NIST it by that much. Using and Abusing the NIST 800 Series

Upload: kathryn-mclaughlin

Post on 26-Dec-2015


Who We Are and Why We’re Here

• Adam Stone

– LBNL – University of California managed Department of Energy laboratory (fundamental, unclassified research).

– Regulatory environment: highly activated. 18 cyber security audits in 24 months. C&A, OMB, NIST; GAO, IG, UC, Red Teams.

• Stephen Lau

– UCSF – Dedicated health sciences campus

– Many National Institutes of Health and Veterans Administration researchers

– Regulatory environment: HIPAA, SB1386, FERPA, e-Discovery, etc.

• Both of us have seen the NIST 800 Series being applied in positive and negative fashions.

• The NIST 800 Series can be your friend or your worst nightmare…


How did we get here?

Title 3 of the E-gov Act

AKA FISMA


The Current Environment


Current Environment Continued…

• What do DOE/OMB people see when they look out at the world?

– Outsourced, centrally managed IT

– Totally locked down desktops

– Central patch management

– Tiny visible footprint networks

– Standardized OS and software load

– Duplicative IT investments

– Low quality project management in IT

– All Federal systems are RISKY systems!

• But R&E typically looks different

– Self managed or lightly managed

– Few lockdowns, default allow

– User patch management

– Mostly visible footprint networks

– Open systems for collaboration

– Users are smart and expect flexibility and autonomy.

– Most systems are not very risky

What is the future of this disconnect?


What is NIST?

• NIST – National Institute of Standards and Technology (www.nist.gov)

– Part of the U.S. Department of Commerce

• Establishes standards for the U.S. federal government

– Weights, measures, etc.

– Previously concentrated on esoterica… now given free rein over government information security

• NIST has published a series of information security guideline documents

– Collectively known as the “NIST 800 Series”

– http://csrc.nist.gov/publications/nistpubs/

• Covers a wide spectrum of topics

– Risk assessments, wireless security, encryption, telecommuting, etc.


Why Should I Care?

• Many federal agencies are requiring “NIST compliant” security documentation for federally funded projects or for collaborations

– National Institutes of Health, Veterans Administration, Department of Defense, Department of Homeland Security, etc.

– Your colleagues, users, clients and funding sources may ask:

• Is the resource you provide “NIST Compliant”?

• Can you help me become “NIST Compliant”?

• Information security documents may use NIST methodology with regard to “risk” and “controls”

– Controls are security techniques that address a risk

• e.g. passwords, firewalls, documentation

– Requirement documents may ask you about “risk” and “controls”

• The model is useful, even if the level of detail probably (definitely) exceeds what is useful for most University/research environments.


What the NIST Documents Are Not

• They should not be viewed as “checklists” to complete

• They are not rules you must abide by

– NIST documents contain many loopholes and generalities on purpose

• “Compensating controls” (more on this in a bit)

• “Residual risk”

• “Risk acceptance”

• Doing everything in the NIST documents won’t make you secure

– It’ll just kill a lot of trees and give you a false sense of security

• They are neither comprehensive nor complete

– Some of the documents are woefully out of date

Caveat emptor!


So What Are They Good For?

• Useful as a model for approaching information security

– Risk based model

• What are the consequences of “bad things”?

• low/medium/high risk

– Controls and compensating controls

• One size doesn’t fit all; different things can achieve the same result

• Ideal for diverse distributed environments

• Unified, consistent approach to information security

– Common language and methodology

• Good as a reference guide and to ensure “covering of all bases”

– See examples coming up…


Nistiverse

The NIST lifecycle, step by step:

Security Categorization (FIPS 199 / SP 800-60): Defines the category of the information system according to the potential impact of loss.

Security Control Selection (SP 800-53 / FIPS 200): Selects minimum security controls (i.e., safeguards and countermeasures) planned or in place to protect the information system.

Security Control Refinement (SP 800-53 / FIPS 200 / SP 800-30): Uses risk assessment to adjust the minimum control set based on local conditions, required threat coverage, and specific agency requirements.

Security Control Documentation (SP 800-18): In the system security plan, provides an overview of the security requirements for the information system and documents the security controls planned or in place.

Security Control Implementation (SP 800-70): Implements security controls in new or legacy information systems; implements security configuration checklists.

Security Control Assessment (SP 800-53A / SP 800-37): Determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements.

System Authorization (SP 800-37): Determines risk to agency operations, agency assets, or individuals and, if acceptable, authorizes information system processing.

Security Control Monitoring (SP 800-37): Continuously tracks changes to the information system that may affect security controls and assesses control effectiveness.



Security Categorization (FIPS 199)

• Confidentiality

• Integrity

• Availability

Low, Medium, High: High Water Mark



Security Control Selection (800-53 Catalog)

• The NIST Low, Medium, and High Baselines

Key Concept: Common Controls


Categories of Control


We don’t just mean shared authN.



Refining the Controls: Making Risk Based Judgments

• Scoping

• Compensating

• Organization Defined Controls


Tailoring the Baseline


Scoping Guidance

Common security control-related considerations: Common controls are managed by an organizational entity other than the information system owner. Organizational decisions on which security controls are viewed as common controls may greatly affect the responsibilities of individual information system owners.

Operational/environmental-related considerations: Security controls that are dependent on the nature of the operational environment are applicable only if the information system is employed in an environment necessitating the controls.

Physical infrastructure-related considerations: Security controls that refer to organizational facilities (e.g., physical controls such as locks and guards, environmental controls for temperature, humidity, lighting, fire, and power) are applicable only to those sections of the facilities that directly provide protection to, support for, or are related to the information system.

Public access-related considerations: Security controls associated with public access information systems should be carefully considered and applied with discretion since some security controls from the specified control baselines (e.g., identification and authentication, personnel security controls) may not be applicable to users accessing information systems through public interfaces.

Technology-related considerations: Security controls that refer to specific technologies (e.g., wireless, cryptography, public key infrastructure) are applicable only if those technologies are employed or are required to be employed within the information system.

Policy/regulatory-related considerations: Security controls that address matters governed by applicable laws, Executive Orders, directives, policies, standards, or regulations (e.g., privacy impact assessments) are required only if the employment of those controls is consistent with the types of information and information systems covered by the applicable laws, Executive Orders, directives, policies, standards, or regulations.

Security objective-related considerations: Security controls that uniquely support the confidentiality, integrity, or availability security objectives may be downgraded to the corresponding control in a lower baseline (or appropriately modified or eliminated if not defined in a lower baseline) if, and only if, the downgrading action: (i) is consistent with the FIPS 199 security categorization before moving to the high water mark; (ii) is supported by an organizational assessment of risk; and (iii) does not affect the security-relevant information within the information system.

Next 3 slides stolen from NIST


Compensating Security Controls

• The organization selects a compensating control from NIST SP 800-53, or if an appropriate compensating control is not available in the security control catalog, the organization adopts a suitable compensating control;

• The organization provides a complete and convincing rationale for how the compensating control provides an equivalent security capability or level of protection for the information system and why the related baseline security control could not be employed; and

• The organization assesses and formally accepts the risk associated with employing the compensating control in the information system.


Organization-defined Parameters

Security controls containing organization-defined parameters (i.e., assignment and/or selection operations) give organizations the flexibility to define selected portions of the controls to support specific organizational requirements or objectives.

CP-9 INFORMATION SYSTEM BACKUP

Control: The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and protects backup information at the storage location.
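The categorization (high water mark), baseline selection, scoping, compensating-control and organization-defined-parameter slides above describe one procedure, so here it is carried through as a small Python model. This is an added example, not code from the deck or from NIST. Everything in it is constructed for illustration: the control IDs and titles are real 800-53 controls but their baseline membership here is a toy subset that differs between 800-53 revisions; the enclave, the common-control providers, the compensating control and the backup frequency are all made up; the only control the slides themselves name is CP-9.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

# FIPS 199 impact levels. The deck says Low/Medium/High; FIPS 199 calls the middle
# level "Moderate", so both spellings are accepted and the canonical name is returned.
RANK = {"low": 1, "medium": 2, "moderate": 2, "high": 3}
NAME = {1: "low", 2: "moderate", 3: "high"}


def high_water_mark(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 categorization: the system takes the highest of its three objectives."""
    return NAME[max(RANK[x.lower()] for x in (confidentiality, integrity, availability))]


@dataclass(frozen=True)
class Control:
    cid: str
    title: str
    baselines: FrozenSet[str]          # baselines that include it (constructed, see below)
    technology: Optional[str] = None   # scoping: applies only if this technology is employed
    parameter: Optional[str] = None    # organization-defined parameter to be assigned


# Constructed miniature catalog: real 800-53 IDs and titles, but illustrative baseline
# membership. Take real membership from the 800-53 baseline tables, never from this list.
ALL = frozenset({"low", "moderate", "high"})
CATALOG = [
    Control("AC-2", "Account Management", ALL),
    Control("AC-18", "Wireless Access", ALL, technology="wireless"),
    Control("AU-2", "Auditable Events", ALL),
    Control("CP-9", "Information System Backup", ALL, parameter="frequency"),
    Control("PE-3", "Physical Access Control", ALL),
    Control("SC-13", "Use of Cryptography", ALL, technology="cryptography"),
    Control("SI-4", "Information System Monitoring", frozenset({"moderate", "high"})),
]


@dataclass
class Plan:
    """What ends up in the system security plan for one enclave (the SP 800-18 view)."""
    category: str
    implemented: List[str] = field(default_factory=list)       # system owner implements
    inherited: Dict[str, str] = field(default_factory=dict)    # common control -> provider
    compensated: Dict[str, str] = field(default_factory=dict)  # control -> substitute + why
    parameters: Dict[str, str] = field(default_factory=dict)   # control -> assigned value
    scoped_out: List[str] = field(default_factory=list)        # removed by scoping guidance


def select_baseline(category: str) -> List[Control]:
    """SP 800-53 / FIPS 200: the minimum control set for the categorization."""
    return [c for c in CATALOG if category in c.baselines]


def tailor(category: str, technologies: Iterable[str], common: Dict[str, str],
           compensations: Dict[str, tuple], parameters: Dict[str, str]) -> Plan:
    """Apply the refinement steps from the scoping and compensating-control slides."""
    plan = Plan(category=category)
    tech = set(technologies)
    for c in select_baseline(category):
        # Technology-related scoping: a control tied to a technology not in use is dropped.
        if c.technology is not None and c.technology not in tech:
            plan.scoped_out.append(c.cid)
            continue
        # Common control: managed by an entity other than the system owner; record who.
        if c.cid in common:
            plan.inherited[c.cid] = common[c.cid]
            continue
        if c.cid in compensations:
            substitute, rationale, risk_accepted = compensations[c.cid]
            # All three conditions on the slide must hold, or it is not a compensating control.
            if not substitute or not rationale.strip():
                raise ValueError(f"{c.cid}: needs a substitute control and a convincing rationale")
            if not risk_accepted:
                raise ValueError(f"{c.cid}: residual risk must be formally accepted")
            plan.compensated[c.cid] = f"{substitute}: {rationale}"
            continue
        if c.parameter is not None:
            # Organization-defined parameter: the [Assignment: ...] blank must be filled in.
            if c.cid not in parameters:
                raise ValueError(f"{c.cid}: organization-defined {c.parameter} not assigned")
            plan.parameters[c.cid] = parameters[c.cid]
        plan.implemented.append(c.cid)
    return plan


def example_enclave() -> Plan:
    """Constructed research enclave: moderate on confidentiality, low on the other two."""
    category = high_water_mark("medium", "low", "low")  # -> "moderate"
    return tailor(
        category,
        technologies={"cryptography"},  # no wireless, so AC-18 is scoped out
        common={"PE-3": "Facilities (campus badge system)", "AU-2": "Central syslog service"},
        compensations={"SI-4": ("Perimeter IDS run by the central security group",
                                "hosts are self-managed, so host agents are not feasible; "
                                "perimeter monitoring gives equivalent detection coverage", True)},
        parameters={"CP-9": "daily incremental, weekly full"},
    )
```

`tailor` refuses a compensating control that lacks a substitute, a rationale or a formal risk acceptance, and it refuses an organization-defined parameter that was never assigned; those are the gaps that turn up later at assessment time, so it is cheaper to make the plan unbuildable without them than to discover them in the 800-53A review.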

Slide stolen from NIST



Documentation: The painful part.

A broad scale look at the controls.

The notion of common controls: where can application or subsystem owners turn to know what (if anything) is being provided centrally.



Implementation: Self Explanatory (and actually the important part)



Assessment:

800-53a (the mother of the mother of all checklists)

Technical Testing and Auditing

Artifacts



Authorization:

Certify & Accredit

Certify: This is working as described and is appropriate

Accredit: It appears to be and the remaining risk is acceptable.



Continuous Monitoring:

Is it working? Is it sufficient?


NIST at UCSF

• UCSF conducting Campus-wide information security risk assessments

– Divided Campus into “control points”

– Risk categorization based upon NIST “low/medium/high” concept

– Using NIST “controls” concept to make sure “all bases are covered”

• e.g. access, physical security, documentation, user education, etc.

• Developed our own “risk impacts”

– Risks endemic to a University (not necessarily covered by NIST)

– e.g. Campus reputation

• low – work unit impact

• medium – department/school wide

• high – national/international reputation of UCSF

• Developed “suite of interview questions”

– Same series of questions being asked across Campus

– Same questions phrased differently

• Sometimes get different answers based upon phrasing


NIST at UCSF

• Goal: Develop continual risk assessment of UCSF

– Identify similar “high risks” facing entire Campus (target those)

– Revisit risk assessments to see progress made (if any)

• Consider availability of resources to address risk

– Because that’s a risk in itself!

• Goal II: Security plans based upon risk across entire Campus, subdivided into “control points”

• Interim Results:

– Have uncovered high risk areas not normally considered when focusing solely on “legal” requirements, e.g. SB1386, HIPAA

• e.g. Animal research databases, hazardous chemicals information, politically sensitive databases


NIST @ LBL

The documentation-heavy version:

• Approximately 300 pages of security plans for five enclaves and supporting docs.

• An interactive database for each control which allows each enclave owner to see how other people implement.

• Extensive wikis for managing documentation requirements

• C&A is (sadly) a hundreds-of-thousands-of-dollars effort.

The documentation-light version:

• SCRAPs

Enclaves as a way of thinking about risk.


Regulatory Outlook

• More regulations are coming down the pipe

– Increased mixing of highly activated OMB/NIST regulatory machines with University rules and regulations.

– Increasingly activated University internal auditors with interest in cyber security.

– DHS and NSA are both interested in “helping” non-governmental networks.

But Higher Ed is different.

• Laws are becoming financially burdensome for sites

– CA SB1386 requires notifications for exposure of personally identifiable information

• Estimates are around $100.00/notice

• e.g. 50,000 individuals to be notified == Big $$


Regulatory Outlook 2

• Collaborations with Government Research Entities are becoming more and more difficult:

– NASA, NIH, National Laboratories, some FFRDCs (but not all)

– Sharing data with government entities (VA, NIH, CDC) seems likely to get more and more difficult.

• Ongoing government consolidation and security projects seem likely to negatively impact the interaction between Higher Ed and Government research:

– Network consolidation

– System lockdown

– Movement of previously open information behind firewalls.

– Expansion of the notion of “IT Project” subject to reporting controls.


The Big Takeaways

• NIST is useful; take a graded approach.

– It’s not a sacred text (nor is it intended to be)

• Doing everything NIST wants you to do does not equal security; it just kills trees and annoys people (do the good parts).

• If it doesn’t reflect reality, don’t write it down.

• Holistic Risk Assessment is critical (and lacking)

“Once the rockets are up, who cares where they come down. That’s not my department,” said Wernher von Braun…


“Whatever behavior will get an agency executive in trouble will get a manager in trouble; whatever gets a manager in trouble will get an operator in trouble… This means that even talented and motivated operators will not be free to violate rules that threaten their agency, even if the rule itself is silly.

Many agency executives do not understand this. They are eager to deflect or mollify critics of their agencies. In their eagerness they suppose that announcing a rule designed to forbid whatever behavior led to the criticism actually will work. Their immediate subordinates, remote from field pressures (and perhaps eager to ingratiate themselves with the executives) will assure their bosses that the new rule will solve the problem. But unless the rule actually redefines the core tasks of the operators value, the rule will be seen as just one more constraint on getting the job done (or, more graphically, as ‘just another piece of chicken****’).”

Artifacts and policy that don’t kill the core task.

Wilson, Bureaucracy, What Government Agencies Do and Why They Do It.


Contact Information

Stephen Lau
University of California, San Francisco
Enterprise Information Security / OAAIS
Email: [email protected]
Phone: +1 (415) 476-3106
PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B

Adam Stone
Berkeley Lab
Assoc. Liaison for IT (Policy & Assurance)
Email: [email protected]