10 Must-Read NIST Publications

1. NIST Special Publication 800-12 Revision 1
   An Introduction to Information Security
2. NIST Special Publication 800-39
   Managing Information Security Risk – Organization, Mission, and Information System View
3. NIST Special Publication 800-30 Revision 1
   Guide for Conducting Risk Assessments
4. NIST Special Publication 800-37 Revision 2
   Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy
5. NIST Special Publication 800-53 Revision 4
   Security and Privacy Controls for Federal Information Systems and Organizations
6. NIST Special Publication 800-160 VOLUME 1
   Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
7. NIST Special Publication 800-88 Revision 1
   Guidelines for Media Sanitization
8. NIST Special Publication 800-41 Revision 1
   Guidelines on Firewalls and Firewall Policy
9. NIST Special Publication 800-61 Revision 2
   Computer Security Incident Handling Guide
10. NIST Special Publication 800-115
    Technical Guide to Information Security Testing and Assessment

Recommended

1. NIST Special Publication 800-100
   Information Security Handbook: A Guide for Managers
2. NIST Special Publication 800-34 Rev. 1
   Contingency Planning Guide for Federal Information Systems
3. NIST Special Publication 800-50
   Building an Information Technology Security Awareness and Training Program
4. NIST Special Publication 800-70 Revision 4
   National Checklist Program for IT Products – Guidelines for Checklist Users and Developers
5. NIST Special Publication 800-86
   Guide to Integrating Forensic Techniques into Incident Response
6. NIST Special Publication 800-92
   Guide to Computer Security Log Management
7. NIST Special Publication 800-94
   Guide to Intrusion Detection and Prevention Systems (IDPS)
8. NIST Special Publication 800-128
   Guide for Security-Focused Configuration Management of Information Systems
9. NIST Special Publication 800-150
   Guide to Cyber Threat Information Sharing
10. NIST Special Publication 800-153
    Guidelines for Securing Wireless Local Area Networks (WLANs)
11. NIST Special Publication 800-32
    Introduction to Public Key Technology and the Federal PKI Infrastructure

The development team of your company is implementing a web-based multi-tiered Procurement Management System. Purchase orders shall be approved before issuance by different management levels based on a variety of criteria, e.g., Order Amount, Supplier, or Product Category. As criteria are subject to change, the development team decides not to hard code the approval logics and policies but implements a user interface for the procurement manager to manage them. The web server delegates the authorization decision of requests from web clients to a remote authorization server that will refer to the approval policies managed by the procurement manager.  If the authorization mechanism is based on XACML, which of the following roles is the web server?
A. Policy Enforcement Point (PEP)
B. Policy Decision Point (PDP)
C. Policy Administration Point (PAP)
D. Policy Information Point (PIP)

Continue reading →

1. Advanced Persistent Threat (APT)
2. Multi-vector, polymorphic attacks
3. Denial of Service
4. Buffer Overflows
5. Mobile Code
6. Malicious Software (Malware)
7. Drive-by download attacks
8. Spyware
9. Trojan Horse
10. Keyloggers
11. Password Crackers
12. Spoofing/Masquerading
13. Sniffers, Eavesdropping, and Tapping
14. Emanations and TEMPEST
    Spontaneous emission of electromagnetic radiation” (EMR) subject to TEMPEST eavesdropping
15. Shoulder Surfing
16. Tailgating
17. Piggybacking
18. Object Reuse
19. Data Remanence
20. Unauthorized Targeted Data Mining
21. Dumpster Diving
22. Backdoor/Trapdoor
23. Maintenance Hook
24. Logic bombs
25. Social Engineering
26. Phishing
27. Pharming
    A cyber attack intended to redirect a website’s traffic to another, fake site.
28. Covert Channel
    Unauthorized channel for data transportation
29. IP Spoofing/Masquerading
    IP Spoofing is malicious, while Masquerading is a specific form of Network Address Translation (NAT) and can be valid.
30. Elevation of privilege/Privilege escalation
31. Tampering
32. Sabotage
33. SQL injection
34. Cross-Site Scripting (XSS)
35. Session Hijacking and Man-in-the-Middle Attacks
36. Zero-day exploit
    A zero-day exploit hits after a network vulnerability is announced or discovered but before a patch or solution is implemented.

Your company implemented a variety of information systems that host their user accounts, and an LDAP-compliant directory maintained by the Human Resource department. The development team is developing a solution that streamlines the HR processes to create and synchronize new employee accounts and assign privileges across systems. As a security professional, which of the following will you recommend the most?
A. Federated Identity
B. XACML (eXtensible Access Control Markup Language)
C. SPML (Service Provisioning Markup Language)
D. IDaaS (Identity as a Service)

Continue reading →

Wikipedia

A trusted path or trusted channel is a mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can’t intercept or modify whatever information is being communicated.

The term was initially introduced by Orange Book. As its security architecture concept, it can be implemented with any technical safeguards suitable for particular environment and risk profile.

Source: Wikipedia

Orange Book

• Trusted Path – A mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.
• B2: NEW: The TCB shall support a trusted communication path between itself and user for initial login and authentication. Communications via this path shall be initiated exclusively by a user.
• B3: CHANGE: The TCB shall support a trusted communication path between itself and users for use when a positive TCB-to-user connection is required (e.g., login, change subject security level). Communications via this trusted path shall be activated exclusively by a user or the TCB and shall be logically isolated and unmistakably distinguishable from other paths.

Source: Trusted Computer System Evaluation Criteria [“Orange Book”]

 

Excerpts from NIST SP 800-39 and NIST SP 800-30 R1

MULTITIERED ORGANIZATION-WIDE RISK MANAGEMENT

RISK MANAGEMENT PROCESS APPLIED ACROSS THE TIERS

INFORMATION SECURITY REQUIREMENTS INTEGRATION

RELATIONSHIP AMONG RISK FRAMING COMPONENTS

RISK ASSESSMENT PROCESS

GENERIC RISK MODEL WITH KEY RISK FACTORS

Assessment Approaches

Risk, and its contributing factors, can be assessed in a variety of ways, including quantitatively, qualitatively, or semi-quantitatively.

Analysis Approaches

An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.

• Organizations have great flexibility in choosing a particular analysis approach. The specific approach taken is driven by different organizational considerations.
• However, differences in the starting point of the risk assessment can potentially bias the results, causing some risks not to be identified.
• Therefore, identification of risks from a second orientation (e.g., complementing a threat-oriented analysis approach with an asset/impact-oriented analysis approach) can improve the rigor and effectiveness of the analysis.

In addition to the orientation of the analysis approach, organizations can apply more rigorous analysis techniques (e.g., graph-based analyses) to provide an effective way to account for the many-to-many relationships.

• For example, graph-based analysis techniques (e.g., functional dependency network analysis, attack tree analysis for adversarial threats, fault tree analysis for other types of threats) provide ways to use specific threat events to generate threat scenarios.
• Graph-based analysis techniques can also provide ways to account for situations in which one event can change the likelihood of occurrence for another event. Attack and fault tree analyses, in particular, can generate multiple threat scenarios that are nearly alike, for purposes of determining the levels of risk.
• With automated modeling and simulation, large numbers of threat scenarios (e.g., attack/fault trees, traversals of functional dependency networks) can be generated. Thus, graph-based analysis techniques include ways to restrict the analysis to define a reasonable subset of all possible threat scenarios.

Sources

• NIST SP 800-39
• NIST SP 800-30 R1