Posts labeled: National Critical Infrastructure

How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework

Mark Harrington

Last week, the National Institute of Standards and Technology (NIST) released an update to its Framework for Improving Critical Infrastructure Cybersecurity, incorporating feedback from its October workshop as well as responses to an August Request for Information. While adoption of the Framework remains voluntary and not a regulatory requirement, many large organizations in a variety of industries consider it to be an effective benchmark for security operations. We at Guidance Software believe it will soon be considered a “commercially reasonable” standard, but we also recommend incorporating additional, proactive security practices for a more complete security posture.

This most recent update to the Framework reports on certain implementation issues, including the need to expand awareness among smaller and medium-sized businesses in the critical infrastructure sector. Some concern exists that the Implementation tier of the Framework’s three main components—Core, Profile, and Implementation Tiers—is being used the least frequently. Instead, the Framework is being most commonly used simply as a basis for evaluating security—as a yardstick, if you will.

Information-Sharing Holds Real Promise for More Effective Organizational Defense

Among the aspects of the NIST Framework that I believe holds the most promise in defending our organizations is that of information-sharing. Many who have responded to NIST’s calls for feedback have expressed interest in expanding this type of collaboration in order to build more powerful threat intelligence feeds across American industries. While interest in participation is high, so are the levels of concern about potential impact on corporate reputation if data breaches were made public. Since the original Framework was published, there has been a clear call for a means of reporting a breach and related information anonymously.

Congress has just passed the National Cybersecurity Protection Act in order to better support cyber-threat information exchange between the public and private sectors via the National Cybersecurity and Communications Integration Center. However, a bill that incorporates liability protections for those reporting on breaches will have to wait until early next year.

NIST Senior Policy Advisor Adam Sedgewick to Present in Webinar Series on NIST Cybersecurity Framework

To help organizations better understand the merits of the National Institute of Standards and Technology Cybersecurity Framework, Guidance Software is hosting a two-part webinar, “Implementing the Detect Function in the NIST Cybersecurity Framework.” Senior Information Technology Advisor Adam Sedgewick of NIST will be the featured presenter. The webinar will also feature a presentation by Alfred Chung, EnCase Analytics product manager for Guidance Software.

NIST Cybersecurity Framework Needs More Focus on Collaboration and Finding Anomalies

Jason Fredrickson

A few days ago, I was delighted to see the National Institute of Standards and Technology (NIST) release its Preliminary Cybersecurity Framework for reducing cyber risks to critical infrastructure. And my first read-through was pretty positive: they cover a lot of material, and I think it will help organizations understand the full picture of security readiness. Their tiered approach, for instance, is sound, and I’ve seen it work successfully in other industries: e-discovery, for instance, has the EDRM Maturity Model, and software development has the CMMI. And I’m very pleased to see such attention paid to PII and privacy.

That said, however, I saw a few structural problems on my second review. The Framework has a lot of noise about security policies and procedures and not as much of a call-to-action on collaboration and threat intelligence-sharing as I would like. It lacks any mention of proactive forensics or proactive investigation. It contains a wealth of detail on rules and process for ensuring information security, but very little in the way of the means of, or requirements for, organizations to work together to fight the good fight. And it has a major hole in its attempt to categorize threat detection and response.

Who Turned Off the Lights? U.S. Electric Grid Sees Increase in Cyber Attacks

Ale Espinosa

When news of Stuxnet broke out, the world was shocked. It was the first discovered malware to spy on and subvert industrial systems, as well as the first to include a programmable logic-controller rootkit, used to attack Iran’s nuclear facilities.

Yet, despite fears of retaliation from foreign governments against the U.S. electric grid, a recent report based on over 100 surveyed utility companies revealed alarming vulnerabilities in the nation’s energy system. The report was supported by members of the U.S. House of Representatives in an effort to bring awareness to the security gaps in the utilities sector.

Among some of the report’s key findings were:
  • Attacks on the nation’s critical infrastructure – including energy – were up 68 percent from 2011
  • Many utility companies reported receiving “daily,” “constant” or “frequent” cyber-attack attempts
  • Among the attacks reported were phishing, malware infection, and unfriendly probes
  • Most utility companies are compliant with mandatory cybersecurity standards issued by the government, but voluntary recommendations by the industry watchdog – the North American Electric Reliability Corporation (NERC) – have been ignored by many

More critical infrastructure data breaches...not terribly surprising

Josh Beckett

An interesting read about a data breach involving critical infrastructure, a subject near and dear to my heart, having worked in the field for a few years.

It's always curious to me that many people who deal with such tidbits of information are often very cavalier with the data and habitually underestimate its value to any potential adversary, including the potential field of adversaries and their related capabilities. Typical responses that always gave me the willies were "No one could ever get to that information, and if they did, they wouldn't know what to do with it anyway." Really? The only smart people in the world who know about this matter are in this room?