Archive for NIST Computer Security


FIPS Validated Encryption

FIPS 140-2 is the current (soon to be revised to FIPS 140-3) NIST standard for cryptographic modules used by government agencies to protect sensitive but unclassified information.
NIST operates a Cryptographic Module Validation Program (CMVP) under which accredited laboratories test the cryptographic modules in products and NIST validates them as conforming to the FIPS 140 standard. This testing involves not only which [...]

Security Control Matrix

This matrix is a map that correlates attacker methodology with NIST 800-53 security controls: ATTACK METHODOLOGY/CONTROL

Recon

General/Google

RA-3 RISK ASSESSMENT - you can only reduce exposure and can never "stop" general reconnaissance, but you damn well better know what you're defending before the attacker starts to find out

Network scanning

CM-7 LEAST FUNCTIONALITY - show the attacker the [...]

800-53 rev3 FINAL

NIST has released the final version of SP 800-53 rev3, "Recommended Security Controls for Federal Information Systems and Organizations". This document is the encyclopedia of security controls for federal agencies, and this is the third revision since it was originally released in 2005.
The impact level baseline information bar that was removed in the Final Public [...]

800-53 rev3 FPD

The new revision of NIST SP 800-53 (rev3) is now a Final Public Draft (FPD) and should be published in final form soon. When NIST moves a document from IPD to FPD status the changes are usually few, because the document is nearly ready for final publication. In this case, however, [...]

800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site.
[note - IPD means the document is in "draft" mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months later]
Draft-SP800-53 [...]

Awareness and Training

Need

Awareness and training is a critical part of any information security program
People are the weakest link in any security defense

Components - there is a security learning continuum:

Awareness
Basic training
Functional training
Specialized education

Designing a program

Identify needs
Behavior (awareness)
Skills (training and education)
Plan
Get buy-in
Priorities

Material - audience focus is critical
Implementation

Explanation
Resources
Material
Medium
Cost
Schedule

Follow through

Monitoring
Feedback and evaluation
Change
Success indicators

KEY NIST DOCS:
800-50

Policy and Procedure

Each of the seventeen families of security controls found in 800-53 contains a first control (the "-1" control) that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family:
800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Control:
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, [...]

Rules of Behavior

Any information security policy and System Security Plan (SSP) should contain a section known as "Rules of Behavior" that establishes appropriate use and behavior for system users and the consequences of non-compliance.
From 800-100, Appendix B, FAQs:
Q - What are “Rules of Behavior”?
A - The rules should state the consequences of inconsistent behavior or noncompliance and [...]

POAMs

Plan of Action and Milestones
A POAM is a plan that describes the specific measures to be taken to correct deficiencies found during a security control assessment. The POAM should identify:

The tasks needed to correct the deficiency
The resources required to make the plan work
Milestones in completing the tasks
Scheduled completion dates for the milestones

An organizational strategy for developing [...]

Incident Response

Federal agencies are required by law (FISMA) to report incidents to the United States Computer Emergency Readiness Team (US-CERT) in DHS and must have a formal incident response capability.
INCIDENT RESPONSE METHODOLOGY

Prepare - accumulate the knowledge, resources, tools, team members and training needed to handle incident response. Provide feedback into other processes (patch management...) that may help prevent [...]