The Security Framework for Information Assurance & Cyber Security
The following report discusses the limitations of the NIST Framework. The NIST Framework is the standard security framework for information assurance and cyber security. This framework is designed in a general composition in order to allow companies the ability to create customized security systems that fit their needs. The problem with the NIST Framework is that it is too broad in conceptualization and does not incorporate a hierarchy of information assurance. At the core of NIST is a system of risk assessment that is based on each company's own threat assessment and balancing of information needs. While this methodology is practical, it is also inherently over-reliant on the company to devise a proper threat analysis, which the company may not be capable of, or may be biased against because of other overriding interests. In this report, information assurance is prioritized within the NIST Framework in order to allow companies to follow a hierarchy of importance in information security. This change is necessary in order to create a more comprehensive form of risk management for information.
The corporate world of information is a difficult and complex domain in which information is dynamic and constantly being communicated across many different network channels. The private sector is a critical infrastructure for economic and other social stability. Maintaining information assurance is a priority within the private sector, but this priority is often lacking in resolve. The problem is that there are few standardized information risk management approaches that can be called upon, and while they are not intended to be a one-size-fits-all approach, these methods are often utilized in exactly that manner when securing networks. At the core of this issue is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. NIST has provided this framework as a methodology for businesses to assess and improve information assurance through the hardening of their information networks. The problem with this system is that it attempts to define risk in terms of an individualized approach based on risk tolerance, such that “organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures” (National Institute of Standards and Technology, 2014). The problem with this methodology is that, while it seems to provide a means of quantifying risk in an individualized approach, it creates arbitrary decisions concerning risk and what is most important for assuring information security. This problem can be seen in the oversimplified goals and design of the NIST Framework, which provides companies with the decision process for “mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk” (National Institute of Standards and Technology, 2014).
Ultimately, this process is flawed because it does not categorize information security in a hierarchy of risk, but instead attempts to create a cycle of continuous security operation that is meant to increase information assurance through improved security over time.
The Core of NIST
The NIST core is defined by specific elements that are meant to be cyclical. These elements are intended to create a secure information environment by reinforcing a culture of security over time through continuous practice. These elements include:
· Identify — Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
· Protect — Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
· Detect — Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
· Respond — Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
· Recover — Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
One must understand these elements in order to see the flaw in the system. The problem begins in the first element of the cycle, where identifying the risk begins. In this area, an organizational understanding is supposed to occur in which critical functions are understood and information vulnerabilities are identified. This is the area in which the lack of standardized risk management is most visible. There is no means outlined in the NIST Framework for categorizing risk or assessing vulnerabilities. This is completely left in the hands of the organization and its security staff. If the security vulnerabilities are prioritized incorrectly in this section, then each subsequent section of the framework is weakened by this error. Worse yet, the company believes that it is working towards information assurance when it is not. Because the company is not protecting against critical security issues, it cannot detect them, since it is not looking for these issues. As such, the detection, response, and resilience areas become weak and do not serve their function. This produces a cascading effect that can end in catastrophic failure.
The Failure of NIST
One of the more profound failures of the NIST Framework can be seen in the 2014 Sony hack. In this massive breach of security, Sony lost massive amounts of email and personal information of employees and other stakeholders (Pagliery, 2015). Sony is a large company with a large security system that is based on the standard risk management approaches. Despite the enormous information security and planning teams at Sony's disposal, its system was hacked due to basic failures in the security framework.
When Sony was hacked, it was blamed on North Korea and the attack was declared an unprecedented attack that took expertise, resources and knowledge to accomplish. The media exaggerated the nature of the attack, inadvertently making this incident appear to be a unique and sophisticated cyberattack that was new in design. In truth, the Sony attack was performed using malware that infects a computer through email. Once the malware was delivered, it attacked the Windows Management Instrumentation (WMI) tool using a denial of service attack:
…primary feature of the malware is that it wipes the hard drives of targeted systems. This is at minimum a strong indication of North Korean involvement. Previous attacks attributed to North Korea, including one last year against TV networks and banks in South Korea, have often included wiping software that destroys all data stored on the system (Hesseldahl, 2014).
The malware uses WMI to gain access to the computers before deleting their contents.
Researchers have determined that the attack starts with [malware] BKDR_WIPALL.A, which is the main installer and is disguised as an executable file named “diskpartmg16.exe.” (Kovacs, 2014)
This is far from a sophisticated attack, as it was a denial of service attack that required entry to the system in order to be effective (Trend Micro, 2014). After the Sony hack, investigations began to show that the reason for the attack was weak security policies that allowed for a breach in the system. The only way that this attack could have occurred is if the security of the network was weak enough to allow malware to enter (Zetter, 2014). As such, the NIST Framework failed to perform its function, since the core risk assessment process did not produce a security culture:
…former employees, who asked to remain anonymous, have told us that they’re disappointed but not surprised by the massive hack given Sony Pictures’ long-running lax attitude toward security. They say that employees highlighted specific vulnerabilities on company websites and systems that were never addressed (Hill, 2014).
