n a recent recovery, DriveSavers tackled a challenging RAID 5 failure. The 4x3TB array had entered Emergency Mode. The failure jeopardized 30 years of invaluable personal and professional data for the customer.
NIST Computer Security Division Updates Effective Today – Is Your Security Up to Date?
By Michael Hall, Chief Information Security Officer
Effective today, NIST’s Computer Security Division just updated their recommended guidelines by eliminating eleven SP 800 publications.
Adding by Subtracting
How would eliminating security recommendations be an improvement?
These eleven publications all reference technology that is out of date or no longer used, and implementations that have been improved since the original writing of these guidelines. Therefore, eliminating these old items clears some of the clutter and allows for easier access and implementation of more current and updated recommendations located in the remaining SP 800 publications.
Here are the sections removed and reasons why per NIST’s announcement:
- SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network:
- Describes technologies that are out of date.
- SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures:
- This validation system is for algorithms that have been deprecated (e.g., DES, Skipjack). For information on current algorithm validation systems, see the Cryptographic Algorithm Validation Program (CAVP).
- SP 800-19 (October 1999), Mobile Agent Security:
- Today’s environment and technologies are significantly more complex than the environment treated in this publication.
- SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products:
- Pre-dates many relevant laws, regulations, and executive directives, and does not reflect NIST’s current validation programs, Risk Management Framework, or the Cybersecurity Framework. For a current overview, see SP 800-12 Rev. 1, An Introduction to Information Security.
- SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does:
- Does not address newer technologies, such as Voice Over IP (VOIP); includes references to “security controls” that pre-date SP 800-53.
- SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security:
- Describes a model that pre-dates the Risk Management Framework and Cybersecurity Framework.
- SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products:
- Does not reflect current security product types, and references are outdated.
- SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System:
- This operating system is no longer supported.
- SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process:
- Pre-dates important NIST guidance such as SP 800-53 Rev. 4, SP 800-53A Rev. 4, and the Cybersecurity Framework.
- SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist:
- This operating system is no longer supported.
- SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist:
- This operating system is no longer supported.
Is Your Security Policy Up to Date?
The NIST update reminds us that, as technology becomes outdated and gets swapped out, so should parts of our security policy related to data and technology.
Company-owned devices often hold security-sensitive electronically stored information (ESI), including critical intellectual property (IP), financial databases, accounting files, e-mail exchanges, customer records, PCI, PII and PHI. When you factor in costs associated with a security breach resulting in theft or other unauthorized access, such as investigations, crisis management, notification of victims, legal expenses and loss of customers, the price tag that may result from a flaw in a company’s security protocol quickly adds up.
According to the Ponemon Institute, the average cost of a data breach in the United States in 2017 was $225 per record, averaging $7.35 million total organizational cost per breach. These costs were even higher for healthcare and financial institutions. In addition, the more records that were lost, the higher the cost of the data breach.
As technology changes approximately every ten months or less, it’s a good idea to regularly review your company security policy and make sure it is not referring to outdated technology and includes not only new technology but new security threats as well.
How to Be Prepared and Stay Prepared
Here are some tips for staying on top of data security for your company.
Conduct a Risk Analysis
Also known as “gap analysis” or “security risk assessment,” risk analysis is the first step towards both developing and updating a data security policy. Security risk assessments should be conducted annually, biannually or any time something changes, such as the purchase of new equipment or expansion of company services.
Review Access and Authorization
As part of conducting a risk analysis, there are a number of areas and methods to review for proper security, including physical areas. Access should be physically unavailable to anyone who is not authorized.
Update the Company Data Security Policy
Read over your company data security policy and verify that it addresses all risks identified during your risk analysis. Add items that are not included and eliminate items that are no longer relevant.
Verify Staff and Third-party Providers
Conduct background checks of all new employees. Third-party providers should also be vetted to make sure they follow documented security protocols identical to or more robust than those in place within your company. Particular attention should be paid to third-party vendors who have access to company computers, phones and can otherwise access company data, such as data recovery vendors.
The April 2018 Cybersecurity Report from DriveSavers highlights the overlooked risk in third-party data recovery and includes a security vetting checklist. The checklist is specific to vetting data recovery services; however, many of the items listed can apply to all third-party vendors and is a great resource when vetting companies you may start working with.
Educate and Enforce
Hold mandatory security training and awareness programs, making sure to require signatures on mandatory reading materials. Enforce security policies and procedures through use of penalties. Education should always be part of both implementation and enforcement. This is absolutely the most important part of your company security and must be offered continuously.
What Do You Have to Lose?
Does your company hold any patents, have proprietary formulas or “secret recipes” that give it a competitive advantage? Does your company store any customer credit card information, social security numbers or other personal data that could impact them if it was stolen?
Think of what might happen if company data was accessed by the wrong person or persons. Follow NIST’s example. Keep your organization and customers safe by keeping the company security policy up to date and enforced.
Recommended Reading
Certified Secure Data Recovery
Cybersecurity Report: The Overlooked Risk in Third-party Data Recovery
ITProPortal: Data Security Compliance – A Cheat Sheet for IT
DriveSavers Guarantees Data Security Compliance with Updated NIST Guidelines for Controlled Unclassified Information
NIST Addresses a Security Threat that Challenges Most Information Security Programs