What is NIST (National Institute of Standards and Technology)?
Before we dive into NIST SP 800-53, let us try to understand what NIST is and how it impacts Information Technology Security.
NIST is the National Institute of Standards and Technology, a non-regulatory federal agency within the U.S. Department of Commerce. What is the primary mission of this national institute? It improves measurement and standards for technology across different industries.
NIST, formerly known as the National Bureau of Standards, has been developing measurements, metrics, and standards for technology since 1901. NIST made its presence felt during wartime weapon systems development and manufacturing in the 1940s. But the world has changed since then. With the advent of electronic computing came SEAC (Standards Eastern Automatic Computer), SWAC (Standards Western Automatic Computer), and DYSEAC (the second SEAC). These computers were important milestones in computer history in the 1950s, and NIST made a significant impact on computer development.
The next wave of technology improvement reached new heights in the 1970s and NIST evolved to become the watchdog. From computer chips to power grids, NIST started to focus on how to protect critical infrastructure.
This is what led NIST to cybersecurity standards development (which we will touch on in the next section).
What is the NIST Cybersecurity Framework?
There are 3 important words in the question above. NIST, Cybersecurity and Framework. How do these 3 terms unite? Let us examine this relationship now.
Throughout its existence, NIST has been improving critical infrastructure in the United States, but things really changed when Americans embraced digital communications and information like never before. With the adoption of a technology-driven lifestyle, it became critically important to address economic security and information security and to improve our quality of life.
With the growing challenges around the information security of Americans, the necessity of an easy-to-implement cybersecurity and risk management standard was felt by many. This is where NIST stepped in, realizing a ‘framework’ was needed.
What is cybersecurity? Simply put, cybersecurity is the practice by which we make sure our systems, networks, and programs are unaffected by and safe from digital attacks.
What about the definition of framework? Framework is a structure to support building something useful.
So, riding high on the idea of cybersecurity to prevent, detect and respond to cyber incidents, NIST built a policy framework (a set of best practice guidelines) for better management of cybersecurity-related risks.
When was the NIST Cybersecurity Framework formed?
To understand why the NIST Cybersecurity Framework was formed, we have to understand what happened in 2013. In February 2013, Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” required a standardized security framework for critical infrastructure in the United States (and the result became what is known as the NIST CSF, the NIST Cybersecurity Framework).
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” – President Barack Obama, Executive Order 13636, Feb. 12, 2013.
In short, the presidential order paved the way for the NIST organization to create the NIST CSF to improve the national security posture and to tackle risk management by being proactive rather than having to rely on the reactive policies of most organizations.
Elements of the NIST Cybersecurity Framework
In this section we will examine the 5 functions that fall under the NIST Cybersecurity Framework:
Why is the NIST Framework important?
If you value the prevention of catastrophic cyber threats to your operational technology (OT), the NIST Framework paves the way to understanding the ‘why’ behind NIST. Ensuring compliance with NIST standards can be useful if we want to keep attackers at bay. Employee awareness is also important, and we can see its importance in the following picture:
Source: krebsonsecurity (https://krebsonsecurity.com/2016/07/the-value-of-a-hacked-company/)
Let us delve a little deeper. If any of the following possible consequences, from failing to follow NIST, strikes you as a critical outcome, it just means you should care more about your security posture:
NIST Non-Compliance Consequences
Loss of Business – Data breaches directly impact a company’s valuation. The after-effects on a business can lead to serious work disruptions. The cost of a data breach is hard to overstate, as it directly affects the trust of customers.
The Ponemon Institute validates the seriousness of a breach, showing that 36% of the cost of a data breach is the result of loss of business following an incident. The average cost of a data breach to businesses in the U.S. is pegged at $7.91 million, which happens to be the highest in the world.
Negative Impact on Reputation – We’ve seen that financial loss is directly related to data breaches. Add to that the impact on brand and reputation, and the picture can become quite bleak for an organization. Both the possibility of diminished reputation and the outright loss of reputation should be enough to make an organization proactive about security and about ensuring data protection.
