Attacks/Breaches

10/4/2017
02:30 PM
Mike Shultz
Mike Shultz
Commentary
50%
50%

What Security Teams Need to Know about the NIAC Report

Which of the recommendations made by the NIAC working group will affect security teams the most, and how should they prepare?

A report from the National Infrastructure Advisory Commission (NIAC) suggests that the United States is in a "pre-9/11 moment." The authors were addressing the potential of a catastrophic cyber attack against the US that could result in the cyber equivalent of the 9/11 attack.

After the cybersecurity executive order was issued in May, the National Security Council (NSC) tapped the NIAC to determine how federal agencies and capabilities could be applied to improve the cybersecurity of critical infrastructure assets. They focused on assets that, if attacked, could result in "catastrophic regional or national effects on public health or safety, economic security, or national security." Which of the recommendations will affect security teams, and what should they do to prepare? These developments, arising from three specific recommendations should be tracked closely:

1. Recommendation: Identify the best-in-class scanning tools and assessment practices, and then apply them to the most critical networks.

A security team may do a good job of testing its own networks, but connections with other networks (e.g., vendors and partners) that are necessary for conducting business serve to limit overall operational security. Making broadly available the best assessment tools will benefit not only direct users of your product or service but increase overall nationwide security when done in collective effort with other enterprises. A "Center of Excellence" for scanning and assessment tools will create a testing environment to evaluate software that can be used widely, but, in particular, small and midsize businesses and educational institutions that otherwise might lag behind large organizations.

Action: Security teams should track this development because it is intended to support best practices in a shared environment that will make network testing more effective and less costly.

2. Recommendation: Establish limited-time, outcome-based market incentives to encourage organizations to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.

Budgetary constraints sometimes lead organizations to make suboptimal decisions about the types of processes and technologies they implement to prevent cyber attacks. The NIAC report recommends implementing tax credits to enable and encourage security system upgrades, which will free up significant financial resources that can be directed toward improving cyber resilience.

It also urges relief from government security audits when industry standards are consistently met. How can anyone tell when industry standards are met? The Commission strongly recommends implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework in order to qualify for incentives.

Action: Security teams should begin orienting their cybersecurity program around the NIST Cybersecurity Framework, and they should track and support the development of legislation to provide incentives to organizations that can demonstrate a standardized level of cyber maturity.

3. Recommendation: Establish separate, secure communications networks specifically designated for the most critical cyber networks.

While the primary inspiration for this recommendation is the utility industry's IT and OT networks, the definition of "critical infrastructure" has broadened. It now includes other systems of computing networks without which the country couldn't operate, including financial systems. As the threats escalate and attacks become more organized, leveraging "dark fiber" networks and other alternatives for key critical communications is highly recommended.  

Action: In addition to tracking the development of dark fiber networks, security teams supporting critical infrastructure should identify the most critical communication processes and evaluate how those can be hardened, including the use of private networks. 

The urgency depicted in the NIAC report and the increasing frequency and impact of large breaches like Equifax is accelerating the government's concern with the state of the nation's cybersecurity. We recommend keeping an eye on the steps that will be taken based on the report's recommendations, as we may be heading toward a cyber Sarbanes-Oxley Act.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Mike Shultz is CEO and founder of Cybernance, a SAFETY Act-designated company that regulated industries, public companies, and government agencies rely on to oversee and manage cyber-risk. Previously, Shultz was CEO of cybersecurity firm Infoglide Software, the application ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.