BLOG

NIST Draft Guide on Validating the Integrity of Computing Devices

 Submit Comments on Draft NIST SP 1800-34, Validating the Integrity of Computing Devices

The National Cybersecurity Center of Excellence (NCCoE) has published for public comment a draft of NIST SP 1800-34, Validating the Integrity of Computing Devices.

What Is This Guide About?

Technologies today rely on complex, globally distributed and interconnected supply chain ecosystems to provide reusable solutions. Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing cyber supply chain risks requires, in part, ensuring the integrity, quality, and resilience of the supply chain and its products and services. This project demonstrates how organizations can verify that the internal components of their computing devices are genuine and have not been altered during the manufacturing or distribution processes.

Share Your Expertise

Please download the document and share your expertise with us to strengthen the draft practice guide. The public comment period for this draft is now open and will close on July 25th, 2022. You can stay up to date on this project by sending an email to supplychain-nccoe@nist.gov to join our Community of Interest. Also, if you have any project ideas for our team, please let us know by sending an email to the email address above. We look forward to your feedback.

Additional NIST Supply Chain Work

NIST is also working on an important effort, the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) with the private sector and others in government to improve cybersecurity in supply chains. This initiative will help organizations to build, evaluate, and assess the cybersecurity of products and services in their supply chains, an area of increasing concern. For more information on this effort, you can click here.

Comment Now


Sat, 25 Jun 2022 14:18:00 +0000

Engineering Trustworthy Secure Systems: Final Public Draft is Available for Comment

 NIST is releasing the final public draft of a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This final public draft offers significant content and design changes that include a renewed emphasis on the importance of systems engineering and viewing systems security engineering as a critical subdiscipline necessary to achieving trustworthy secure systems. This perspective treats security as an emergent property of a system. It requires a disciplined, rigorous engineering process to deliver the security capabilities necessary to protect stakeholders’ assets from loss while achieving mission and business success.

Bringing security out of its traditional stovepipe and viewing it as an emergent system property helps to ensure that only authorized system behaviors and outcomes occur, much like the engineering processes that address safety, reliability, availability, and maintainability in building spacecraft, airplanes, and bridges. Treating security as a subdiscipline of systems engineering also facilitates making comprehensive trade space decisions as stakeholders continually address cost, schedule, and performance issues, as well as the uncertainties associated with system development efforts.

In particular, this final public draft:

NIST is interested in your feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.

 

The public comment period is open through July 8, 2022. See the publication details for instructions on submitting comments, including a template for preparing comments.

NOTE: A call for patent claims is included on page v of this draft.  For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Read More


Fri, 17 Jun 2022 15:12:00 +0000

 Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public draft), Measuring the Common Vulnerability Scoring System Base Score Equation.

Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach to evaluating properties that lead to a successful attack and the effects of a successful exploitation. CVSS is managed under the auspices of the Forum of Incident Response and Security Teams (FIRST) and is maintained by the CVSS Special Interest Group (SIG). Unfortunately, ground truth upon which to base the CVSS measurements has not been available. Thus, CVSS SIG incident response experts maintain the equations by leveraging CVSS SIG human expert opinion.

This work evaluates the accuracy of the CVSS “base score” equations and shows that they represent the CVSS maintainers' expert opinion to the extent described by these measurements. NIST requests feedback on the approach, the significance of the results, and any CVSS measurements that should have been conducted but were not included within the initial scope of this work. Finally, NIST requests comments on sources of data that could provide ground truth for these types of measurements.

The public comment review period for this draft is open through July 29, 2022. See the publication details for instructions on how to submit comments.

 

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More


Fri, 17 Jun 2022 15:11:00 +0000

Open for Public Comment: Preliminary Draft Practice Guide (Vol. A) From the ZTA Team

The Zero Trust Architecture (ZTA) team at NIST’s National Cybersecurity Center of Excellence (NCCoE) has published Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public’s comments on its contents. This guide summarizes how the NCCoE and its collaborators are using commercially available technology to build interoperable, open standards-based ZTA example implementations that align to the concepts and principles in NIST Special Publication (SP) 800-207, Zero Trust Architecture. As the project progresses, the preliminary draft will be updated, and additional volumes will also be released for comment. As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device. The NCCoE is addressing these challenges by collaborating with industry participants to demonstrate several approaches to a zero trust architecture applied to a conventional, general purpose enterprise IT infrastructure on premises and in the cloud. We Want to Hear from You! The NCCoE is making Volume A available as a preliminary draft for public comment while work continues on the project. Review the preliminary draft and submit comments online on or before (July 5th, 2022). 


