Archive for NIST

CHIPS Act At Risk Because Of DOGE

Posted in Commentary with tags on February 26, 2025 by itnerd

The CHIPS Act (Creating Helpful Incentives to Produce Semiconductors Act) is likely to be severely impacted by DOGE, notes the author of the post “CHIPS Act dies because employees are fired – NIST CHIPS people are probationary” on SemiWiki, an open forum for semiconductor professionals.

The CHIPS Act was passed to advance US silicon supply chain security, R&D and stability. The post cites informed sources as reporting that the National Institute of Standards and Technology (NIST) is preparing to cut 497 people, including 74 postdocs, 57% of CHIPS staff focused on incentives, and 67% of CHIPS staff focused on R&D. The post also notes that President Trump has not yet announced a nominee to head up NIST.

Willy Leichter, CMO, AppSOC, offers perspective:

  “As the Trump administration continues to indiscriminately hack its way through federal agencies, the latest victim appears to be NIST, reportedly losing at least 500 staff. Using the logic of “last in, first out,” DOGE is ignoring the merits of employee roles or projects, and simply terminating anyone they can easily dump. The other mandate seems to be to kill any initiative of the Biden administration, regardless of the context or value. On the chopping block are the new AI Safety Institute, tasked with ensuring safety of AI models and systems, and the Chips for America program intended to protect sensitive chips technology from foreign (largely Chinese) theft. This comes on top of dismantling public/private collaboration with the Cyber Safety Review Boards.

  “NIST provides a critical backbone for all cybersecurity with essential resources such as the National Vulnerability Database. The agency is small by federal standards with only 3,400 employees. Cutting 500 jobs is about 15% of the total workforce – an enormous cut, at a time when cyber risks are accelerating and direct attacks on U.S. critical infrastructure and government systems have never been higher. AI is also a massive security wild card, and destroying important government safety checks could be devastating. The net effect will be to demoralize a critical and highly respected agency, embolden our adversaries to ratchet up their attacks, and put all of us at a direct financial and security risk.”

This is another short-sighted and frankly stupid move by Trump and Elon Musk that will only result in the USA being hurt in the process. You have to wonder when these two will figure that out. I’m guessing that they will only when it’s way too late.

NIST Hires Outside Firm To Clear The Backlog In The NVD

Posted in Commentary with tags on June 4, 2024 by itnerd

Facing a growing backlog of reported flaws, NIST has announced a commercial contract with an outside firm to clear the backlog in its National Vulnerability Database (NVD). This was reported in a status update that was posted on May 29th:

NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that this backlog will be cleared by the end of the fiscal year.

Mike Walters, President and Co-Founder of Action1, has provided some insight on what resources the NVD would need to keep up with the number of vulnerabilities being reported:

“The National Vulnerability Database (NVD) plays a critical role in the cybersecurity landscape by cataloging and enriching vulnerability information. To keep up with the backlog, which now exceeds 10,000 vulnerabilities, NVD needs to address several issues and improve its operations.

First, the NVD must form a consortium to improve the program and, more importantly now, secure additional funding from federal agencies, the private sector, or public grants to cover the costs associated with scaling infrastructure, hiring additional staff, and purchasing necessary software tools. It is also important for them to obtain grants for AI and machine learning research to develop cutting-edge tools that can be integrated into the NVD workflow. Implementing advanced machine learning models and AI can help automate the initial triage and enrichment process of vulnerability reports. 

Second, NVD will need to hire a highly skilled team of security analysts, data scientists, and threat intelligence experts to operate and enhance the new AI tools that will help handle the growing backlog of vulnerabilities. These professionals can oversee automated processes, validate AI-generated insights, and handle more complex cases that require human intervention. 

Third, to collect and analyze data, the NVD will need to build stronger relationships with cybersecurity communities, including CVE Numbering Authorities (CNAs), private cybersecurity firms, academic institutions, and other threat intelligence platforms that can lead to more holistic and timely data sharing. 

Implementing a crowdsourcing model where verified contributors can submit and enrich vulnerability data could also help spread the workload and speed up the process. 

These are the key resources that NVD needs to manage the crisis.”

Hopefully NIST can get on top of this quickly. But with the number of flaws that are and have been reported, that won’t be easy. But it is something that needs to be done.

UPDATE: Emily Phelps, Director, Cyware adds this comment:

   “It’s encouraging to see NIST taking proactive steps to address the backlog in the National Vulnerability Database. The current backlog highlights the increasing complexity and volume of vulnerabilities that organizations face today. Effective and timely vulnerability management is crucial for maintaining robust cybersecurity defenses.”

NIST updates 10 y/o cybersecurity framework adding focus on supply chain risk management 

Posted in Commentary with tags on February 28, 2024 by itnerd

On Monday, NIST released version 2.0 of its cybersecurity framework (CSF), which emphasizes governance and supply chain issues for both public and private sector entities.

The new guidance outlines “high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize and communicate its cybersecurity efforts.” There are six core functions:

  1. Govern
  2. Identify
  3. Protect
  4. Detect
  5. Respond
  6. Recover

“Govern”, the new addition alongside the other five pillars, focuses on how an organization establishes, communicates and monitors its cybersecurity risk management strategy, expectations and policy; it is intended to address the implementation and oversight of a cybersecurity strategy.

Laurie Locascio, director of NIST and undersecretary of Commerce for Standards and Technology, noted that 10 years ago before NIST’s initial CSF launched, there was discussion about the elements of “govern,” but agency leaders “really weren’t ready yet to incorporate it.”

In version 2.0, the focus on supply chain risks covers how many types of technology depend on complex, geographically distributed outsourcing arrangements, in both the private and public sectors, to deliver a variety of services. In the updated CSF, NIST points to Cybersecurity Supply Chain Risk Management (C-SCRM) as a systematic process for managing exposure to cybersecurity risks by developing appropriate “strategies, policies, processes and procedures.”

Emily Phelps, VP, Cyware starts with this comment:

   “By adding governance, NIST does a great job rounding out an already best-in-class framework. This will help organizations not only improve bidirectional information sharing between security teams, executives, and board members, it will help ensure consistent language and clear definitions around responsibilities.”

Greg Welch, CEO, CyberProtonics had this comment:

   “Cybercrimes are on the rise with more sophistication and computing resources. We believe all data should be encrypted and are pleased to see NIST provide organizations with risk assessment strategies and procedures that will help safeguard against malicious actors.”

Dave Ratner, CEO, HYAS served this comment:

   “As a key part of ‘Govern’ in version 2.0 of the NIST cybersecurity framework, organizations need to change how they have historically thought about security and focus on business and operational resiliency versus pure prevention. Especially with rampant supply chain attacks, not to mention constantly adapting tactics and techniques, criminals will unfortunately continue to infiltrate organizations of all sizes. Appropriate governance requires recognizing this fact across the entire business and all aspects of digital risk, and ensuring that cyber resiliency is implemented to efficiently identify, isolate, and address breaches before they expand and cause significant damage.”

John Benkert, CEO, Cigent adds this comment:

   “The National Institute of Standards and Technology (NIST) recently added “Govern” as a new function to its Cybersecurity Framework, emphasizing the importance of governance in managing cybersecurity risks. This addition underscores the understanding that effective cybersecurity is not just about technology but also involves clear governance structures, policies, and processes to ensure comprehensive risk management. This is long overdue and has been talked about outside of NIST circles for many years. Cybersecurity has to start at the top levels of organizations which includes C-level executives including the CFO.”

Troy Batterberry, CEO and Founder, EchoMark followed with this comment:

   “A vast majority of cybersecurity events are caused by inadequate security practices that can be traced back directly to insufficient prioritization and funding. While moving the discussion into the board room will help in some cases, many organizations under financial stress will continue to make difficult tradeoff decisions that result in more breaches. When they do happen, the criminals involved extract money to fund further criminal activity. Breaches impact not only the business but the customers too. This unfortunately may be a situation where further regulatory requirements are needed to protect customers and ultimately the public.”

Stephen Gates, Principal Security SME, Horizon3.ai had this to say:

   “In terms of responding to risk, NIST defines the available actions one could take as accepting, avoiding, mitigating, sharing, or transferring risk to others. And in the case of just-in-time and lean manufacturing, suppliers can potentially transfer their cyber risk to their buyers. Meaning, if you rely on a host of suppliers that help support your mission, an outage-inducing cyberattack on one of them will likely impact you as well.

   “Soon, organizations that have extensive supply chains will begin to require that their suppliers continuously assess their own infrastructure to identify their truly exploitable weaknesses, verify those weaknesses have been remediated, and prove that their cyber risk is not being transferred to their buyers. Although the term “report” appears eight times in the recent NIST Cybersecurity Framework (CSF) 2.0, it does not necessarily define a reporting standard or framework to address the third-party supplier “risk transfer” issue that many are being subjected to.”

NIST updating its cybersecurity framework shows that they’re keeping up with the ever-changing cybersecurity landscape. Assuming that organizations are paying attention, this will benefit us all.

NIST Publishes Adversarial Machine Learning Playbook For Developers

Posted in Commentary with tags on January 6, 2024 by itnerd

NIST has published a report, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. It is intended to help developers protect systems such as chatbots and self-driving cars from digital threats by understanding the types of attacks to expect and the approaches available to mitigate them.

The report covers two broad types of AI, predictive AI and generative AI, and identifies four major types of attacks on AI systems:

  • Evasion attacks: These occur after an AI system is deployed, where a user attempts to alter an input to change how the system responds to it.
  • Poisoning attacks: These occur in the training phase through the introduction of corrupted data.
  • Privacy attacks: These occur during deployment and are attempts to learn sensitive information about the AI or the data it was trained on, with the goal of misusing it.
  • Abuse attacks: These involve inputting false information into a source from which an AI learns.

Defensive measures include, but are not limited to:

  • Augmenting the training data with adversarial examples
  • Monitoring standard performance metrics for degradation in classifier metrics
  • Using data sanitization techniques
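As an added illustration of two of the defensive measures just listed (this is not code from the NIST report or from this post), the Python below monitors a deployed classifier's per-batch accuracy for degradation and runs a simple label-consistency sanitization pass over a training set to flag samples whose label disagrees with their nearest neighbours. The accuracy figures, the training points and the single mislabelled point are constructed sample data, and the thresholds, window size and nearest-neighbour heuristic are assumptions chosen for the demonstration, not values the report prescribes.

```python
"""Two of the defensive measures listed above, implemented on constructed data:
1. monitoring a deployed classifier's accuracy per batch for degradation, and
2. sanitizing training data by flagging samples whose label disagrees with
   the majority of their nearest neighbours (a simple heuristic for spotting
   label-flip poisoning). Thresholds and data are assumptions for the demo."""

from math import dist


def monitor_degradation(batch_accuracies, baseline, max_drop=0.05, window=3):
    """Return the index of the first batch at which the trailing `window`
    mean accuracy has fallen more than `max_drop` below `baseline`,
    or None if no alert fires. Averaging over a window suppresses alerts
    caused by a single noisy batch."""
    for i in range(window - 1, len(batch_accuracies)):
        recent = batch_accuracies[i + 1 - window : i + 1]
        if baseline - sum(recent) / window > max_drop:
            return i
    return None


def label_consistency_filter(samples, k=3, min_agreement=0.5):
    """samples: list of (features, label) pairs. Returns (clean, suspicious).
    A sample is suspicious when fewer than `min_agreement` of its k nearest
    neighbours (Euclidean distance, excluding itself) share its label."""
    clean, suspicious = [], []
    for i, (x, y) in enumerate(samples):
        neighbours = sorted(
            (j for j in range(len(samples)) if j != i),
            key=lambda j: dist(x, samples[j][0]),
        )[:k]
        agreeing = sum(1 for j in neighbours if samples[j][1] == y)
        (clean if agreeing / k >= min_agreement else suspicious).append((x, y))
    return clean, suspicious


# Constructed sample data: two well-separated clusters plus one point sitting
# in the "benign" cluster that carries a flipped label (the poisoned sample).
TRAINING_SET = [
    ((0.0, 0.0), "benign"), ((0.3, 0.1), "benign"),
    ((0.1, 0.4), "benign"), ((0.2, 0.2), "benign"),
    ((5.0, 5.0), "malicious"), ((5.2, 4.9), "malicious"),
    ((4.8, 5.1), "malicious"), ((5.1, 5.3), "malicious"),
    ((0.2, 0.1), "malicious"),  # constructed label flip
]

# Constructed per-batch accuracy of a deployed model; the later batches sag.
BATCH_ACCURACY = [0.96, 0.95, 0.94, 0.93, 0.85, 0.80, 0.78]


if __name__ == "__main__":
    alert = monitor_degradation(BATCH_ACCURACY, baseline=0.95)
    print("degradation alert at batch index:", alert)
    clean, suspicious = label_consistency_filter(TRAINING_SET)
    print(f"kept {len(clean)} samples, flagged {len(suspicious)}: {suspicious}")
```

On the constructed data the monitor stays quiet through the gradual dip and fires at the sixth batch, once the three-batch average has fallen nine points below the baseline, while the sanitizer keeps all eight cluster-consistent points and flags only the planted label flip. In practice `k`, `min_agreement` and `max_drop` need tuning against the real class balance and noise level, since an overly aggressive filter will also discard legitimate boundary samples.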

Troy Batterberry, CEO and Founder, EchoMark had this comment:

   “NIST’s adversarial ML report is a helpful tool for developers to better understand AI attacks. The taxonomy of attacks and suggested defenses underscores that there’s no one-size-fits-all solution against threats; however, understanding of how adversaries operate, and preparedness are critical keys to mitigating risk.

   “As a company that leverages AI and LLMs as part of our business, we understand and encourage this commitment to secure AI development, ensuring robust and trustworthy systems. Understanding and preparing for AI attacks is not just a technical issue but a strategic imperative necessary to maintain trust and integrity in increasingly AI-driven business solutions.”

Guidance like this is always helpful. But it’s only helpful if this guidance is followed. Thus I hope the target audience of this report is paying attention and follows this guidance, as that will make us all safer.

Major Updates To NIST Cybersec Framework Are Inbound

Posted in Commentary with tags on February 25, 2023 by itnerd

The U.S. Dept. of Commerce National Institute of Standards and Technology (NIST) is proposing significant reforms to their Cybersecurity Framework (CSF) for the first time in five years, and the final week for stakeholder input begins Feb. 27, 2023. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. First published in 2014 and revised in 2018, the CSF provides a set of guidelines and best practices for managing cybersecurity risks.

NIST held two additional stakeholder workshops this week, just prior to the public comment period ending March 3rd.

I have three views of this. Starting with Chloe Messdaghi, Managing Director of Impactive Partners:

   “It’s great to hear that there will be a significant reform to the framework. It is important to recognize that security team wellness determines how successful the use of the framework is. We cannot continue to ignore the human element part that cybersecurity plays when we are protecting from attacks. 

   “When a team has poor leadership and management, it places the greatest risks for creating a revolving door environment, mental health issues, lack of inclusion, and a continuing overstretched security team, which in return, leads to an increased cybersecurity risk for an organization.”

Next up is Bryson Bort, Founder and CEO of SCYTHE:

   “Small business and education have been out in the cold for years as cyber poor, but target rich. Ransomware has moved the threat from expert jargon to preying on your local community. We’re seeing the government work collaboratively beyond pushing paper (NIST CSF) to rolling up their sleeves to help them directly with CISA’s announcement on these same priorities last month.”

Finally I have Christopher Hallenbeck, CISO, Americas for Tanium:

   “Practical guidance has long been missing. NIST publications tend to be dense reads filled with jargon that make them less approachable to less resourced organizations. I’m glad to see an emphasis on addressing the underrepresented community of small businesses in this process.”

This reform by NIST is important, as it will ensure that the threat landscape is reduced, which in turn will make it harder for threat actors to do their dirty work.

NIST Releases AI Risk Management Framework

Posted in Commentary with tags on January 26, 2023 by itnerd

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Artificial Intelligence Risk Management Framework (AI RMF 1.0) today, a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies. A press release has the background on this:

The AI RMF follows a direction from Congress for NIST to develop the framework and was produced in close collaboration with the private and public sectors. It is intended to adapt to the AI landscape as technologies continue to develop, and to be used by organizations in varying degrees and capacities so that society can benefit from AI technologies while also being protected from its potential harms.

“This voluntary framework will help develop and deploy AI technologies in ways that enable the United States, other nations and organizations to enhance AI trustworthiness while managing risks based on our democratic values,” said Deputy Commerce Secretary Don Graves. “It should accelerate AI innovation and growth while advancing — rather than restricting or damaging — civil rights, civil liberties and equity for all.” 

Interesting. Christopher Prewitt, CTO of Inversion6, had this comment:

There is a significant amount of motivation to get ahead of Artificial Intelligence. As we know, governments are often slow to develop guidance, laws, and executive orders around technology. The focus of this technology, and frankly all new technologies, is on the value they create, and the risks are often not identified or focused on. The NIST AI Risk Management is attempting to provide a structure around the risk identification and management processes, so organizations can more safely develop new AI based solutions.

I’ll be interested to see where this goes as AI is very much a top of mind topic at present.

NIST Asks For Feedback In Terms Of Cybersecurity For The Water And Wastewater Utilities Sector

Posted in Commentary with tags on November 3, 2022 by itnerd

Yesterday, NIST put out a draft white paper asking for feedback from stakeholders in the water and wastewater utilities sector as to how best to secure this sector.

Here’s the abstract from the draft white paper.

The U.S. Water and Wastewater Systems (WWS) sector has been undergoing a digital transformation. Many sector stakeholders are utilizing data-enabled capabilities to improve utility management, operations, and service delivery. The ongoing adoption of automation, sensors, data collection, network devices, and analytic software may also increase cybersecurity-related vulnerabilities and associated risks.

The NCCoE has undertaken a program to determine common scenarios for cybersecurity risks among WWS utilities. This project will profile several areas, including asset management, data integrity, remote access, and network segmentation. The NCCoE will also explore the utilization of existing commercially available products to mitigate and manage these risks. The findings can be used as a starting point by WWS utilities in mitigating cybersecurity risks for their specific production environment. This project will result in a freely available NIST Cybersecurity Practice Guide.

You can read the draft white paper here. Chris Warner, OT Cybersecurity Consultant, GuidePoint Security adds this commentary:

“Water systems are unique and challenging to secure because many systems are over 50 years old, and it will take tremendous financial and human resources to replace or upgrade to stay in compliance with regulatory entities. Water SCADA systems have numerous physical sites that are diverse in architecture and challenging to ensure integrity and security for water treatment basins, distribution centers, storage towers/level management, drinking water distribution networks, real-time decentralized industrial wastewater treatment centers, and real-time flood control system monitoring. 

Now, the AWWA mandates over 180 standards of practice for water utilities, and many US States have their own regulations. Some states are now encouraging water utilities to align to the NIST CSF. The NIST CSF mainly focuses on the business, IT, and a limited amount of OT. Creating an overlay of the NIST 800-82 with the CSF specifically addresses SCADA systems.”

I’ll be keeping an eye on this as there needs to be change in this sector to address the threat landscape that we find ourselves in at present.