Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/4/2017
02:30 PM
Mike Shultz
Mike Shultz
Commentary
50%
50%

What Security Teams Need to Know about the NIAC Report

Which of the recommendations made by the NIAC working group will affect security teams the most, and how should they prepare?

A report from the National Infrastructure Advisory Commission (NIAC) suggests that the United States is in a "pre-9/11 moment." The authors were addressing the potential of a catastrophic cyber attack against the US that could result in the cyber equivalent of the 9/11 attack.

After the cybersecurity executive order was issued in May, the National Security Council (NSC) tapped the NIAC to determine how federal agencies and capabilities could be applied to improve the cybersecurity of critical infrastructure assets. They focused on assets that, if attacked, could result in "catastrophic regional or national effects on public health or safety, economic security, or national security." Which of the recommendations will affect security teams, and what should they do to prepare? These developments, arising from three specific recommendations should be tracked closely:

1. Recommendation: Identify the best-in-class scanning tools and assessment practices, and then apply them to the most critical networks.

A security team may do a good job of testing its own networks, but connections with other networks (e.g., vendors and partners) that are necessary for conducting business serve to limit overall operational security. Making broadly available the best assessment tools will benefit not only direct users of your product or service but increase overall nationwide security when done in collective effort with other enterprises. A "Center of Excellence" for scanning and assessment tools will create a testing environment to evaluate software that can be used widely, but, in particular, small and midsize businesses and educational institutions that otherwise might lag behind large organizations.

Action: Security teams should track this development because it is intended to support best practices in a shared environment that will make network testing more effective and less costly.

2. Recommendation: Establish limited-time, outcome-based market incentives to encourage organizations to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.

Budgetary constraints sometimes lead organizations to make suboptimal decisions about the types of processes and technologies they implement to prevent cyber attacks. The NIAC report recommends implementing tax credits to enable and encourage security system upgrades, which will free up significant financial resources that can be directed toward improving cyber resilience.

It also urges relief from government security audits when industry standards are consistently met. How can anyone tell when industry standards are met? The Commission strongly recommends implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework in order to qualify for incentives.

Action: Security teams should begin orienting their cybersecurity program around the NIST Cybersecurity Framework, and they should track and support the development of legislation to provide incentives to organizations that can demonstrate a standardized level of cyber maturity.

3. Recommendation: Establish separate, secure communications networks specifically designated for the most critical cyber networks.

While the primary inspiration for this recommendation is the utility industry's IT and OT networks, the definition of "critical infrastructure" has broadened. It now includes other systems of computing networks without which the country couldn't operate, including financial systems. As the threats escalate and attacks become more organized, leveraging "dark fiber" networks and other alternatives for key critical communications is highly recommended.  

Action: In addition to tracking the development of dark fiber networks, security teams supporting critical infrastructure should identify the most critical communication processes and evaluate how those can be hardened, including the use of private networks. 

The urgency depicted in the NIAC report and the increasing frequency and impact of large breaches like Equifax is accelerating the government's concern with the state of the nation's cybersecurity. We recommend keeping an eye on the steps that will be taken based on the report's recommendations, as we may be heading toward a cyber Sarbanes-Oxley Act.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Mike Shultz is CEO and founder of Cybernance, a SAFETY Act-designated company that regulated industries, public companies, and government agencies rely on to oversee and manage cyber-risk. Previously, Shultz was CEO of cybersecurity firm Infoglide Software, the application ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0055
PUBLISHED: 2020-02-19
OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.
CVE-2019-12437
PUBLISHED: 2020-02-19
In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does not completely mitigate the risk of CSRF in GraphQL mutations,
CVE-2020-8441
PUBLISHED: 2020-02-19
JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
CVE-2020-8824
PUBLISHED: 2020-02-19
Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name on the Wireless > Access Control > Add Managed Device screen.
CVE-2020-8959
PUBLISHED: 2020-02-19
Western Digital WesternDigitalSSDDashboardSetup.exe before 3.0.2.0 allows DLL Hijacking.