Comment Here


Fri, 03 Jun 2022 19:14:00 +0000

Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)

 Post from Microsoft

On April 24, 2022, a privilege escalation hacking tool, KrbRelayUp, was publicly disclosed on GitHub by security researcher Mor Davidovich. KrbRelayUp is a wrapper that can streamline the use of some features in Rubeus, KrbRelay, SCMUACBypass, PowerMad/SharpMad, Whisker, and ADCSPwn tools in attacks.

Although this attack won’t function for Azure Active Directory (Azure AD) joined devices, hybrid joined devices with on-premises domain controllers remain vulnerable. Microsoft Defender for Identity detects activity from the early stages of the attack chain by monitoring anomalous behavior as seen by the domain controller. In addition, signals from Defender for Identity also feed into Microsoft 365 Defender, providing organizations with a comprehensive solution that detects and blocks suspicious network activities, malicious files, and other related components of this attack. Microsoft Defender Antivirus detects this attack tool as the malware family HackTool:MSIL/KrbUpRly.

Microsoft encourages customers to update Domain Controller: LDAP server signing requirements to Require signing as detailed in this advisory and enable Extended Protection for Authentication (EPA) as detailed in this blog.

Originally, KrbRelayUp supported only one method that’s based on taking advantage of resource-based constrained delegation (RBCD); it later added several additional attack methods. In this blog, we discuss RBCD to provide further insights into how the initial KrbRelayUp attack method works. We also detail the stages that make up the said attack. Finally, we provide recommendations and guidelines that can help organizations strengthen their device configurations and defend their networks from attacks that use this tool.

Understanding the attack: What is resource-based constrained delegation?

Resource-based constrained delegation (RBCD) represents the key to this attack method, enabling the tool to impersonate an administrator and eventually run a code as the SYSTEM account of a compromised device.

Authentication protocol basics

An authentication protocol verifies the legitimacy of a resource or identity. When a user signs into a website, that website uses a methodology to confirm the authenticity of the resource requesting access. In simpler terms, the authentication process involves signing in with a password—made possible by the user knowing the password anticipated by the website. The Kerberos protocol serves as the main authentication framework for this process in on-premises Active Directory.

Delegation

Sometimes, however, a resource needs to request access to another resource on behalf of a different identity. A common example of this is mail delegation, wherein executives often give delegation rights to their executive assistants to send and receive emails on their behalf without providing the assistant with the executive’s password. The executive assistant isn’t authenticating as the executive; the executive has just allowed the assistant’s account to “pretend” that they are.

Resource-based constrained delegation

Initially, only users with the SeEnableDelegation role could configure delegation, typically domain admins. These domain admins can manage resources and dictate which identities can act on behalf of a different resource. They achieve this by updating the msDS-AllowedToDelegateTo property of a user account or device. This property contains a list of all the unique identifiers (service principal names, or SPNs) to which this object can delegate or act on behalf of.

However, as organizations expanded, administrators struggled to manage all the delegation requirements, raising the need for a new type of delegation: resource-based. For instance, in an organization with several file servers that all trust a web server for delegation, an admin would have to change the msDS-AllowedToDelegateTo priority in all of the different file servers to introduce a second web server. With resource-based delegation, the list of trusted computers is held on the receiving end. Thus, in our example, only the newly created server would require a change of settings.

To read the rest of this article and find the steps you can use to defend go Here


Fri, 27 May 2022 14:54:00 +0000

Blockchain for Access Control Systems: NIST IR 8403

NIST has published NIST Internal Report (NIST IR) 8403, Blockchain for Access Control Systems. Protecting system resources against unauthorized access is the primary objective of an access control system. As information systems rapidly evolve, the need for advanced access control mechanisms that support decentralization, scalability, and trust – all major challenges for traditional mechanisms – has grown.

Blockchain technology offers high confidence and tamper resistance implemented in a distributed fashion without a central authority, which means that it can be a trustable alternative for enforcing access control policies. This document presents analyses of blockchain access control systems from the perspectives of properties, components, architectures, and model supports, as well as discussions on considerations for implementation.

Read More


Thu, 26 May 2022 14:33:00 +0000

Emergency Directive and Releases Advisory Related to VMware Vulnerabilities

 CISA has issued Emergency Directive (ED) 22-03 and released a Cybersecurity Advisory (CSA) in response to active and expected exploitation of multiple vulnerabilities in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager.

