacturing organization. The goal of this
NCCoE project is to demonstrate a means to recover equipment from cyber attacks
and restore operations.

Next Steps

In the coming weeks, the NCCoE Manufacturing team will be
publishing a Federal Register Notice (FRN) based on the final project
description. If you have interest in participating in this project with us as a
collaborator, you will have the opportunity to complete a Letter of Interest
(LOI) where you can present your capabilities. Completed LOIs are considered on a first-come,
first-served basis within each category of components or
characteristics listed in the FRN, up to the number of participants in each
category necessary to carry out the project build.

If you have any questions, please reach out to our project team at
manufacturing_nccoe@nist.gov.

Project Page