CYBEREYE—Commentary

When systems are connected, can any be called low impact?

The Cyber Secure Institute has done a preliminary analysis of information security recommendations recently published by the National Institute of Standards and Technology, and, while generally approving, the institute finds fault with some of the recommendations.

“All in all, the NIST recommendations are a major step forward, but they fail to fully seize the opportunity to advance President Obama’s cybersecurity agenda,” CSI Executive Director Rob Housman said in the report.

This fails to recognize that NIST is not a policy-making or regulatory organization. It makes recommendations and sets standards to fulfill requirements established by the executive and legislative branches. That is why the 800 series of special publications produced to support the Federal Information Security Management Act typically are titled “guidelines” or “recommendations.”

But the report does raise the legitimate question of whether recommended baseline security controls should be based on the sensitivity of an individual system. With perimeter defenses becoming increasingly inadequate and barriers between systems becoming more porous, is it possible to rate one system as low impact rather than moderate or high?

NIST collaborated with the military and intelligence communities to produce Revision 3 of SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” the first set of security controls for all government information systems, including national security systems. It is part of a series of documents to help agencies implement FISMA.

“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems,” the agency said when releasing the document last month.

A key element of FISMA is risk-based security, the idea that defenses should reflect the level of risk to a system. Systems are rated as high, moderate or low impact depending on the effect a breach of the system would have on the agency’s mission or overall security. High-impact systems should be defended against “high-skilled, highly motivated and well-resourced” threats, while systems of lesser importance can be defended against less sophisticated or motivated attacks. This concept makes sense but is becoming more difficult to implement soundly.

As systems become more interconnected with more routes of access and less well-defined perimeters, a low-impact system can become a soft underbelly, making it attractive to sophisticated attackers as a platform to launch an inside attack against more important systems. Ranking risk levels is further complicated by the fact that increasingly sophisticated attacks are being created with different motives. A system containing personally identifiable information could be rated a low or moderate impact because it does not contain sensitive or classified information. But that is exactly the type of information criminal organizations are likely to launch sophisticated attacks against.

It still makes sense to match security controls to the level of risk being addressed. But it is becoming more difficult to assign a meaningful level of risk to individual systems, further complicating the job of information security.
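The categorization the article describes can be modelled directly. The following is an added example (not from the article, the Cyber Secure Institute or NIST): the `categorize` function applies the FIPS 199 high-water-mark rule that FISMA categorization uses (a system's impact is the highest confidentiality, integrity or availability impact across the information types it handles), while `effective_impact` is this example's own hypothetical rule for the article's argument: a system's rating is raised to the highest rating reachable over interconnections that are not documented and protected. The three-system inventory, its information types and the `mitigated` set of protected interconnections are all constructed for illustration.

```python
"""FIPS 199-style categorization plus interconnection-aware effective impact.

Added example. The high-water-mark rule in categorize() follows FIPS 199; the
effective_impact() propagation over unprotected interconnections is a
hypothetical rule illustrating the article's point, not a NIST requirement.
"""
from collections import deque
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class InfoType:
    """One information type with its C/I/A impact levels (FIPS 199 terms)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class System:
    """An information system, its information types and outbound interconnections."""
    name: str
    info_types: list
    connects_to: list = field(default_factory=list)


def info_type_impact(t: InfoType) -> int:
    # Highest of the three security objectives for this information type.
    return max(LEVELS[t.confidentiality], LEVELS[t.integrity], LEVELS[t.availability])


def categorize(system: System) -> str:
    """FIPS 199 high water mark: the system takes the highest impact of any
    information type it processes, stores or transmits."""
    return NAMES[max(info_type_impact(t) for t in system.info_types)]


def reachable(name: str, inventory: dict, mitigated=frozenset()) -> set:
    """Systems reachable from `name` over interconnections that are not in
    `mitigated` (the set of documented, protected (source, destination) links)."""
    seen = {name}
    queue = deque([name])
    while queue:
        cur = queue.popleft()
        for nxt in inventory[cur].connects_to:
            if (cur, nxt) in mitigated or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    seen.discard(name)
    return seen


def effective_impact(name: str, inventory: dict, mitigated=frozenset()) -> str:
    """Hypothetical rule: a system rated on its own data alone is raised to the
    highest rating of any system it can reach over an unprotected interconnection,
    since a breach there is a foothold against those systems."""
    own = LEVELS[categorize(inventory[name])]
    downstream = [LEVELS[categorize(inventory[n])]
                  for n in reachable(name, inventory, mitigated)]
    return NAMES[max([own] + downstream)]


# Constructed inventory: a low-impact public site that can reach a payroll
# system through an HR portal. Names and ratings are illustrative only.
INVENTORY = {s.name: s for s in [
    System("public-web", [InfoType("press releases", "low", "low", "low")], ["hr-portal"]),
    System("hr-portal", [InfoType("employee PII", "moderate", "moderate", "low")], ["payroll"]),
    System("payroll", [InfoType("financial records", "high", "high", "moderate")]),
]}

if __name__ == "__main__":
    protected = frozenset({("hr-portal", "payroll")})
    for name in INVENTORY:
        print(f"{name:12s} standalone={categorize(INVENTORY[name]):9s}"
              f" effective={effective_impact(name, INVENTORY):9s}"
              f" with protected link={effective_impact(name, INVENTORY, protected)}")
```

Run stand-alone, the public web site categorizes as low on its own data but reaches high once its path to payroll is counted; adding the hr-portal to payroll link to the `mitigated` set drops it back to moderate, which is the point both the article and the second commenter make from different sides: the interconnection matters only while it is neither documented nor protected.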

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Aug 25, 2009

Concur with Tyler. Defining the system boundaries with proper interconnection planning ensures proper safeguards and intermediaries are in place to protect interconnected systems. The issue is primarily with good system control. Most organizations don't know what information they have, on which systems it is processed and stored, and therefore have no way of knowing what is at risk when they interconnect. If the NIST risk management framework is implemented properly, one will first identify the information, information types, and impact, determine where it is processed, stored and transmitted, and then determine the safeguards needed to appropriately protect it (including the interconnections). GCN should stick with the people implementing FISMA, not the contractors and salesmen pitching their FISMA solutions.

Tue, Aug 25, 2009 Tyler Compton Newport News

The article is fairly well written, but based on a "report" ( http://cybersecureinstitute.org/docs/blog/NIST_Recommednation_Analysis.pdf) which truly fails to understand the FISMA risk-based security control model or its actual application: 1) High-impact systems are less than 20% of the federal inventory according to the OMB reporting, 2) Interconnections of systems don't increase risk if protected and documented as required, 3) The concerns being raised are not related to the Rev3 changes, and more. If GCN is to publish a critical assessment of FISMA, let it be based on actual practitioners (such as the July 20 ISC2-based review) rather than platitudes. -T