A new study by PwC reported that approximately 85% of people are not likely to resume a business relationship if a breached organization does not implement improved security practices. Shedding more light on the importance of data and privacy, a Verizon report showed that 69 percent of respondents considered honesty and transparency around data protection to be of the highest importance when dealing with organizations.
Criminal Charges or Lawsuits – How seriously an organization takes its data is partly visible in the actions it takes to protect its ‘crown jewels’. Ignoring the NIST standards can lead to criminal charges, and in these rapidly changing times the costs of non-compliance are getting higher. In short, there are serious repercussions for noncompliance.
Who uses the NIST Cybersecurity Framework?
Although the NIST CSF is a US-oriented standard and works in tandem with American private-sector businesses and operators, its popularity has stretched to global organizations that want to address cybersecurity risks (threats, vulnerabilities, and impacts).
“The NIST Framework has proved itself through broad use by the business community. Among the sectoral associations that have incorporated the framework into cybersecurity recommendations are auto manufacturers, the chemical industry, the gas industry, hotels, water works, communications, electrical distribution, financial services, mutual funds, restaurants, manufacturing, retail sales, transportation, and corporate directors.”
– U.S. Chamber of Commerce, May 2017
Back in 2015, around 30% of all businesses in the US had embraced the NIST CSF. According to Gartner research, it is estimated that by the end of 2020 this will reach 50%.
Some of the largest enterprises in the world embrace and use the NIST Cybersecurity framework. Some of the trailblazers include:
- JP Morgan Chase
- Bank of England
- Nippon Telegraph and Telephone Corporation
- The Ontario Energy Board
What is NIST SP 800-53?
NIST SP 800-53 stands for NIST Special Publication 800-53, which outlines the guidelines an organization should use for selecting security controls.
As part of NIST’s Cybersecurity Framework, the NIST SP (Special Publication) designation indicates that the document contains a catalog of controls and reference materials, organized into several sub-series.
The NIST SP 800 series standards are meant to assist federal agencies and contractors so that they are aware of security topics including the Risk Management Framework and the requirements which fall under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST SP 800-53 is primarily concerned with enabling an effective risk management framework across the US (but it does not necessarily apply to agencies involved in national security).
It is also worth mentioning that another main objective of NIST SP 800-53 is to embrace the risk management ecosystem. So it serves two functions, the first of which is selecting the security controls under the NIST framework.
What is the purpose of NIST SP 800-53?
As mentioned above, the main purpose of NIST SP 800-53 is risk management. By employing the controls described in NIST SP 800-53, organizations can keep information more secure and manage their risk more efficiently.
In addition, NIST SP 800-53 also covers:
- Information Technology Laboratory (ITL) guidelines for information system security
- ITL’s actions in organizations
How many security controls are in NIST SP 800-53?
There are 18 different control families which fall under NIST SP 800-53, and the controls are divided according to their impact level – low, moderate and high.
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Program Management
- Risk Assessment
- Security Assessment and Authorization
- System and Communications Protection
- System and Information Integrity
- System and Services Acquisition
NIST 800-53 has 931 compliance requirements.
Application Security and the NIST SP 800-53 Revision 5 Draft
So, what is the big news around application security in NIST SP 800-53?
The latest version of NIST SP 800-53 is the Revision 5 Draft.
Since its inception, updates to NIST SP 800-53 have been continuous and the framework is constantly improving. There is reasonable logic behind continuously updating the framework: the technology ecosystem and the threat landscape are constantly changing, with more attacks and data breaches than ever. With the increase in cyber attacks, finding and protecting against vulnerabilities in applications has become one of the critical operations needed to lower the risk posed by attackers who are working overtime to breach an application’s security.
The most recent evolution and update was completed in 2018 and now in 2020, we are beginning to see some fresh revisions, although as of this writing they are still in draft.