The CSA, AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, provides indicators of compromise and detection signatures from CISA as well as trusted third parties to assist administrators with detecting and responding to active exploitation of CVE-2022-22954 and CVE-2022-22960.  Malicious cyber actors were able to reverse engineer the vendor updates to develop an exploit within 48 hours and quickly began exploiting these disclosed vulnerabilities in unpatched devices. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022. 

ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of affected VMware products and either deploy updates provided in VMware Security Advisory VMSA-2022-0014, released May 18, 2022, or remove those instances from agency networks.

CISA strongly encourages all organizations to deploy updates provided in VMware Security Advisory VMSA-2022-0014 or remove those instances from networks. CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in the CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in the CSA.


Sat, 21 May 2022 16:47:00 +0000

Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products

Overview

A vulnerability has been discovered in certain HP PC BIOS, which could allow for local arbitrary code execution. The BIOS is a firmware which is used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. Successful exploitation of this vulnerability could allow for local arbitrary code execution with kernel level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

 

 

 

 

 

 

 

 



Thu, 12 May 2022 16:03:00 +0000

Cryptographic Module Validation Program Security Policy Requirements: Draft Revision of NIST Special Publication 800-140B

The initial public draft of NIST Special Publication (SP) 800-140Br1 (Revision 1), CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B, is now available for public comment. This draft introduces four significant changes to NIST SP 800-140B:

  1. Defines a more detailed structure and organization for the Security Policy
  2. Captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy document as a combination of the subsection information
  4. Generates the approved algorithm table based on lab/vendor selections from the algorithm tests

The NIST SP 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790 Annexes and ISO/IEC 24759 as permitted by the validation authority.

The public comment period for this initial public draft is open through July 12, 2022. See the publication details for instructions on submitting comments.

Read More


Thu, 12 May 2022 15:59:00 +0000

NIST Publishes Review of Digital Forensic Methods

 

The National Institute of Standards and Technology (NIST) has published Digital Investigation Techniques: A NIST Scientific Foundation Review. This draft report, which will be open for public comment for 60 days, reviews the methods that digital forensic experts use to analyze evidence from computers, mobile phones and other electronic devices.

The purpose of NIST scientific foundation reviews is to document and evaluate the scientific basis for forensic methods. These reviews fill a need identified in a landmark 2009 studyby the National Academy of Sciences, which found that many forensic disciplines lack a solid foundation in scientific research.

To conduct their review, the authors examined peer-reviewed literature, documentation from software developers, test results on forensic tools, standards and best practices documents and other sources of information. They found that “digital evidence examination rests on a firm foundation based in computer science,” and that “the ap plication of these computer science techniques to digital investigations is sound.”

“Copying data, searching for text strings, finding timestamps on files, reading call logs on a phone. These are basic elements of a digital investigation,” said Barbara Guttman, leader of NIST’s digital forensics research program and an author of the study. “And they all rely on fundamental computer operations that are widely used and well understood.”

The report also discusses several challenges that digital forensic experts face, including the rapid pace of technological change. “Digital evidence techniques don’t work perfectly in all cases,” Guttman said. “If everyone starts using a new app, forensic tools won’t be able to read and understand the contents of that app until they are updated. This requires constant effort.”

To address this challenge, the report recommends better methods for information-sharing among experts and a more structured approach to testing forensic tools that would increase efficiency and reduce duplication of effort across labs.

The report also recommends increased sharing of high-quality forensic reference data that can be used for education, training, and developing and testing new forensic tools.

NIST’s Digital Forensics Research Program, which was launched in 1999, develops methods for testing digital forensics tools and provides access to high-quality reference datasets. NIST also maintains a vast archive of published software, the National Software Reference Library, that is a critical resource for investigating computer crimes.

NIST scientific foundation reviews help laboratories identify appropriate limitations on the use of forensic methods, identify priorities for future research, and suggest steps for moving the field forward. These reviews are conducted as part of NIST’s Forensic Science Program, which works to strengthen forensic practice through research and improved standards. In 2018 Congress directed NIST to conduct these scientific reviews and appropriated funding for them.

Readers can submit comments on the draft report through July 11, 2022. NIST will host a webinar about the draft report on June 1, 2022. Instructions for submitting comments and registration information for the webinar are available on the NIST website.


Wed, 11 May 2022 21:12:00 +0000