Attacks/Breaches

10/4/2017
02:30 PM
Mike Shultz
Mike Shultz
Commentary
50%
50%

What Security Teams Need to Know about the NIAC Report

Which of the recommendations made by the NIAC working group will affect security teams the most, and how should they prepare?

A report from the National Infrastructure Advisory Commission (NIAC) suggests that the United States is in a "pre-9/11 moment." The authors were addressing the potential of a catastrophic cyber attack against the US that could result in the cyber equivalent of the 9/11 attack.

After the cybersecurity executive order was issued in May, the National Security Council (NSC) tapped the NIAC to determine how federal agencies and capabilities could be applied to improve the cybersecurity of critical infrastructure assets. They focused on assets that, if attacked, could result in "catastrophic regional or national effects on public health or safety, economic security, or national security." Which of the recommendations will affect security teams, and what should they do to prepare? These developments, arising from three specific recommendations should be tracked closely:

1. Recommendation: Identify the best-in-class scanning tools and assessment practices, and then apply them to the most critical networks.

A security team may do a good job of testing its own networks, but connections with other networks (e.g., vendors and partners) that are necessary for conducting business serve to limit overall operational security. Making broadly available the best assessment tools will benefit not only direct users of your product or service but increase overall nationwide security when done in collective effort with other enterprises. A "Center of Excellence" for scanning and assessment tools will create a testing environment to evaluate software that can be used widely, but, in particular, small and midsize businesses and educational institutions that otherwise might lag behind large organizations.

Action: Security teams should track this development because it is intended to support best practices in a shared environment that will make network testing more effective and less costly.

2. Recommendation: Establish limited-time, outcome-based market incentives to encourage organizations to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.

Budgetary constraints sometimes lead organizations to make suboptimal decisions about the types of processes and technologies they implement to prevent cyber attacks. The NIAC report recommends implementing tax credits to enable and encourage security system upgrades, which will free up significant financial resources that can be directed toward improving cyber resilience.

It also urges relief from government security audits when industry standards are consistently met. How can anyone tell when industry standards are met? The Commission strongly recommends implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework in order to qualify for incentives.

Action: Security teams should begin orienting their cybersecurity program around the NIST Cybersecurity Framework, and they should track and support the development of legislation to provide incentives to organizations that can demonstrate a standardized level of cyber maturity.

3. Recommendation: Establish separate, secure communications networks specifically designated for the most critical cyber networks.

While the primary inspiration for this recommendation is the utility industry's IT and OT networks, the definition of "critical infrastructure" has broadened. It now includes other systems of computing networks without which the country couldn't operate, including financial systems. As the threats escalate and attacks become more organized, leveraging "dark fiber" networks and other alternatives for key critical communications is highly recommended.  

Action: In addition to tracking the development of dark fiber networks, security teams supporting critical infrastructure should identify the most critical communication processes and evaluate how those can be hardened, including the use of private networks. 

The urgency depicted in the NIAC report and the increasing frequency and impact of large breaches like Equifax is accelerating the government's concern with the state of the nation's cybersecurity. We recommend keeping an eye on the steps that will be taken based on the report's recommendations, as we may be heading toward a cyber Sarbanes-Oxley Act.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Mike Shultz is CEO and founder of Cybernance, a SAFETY Act-designated company that regulated industries, public companies, and government agencies rely on to oversee and manage cyber-risk. Previously, Shultz was CEO of cybersecurity firm Infoglide Software, the application ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6345
PUBLISHED: 2019-01-15
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all s...
CVE-2018-7603
PUBLISHED: 2019-01-15
In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered t...
CVE-2019-3554
PUBLISHED: 2019-01-15
Wangle's AcceptRoutingHandler incorrectly casts a socket when accepting a TLS 1.3 connection, leading to a potential denial of service attack against systems accepting such connections. This affects versions of Wangle prior to v2019.01.14.00
CVE-2019-3557
PUBLISHED: 2019-01-15
The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were...
CVE-2019-0030
PUBLISHED: 2019-01-15
Juniper ATP uses DES and a hardcoded salt for password hashing, allowing for trivial de-hashing of the password file contents. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.