There was a history of security violations being reported and ignored at Sony. Basic policies for hardening and creating information assurance were not followed because there was a lack of critical assessment of the systems (Hill, 2014). So lax was the security at Sony that the company had been hacked once before, when an employee working remotely from a public terminal forgot to log out of the company's system (Hill, 2014). Sony’s security and information assurance framework failed mainly because it was not able to prioritize its risks, and there was no insight into the dangers.
One might be inclined to believe that Sony is a special case and an exception to the rule, but in reality the threats to information assurance are vast and difficult to calculate. There are many examples of companies misusing the NIST Framework or making poor or arbitrary decisions concerning information. Almost all smart phone companies make the deliberate choice to issue their phones with security issues in the phones' operating systems. Many of these security issues are mild, but many of them are severe threats.
The reason this occurs is that the information threat assessment concerning smart phones is based on the idea that most phones only have a product life of 3 years. By the time the security issues are apparent, the phone has been replaced or is no longer being used. The decision to take this risk is based on economics: it would cost too much money to assess and secure phones by finding all the bugs in the operating systems. However, this threat assessment is not foolproof, and there are many instances where the threat is much larger than anticipated:
Last year, 5.6 million smart-phone users experienced undesired behavior on their phones such as the sending of unauthorized text messages or the accessing of accounts without their permission, our survey projects. According to experts, those are symptoms indicating the presence of malicious software.
The rate of such symptoms on smart phones, five percent, was far lower than the 31 percent rate of viruses and other malware infecting home computers that our survey also found. But it’s still troubling because it shows how common such incidents have become in just the six years since the iPhone popularized touch-screen smart phones (Consumer Reports, 2013).
The Sony case and the smart phone industry both reflect a problem in the current NIST Framework, in which information assurance is only as strong as the organization’s belief in its need to protect it. This idea may sound odd, but security is often arbitrary because the organization is able to define the hierarchy of importance of the data and functionality in its systems. There are also many factors that may bias the security assessment within companies, such as the need to get to market, competitive advantage, cost, etc. These factors create a landscape for information assurance in which security may make unwise tradeoffs. This issue is endemic to a system that lacks universal standards for information assurance and security.
Universal Information Security Standards
While information assurance may appear to be individual in nature with regard to organizations, this view is not completely true. There are information security standards that can be considered universal in nature and would improve the risk assessment process by creating better guidance within the NIST Framework. For example, personal information is not only considered a vital information source to protect, it is also regulated by law in most industries and countries. Any information that is personal or regulated would be at the top of the hierarchy, descending to public-facing information such as company web pages. This information hierarchy should be included in the core of the NIST Framework in order to provide the necessary guidance for information risk management assessment. But more than just stating the hierarchy, this methodology should dictate specific domains of information.
While this pyramid is by no means comprehensive of all aspects of the information assurance hierarchy, it represents the basic order of importance that needs to be conveyed in the NIST Framework. One might be inclined to argue that the NIST Framework is adequate and that the problem is that companies such as Sony do not perform an adequate assessment of their critical infrastructure. While this argument has merit, it falls short due to the nature of the NIST Framework.
The Need for a Hierarchy of Information Assurance
There is a tremendous need for information assurance to be classified in a hierarchy of importance within the NIST Framework. This need is based on the growth of information assurance security technologies. According to Liu, Yu, and Jiwu (2010), there are three essential components of information assurance, which are prevention, detection, and survivability or recovery. These components are very important because they dictate the purpose of security frameworks such as NIST. For example, the prevention of intrusions encompasses several areas of information assurance, including “access control and physical security, multiple levels of security, and cryptography” (Liu, Yu, & Jiwu, 2010). The question that arises is “how are companies supposed to determine the priorities of information security within these areas of prevention without some form of hierarchy?” They cannot. The authors of this research state this problem in terms of an information overload in which there are too many aspects of information assurance that must be considered, making it a complex undertaking:
It is no doubt that Information Assurance involves many disciplines and has a variety of aspects, such as the policy, legal, ethical, social, management, evaluation, and technical aspects of information assurance. Compared with traditional information security practices, Information Assurance not only involves the design and development of a variety of new security technologies, but also involves a variety of emerging policy, legal, ethical, social, economical, management, evaluation and assurance issues as Information Assurance evolves people’s practices of information security in an ever quicker pace.