NIST SP 800-53 Revision 5 Draft Includes RASP and IAST
There are 2 new inclusions that have found a home in the NIST standard:
- SA-11(9), about Interactive Application Security Testing (IAST; page 271)
- SI-7(17), which talks about Runtime Application Self-Protection (RASP; page 339)
These are the 2 updates which give a new boost to the importance of application security. The new updates include references to the need for interactive application security testing (IAST) and runtime application self-protection (RASP) tools.
With these updates, application security testing will be part of the mainstream NIST framework and should help developers catch security flaws before an application is launched.
And with RASP entering NIST SP 800-53, we finally have recognition that application security is a necessity for applications in production. Traditional perimeter-based protection of applications has proven to be insufficient, and runtime application security is needed to detect attacks in real time as well as to get better insight into those attacks.
With the implementation of the right RASP, organizations can gain two valuable capabilities to their security systems:
- Runtime Alerts when an Application’s Vulnerabilities are Exploited: Using technologies such as deterministic security, found in certain RASP solutions, can give an organization better coverage of vulnerabilities while reducing the overhead found in older RASP technologies; deterministic security also has the benefit of fewer false positives.
- Detailed Application Security Threat Intel: Some RASP solutions can also provide real-time, detailed telemetry on the attack incident, enabling organizations to block only the attacker while leaving the application accessible to valid users. Some RASP solutions can also provide detailed information on the vulnerability being attacked, including the code module and the line of code under attack, enabling organizations to remediate vulnerabilities more quickly.
The big benefit for SOC professionals, who battle significant numbers of false alerts on a daily basis, is a reduction in false alerts when using a deterministic application security tool, which does not need to rely on pattern or signature matching or on variations of past-attack matching (all of which are highly prone to false alerts).
NIST 800-53 and IAST
With this new draft, NIST has opened the doors to include instrumentation in interactive application security testing (IAST).
But what does ‘interactive’ signify in the definition of IAST? An IAST agent works inside an application and analyzes code as it runs during any testing process; in other words, it interacts with the ‘activities’ being performed on the application, so that the CI/CD pipeline is unaffected.
What’s the advantage of IAST? The keyword is ‘instrumentation’, and it solves the issues with traditional SAST and DAST tools. It provides faster remediation for vulnerabilities found in web application code during the penetration testing cycle. And because it works by interacting with an application, it is able to test more of the application than traditional SAST and DAST tools.
NIST SP 800-53 Revision 5 Draft and K2 Cyber Security
K2’s next generation application workload security platform provides lightweight, advanced security for runtime application protection. The K2 agent installs easily next to an application and protects the application from OWASP Top 10 attacks, memory-based attacks, and zero-day attacks in production environments. In pre-production environments, K2 works with existing penetration testing tools to give additional detailed telemetry around discovered vulnerabilities and discovers additional vulnerabilities in the application.
Exact Location of the Vulnerability: Once an attack is detected, K2 can provide the exact line number in the vulnerable code being attacked, along with the name of the code file being attacked. Pinpointing the location of the discovered vulnerability results in faster debugging and remediation for your developers.
Detect Missed Critical Vulnerabilities: Traditional penetration and vulnerability scanning tools can miss many important vulnerabilities such as remote code execution (RCE) attack vulnerabilities.
Recently, in a vulnerability test run with a leading scanning tool, the scanning tool reported only two RCE vulnerabilities, while K2 found and reported a significant number of additional RCE vulnerabilities.
Identification of False Positives: K2 can help you avoid chasing any false positives reported by the scanning tool.
For example, in the previously mentioned test, the scanning tool reported two Cross Site Scripting (XSS) vulnerabilities, but K2 did not find any, and on further investigation both XSS vulnerabilities reported by the scanning tool proved to be false positives.
K2 Cyber Security is providing free production licenses for 60 days during your testing cycle to find vulnerabilities in the code for a limited time.
K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself rather than relying on past attacks to identify a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy-to-use, easy-to-deploy solution. K2’s unique deterministic security detects new attacks without needing to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number being attacked, while at the same time integrating with leading firewalls to do real-time attacker blocking.
Change how you protect your applications.