cs-3113: finish up NISTIR-7621 report part I

Price Hiller 2024-09-15 21:29:18 -05:00
parent 2d7bf7c65f
commit e83d847342
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
7 changed files with 230 additions and 0 deletions

@ -0,0 +1,75 @@
#let fontsize = 11pt
#set text(top-edge: 0.7em, bottom-edge: -0.3em, font: "Calibri", fontsize)
#show heading: set text(fontsize)
#show heading.where(level: 1): set align(center)
#show heading.where(level: 2): set align(left)
#set page(
margin: 1in,
numbering: "1",
number-align: right + top,
"us-letter",
)
#let title = [Analysis of _NISTIR 7621 Revision 1_]
#let author = [Price Hiller]
#let university = [University of Texas at San Antonio]
#let course = [CS 3113: Principles of Cybersecurity]
#let instructor = [Dr. Kirsten E. Webbe]
#let publication_date = datetime.today()
#set document(title: title, author: author.text, date: publication_date)
// ===== TITLE PAGE =====
#align(horizon + center)[
= #title
\
#author\
#university\
#course\
#instructor\
#publication_date.display("[month repr:long] [day], [year]")\
]
#pagebreak()
// ===== TITLE PAGE =====
#par(
leading: 1em,
first-line-indent: 2em,
justify: true,
)[
NISTIR-7621 Revision 1 is generally sufficient as a framework for small business information security; although a bit dated, many of its points are still applicable to today's information security landscape. NISTIR-7621 does have failings: some of its information, especially the more detailed recommendations given, are at times outright wrong or reduce security posture in a organization. Despite occasional failures around detailed information, the recommendations in general are largely still in line with today's best practices. Said recommendations are mostly applicable to someone with a growing small business who lacks technical knowledge surrounding information security. My analysis of NISTIR-7621 is separated by the major sections of NISTIR-7621 with the exclusion of its first section, those sections being: Understanding and Managing Your Risks, Safeguarding Your Information, and Working Safely and Securely.
== Analysis of Understanding and Managing Your Risks
This section is most focused upon categorizing risk when it comes to information, identifying risk items, and inventorying what information may need to be secured. Overall, the section does a satisfactory job of approaching risk when applied to information security and gives clear actionable items throughout it. In fact, it serves as a near step-by-step tutorial to doing an information audit.
The writing of managing risks as action items is a great approach, and it would be fantastic to see other documents follow the same approach themselves. It gives a clear, concise, framework to begin an information audit, a core procedure for information security. If you don't even know what you have and the value of those items, how can you even begin to manage anything? Better yet, the document provides resources to leverage in case a small business owner needs assistance. Many frameworks toss readers to the wolves with superficial statements or steps, whereas NISTIR-7621 is much more thorough which increases the likelihood of a successful information audit and, as a result, an improved security stance of a given small business.
A small criticism, there isn't a mention to maintain a constantly updated inventory and risk assessment after the steps are taken. An acceptable improvement would be a recommendation to create a spreadsheet or equivalent of information assets and risk analysis that is kept as a source of truth to be regularly updated when a business' information changes. This would improve awareness of information risks and assist with compliance and insurance requirements. Currently, the section reads as though this needs to only be done occasionally, whereas a constant undertaking of the inventory and risk audit would be better.
Otherwise, NISTIR-7621's layout of risk management does an acceptable job of providing a simple and, most importantly, actionable framework for small business owners to rely on.
== Analysis of Safeguarding Your Information
Unfortunately, this is where some incorrect information from NISTIR-7621 begins to appear and will be the largest part of my analysis. Many of the policies recommended here are actually good, however some of the details have incorrect or invalid information or outright _harmful_ information when it comes to information security. To reiterate, overall, the points and recommendations raised are mostly good, but some details could use improvements.
One of those places where improvements could be found are in the idle session lock recommendations. The recommendations for idle sessions sounds good on paper, but are impractical and likely harmful. To be clear, locking the session after idling for a while _is_ a good idea, but the given example idle lockout time is "2 minutes" — this is much too short a time window for an idle user. By having such a low example recommended lockout time, implementations will likewise pick short idle lockout times as well. From my own personal experience as a Systems Administrator, allow me to cast down enlightenment on session locks: do not pick a super short idle window. Why? Because users are too clever for their own good. The example 2 minute lockout will almost certainly lead to something like the following scenario: Lisa the accountant shows up to work after the session lock policy was implemented the night before. She ends up on a phone call or other work at her desk without touching her computer for a few minutes. The computer locks. Lisa gets slightly annoyed. Lisa unlocks the computer. Later, she does another task that causes her session to idle. The computer locks. Lisa gets a bit more annoyed than the last time. Lisa unlocks the computer. And on and on that will go until Lisa has a brilliant idea! Defeat the idle detection. She may install a mouse jiggler or equivalent and thus she no longer has her user session lock; then she gets up for lunch one day and somebody else walks up to her now unlocked computer and copies the entire business's account sheets. Unfortunately, that was _not_ a hypothetical situation, we truly had that occur to one of the firms we managed systems for. A real solution (and the one we employed) is to use proximity sensing to automatically engage the session lock when the user leaves the workstation. 
Beyond my own anecdotal experiences, NIST SP 800-53 makes mention of using a timeout as well, but goes further and mentions "A proximity lock may be used to initiate the device lock..." @nist-timeouts.
Another recommendation made by NISTIR-7621 is the following, "Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID)" when configuring wireless access points. On paper, this seems okay, but in practice is useless in terms of security. When disabling a broadcast of SSIDs, that does _not_ stop the Access Point (AP) from broadcasting its availability. What really happens is that the beacon frame is still broadcast, but on old APs the SSID is `NULL` when sent or on new 802.11 compliant APs, the wildcard SSID is used @ieee-ssid which means for beacon announcements it's treated as _hidden_. The network is not actually _hidden_. An attacker will do a scan and pick up your _hidden_ network, or, in the case of some operating systems, they may choose to display your network as "Hidden Network" in the network selection menus. What this does do though, is make it _much_ more difficult for genuine users to connect devices to the network. This is security through obscurity, with little to no security benefit and a headache for users.
Unfortunately, NISTIR-7621 gives another questionable recommendation around WiFi, "Set your router to use WiFi Protected Access 2 (WPA-2)"; although, this is more of a display of NISTIR-7621's age than anything outright wrong. Nowadays we have WPA-3 which improves security over WPA-2. Many WPA-2 networks are particularly vulnerable to something called Key Reinstallation Attacks @krackattacks among a slew of other vulnerabilities that WPA-3 addresses. The more modern recommendation would be to default to WPA-3, and use WPA-2 where necessary. WPA-2 may be necessary when working with Internet of Thing (commonly abbreviated IoT) devices so when WPA-2 is required, more strict deployment behaviors should be followed.
A good recommendation provided by NISTIR-7621 is its advice for handling backups of data across the business. NISTIR-7621's backup recommendations closely mirror today's best practices for backups. It mentions that backups should be stored in a few different formats, but importantly those recommended formats end up being stored in _three_ different places, on _two_ different media types, and at least _one_ backup offsite as result of the media chosen. Specifically NISTIR-7621 recommends backing up to the following: "removable media", "a separate server that is isolated from the network", "online storage (e.g. a cloud service provider)". This recommendation is great as it follows the 3-2-1 backup rule @cisa-backups, but some critiques of its backup policies are necessary. NISTIR-7621 is perhaps too weak pushing the 3-2-1 rule per US-CERT's recommendations. Today, implementing 3-2-1 backups is relatively simple. Furthermore, instead of stating "You may want to consider encrypting your backups", NISTIR-7621 should push explicitly for encrypted backups instead of being as a mere consideration. With cloud providers today, encrypted backups are simple off-site and managing on-site encrypted backups can be as simple as using a password stored in a secure deposit box. There's not a good reason today, to _not_ encrypt backups. Especially with the rise of privacy laws locally and abroad, proper encryption of sensitive 3rd party information has become more and more a matter of regulatory compliance. For instance, to comply with the European General Data Protection Regulation (GDPR) and thus do business with EU entities, backups should be encrypted if interacting with any personal information (emails, phone numbers, and more) as the "...regulation applies to the processing of personal data..." @gdpr-data-control.
Section 3 has some recommendations that have problems in the details, but the general recommendations are sufficient for small businesses. Once again, NISTIR-7621 demonstrates its best aspect in how immediately actionable the provided information is. NISTIR-7621's explanations are thorough, this is invaluable when it comes to creating a framework for best practices. While that information may be occasionally lacking, it's usually good enough. After all, perfect is the enemy of good.
== Analysis of Working Safely and Securely
Section four of NISTIR-7621 focuses on general rules of thumb for practicing safe business habits relating to information security. The recommendations are intended for all employees to be trained on in a given business to ensure general user awareness of security.
There aren't any significant flaws I can readily identify within section four, its information is user awareness and security training 101. Though, as an extension, it would be useful to add installing an ad blocker to supplement the "Be careful of email attachments and web links" recommendation. Specifically for web links. The Federal Bureau of Investigation (the FBI) recommends to "use an ad blocking extension when performing internet searches." @fbi-adblock Using an ad blocker should massively cull the number of malicious sites and links that appear when browsing and further enhance user security.
== General Analysis of NISTIR-7621
NISTIR-7621 does an overall satisfactory job of informing small business owners of the information security controls and practices they should implement for their businesses. Due to the age of the document some details within the practices are questionable at times, but the overall framework given is filled to the brim with useful security information. In particular, NISTIR-7621 should be praised for the amount of actionable information and clear steps it provides. Non-technical owners should be able to relatively easily follow and implement NISTIR-7621's general recommendations and processes.
]
#bibliography("./bibliography.yml", style: "american-psychological-association")
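Review bot: The WPA-2 paragraph ends with "more strict deployment behaviors should be followed" but never says what those behaviors are, so the one place the paper tells a reader to keep the weaker protocol gives them nothing to act on. Name one or two, for example putting WPA-2-only IoT devices on their own SSID or network segment and keeping clients patched. The idle-lock paragraph has a similar gap: it rejects the "2 minutes" example and offers proximity sensing, but gives no alternative timeout value for a small business that has no proximity hardware.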

@ -0,0 +1,52 @@
# Assignment #1 Part I, 70 points
Assessments: Review of NISTIR 7621 Purpose Assignment 1, Part I
There are many ways to approach cybersecurity at an organization; and many different activities that may be conducted in a cybersecurity assessment ranging from design and policy reviews, to penetration testing (or other kinds of testing), to audits conducted by impartial, certified third-parties.
However, to ensure that appropriate cybersecurity activities are conducted by, or for, a specific organization, industry, system, or task, numerous standards and frameworks have been developed to guide those activities.
In this assignment, you will be reviewing the National Institute of Standards and Technology (NIST) Internal/Interagency Report (IR) 7621 Rev. 1, Small Business Information Security: The Fundamentals (NISTIR 7621) to evaluate its effectiveness in outlining activities that should be undertaken by small businesses and organizations to ensure an appropriate cybersecurity posture.
This document can be found here: [https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final](https://csrc.nist.gov/publications/detail/nistir/7621/rev-1/final)
_**Note**: Common pronunciation of NIST is similar to "mist" and NISTIR is similar to "mister". Also, they are often referred to by their number only, so this would be “NISTIR 7621.” Some standards, such as NIST SP 800-53 are often referred to as “Eight-hundred, fifty-three” and the revision number is included only when it is specifically required. For example, if an agency is updating their policies to 800-53 rev. 5, then it would be explicitly mentioned like, "In eight-hundred fifty-three rev 4, it says… but in rev 5, it says...", otherwise, the general assumption is comments or discussions refer to the latest version._
_**Note 2**: You are going to be conducting a cybersecurity assessment of a fictional organization for the Course Project, and will be leveraging what you learn from this assignment, and the artifacts that you develop in Part II. **So, please treat this assignment seriously, it will pay off later in the semester!**_
## Assignment
**For this part of Assignment 1, you will analyze NISTIR 7621, and identify areas (if any) where the standard could be updated, expanded, or improved. If the standard appropriately covers an area, you will include your reasoning for why it is appropriate/sufficient in that area.**
While doing this assignment, please consider these issues specific to small businesses or organizations:
- They may not have the expertise or understanding to perform complex, technical tasks. So, overly detailed or complex frameworks may be beyond their capability.
- With a smaller number of employees, they may not have a lot of time to dedicate to the process (For example, NIST SP 800-53 Rev. 5 is 492 pages long and is far too detailed and time consuming for a small organization to use.)
- They may not have the funding to bring in a 3rd party to assist with their cybersecurity needs, and given #1 and #2 may not be able to do a lot of work themselves, so any framework needs to:
1. **Stay focused on the critical areas**
2. **Be as short and concise as possible (NISTIR 7621 is only 10% the size of 800-53)**
3. **Must address important areas while doing (a) and (b)**
4. **Make trade-offs between detail and usability (something cybersecurity professionals have to deal with daily!)**
- A framework for a small business will direct their efforts to ensure an effective cybersecurity program, with a minimum amount of overhead.
## Deliverables
1. (70 points) A paper, _submitted as a PDF_, of at least 1500 words, but no more than 1800 words that details your analysis of NISTIR 7621. (This number excludes any references or citations.) The paper must include:
2. An overall analysis of the described framework (is it sufficient, or are there things that are missing, expanded, etc.)
3. For any components of the framework you feel are adequate, you must provide your reasoning for why they are adequate.
4. For any areas you feel are not adequate or missing entirely identify the area, and provide a description for what could be improved, or what should be (Ex: Does it properly address ransomware? What about use of personal devices?)
5. Proper citations for reference [https://libguides.utsa.edu/cite]. **Please use APA format. You can find an APA format sample here: [student-annotated.pdf](https://utsa.instructure.com/courses/46675/files/7307937?wrap=1)**
---
**Note: Do not use ChatGPT (or other generative AI) to write this for you.**
Understanding these frameworks is a critical component of this class, and necessary for the Course Project. Handing this work off to AI is not acceptable.
**Papers may be submitted to ZeroGPT or other AI analysis tools to determine if the work has been generated by AI.**
Other Notes
- If you have looked up the _CISSP Official Study Guide (9th Edition)_ on O'Reilly (directly or via the UTSA library eBooks) you can find more information regarding assessments and audits in _Chapter 15: Security Assessment and Testing_. (This is not required reading, but the chapter has great information regarding this area).
- You _**may**_ discuss this assignment with other class members, but each individual should write their own paper.
- This is an individual assignment, where you make your own decisions and have your own reasoning process. Make sure your work reflects thought and consideration.
- Again, do not use ChatGPT or other generative AI to do this assignment for you.
- UTSA policy is all suspected cases of Scholastic Dishonesty are referred to the university. i.e. If you cheat, I am required to report it to **Student Conduct and Community Standards**. This includes the improper use of generative AI for this assignment.
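Review bot: The list numbering no longer matches its cross-references. In the third bullet, "given #1 and #2" points at the first two bullets, which are unnumbered, and item 3 of the nested list says "while doing (a) and (b)" although the items are numbered 1 to 4. Under Deliverables, items 2 to 5 are numbered as siblings of the 70-point paper, but "The paper must include:" shows they are its sub-requirements. Restore the nesting (numbered points with a lettered sub-list, and a sub-list under deliverable 1) so the references resolve.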

@ -0,0 +1,38 @@
# Notes on NISTIR-7621
## Overall Analysis
NISTIR-7621 Revision 1 is generally sufficient as a framework for small business information security; although a bit dated, many of its points are still applicable to today's information security landscape. NISTIR-7621 does have some failings: some of its information, especially the more detailed recommendations given, are at times outright wrong or reduce security posture in a organization. Despite occasional failures around detailed information, the recommendations in general are quite good and mostly applicable to someone with a growing small business who lacks technical knowledge surrounding information security.
## Section Breakdowns
### (1) Background: What is Information Security and Cybersecurity?
Omitted as its a simple summary and rationalization as to why the document exists in the first place, largely irrelevant.
### (2) Understanding and Managing Your Risks
- The writing of managing risks as action items is a great approach, and it would be fantastic to see other documents follow the approach found within this section. A small business owner could read the section and immediately begin applying it to their circumstances. The document also gives a clear, concise, framework to begin an information audit, a core procedure for information security. If you don't even know what you have and the value of those items, how could you even begin to manage anything? Better yet, the document provides clear resources to leverage in the case they need assistance. Many frameworks toss readers to the wolves with general statements or steps, but no way to get help where one's knowledge fails. Clearly identifying resources like the local Chamber of Commerce or Federal Trade Commission increases the likelihood of a successful information audit.
### (3) Safeguarding Your Information
- The recommendations stated for the session lock feature when a computer is idle sounds good on paper, but are impractical and likely harmful. (Page 22)
- Now, locking the session after idling for a while _is_ a good idea, but the given example idle lockout is "2 minutes" — this is much too short a time window for an idle user. From personal experience as a Systems Administrator, allow me to cast down enlightenment on session locks: do not pick a super short idle window. Why? Because users are too clever for their own good. The 2 minute window given as an example from CISA will almost certainly lead to something like the following scenario: Lisa the accountant shows up to work after the session lock policy was implemented the night before. She ends up on a phone call or other work at her desk without touching her computer for a few minutes. The computer locks. Lisa gets slightly annoyed. Lisa unlocks the computer. Later, she does another task that causes her session to idle. The computer locks. Lisa gets a tad more annoyed than the last time. Lisa unlocks the computer. And on and on that will go until Lisa has a brilliant idea if her complaints on the session lock are ignored: get a mouse jiggler or an equivalent way to defeat the idle detection. Now with the jiggler installed she no longer has her user session lock; then she gets up for lunch one day and somebody else walks up to her now unlocked computer and copies the entire business's account sheets. Unfortunately, that was _not_ a hypothetical story, we truly had that occur to one of the firms we managed systems for.
- > "Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID)." (Page 26)
- This is useless. The SSID being "hidden" was originally a bug in the first spec from the IEEE. Basically when the SSID was left as `NULL`, many client programs would not display the network. Later on this became more standardized via `SSIDExtensions` where a "hidden" flag could be set. This is all well and good, but does absolutely _nothing_ from a security standpoint. The network still allows clients to connect and an attacker's scan will trivially pick it up. On top of this, many modern operating systems, mobile and not, now display "hidden" networks in their network selections as "Hidden Network". Hiding a wireless network is pointless for security — it only adds difficulty to legitimate users attempting to connect and does not stop any attacker from picking it up in a scan.
- > "Set your router to use WiFi Protected Access 2 (WPA-2)..." (Page 26)
- WPA-2 is now considered a legacy protocol. The new version is WPA-3. WPA-2 is susceptible to quite a few vulnerabilities at this point in time, like [Key Reinstallation Attacks], see [https://www.krackattacks.com/]. The guidance should be to target WPA-3 if WPA-3 is possible given the network requirements (many IoT devices only support WPA-2).
Whatever solution you apply on the user's session it cannot, under any circumstances, be unduly bothersome. The user is smart — they will find a way around security controls if they're irritated enough. NISTIR-7621's guidance would be better served with reasonable timeout like 10 - 15 minutes, or, even better and the solution we eventually implemented at that firm, have a camera do user presence detection when they're at their desk and auto lock the session when leave their workstation.
- Advice for backups (Page 31 & 32)
- This section still largely follows best practices today. They mention that backups should be stored in different places and go on to list three _different_ places which follows the 3-2-1 backup rule per CISA "Data Backup Options". Furthermore; a recommendation is made to _test_ the backups periodically; this is a oft-ignored step — if you can't validate a recovery strategy, then the strategy should be treated as though it doesn't exist.
- Some things that are missed though:
- Instead of stating "You may want to consider encrypting your backups" (Page 32), it would be better to have a firm stance and instead state "All backups should be encrypted when created". Backups, if created correctly, will almost certainly contain sensitive information including customer information and with the rise of privacy laws locally and abroad like the General Data Privacy Regulation in Europe, not having proper encryption of sensitive information can lead to regulatory compliance issues and even fines.
### (4) Working Safely and Securely
## Overall items
- No mention of centralized system controls
- If a small business has more than a handful of employees it becomes increasingly difficult to manage those user accounts and, more importantly, handle auditing and legal compliance. When a small business owner reads that, most will think of having a local admin account which they then use to create their individual employees' accounts under that local admin. Now, the individual tools do not need to be mentioned, but centralization of system controls should be discusses. It's a core requirement of audit able systems, especially if you have to do legal discovery. This was some of the work and consulting I helped local businesses in Austin, Texas with when I worked as a Systems Administrator.
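Review bot: The session-lock bullet attributes the example to the wrong source: "The 2 minute window given as an example from CISA" sits under a NISTIR-7621 section heading and a "(Page 22)" reference to that document, so it should name NISTIR-7621. For the same bullet, the paragraph beginning "Whatever solution you apply on the user's session" carries the 10 - 15 minute and presence-detection recommendation but is placed after the WPA-2 item; move it up under the session-lock item. The "### (4) Working Safely and Securely" heading is also left with no notes under it.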

@ -0,0 +1,65 @@
ieee-ssid:
type: reference
author: 802.11 Working Group of the LAN/MAN Standard Committee of the IEEE Computer Society
publisher: IEEE Computer Society
organization: IEEE Computer Society
title: IEEE Std 802.11
volume: "Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications"
edition: 2016
page-range: 790
date: 2016-12-07
page-total: 3534
nist-timeouts:
type: reference
author: NIST
publisher: U.S. Department of Commerce
organization: National Institute of Standards and Technology
title: NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
edition: 5
page-range: 42
date: 2016-12-07
page-total: 492
krackattacks:
title: "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2"
url:
value: https://www.krackattacks.com/
access: 2024-09-14
author:
- Mathy Vanhoef
- Frank Piessens
type: conference
date: 2017-10-30
publisher: Association for Computing Machinery
location: New York, NY, United States
serial-number: 978-1-4503-4946-8
cisa-backups:
title: Data Backup Options
type: article
author:
- Paul Ruggiero
- Matthew A. Heckathorn
date: 2012-08-08
publisher: United States Computer Emergency Readiness Team
page-total: 6
page-range: 1
gdpr-data-control:
title: General Data Protection Regulation
type: legislation
author: The European Parliament
date: 2016-04-27
page-range: 32
fbi-adblock:
type: Web
title: "PSA: Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users"
author: Internet Crime Complaint Center
publisher: The Federal Bureau of Investigation
date: 2022-12-21
url:
value: https://www.ic3.gov/Media/Y2022/PSA221221
date: 2024-09-15
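Review bot: The `nist-timeouts` entry has `date: 2016-12-07`, the same value as the `ieee-ssid` entry directly above it, which looks carried over from copying that entry; check it against the publication date of SP 800-53 Rev. 5 so the APA citation renders the right year. In `fbi-adblock`, the final `date: 2024-09-15` either repeats the entry's own `date` key or uses a different key for the access date than the `access:` used under `url:` in `krackattacks`; pick the key the bibliography format accepts and use it in both entries. `type: Web` is also the only capitalized type value in the file.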