๐Ÿ™‹ 7.3 Voluntary Nature of the NIST Cybersecurity Framework

Voluntary Nature of the NIST Cybersecurity Framework ๐Ÿ™‹

Password Complexity Requirements 

Is this secure?

A*QSuda@PxiTvwgDA2tG

https://bitwarden.com/password-strength/#Password-Strength-Testing-Tool

https://haveibeenpwned.com/

https://github.com/danielmiessler/SecLists/tree/master/Passwords/Leaked-Databases

Other Options to Improve Authentication Security

  1. Multi-Factor Authentication (MFA): This method requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN. Common factors include something you know (password or PIN), something you have (a smartphone or hardware token), and something you are (biometrics: fingerprint scans, facial recognition, or iris scans). 
  2. Using Known Password Lists: Implementing checks against lists of known compromised passwords can prevent users from choosing passwords that are already exposed and easy to guess. This can be particularly effective in stopping common and repeated password-related vulnerabilities. 
  3. Time-based One-time Password (TOTP): This is an algorithm that generates a one-time password which is valid only for a short period of time, providing an additional layer of security by ensuring that the password is not reusable. 
  4. Geographic and IP Restrictions: Limiting access based on geographic location or IP addresses can help prevent unauthorized access from high-risk areas or unfamiliar sources. 
  5. Anomaly Detection and Login Monitoring: Tools that monitor login attempts and detect anomalies (like logins from new devices or locations) can trigger additional authentication requirements or alerts. 

Profiles

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1301.pdf

With CSF, the organization has the power to choose the proper controls from any source needed to deliver the outcomes chosen in the target profile

Jason Dion, CPO, AKYLADE


Transcript

Letโ€™s talk about the voluntary nature of the NIST Cybersecurity Framework, with an example. 

Iโ€™ve seen a number of heated debates on this and itโ€™s a fascinating topic, letโ€™s talk about password complexity requirements.

Is this password secure?

Most people are going to say yes.

  • Itโ€™s long and strong
  • 20 characters, a mix of character types
  • Canโ€™t be guessed


If I type it into a password strength testing tool, it tells me itโ€™s strong and would take centuries to crack. https://bitwarden.com/password-strength/#Password-Strength-Testing-Tool

In theory thatโ€™s true, but itโ€™s not how it works in the real world.

Password security is not a 2-dimensional problem, that is simply a function of length and complexity, it is a multi-dimensional problem. It is a chain of many links, and only as strong as its weakest link.

Issue 1: itโ€™s hard, maybe impossible to remember, and maybe the person using it doesnโ€™t have a password manager, so they write it down on a sticky note and put it on their monitor, or underneath their keyboard. 

Or, they write it in clear text, unencrypted, in a notes app that goes to a third party service provider, or a work app, that their IT administrator can see. 

If thereโ€™s a malicious employee at the service provider or your company, your credentials can get compromised. Or if their networks get compromised, your password in clear text is now vulnerable to attackers there.

What if you use this same password, with 20 accounts and 20 service providers. If one of those providers has a breach, and shows up at haveibeenpwned.com
A database from a reputable security researcher with more than 700 pwned website, 13 billion pwned accounts

What if itโ€™s been added to the rockyou-20 database of leaked passwords here on GitHub, thatโ€™s added to a cracking tool

The list of links in the chain to consider here goes on, thereโ€™s a famous hacking tool call Mimikatz that steals password hashes from the memory in windows, and it is indiscriminate, whether that has was created by a strong password and a weak one.

Letโ€™s saw off the list of examples there.

Weโ€™re building a business case for multi factor authentication.

And, where prescriptive frameworks can go wrong. Some of them take a 2-dimensional view of passwords. Prescribe 16 characters and donโ€™t persecute MFA. 

The organization wants to be compliant and just does 16 character passwords.

Risk is higher now, than if they had 8 characters and MFA. Not a good outcome. 

Other options to improve authentication security, other than password length and MFA would be

  1. Using known password lists, when users create their passwords, donโ€™t allow a known one
  2. Time based one time passwords
  3. Geographic and IP restrictions
  4. Anomaly detection and login monitoring

This is where the true power of the NIST Cybersecurity Framework comes into play because it focuses on a risk based approach to getting the best outcomes, not prescriptive controls.

We have talked before about profiles. Hereโ€™s an example from the CSF Quickstart guide, where to get the outcome of, subcategory PR.PS-01, configuration management practices are established and applied. This organization is partially implemented in its current profile.

We have a Configuration Management policy that is up to date. We have procedures that are sometimes followed, but not consistently.

So in our target profile our goal is to make sure baselines are applied to all systems before production release. All systems will be continuously monitored for unexpected configuration changes, and ticket will automatically be generated when deviations from baselines occur. 

The key here is that the organization is defining its own outcomes and overseeing its own cybersecurity risks.  It has the power to choose the proper controls from any source needed to deliver the outcomes chosen in the organizational target profile

We hit more examples in the next lesson.


Complete and Continue