#let fontsize = 11pt
#set text(top-edge: 0.7em, bottom-edge: -0.3em, font: "Calibri", fontsize)
#show heading: set text(fontsize)
#show heading.where(level: 1): set align(center)
#show heading.where(level: 2): set align(left)
#set page(
  margin: 1in,
  numbering: "1",
  number-align: right + top,
  "us-letter",
)

#let title = [Analysis of _NISTIR 7621 Revision 1_]
#let author = [Price Hiller]
#let university = [University of Texas at San Antonio]
#let course = [CS 3113: Principles of Cybersecurity]
#let instructor = [Dr. Kirsten E. Webbe]
#let publication_date = datetime.today()

#set document(title: title, author: author.text, date: publication_date)

// ===== TITLE PAGE =====
#align(horizon + center)[
  = #title \
  #author\
  #university\
  #course\
  #instructor\
  #publication_date.display("[month repr:long] [day], [year]")\
]
#pagebreak()
// ===== TITLE PAGE =====

#par(
  leading: 1em,
  first-line-indent: 2em,
  justify: true,
)[
NISTIR-7621 Revision 1 is generally sufficient as a framework for small business information security; although a bit dated, many of its points are still applicable to today's information security landscape. NISTIR-7621 does have failings: some of its information, especially the more detailed recommendations, is at times outright wrong or reduces the security posture of an organization. Despite these occasional failures in the details, the recommendations in general remain largely in line with today's best practices. Said recommendations are mostly applicable to someone with a growing small business who lacks technical knowledge of information security. My analysis of NISTIR-7621 is separated by the major sections of NISTIR-7621, excluding its first section; those sections are: Understanding and Managing Your Risks, Safeguarding Your Information, and Working Safely and Securely.
== Analysis of Understanding and Managing Your Risks

This section is most focused on categorizing risk as it applies to information, identifying risk items, and inventorying what information may need to be secured. Overall, the section does a satisfactory job of approaching risk as applied to information security and gives clear, actionable items throughout. In fact, it serves as a near step-by-step tutorial for conducting an information audit. Writing risk management as action items is a great approach, and it would be fantastic to see other documents follow it. It gives a clear, concise framework to begin an information audit, a core procedure for information security. If you don't even know what you have and the value of those items, how can you even begin to manage anything? Better yet, the document provides resources to leverage in case a small business owner needs assistance. Many frameworks toss readers to the wolves with superficial statements or steps, whereas NISTIR-7621 is much more thorough, which increases the likelihood of a successful information audit and, as a result, an improved security stance for a given small business.

A small criticism: there is no mention of maintaining a continually updated inventory and risk assessment after the steps are taken. An acceptable improvement would be a recommendation to create a spreadsheet or equivalent of information assets and risk analysis that is kept as a source of truth and regularly updated when a business's information changes. This would improve awareness of information risks and assist with compliance and insurance requirements. Currently, the section reads as though this needs to be done only occasionally, whereas treating the inventory and risk audit as an ongoing undertaking would be better. Otherwise, NISTIR-7621's layout of risk management does an acceptable job of providing a simple and, most importantly, actionable framework for small business owners to rely on.
== Analysis of Safeguarding Your Information

Unfortunately, this is where some incorrect information in NISTIR-7621 begins to appear, and it will be the largest part of my analysis. Many of the policies recommended here are actually good; however, some of the details contain incorrect or invalid information, or outright _harmful_ information when it comes to information security. To reiterate, overall the points and recommendations raised are mostly good, but some details could use improvement.

One of the places where improvements could be made is the idle session lock recommendation. The recommendations for idle sessions sound good on paper, but are impractical and likely harmful. To be clear, locking the session after idling for a while _is_ a good idea, but the given example idle lockout time is "2 minutes" — this is much too short a time window for an idle user. By recommending such a low example lockout time, implementations will likewise pick short idle lockout times. From my own personal experience as a Systems Administrator, allow me to cast down enlightenment on session locks: do not pick a super short idle window. Why? Because users are too clever for their own good. The example 2 minute lockout will almost certainly lead to something like the following scenario: Lisa the accountant shows up to work after the session lock policy was implemented the night before. She ends up on a phone call or other work at her desk without touching her computer for a few minutes. The computer locks. Lisa gets slightly annoyed. Lisa unlocks the computer. Later, she does another task that causes her session to idle. The computer locks. Lisa gets a bit more annoyed than the last time. Lisa unlocks the computer. And on and on that will go until Lisa has a brilliant idea! Defeat the idle detection.
She may install a mouse jiggler or equivalent, and thus her user session no longer locks; then she gets up for lunch one day and somebody else walks up to her now unlocked computer and copies the entire business's account sheets. Unfortunately, that was _not_ a hypothetical situation; we truly had that occur at one of the firms we managed systems for. A real solution (and the one we employed) is to use proximity sensing to automatically engage the session lock when the user leaves the workstation. Beyond my own anecdotal experience, NIST SP 800-53 mentions using a timeout as well, but goes further and mentions "A proximity lock may be used to initiate the device lock..." @nist-timeouts.

Another recommendation made by NISTIR-7621 is the following: "Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID)" when configuring wireless access points. On paper, this seems okay, but in practice it is useless in terms of security. Disabling the SSID broadcast does _not_ stop the Access Point (AP) from broadcasting its availability. What really happens is that the beacon frame is still broadcast, but on old APs the SSID is `NULL` when sent, and on newer 802.11-compliant APs the wildcard SSID is used @ieee-ssid, which means that for beacon announcements it is treated as _hidden_. The network is not actually _hidden_. An attacker will do a scan and pick up your _hidden_ network, or, in the case of some operating systems, they may display your network as "Hidden Network" in the network selection menus. What this does do, though, is make it _much_ more difficult for genuine users to connect devices to the network. This is security through obscurity, with little to no security benefit and a headache for users.
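To make the hidden-SSID point concrete, here is an added Python example (mine, not code from NISTIR-7621 or from this paper's author) that parses constructed 802.11 beacon frames. It shows that a "hidden" network still beacons its BSSID with an empty or NUL-filled SSID element, and it goes one step further than the passage above by also reading the RSN element to flag WPA-2-only networks, the point discussed next. The frames, BSSIDs and SSIDs are constructed, and the minimal frame layout, the `build_beacon` helper, the `audit_beacon` finding strings and the AKM name table are assumptions of the example rather than anything NISTIR-7621 specifies.

```python
import struct
from dataclasses import dataclass

# Constructed 802.11 beacon frames for the example, not captures of any real
# network. Layout assumed: 24-byte management header, 12 bytes of fixed
# fields (timestamp, beacon interval, capability), then tagged elements.
ELEM_SSID = 0
ELEM_RSN = 48
RSN_OUI = b"\x00\x0f\xac"
CIPHER_CCMP = b"\x04"
AKM_NAMES = {1: "802.1X", 2: "WPA2-PSK", 6: "WPA2-PSK-SHA256", 8: "WPA3-SAE"}
MGMT_HEADER_LEN = 24
FIXED_FIELDS_LEN = 12


def build_beacon(bssid: bytes, ssid: bytes, akm_types: list[int]) -> bytes:
    """Assemble a minimal beacon; an empty akm_types means no RSN element (open)."""
    frame_control = 0x0080  # type 0 (management), subtype 8 (beacon)
    header = (struct.pack("<HH", frame_control, 0) + b"\xff" * 6  # broadcast destination
              + bssid + bssid + struct.pack("<H", 0))             # source, BSSID, seq ctrl
    capability = 0x0011 if akm_types else 0x0001                  # ESS (+ privacy bit)
    fixed = struct.pack("<QHH", 0, 100, capability)               # timestamp, 100 TU interval
    elems = bytes([ELEM_SSID, len(ssid)]) + ssid
    if akm_types:
        rsn = struct.pack("<H", 1) + RSN_OUI + CIPHER_CCMP        # version 1, group cipher
        rsn += struct.pack("<H", 1) + RSN_OUI + CIPHER_CCMP       # one pairwise cipher
        rsn += struct.pack("<H", len(akm_types))
        rsn += b"".join(RSN_OUI + bytes([t]) for t in akm_types)
        rsn += struct.pack("<H", 0)                               # RSN capabilities
        elems += bytes([ELEM_RSN, len(rsn)]) + rsn
    return header + fixed + elems


def parse_rsn_akms(body: bytes) -> list[str]:
    """Walk the RSN element to its AKM suite list; an unexpected layout yields []."""
    try:
        if struct.unpack_from("<H", body, 0)[0] != 1:
            return []
        pos = 6  # skip version (2) and group cipher suite (4)
        pairwise_count = struct.unpack_from("<H", body, pos)[0]
        pos += 2 + 4 * pairwise_count
        akm_count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        akms = []
        for _ in range(akm_count):
            oui, akm_type = body[pos:pos + 3], body[pos + 3]
            pos += 4
            akms.append(AKM_NAMES.get(akm_type, f"akm-{akm_type}") if oui == RSN_OUI else "vendor")
        return akms
    except (struct.error, IndexError):
        return []


@dataclass
class BeaconSummary:
    bssid: str
    ssid_hidden: bool
    ssid: str
    akms: list[str]


def parse_beacon(frame: bytes) -> BeaconSummary:
    """Extract BSSID, SSID visibility and offered AKMs from one beacon frame."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_FIELDS_LEN:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) != 0x0080:  # type/subtype bits of the first octet
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    pos = MGMT_HEADER_LEN + FIXED_FIELDS_LEN
    ssid_hidden, ssid, akms = True, "", []
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elem_len]
        if len(body) != elem_len:
            raise ValueError("truncated information element")
        pos += 2 + elem_len
        if elem_id == ELEM_SSID:
            # A hidden network sends a zero-length SSID or one filled with NULs,
            # but the beacon (and therefore the BSSID) is still on the air.
            if elem_len and any(body):
                ssid_hidden, ssid = False, body.decode("utf-8", errors="replace")
        elif elem_id == ELEM_RSN:
            akms = parse_rsn_akms(body)
    return BeaconSummary(bssid, ssid_hidden, ssid, akms)


def audit_beacon(frame: bytes) -> list[str]:
    """Findings an access-point audit would raise for one beacon (assumed wording)."""
    b = parse_beacon(frame)
    findings = []
    if b.ssid_hidden:
        findings.append(f"{b.bssid}: SSID hidden but the beacon is still visible (no security gain)")
    if not b.akms:
        findings.append(f"{b.bssid}: no RSN element, network is open or pre-WPA2")
    elif "WPA3-SAE" not in b.akms:
        findings.append(f"{b.bssid}: WPA2-only ({', '.join(b.akms)}), prefer WPA3-SAE")
    return findings


# Constructed sample frames with locally administered (02:...) BSSIDs.
HIDDEN_WPA2 = build_beacon(b"\x02\x00\x00\x00\x00\x01", b"\x00" * 9, [2])
VISIBLE_WPA3 = build_beacon(b"\x02\x00\x00\x00\x00\x02", b"OfficeNet", [8])
OPEN_HIDDEN = build_beacon(b"\x02\x00\x00\x00\x00\x03", b"", [])

if __name__ == "__main__":
    for frame in (HIDDEN_WPA2, VISIBLE_WPA3, OPEN_HIDDEN):
        print(parse_beacon(frame), audit_beacon(frame))
```

Running the block prints a summary for each constructed frame: the hidden WPA-2 network is reported with its BSSID regardless of the suppressed name, the visible WPA-3 network produces no findings, and the open hidden network produces two. Only beacons are parsed; a production audit would also need to handle probe responses and vendor-specific elements.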
Unfortunately, NISTIR-7621 gives another questionable recommendation around WiFi: "Set your router to use WiFi Protected Access 2 (WPA-2)"; although, this is more a display of NISTIR-7621's age than anything outright wrong. Nowadays we have WPA-3, which improves security over WPA-2. Many WPA-2 networks are particularly vulnerable to Key Reinstallation Attacks @krackattacks, among a slew of other vulnerabilities that WPA-3 addresses. The more modern recommendation would be to default to WPA-3 and use WPA-2 only where necessary. WPA-2 may be necessary when working with Internet of Things (commonly abbreviated IoT) devices, so when WPA-2 is required, stricter deployment practices should be followed.

A good recommendation provided by NISTIR-7621 is its advice for handling backups of data across the business. NISTIR-7621's backup recommendations closely mirror today's best practices for backups. It mentions that backups should be stored in a few different formats, but importantly those recommended formats end up being stored in _three_ different places, on _two_ different media types, with at least _one_ backup offsite as a result of the media chosen. Specifically, NISTIR-7621 recommends backing up to the following: "removable media", "a separate server that is isolated from the network", and "online storage (e.g. a cloud service provider)". This recommendation is great as it follows the 3-2-1 backup rule @cisa-backups, but some critiques of its backup policies are necessary. NISTIR-7621 is perhaps too weak in pushing the 3-2-1 rule relative to US-CERT's recommendations. Today, implementing 3-2-1 backups is relatively simple. Furthermore, instead of stating "You may want to consider encrypting your backups", NISTIR-7621 should push explicitly for encrypted backups rather than leaving them as a mere consideration.
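The 3-2-1 rule and the encryption requirement argued for above can be checked mechanically against a backup inventory. The following Python example is added here and is neither NISTIR-7621's nor this paper's author's code; the `BackupCopy` fields, the media labels and the inventory entries (modelled on the three destinations NISTIR-7621 names) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a backup set (constructed inventory entry)."""
    location: str    # free-text label for where the copy lives
    media: str       # assumed labels: "removable", "isolated-server", "cloud"
    offsite: bool    # physically separate from the primary business location
    encrypted: bool  # encrypted at rest with a key the business controls


def check_backup_policy(copies: list[BackupCopy]) -> list[str]:
    """Return the gaps between an inventory and 3-2-1 plus mandatory encryption.

    3 copies, on 2 media types, with 1 offsite; an empty list means compliant.
    """
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, 3-2-1 needs at least 3")
    media_types = sorted({c.media for c in copies})
    if len(media_types) < 2:
        gaps.append(f"all copies on one media type ({', '.join(media_types) or 'none'}), need 2")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    unencrypted = [c.location for c in copies if not c.encrypted]
    if unencrypted:
        gaps.append("unencrypted copies: " + ", ".join(unencrypted))
    return gaps


# Constructed inventory following NISTIR-7621's three destinations, with the
# encryption left as the optional consideration the document describes.
NISTIR_EXAMPLE = [
    BackupCopy("USB drive in the office safe", "removable", False, False),
    BackupCopy("backup server off the LAN", "isolated-server", False, False),
    BackupCopy("cloud bucket", "cloud", True, True),
]

# Same inventory with encryption required everywhere.
HARDENED = [BackupCopy(c.location, c.media, c.offsite, True) for c in NISTIR_EXAMPLE]

if __name__ == "__main__":
    print("NISTIR example:", check_backup_policy(NISTIR_EXAMPLE) or "compliant")
    print("hardened:", check_backup_policy(HARDENED) or "compliant")
```

The NISTIR-style inventory passes the 3-2-1 counts but is reported for its two unencrypted copies; the hardened inventory passes cleanly. Running the check against a single removable copy reports all three 3-2-1 gaps at once, which is the usual state of a small business before any policy exists.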
With cloud providers today, encrypted off-site backups are simple, and managing on-site encrypted backups can be as simple as using a password stored in a safe deposit box. There is no good reason today _not_ to encrypt backups. Especially with the rise of privacy laws locally and abroad, proper encryption of sensitive third-party information has become more and more a matter of regulatory compliance. For instance, to comply with the European General Data Protection Regulation (GDPR), and thus do business with EU entities, backups should be encrypted if they contain any personal information (emails, phone numbers, and more), as the "...regulation applies to the processing of personal data..." @gdpr-data-control.

Section 3 has some recommendations with problems in the details, but the general recommendations are sufficient for small businesses. Once again, NISTIR-7621 demonstrates its best aspect in how immediately actionable the provided information is. NISTIR-7621's explanations are thorough, and this is invaluable when it comes to creating a framework for best practices. While that information may be occasionally lacking, it is usually good enough. After all, perfect is the enemy of good.

== Analysis of Working Safely and Securely

Section four of NISTIR-7621 focuses on general rules of thumb for practicing safe business habits relating to information security. The recommendations are intended to be used to train all employees in a given business, ensuring general user awareness of security. There are no significant flaws I can readily identify within section four; its information is user awareness and security training 101. Though, as an extension, it would be useful to add installing an ad blocker to supplement the "Be careful of email attachments and web links" recommendation, specifically for web links. The Federal Bureau of Investigation (the FBI) recommends to "use an ad blocking extension when performing internet searches."
@fbi-adblock Using an ad blocker should massively cull the number of malicious sites and links that appear when browsing and further enhance user security.

== General Analysis of NISTIR-7621

NISTIR-7621 does an overall satisfactory job of informing small business owners of the information security controls and practices they should implement for their businesses. Due to the age of the document, some details within the practices are questionable at times, but the overall framework given is filled to the brim with useful security information. In particular, NISTIR-7621 should be praised for the amount of actionable information and clear steps it provides. Non-technical owners should be able to follow and implement NISTIR-7621's general recommendations and processes relatively easily.
]

#bibliography("./bibliography.yml", style: "american-psychological-association")