Everything you need to know about NIST 800-53

The National Institute of Standards and Technology (simply referred to as NIST) sets the security standards, guidelines and recommended security controls for the Federal Information Systems and Organizations.  This extensive database of publications includes the FIPS (Federal Information Processing Standards), SP (NIST Special Publications), NISTIR (NIST Internal Reports) and the ITL Bulletin (NIST Information Technology Laboratory Bulletins).  A complete list of security standards, guidelines and recommendations publications can be found at the Computer Security Resource Center located on the NIST.GOV website.

These publications set the baseline for security controls for all agencies and contractors. They are continuously updated to address ever-growing threats and to prevent major cyber security incidents (which are now so commonplace they’re part of the daily news).

The NIST 800-53—the special publication for the Security and Privacy Controls for Information Systems and Organizations—is currently in Revision 4 with Revision 5 in draft.  The purpose of the NIST 800-53 is to provide guidelines and best practices for protecting the government’s sensitive information and citizens’ personal information from cyber-attacks. This special publication is authored by the Joint Task Force.  The final publication of Revision 5 is expected in December 2018 according to the latest schedule.

In combination with the NIST 800-53 the draft Special Publication known as the (SP) 800-37 Revision 2 was introduced to include a Risk Management Framework. This helps identify a risk-based approach for using and storing Personally Identifiable Information which, because all data is not equal, is necessary.  The SP 800-37 should be used in conjunction with the SP 800-53.  It adds privacy considerations into the design as well as information on how to improve controls for diverse industry groups from the public and private sectors to individuals.

The major changes to the (SP) 800-53 Rev 5 are:

  • Making the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
  • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
  • Promoting integration with different risk management and cyber security approaches and lexicons, including the Cyber Security Framework;
  • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
  • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cyber security and privacy governance and accountability.

The NIST (SP) 800-53 combined with the (SP) 800-37 establishes a multi-tiered risk approach:

Tier 1 – The Organization

Tier 2 – The Mission Critical or Business Processes

Tier 3 – Information Systems

The main goal is of the organization is to identify a risk-based approach to the information systems that are vital to the operations and continuous service of the organization or agency.

RISK MANAGEMENT FRAMEWORK – Security Life Cycle

The starting point is to follow a 6-step process known as the Security Life Cycle which is as follows, with associated Publication References:

Step 1 – CATAGORIZE Information Systems (FIPS 199/SP 800-60) – IMPACT ASSESSMENT

Step 2 – SELECT Security Controls (FIPS 200/SP 800-53)

Step 3 – IMPLEMENT Security Controls (SP 800-160)

Step 4 – ASSESS Security Controls (SP 800-53A)

Step 5 – AUTHORIZE Information Systems (SP 800-37)

Step 6 – MONITOR Security Controls (SP 800-137) 

The NIST 800-53 is broken into the minimum security controls IMPACT baseline adapted from the FIPS 200 which are:

  • Low-Impact
  • Moderate-Impact
  • High-Impact

The Security Control Identifiers are broken down into the respective controls and families:

The NIST 800-53 is broken into the minimum security controls IMPACT baseline.*Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

The TRUST MODEL

A trust model is referenced within NIST 800-53 which is used to determine the trustworthiness of systems and components based on their ability to meet security requirements, security capabilities, and security functionality along with security assurance based on evidence.  This is an area which is growing in importance and is about establishing a trust-based approach and how much risk is acceptable based on the trustworthiness of systems and components will determine how much access they will have.

The TAILORING GUIDEANCE

Because all risks are not equal the NIST 800-53 provides tailoring guidance (based on the input from the Initial Security Control Impact Baseline referred to earlier) which, when aligned with the assessment of the organizational risks enables the security controls to be tailored to the acceptable risk.

These guidelines follow the steps below:

  • Identifying and Designating Common Controls
  • Applying Scoping Considerations
  • Selecting Compensating Controls
  • Assigning Security Control Parameter Values
  • Supplementing Baseline Security Controls
  • Providing Additional Specification Information for Implementation

During this process full documentation of the security controls decisions must be agreed upon and maintained to ensure adequate security and protection.

The NIST 800-53 and PRIVILEGED ACCESS

Now, let’s focus on the NIST 800-53 guidelines for privileged access which is referenced in multiple security control identifiers and families.  The main area under Access Controls refers to using a Least Privilege approach in conjunction with Least Functionality. This is considered high-impact and requires giving the users or system only the minimum access required to fulfill the role or function and nothing more.

An example of the Least Privileged Access Control:

An example of the Least Privileged Access Control.*Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

It’s clear within the NIST 800-53 that anywhere privileged access is referenced the impact on all organizations and agencies ranges from moderate to high.  From implementing the controls, account management and auditing to process and identification etc., privileged access is an area of major importance.

