NIST Cybersecurity Framework 2.0

NIST has released version 2.0 of the Cybersecurity Framework:

The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

[…]

The framework’s core is now organized around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.

This is a big deal. The CSF is widely used, and has been in need of an update. And NIST is exactly the sort of respected organization to do this correctly.

Some news articles.

Posted on March 1, 2024 at 7:08 AM

Comments

echo March 1, 2024 1:11 PM

Technical security is good. The problem is when technical security is viewed as the only security. In a lot of ways technical security protects good and bad actors alike.

Skimming the document I see no mention of Homeland Security or Department of Justice? The big blocker is getting hung up on freedom of speech and no weight being placed on hate crime or domestic terrorism whether stochastic or kinetic. That’s a huge loophole bad actors foreign and domestic will drive a coach and horses through at all levels.

And the following groups will say exactly what I have said:

It will tackle head on the lack of diversity in the cyber workforce. Employers are hiring from too small a pool of talent and from professional networks that are not able to draw from the full diversity of the country. Women, people of color, first generation professionals and immigrants, individuals with disabilities, and LGBTQI+ individuals are among the communities which are underrepresented in the field. Addressing systemic inequities and overcoming barriers that inhibit diversity in the cyber workforce is both a moral necessity and a strategic imperative.

It’s a good start but must be more than words on paper.

On the recruitment angle there are some hidden pluses. Any one of the protected categories is motivated in ways that money cannot buy. Visibility matters but people also stand up to protect those who cannot protect themselves. You will also find them very motivated to go after bad actors in ways that most people won’t. They can also spot details and tease away at the thread and join dots you may miss.

How to retain them? Be nice. Listen to them. Give them what they need to live their lives and the tools to do their job. They will do the rest.

Hate crime and discrimination law will protect this precious critical resource and infrastructure. And affordable and accessible childcare, and healthcare, and family planning and abortion services too. They also want to feel safe living in their communities. Don’t forget that.

I may be talking complete **** but this is what voices from these communities tell me.

lurker March 1, 2024 2:49 PM

@echo, ALL

This is a framework. It has to stand on a foundation. If the foundation is not good, it will fall.[1] Judge for yourself the state of the current foundation, hardware, operating systems, and users. Plus the fact that it is riddled with TLA termites.

Luke 6:49

Clive Robinson March 1, 2024 4:06 PM

@ lurker, ALL,

Re : Luke 6:49

“If the foundation is not good, it will fall”

It was about a thousand years too early to say the more interesting,

“If the hull is not sound, it will sink”

The problem we have, as I identified a few years ago, is that the foundations in the computing stack are too far down to see all the way down at the quantum level, but not too far down that they cannot be attacked. Thus the turtles stack up a long way before you can see what’s under your feet, with a large number of layers you can attack at.

With a ship however you can just look between your feet to see the hull and thus judge if it is sound or not.

It’s why with “Castles v Prisons” model my thinking went with vessel design not architecture.

But I also identified that,

“Technology is agnostic to its use”

And that,

“Good or bad is in the eyes of the observer, not the technology or the head of the directing mind.”

Thus “technical security” is from ISO OSI layer 7 (user presentation) down. And… It’s not actually security as you would define it in the tangible physical world that we humans inhabit,

“ICT security is about functional trust, you as a user trust the system will do as defined.”

Unfortunately the how many turtles can you see problem arose. In our current computer designs you as a user can only look down the computing stack to the CPU ISA. Some with the magic keys to the microcode kingdom can look down to the CPU bus interface.

Attackers can however reach all the way down to below the logic gate level, and like bubbles in a flute of Champagne start from below a single bit of memory and, as with the bubbles, expand as they rise. Hence calling it a “bubbling up attack”.

We’ve known this was possible from back in the 1970s, to my certain knowledge, when it was shown that “Space Worthy Parts”, specifically memory, were vulnerable to movements of charged particles and thus had to be designed in a certain way to be “Rad-Hardened”. This invisible “bit flipping” became more serious as memory moved over from NOR logic gates to charge well capacitors in DRAM and later Flash ROM. The solution was to use very basic error detecting protocols like parity and later error correcting with Hamming Codes and similar.

What nobody talked about, but engineers knew, was the ghost sitting at the end of the banquet for the blind table. It could move the food in the dishes unobserved. The ghost’s activities did not show up until someone put food in their mouth and tasted potato not chicken.

The same logic applies to all of these “bubbling up” bit-flipping attacks: you have no idea when it happened or to what extent bits had been flipped. Thus with parity checking, which will pick up odd numbers of bit flips, it won’t pick up even numbers of bit flips. Thus one trick tried was to put memory into 8 bytes of 8 bits and use 2D parity checking; however this could only be done with software due to the fact “chips were not made that way”, and still are not outside of FPGAs etc. But still the ghost remained at the banquet for the blind.

It was mainly of mild academic concern/interest until RowHammer came along. It is a user level initiated attack that reaches all the way around and under the gate level. Hence it’s a “Reach Around” attack that bypasses most if not all memory protection at the MMU or lower level. Thus it is “The Trust”, not the “security technology”, that has failed.

For various reasons people added many layers on top of the ISO OSI 7 layer model. Above user you got policy, management, organisational, legal, political, treaty etc layers. I’m not sure if there has been any agreement on which was at which layer. But the idea is it’s the Human part of the computing stack.

Here there is an inversion of what trust and therefore security actually means.

As far as I remember it was Prof Ross J. Anderson who gave the best definition of the difference between technology trust and human trust back in the 1990’s if not earlier. In effect noting human trust broke not with the technology but with “betrayal”.

In much more recent times we see Silicon Valley mega corps building business plans on betraying their users. Microsoft in particular get pointed out for this: in all their OS and Apps from around 2005 onwards the surveillance for betrayal crept in ever further.

The latest round of this is with AI, specifically LLMs, that are surveillance tools on steroids. As I’ve said it’s a “5 BE business plan” of,

1, Bedazzle
2, Beguile
3, Bewitch
4, Befriend
5, Betray.

It’s why Microsoft are building in AI like a manic bricklayer that cannot stop; wherever the eye gaze falls a brick must go…

What we need to formalize is those new layers on the ISO OSI model and flesh them out. Then and only then start adding the “human trust” type security as we agree on how it should work.
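The parity and Hamming-code points in the comment above can be checked directly. The following is an added example, not code from the original post or from any commenter; it uses constructed data (one byte and an 8x8 block built from the bytes of `b"CSF2.0!!"`) and constructed fault positions, and it goes one step further than the comment by also showing where 2D parity itself fails (a four-corner flip pattern) and how an extended Hamming (SECDED) code separates a correctable single flip from a detectable double flip.

```python
# Added example, not code from the original post or any comment. It checks
# the comment's claim about parity with constructed bit flips: a single parity
# bit misses even-count errors, 2D parity over an 8x8 block detects them (and
# locates a single flip) but misses a four-corner pattern, and an extended
# Hamming (SECDED) code corrects one flip and flags two.

def parity(bits):
    """Even parity of a sequence of 0/1 ints."""
    return sum(bits) % 2


def flip(bits, positions):
    """Return a copy of bits with the given positions toggled (constructed fault)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def single_parity_detects(data, positions):
    """True if one stored even-parity bit disagrees after the flips."""
    return parity(flip(data, positions)) != parity(data)


def parity2d_check(block, cells):
    """block: 8 rows of 8 bits; cells: list of (row, col) to flip.
    Returns (detected, locatable): whether any row/column parity changed, and
    whether exactly one row and one column changed (single flip pinpointed)."""
    row_p = [parity(r) for r in block]
    col_p = [parity(c) for c in zip(*block)]
    bad = [r[:] for r in block]
    for i, j in cells:
        bad[i][j] ^= 1
    bad_rows = [i for i, r in enumerate(bad) if parity(r) != row_p[i]]
    bad_cols = [j for j, c in enumerate(zip(*bad)) if parity(c) != col_p[j]]
    detected = bool(bad_rows or bad_cols)
    locatable = len(bad_rows) == 1 and len(bad_cols) == 1
    return detected, locatable


def hamming_encode(data):
    """Extended Hamming code: data bits at non-power-of-two positions (1-indexed),
    check bits at powers of two, overall parity stored at index 0."""
    m = len(data)
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    n = m + r
    code = [0] * (n + 1)
    it = iter(data)
    for pos in range(1, n + 1):
        if pos & (pos - 1):          # not a power of two -> data position
            code[pos] = next(it)
    for k in range(r):
        p = 1 << k
        code[p] = sum(code[i] for i in range(1, n + 1) if i & p) % 2
    code[0] = sum(code[1:]) % 2
    return code


def hamming_decode(code):
    """Returns (status, data). status is 'ok', 'corrected' (one flip fixed) or
    'double' (two flips detected, not correctable)."""
    code = list(code)
    n = len(code) - 1
    syndrome = 0
    for i in range(1, n + 1):
        if code[i]:
            syndrome ^= i          # XOR of set positions = index of a single error
    overall = sum(code) % 2        # 0 unless an odd number of bits flipped
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1:
        code[syndrome] ^= 1        # syndrome 0 with odd parity means index 0 flipped
        status = "corrected"
    else:
        status = "double"
    data = [code[i] for i in range(1, n + 1) if i & (i - 1)]
    return status, data


# Constructed sample data: one byte and an 8x8 block of bits.
DATA = [1, 0, 1, 1, 0, 0, 1, 0]
BLOCK = [[(b >> (7 - k)) & 1 for k in range(8)] for b in b"CSF2.0!!"]


def summary():
    """Run the constructed fault cases and collect the outcomes."""
    code = hamming_encode(DATA)
    return {
        "parity_1flip": single_parity_detects(DATA, [3]),
        "parity_2flip": single_parity_detects(DATA, [3, 5]),
        "2d_1flip": parity2d_check(BLOCK, [(2, 3)]),
        "2d_2flip_same_row": parity2d_check(BLOCK, [(2, 3), (2, 5)]),
        "2d_4corners": parity2d_check(BLOCK, [(1, 1), (1, 4), (6, 1), (6, 4)]),
        "hamming_1flip": hamming_decode(flip(code, [5])),
        "hamming_2flip": hamming_decode(flip(code, [5, 9]))[0],
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(k, v)
```

The decoder relies on the standard property that the XOR of the positions of all set bits in a valid Hamming codeword is zero, so after one flip the XOR equals the flipped position; the extra overall-parity bit is what lets it tell one flip (odd overall parity) from two (even overall parity, non-zero syndrome). Three or more flips can still be miscorrected, which is the same "ghost at the banquet" limitation the comment describes, just pushed one bit further out.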

luker March 2, 2024 2:38 AM

Can police put a dent in cybercrime ransom figures as they ‘hack back’?

is the headline over a story in my print edition local MSM, unfortunately paywalled online.[1] The story recounts several recent successful “busts” of ransomware gangs, but it reads like popping pimples one by one without any visible attempt to get at the underlying disease. (q.v. my comment above re. foundation)

I’ve now read through NIST CSWP 29; it’s full of C-suite buzzwords, and reads like the rules for a global game of whack-a-mole. The prevention strategy seems to be more of the same, which patently is not working.

[1] https://www.nzherald.co.nz/business/can-police-put-a-dent-in-cybercrime-ransom-figures-juha-saarinen/XDIXQ7223JGGPP5O72GWHGSBDM/

echo March 2, 2024 7:51 AM

I went back over the overarching framework and read it (mostly) from end to end. It’s a good sleeping pill.

What it’s missing is a sense of context and how different domains like governance and civil society and human rights relate to each other. “That means it has a whiff of all boxes were ticked and all processes were followed. The patient died but the operation was a success.” There’s structural and institutional security problems not being addressed because everyone is too busy being a techbro. It’s like NIST is the Masterlock of security.

Human resources and human rights get like three lines in the entire document. There’s volumes of hard eyerolling behind this. Basically the whole thing looks like an empire building plan for the boys and lawyers.

The scheme to build a secure wall domestically and lean on foreign countries to pull their socks up isn’t going to work because of these weaknesses. It’s also why the US falls flat on its face even though it wins the war militarily.

Long term I think the EU is creating the foundations for a better security model. The US tech market will have to respond to this or leave the global stage.

vas pup March 2, 2024 4:58 PM

Looks like related to the subject:

Could product passports revolutionize the way we shop?
https://www.bbc.com/news/business-68283317

“Digital product passports (DPPs) are being introduced across the EU to improve sustainability. They capture data about the environmental impact of products, their composition, their production and history. Industrial and electric vehicle batteries will be the first products to have mandatory DPPs, from 2027.

Other product categories, including textiles, are expected to follow by 2030.

“The European Commission thinks that if the final customer is better informed, they can put pressure on the manufacturer and the distributors [to develop more sustainable products],” says Dr Natacha Tréhan, an expert in procurement and the circular economy at the University of Grenoble Alpes. “It’ll increase eco-design. I’m very happy about this because 80% of environmental impact is determined at the design stage.”

“The EU’s Corporate Sustainability Due Diligence Directive is going to hold companies accountable for the integrity of the data they’re reporting, including the claims on their digital product passports.”

For new building 100 Fetter Lane in London, architects Fletcher Priest and engineers Waterman have been asking suppliers to provide information for materials passports. The project, due to be completed this year, uses multiple layers of passports, from materials, through components, to the entire building.

Passports cover structural steel, in-situ and precast concrete, and the raised access floor. Together, they are estimated to account for more than 80% of the building’s mass.”

My nickel:

For food dietary supplements the FDA may not confirm the effect, but for sure should confirm that the content/ingredients specified on the label actually match the real content, and if the company later deviates from the initial content without notifying customers, the company/CEOs should face strong criminal and/or civil responsibility.

For buildings – the passport should contain a mandatory minimum level of Sound Transmission Category (STC) depending on building purpose (residential, business, mixed, you name it). Noise, as a very stressful and health-affecting factor, is left outside the attention of our legislators/environmentalists/real estate community, but we can really make fast changes in this area for the general good.

A similar kind of digital passport, including the security and privacy features of any product, should get the attention of NIST as well – just an opinion.

echo March 3, 2024 8:37 PM

@vas pup

“The European Commission thinks that if the final customer is better informed, they can put pressure on the manufacturer and the distributors [to develop more sustainable products],” says Dr Natacha Tréhan, an expert in procurement and the circular economy at the University of Grenoble Alpes. “It’ll increase eco-design. I’m very happy about this because 80% of environmental impact is determined at the design stage.”

This kind of thing can work at the B2B, distributor, and manufacturer level; and possibly with motivated media and politicians. In some sectors with product labeling it’s been found to be greenwashing and has failed because manufacturers and financial engineers have stuck fingers in their ears, which essentially disenfranchised the public who made an effort. That aside I think it can help a lot.

I’m a bit “Meh” about the US as their governance and human rights is a bit “Blergh”, and US regulation and standards can be a bit shifty.

But could a passport work with security? I don’t see why not but there’s no way I’d leave it to the US to define. It can’t just be technical security but must also include other aspects of the security model. There’s a lot of data sloshing around already paid for. The problem is it’s often obscure to most people and as it’s rarely reported on by media the name and shame model breaks down. Another irritant is people grabbing raw numbers without running comparative studies. That can hide a lot of sins.

What kind of system would I like? These security domains: technical, human rights, governance, civic infrastructure, green. Someone may be able to suggest better but they all fit under security (or might actually fit under each other depending on how you look at it). Now why would I want to include the others? Straight line technical security basically says nothing outside of its own domain. I want to know whether the item is manufactured by or managed by a corrupt dictatorship in sweatshops and falls apart after ten minutes and can’t be repaired or recycled because I don’t like war, poverty, famine, or swimming in poo if I can avoid it.

I know. Headache. Well, what are graphics designers and academics paid for? I’m sure they can come up with something and it’s not anywhere as complicated as an infographic explaining French sauces.

Clive Robinson March 3, 2024 10:21 PM

@ echo, ALL,

Re : A little advice, ships not castles.

As I’ve indicated the “computing stack” is an expanded version of the ISO OSI “7 Layer Model”[1]. It goes a long way down to almost the quantum physics layer and upwards to the global level and is now being considered up into a bit more than beyond “Earth Orbit” and into Interplanetary issues such as “local time” issues (it in effect goes both forward and back depending on the relationship with respect to each other).

OK, people are probably thinking “So what?”. Well, consider that security affects every single layer of the computing stack. Not just the ones we already have but those that are going to be added over the years to come.

Also consider the mindset. Most people think sequentially not in parallel and even less commonly in a matrix or mesh format. However the human condition is messy and even mesh thinking does not quite “cut it” and we’ve a lot to learn, and those currently in power don’t have anything like the skills required; they are, to be blunt, “too centric on their own asses” and where they are positioned in a hierarchical structure that is extraordinarily local to them. So in the main they are of less use than a door stop pretending to be an umbrella stand.

The simple fact is the security thinking we mostly do is about as archaic as building motte-and-bailey defenses when you are fighting a naval war against those using ships (or in rare cases aircraft and UAVs).

That is “build foundations and up” is fairly pointless as it instills almost rigid “fixed position thinking”.

We really have to assume we need to build our bastions / castles not on rock, clay or sand, but on water or clouds to be highly responsive, and not tied down as “fixed targets”.

This means that we need to think above the CPU and similar levels in the computing stack but into a gray area few understand. Which is how you build the basis of a trusted environment on top of chaos, uncertainty, and nothing to stand on.

Neither traditional/current bottom-up or top-down design is going to work. Worse, all the messy human layers of the model must be accommodated.

Why? Well because attacks just don’t work the way they did (even though “old school” works say 9 times out of ten). The fact is we have to consider two types of attack in one. That is those that start at the highest levels and “reach down and around” all our current security measures to the lowest levels to make changes of just a bit or two, that then just like in a glass of champagne they “bubble up” getting steadily larger in effect and influence as they rise till the whole surface is a roiling layer of chaos.

Think of it as an amplified version of RowHammer, that starts not from the user layer but much further up the stack, beyond policy, management layers out into the legislative layers and political nonsense that goes on both above and behind that.

I’ve mentioned this several times in passing in the past, especially when talking about “time”, “the speed of light” and Einstein’s fun little views. Sounds very esoteric, but have people tested for vulnerabilities involving a time difference of just 1 second when some systems stay as they are and others jump back one second (see “leap second” capabilities that are now being phased out)?

The usual but wrong answer to this is to have a monotonic network time and a variable local time. This does not work with relativity even between the Earth at the equator and the poles, let alone into satellite networks where you might have a mesh of hundreds if not thousands of satellites and your data may get routed from any one to another, with different routes for every packet. Thus time could bounce around like a ping pong ball in a tank full of mouse traps (look on the Internet for a video if you’ve never seen it). Whilst we can deal with “out of order” packets, “jumping time” is an issue especially for low latency systems.

This is just one of a veritable cornucopia of potential vulnerabilities just waiting to be hard coded into legislation, regulation, standards, protocols and implementation.

Nearly all of which are actually “human” issues not real technical ones.

But if we take the view of building not castles on beds of rock but fleets of ships at sea, we can be better prepared. But as with the switch from Land Warfare to Naval Warfare around Henry VIII’s time it’s going to take time to get it right unless we learn some of history’s lessons, especially to do with humans and their failings.

Because if we as the defenders do not the attackers sure as heck will.

[1] The reason we talk about the “Open System Interconnect” (OSI) model rather than the US DoD/ARPA “4 Layer Model” is quite simple. The ARPA 4 Layer was pragmatic and very much based on 1960’s thinking and resources in development at that time. Whilst the OSI 7 Layer model was based not on resources but objectives and interoperability at a detailed level from the get go, as such it was not seen as pragmatic but “blue sky” as few resources even in the late 1980’s could fully support it. Further the ARPA 4 layer was very narrow in what it covered and realistically covered not much except communications, whilst the OSI 7 layer went way way above that to just below the human aspects of the computing stack. Whilst people have joked about “7 of 11” and more recently “7 of 13”, the original OSI model has pragmatically been extended up well into the human level and beyond, with Layer 13 being effectively “International Law / Treaties / UN” depending on what meaning people want to emphasize.
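The one-second backward step the comment asks about can be tested on a constructed clock without waiting for a real leap second. The following is an added example, not code from the original post or from any commenter; the `Node` class, the epoch value, the TTL and freshness-window numbers are all assumptions made for the illustration. It shows two checks: a token TTL measured on wall-clock time, which stops expiring on schedule after the step while the same TTL on the host's monotonic clock does not, and a timestamp freshness window between two nodes of which only one applied the step, which then rejects valid messages in both directions, the cross-system case a local monotonic clock does not cover.

```python
# Added example, not code from the original post or any comment. It simulates
# the one-second backward step the comment asks about on a constructed clock
# and shows which checks it breaks: a TTL measured on wall-clock time stops
# expiring on schedule, and a freshness window between two nodes, only one of
# which applied the step, rejects valid messages in both directions.

class Node:
    """Constructed node with a wall clock (steppable) and a monotonic clock."""

    def __init__(self, name, wall):
        self.name = name
        self.wall = wall      # seconds since epoch, may jump
        self.mono = 0.0       # seconds since boot, only ever advances

    def tick(self, seconds):
        """Real time passes: both clocks advance."""
        self.wall += seconds
        self.mono += seconds

    def step_wall(self, seconds):
        """Administrative step of the wall clock (negative = set back)."""
        self.wall += seconds


def ttl_expired_wall(node, issued_wall, ttl):
    return node.wall - issued_wall >= ttl


def ttl_expired_mono(node, issued_mono, ttl):
    return node.mono - issued_mono >= ttl


def token_scenario(step=-1.0, ttl=2.0):
    """Issue a token, let 2.1 s of real time pass with a wall-clock step in the
    middle, and report whether each TTL check considers it expired."""
    n = Node("a", 1_700_000_000.0)   # constructed epoch value
    issued_wall, issued_mono = n.wall, n.mono
    n.tick(1.5)
    n.step_wall(step)
    n.tick(0.6)
    return {
        "wall": ttl_expired_wall(n, issued_wall, ttl),
        "mono": ttl_expired_mono(n, issued_mono, ttl),
    }


def fresh(now, ts, window):
    """Accept a message only if its timestamp is not in the future and not
    older than window seconds."""
    return 0.0 <= now - ts <= window


def freshness_scenario(step=-1.0, window=0.5, transit=0.1):
    """Two nodes with agreeing clocks; only node a applies the step.
    Returns (b_to_a_accepted, a_to_b_accepted)."""
    a = Node("a", 1_700_000_000.0)
    b = Node("b", 1_700_000_000.0)
    a.step_wall(step)

    ts = b.wall                     # b stamps a message with its wall time
    for n in (a, b):
        n.tick(transit)
    b_to_a = fresh(a.wall, ts, window)   # arrives "from the future" at a

    ts = a.wall                     # a stamps a reply
    for n in (a, b):
        n.tick(transit)
    a_to_b = fresh(b.wall, ts, window)   # looks stale at b
    return b_to_a, a_to_b


if __name__ == "__main__":
    print("no step  :", token_scenario(step=0.0), freshness_scenario(step=0.0))
    print("-1 s step:", token_scenario(), freshness_scenario())
```

With `step=0.0` both scenarios accept everything; with the default one-second set-back the wall-clock TTL reports a token that has in fact outlived its lifetime as still valid, and the freshness check fails a message in each direction for opposite reasons (future-dated one way, stale the other). The harness is the kind of thing to run against any timestamp-dependent check before trusting it across hosts that may not apply the same step at the same instant.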

echo March 5, 2024 3:07 AM

@Clive

Also consider the mindset. Most people think sequentially not in parallel and even less commonly in a matrix or mesh format. However the human condition is messy and even mesh thinking does not quite “cut it” and we’ve a lot to learn, and those currently in power don’t have anything like the skills required; they are, to be blunt, “too centric on their own asses” and where they are positioned in a hierarchical structure that is extraordinarily local to them. So in the main they are of less use than a door stop pretending to be an umbrella stand.

This is why I think you’re making a fundamental mistake censoring discussion to electronic technical.

I know the system defaults to being linear and subjective but you also need to see that in context of mostly men designing mostly male orientated systems for men. Mention a comparative study and most men go “What?” It’s why Schopenhauer’s essay “On Women” had traction and why physicists fall flat on their face with quantum physics. The mind sets barriers around itself and feelings play a larger role than people often perceive. That’s partly why I’m linking to feminist and feminist queer theory and EU discussion documents. Women reason differently, as do people who learn pictographic languages.

Nobody is immune to this, which is why you’re making the same mistake an RN Admiral made when standing on the flagship gazing through his binoculars and wondering why there was a vessel missing from the fleet. As the captain reminded him, he was standing on it.

I’m not using the same language or concepts you are because it’s a trap. You just get yourself bound up in it again. As an example there’s everyone bandwaggoning cheap security is bad security. Well, yes that can be true. It can also not be true. Sometimes it’s the stack of OMG gimlet eyed security which is the problem. It also depends on who the security is about and why. Gentleman’s clubs are a case in point. They’re a club by men for men who are powerful or influential men who professionally tend to have sealed minds. That’s one reason why there’s cases brought by women rumbling on and off through the courts.

The NIST documents are a long winded way of saying NOBUS for power crazed and greedy and cavalier men. I spotted this on a first casual run through. In fact really that’s what the US constitution is all about and partly why the US security model is completely broken. As for the UK that’s basket case managed decline for other reasons.

Feminist and Feminist Queer Theory changes the dynamic of this model. To be illustrative: It’s really hard to explain but like the difference between the Savoy cigar and bar lounge and a FLINTA venue. It’s a different dynamic. It’s like instead of the linear model it’s a model which balances multiple domains at multiple levels.

It’s not hard. Like, that’s what governments and organisations are for – to do multiple things in parallel, or guidelines, or even simple signs. And yes people can break a good system or a bad system can be made to work well. It’s a mindset thing again. But regardless this can be moderated and the heuristic changed. And that’s what NIST dismisses or handwaves away in three lines and likely for the same reasons the type of bluff purple faced monocle popping man in a suit has an attitude to 1970’s style holistic new agey therapists wearing hippyish wooden bead necklaces. It’s why they’re currently fighting so hard and nasty. Their world or old security model is ending.

99% of our disagreements are not about quality of outcome per se. Like, it’s not a cake being divided. That’s why I provided the two links I did. A new approach and electronic technical are not orthogonal to each other. I just happen to believe that both are known knowns and the priorities are more in line with feminist theory and feminist queer theory, which is just another way of saying non-linear and non-siloed, which is a neutral thing which scrubs either way. It was also the direction of travel before the UK and US had collective meltdowns.

The AI worm idea and Mr Billionaire Dadbod and Mr No-Mark should have everyone hard eyerolling. Men are getting uptight because nothing has changed and so are women just for different reasons. That’s the hangaboutwaitaminute moment.

I also think those military simulations with their runaway scenarios are another hangaboutwaitaminute moment and possibly why some thinking is emerging from thinktanks that a more ground level social approach may be the better path.

You might begin to see the two areas are linked… I don’t think Judith Butler specifically says this even in her more security orientated talks (although I do have to catch up with some of her talks on conflict) but it’s implied a couple of levels deep. Personally, I feel, her work is a good counterpoint and likely replacement for Alvin Toffler who used to be the big think tanker with some influence in the military-security policy development field.

echo March 5, 2024 3:20 AM

Australia, for some reason, has its own Cyber Security Framework – the ISM.
https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism

That reminds me. I have some Major General (Ret) Mick Ryan stuff to watch (along with more Judith Butler).

I’m pretty tapped out with military stuff and geo-politics. It’s interesting for learning about stuff and modes of reasoning but ugh. It’s not exactly a hot topic in the ponds I swim in. I’d get some blank faces and funny looks if I brought it up.

vas pup March 5, 2024 5:51 PM

@echo – thank you for input.
I agree with this part absolutely: “I want to know whether the item is manufactured by or managed by a corrupt dictatorship in sweatshops and falls apart after ten minutes and can’t be repaired or recycled…”

That is why the bar code on an item should reflect not the country of the distributor but the country of origin. The distributor is for the American ‘sport’ called litigation, like football or baseball. For the consumer – it should be clear where the item is coming from, to make their own informed decision to purchase or not. And you are also right that many reasonable and logical suggestions fall on deaf ears because the lobby will block anything which prioritizes customer interest over the business interest they are paid for.