This highlights another issue with the lack of guidance, in which information grows faster than it can be disseminated, and as such it must be protected even in instances where the information may seem benign or useless because it has not yet been studied (Liu, Yu, & Jiwu, 2010).
There is also the issue of information being inadvertently shared in ways that it should not be. For example, healthcare information is highly regulated within the spectrum of personal healthcare, but what happens when this information crosses into other domains such as research? There is large ambiguity in the regulations covering research and healthcare information because the standards change along with the laws. This problem highlights the fact that there is a lack of comprehensive information risk management assessment.
The NIST Framework is intended to provide a means for companies to assess information assurance within their specific functions, but there are many functions shared by almost all organizations, such as protecting financial data. The lack of a hierarchy of information assurance allows companies to overlook or diminish the value of certain data when they choose. This ability makes the NIST Framework somewhat arbitrary in nature. The policy failure that occurred at Sony was not a failure of security in the sense that there was no security, but rather that the framework allowed capricious decision making and a culture of ignorance to form concerning information assurance. In an audit by PricewaterhouseCoopers it was discovered that there were:
…more than 100 other devices that were not being monitored by the corporate security team charged with oversight of infrastructure, but rather by the studio’s in-house group, which was tracking activity on logs (Chmielewski & Hesseldahl, 2014).
There were also ridiculous common practices that evolved over time at Sony, including things such as storing passwords in folders marked “password” (Neil, 2015). While it might seem ludicrous that these actions were taking place, it was not as if Sony did not spend a large amount of money on security. The NIST Framework that the system was based on allowed arbitrary security decisions to be made, which evolved into these seemingly insane practices over time.
The real failure is caused by a lack of framework strength that reinforces strong policy development. The problem in modern information networks is that there is a lack of consideration for data and information needs, which can be caused by numerous factors other than biases in decision making. For instance, older companies may have older network systems that lack an emphasis on security, and a lack of understanding of the evolving business requirements. This is where the NIST Framework provides a strong basis for information assurance, as it seeks to reveal many elements that can be used to build policy. However, if one adds the factor of importance, or hierarchy of need, to these questions, it changes the scope of the NIST Framework:
1. Information security: permissions for access and firewalls, privacy concerns, data storage, and user access levels.
2. User requirements: who needs access to the network, and to what specific information and areas on the network? How will user identity be authenticated? What policies need to be implemented to create strong password practices?
3. Customer management: what are the customer needs for access and communication on the network?
4. Enterprise functions: billing, accounting, and similar functions.
5. Financial constraints: what costs will be involved due to the size of the network, processor speeds, types of hardware, etc.?
This example reinforces the need for a standardized approach to information risk management within the NIST Framework.
References
Chmielewski, D., & Hesseldahl, A. (2014, December 12). Sony Pictures Knew of Gaps in Computer Network Before Hack Attack. Retrieved from Recode: http://recode.net/2014/12/12/sony-pictures-knew-of-gaps-in-computer-network-before-hack-attack/
Consumer Reports. (2013, June). Keep your phone safe: How to protect yourself from wireless threats. Retrieved from Consumer Reports: http://www.consumerreports.org/cro/magazine/2013/06/keep-your-phone-safe/index.htm
Hesseldahl, A. (2014, December 2). Details Emerge on Malware Used in Sony Hacking Attack. Retrieved from Recode: http://recode.net/2014/12/02/details-emerge-on-malware-used-in-sony-hacking-attack/
Hill, K. (2014, December 4). Sony Pictures hack was a long time coming, say former employees. Retrieved from Fusion: http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/
Kovacs, E. (2014, December 4). Researchers Analyze Data-Wiping Malware Used in Sony Attack. Retrieved from Security Week: http://www.securityweek.com/researchers-analyze-data-wiping-malware-used-sony-attack
Liu, P., Yu, M., & Jiwu, J. (2010). Information Assurance. Retrieved from Pennsylvania State University: https://s2.ist.psu.edu/paper/82-info-assurance-v6.pdf
National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity. Washington: National Institute of Standards and Technology.
Neil, M. (2015, January 16). After Sony Hack attack, companies are curtailing email use and storage. Cybersecurity , 1(34), 36.
Trend Micro. (2014, December 3). An Analysis of the “Destructive” Malware Behind FBI Warnings. Retrieved from Trend Micro: http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-the-destructive-malware-behind-fbi-warnings/
Zetter, K. (2014, December). Sony got hacked hard: what we know and don’t know so far. Retrieved from Wired: http://www.wired.com/2014/12/sony-hack-what-we-know/