How the private sector can learn from government cybersecurity guidance

Cyber criminals stole nearly 20,000 patient records from the Henry Ford Health System in Detroit in early December, exploiting cribbed email credentials to break into the hospital’s network.

The breach follows a trend this year of increasing attacks that are targeting companies with weak identity management practices. Organizations saw nearly 1,000 data breaches affecting 1.9 billion records in the first half of 2017. That’s a 164 percent increase of the previous year.

With 80 percent of all cyber breaches occurring because a user’s credentials were compromised, access management is quickly becoming one of the most important segments in cybersecurity.

And while it’s often the case that the private sector innovates well ahead of the federal government, the National Institute of Standards and Technology (NIST) has been voice of consensus and reference material in identity management cybersecurity best practices by outlining the requirements and providing insightful reference material to help organizations take intellectual control of the solutions and see beyond the myriad of vendor products on the market.

The federal government is constantly under cyber threat, with agencies holding everything from troves of personal information to sensitive state secrets. Thankfully, most of the attacks are cut off at the pass, avoiding an actual breach. But sometimes bad actors get past government security as in the 2016 Securities and Exchange Commission breach that was discovered late last summer.

In May, President Trump signed an executive order mandating agencies to implement NIST’s Cybersecurity Framework, which was originally created in 2014 by the Obama administration. The database of cyber hygiene rules, which is maintained by the agency’s National Cybersecurity Center of Excellence (NCCoE), reaches through every part of the security threat landscape. The NCCoE material provides a foundation for common understanding of the concepts and requirements every organization faces.

Those reference materials include several special publications focusing on digital identity and credential management. Bill Newhouse, NIST’s deputy director, said in a recent webinar that the references helps agencies better understand how to apply standards-based, commercially available technologies to improve their cybersecurity posture.

The NCCoE is focused is also on increasing the sophistication of private sector identity management as well. Check out these three ways companies can leverage NIST’s cybersecurity framework.

1. Start with a high-level view of NIST’s plan

NIST’s three “Digital Identity Guidelines” publications offer a granular look at different aspects of access manage framework, so it’s best to start with the agency’s broad overview of identity management.

NIST Special Publication 800-63-3—each paper is labeled through a government numbering system—outlines the high level goals associated with access management, including identity proofing, digital authentication and federated authentication—when you use a single sign-on such as Twitter to log into different identity management systems.

Breaking out the issue into three specific categories allows for more flexibility in choosing identity management solutions, according to NIST, since each agency—or business—needs different features in their cybersecurity plan.

Identity information in the wrong hands can be disastrous – while you can change password you can’t change your date of birth. For example, the guidelines encourage minimizing the spread of identifying information by requiring a range of options for queries, such as questioning whether an individual is older than a certain age rather than simply querying the entire date of birth.

In this way, this first publication, sometimes referred to as “863,” is a good way to get your bearings in a relatively dense set of guidelines.

2. Structure identity proofing by user risk

Identity is not just who you are but also what you do. Good actors can go bad and when they do, either in a case of privilege abuse or impersonation, access approvals is risk based decision. The process starts with good identity proofing and NIST has helped demystify this by describing a set of Identity Assurance Levels (IALs). Identity proofing is the process used to verify a person’s association with a real world identity. The practice has been around for centuries, but its modern usage came into practice about 110 years when financial institutions started asking security questions like a customer’s mother’s maiden name. The practice dates back to 1906 when Baltimore banker William M. Hayden noted at an American Bankers Association meeting that a mother’s maiden name was a strong test of identity since only family members would know that information.

That may have been a surefire way to spot an imposter a century ago, but with the advent of social media, it has become incredibly easy to search for personal details about someone. Using traditional security questions as a way to authenticate your account just isn’t safe anymore.

Complicating the matter is the fact that different users need varying levels of scrutiny depending on the level of their privileges. To address this NIST lays out a way to structure the complexity of identity proofing by using three Identity Assurance Levels (IAL).

The three IALs reflect options agencies may implement depending on a user’s risk profile and the potential harm an attack could cause using the person’s identity. To put it more simply, the more access you have to sensitive information and systems, the higher your risk profile. IAL1 denotes someone is a low risk and requires less authentication, while IAL3 represents the highest risk and, in some cases, requires physical presence for verification.

3. Make sure ease of use doesn’t affect overall security

When security is difficult, end users try to find ways of circumventing the system or reducing the scope of security. Frictionless credential management is the goal, but we must be careful that we aren’t sacrificing security for convenience. More and more often, people are using one account to sign into multiple platforms.

Through federated identities, Google, Facebook, Twitter and Amazon, among others, all enable users to sign into a plethora of unrelated services using their credentials. And while that drastically uncomplicates the sign-on process for users, it also creates an incredible security hazard.

A single credential breach would allow a cyber attacker to gain access to all the other services in that federation. For example, if someone stole your Twitter credentials it could also lead to them to gain access to any other website you log onto using those Twitter credentials. This behavior tracking and threat analytics so critical to security. The end-user has no tools or techniques at their disposal to detect when someone is impersonating their identity online or at work.

The issue is prominent enough that NIST produced a whole separate publication addressing federations. To simplify the problem and increase the level of acumen, NIST outlined Federation Assurance Levels (FALs) that companies can use to figure out how best to deal with single sign-ons across multiple networks. Much like the three IAs above, the FALs are based on risk factors, with FAL1 being the lowest and FAL3 requiring many more layers of authentication for end-user access.

One sign-in across so many platforms could spell disaster if you’re not careful. Don’t be lulled into the easy way out.

Shifting patterns of identity management

Credential management is the newest target in the constant battle between cyber thieves and the cybersecurity community. We are quickly moving to a world where every business outcome will be defined by a user or consumer interacting with an application. While there is not a silver bullet to securing these applications, there is an identity steel thread which connects the lifecycle and interaction of every user in the digital economy. At every step of the digital experience identity is the point of control, point of personalization and point of realizing value. The NIST cybersecurity references are a step to helping organizations increase their maturity to unlocking the potential of identity


Source: CSO Security news