Several of the NIST 800-53 security controls are aligned with the ISO/IEC 27001 Controls:

Several of the NIST 800-53 security controls are aligned with the ISO/IEC 27001 Controls.*Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

It is evident that managing and protecting Privileged Accounts is crucial to being able to apply security and privacy controls for information systems and organizations.  A robust Privileged Access Management solution helps organizations that want to apply the NIST 800-53 security controls in order to  become more resilient to cyber-attacks, and protects both the government’s sensitive information and citizens’ personally identifiable information from abuse and poisoning.

To help organizations simplify their approach to Privileged Access Management, Thycotic has developed the Privileged Access Management Life Cycle. This method follows a logical path from the basic steps to a full, mature model for protecting and securing privileged access. It helps organizations achieve both Least Privilege and Least Functionality. By combining Privileged Access Management and Privilege Manager (which applies Application Control with Privileged Access) organizations can take a risk-based approach within a trustworthy model.

This is the Thycotic Privileged Access Management Life Cycle for a path to a mature privileged access implementation:

Thycotic Privileged Access Management Life Cycle.

DEFINE:

Define and classify privileged accounts. Every organization is different, so map out which of your important business functions rely on data, systems, and access. One approach is to reuse a disaster recovery plan that typically classifies important systems and specifies which need to be recovered first. Be sure to align your privileged accounts to your business risk and operations.

Develop IT security policies that explicitly cover privileged accounts. Many organizations still lack acceptable use and responsibilities for privileged accounts. Treat privileged accounts separately by clearly defining a privileged account and detailing acceptable use policies. Gain a working understanding of who has privileged account access, and when those accounts are used.

DISCOVER:

Discover your privileged accounts. Use automated PAM software to identify your privileged accounts, and implement continuous discovery to curb privileged account sprawl, identify potential insider abuse, and reveal external threats. This helps ensure full, on-going visibility of your privileged account landscape crucial to combating cyber security threats. 

MANAGE & PROTECT:

Protect your privileged account passwords. Proactively manage, monitor, and control privileged account access with password protection software. Your solution should automatically discover and store privileged accounts; schedule password rotation; audit, analyze, and manage individual privileged session activity; and monitor password accounts to quickly detect and respond to malicious activity.

 Limit IT admin access to systems. Develop a least-privilege strategy so that privileges are only granted when required and approved. Enforce least privilege on endpoints by keeping end-users configured to a standard user profile and automatically elevating their privileges to run only approved and trusted applications. For IT administrator privileged account users, you should control access and implement super user privilege management for Windows and UNIX systems to prevent attackers from running malicious applications, remote access tools, and commands. Least-privilege and application control solutions enable seamless elevation of approved, trusted, and whitelisted applications while minimizing the risk of running unauthorized applications.

MONITOR:

Monitor and record sessions for privileged account activity. Your PAM solution should be able to monitor and record privileged account activity. This will help enforce proper behavior and avoid mistakes by employees and other IT users because they know their activities are being monitored. If a breach does occur, monitoring privileged account use also helps digital forensics identify the root cause and identify critical controls that can be improved to reduce your risk of future cyber security threats.

 DETECT ABNORMAL USAGE:

Track and alert on user behavior. With up to 80% of breaches involving a compromised user or privileged account, gaining insights into privileged account access and user behavior is a top priority. Ensuring visibility into the access and activity of your privileged accounts in real time will help spot suspected account compromise and potential user abuse. Behavioral analytics focuses on key data points to establish individual user baselines, including user activity, password access, similar user behavior, and time of access to identify and alert on unusual or abnormal activity.

 RESPOND TO INCIDENTS:

Prepare an incident response plan in case a privileged account is compromised. When an account is breached, simply changing privileged account passwords or disabling the privileged account is not acceptable. If compromised by an outside attacker, hackers can install malware and even create their own privileged accounts. If a domain administrator account gets compromised, for example, you should assume that your entire Active Directory is vulnerable. That means restoring your entire Active Directory, so the attacker cannot easily return.

REVIEW AND AUDIT:

Audit and analyze privilege account activity. Continuously observing how privileged accounts are being used through audits and reports will help identify unusual behaviors that may indicate a breach or misuse. These automated reports also help track the cause of security incidents, as well as demonstrate compliance with policies and regulations. Auditing of privileged accounts will also give you cyber security metrics that provide executives with vital information to make more informed business decisions.

To learn more about Thycotic’s Least Privilege Model, download our Whitepaper.

To learn about Thycotic and Privileged Account Management, download our free Digital Book.

Implementing least privilege doesn’t need to be hard.

Privilege Manager makes least privilege adoption easy for users and reduces the workload for IT/desktop support.

 

 



*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Joseph Carson. Read the original post at: http://feedproxy.google.com/~r/Thycotic/~3/2ki9U2FL9CA/