When systems are connected, can any be called low impact?
- By William Jackson
- Aug 24, 2009
The Cyber Secure Institute has done a preliminary analysis of information security recommendations recently published by the National Institute of Standards and Technology, and, while generally approving, the institute finds fault with some of the recommendations.
“All in all, the NIST recommendations are a major step forward, but they fail to fully seize the opportunity to advance President Obama’s cybersecurity agenda,” CSI Executive Director Rob Housman said in the report.
This fails to recognize that NIST is not a policy-making or regulatory organization. It makes recommendations and sets standards to fulfill requirements established by the executive and legislative branches. That is why the 800 series of special publications produced to support the Federal Information Security Management Act typically are titled “guidelines” or “recommendations.”
But the report does raise the legitimate question of whether recommended baseline security controls should be based on the sensitivity of an individual system. With perimeter defenses becoming increasingly inadequate and barriers between systems becoming more porous, is it possible to rate one system as low impact rather than moderate or high?
NIST collaborated with the military and intelligence communities to produce Revision 3 of SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” the first set of security controls for all government information systems, including national security systems. It is part of a series of documents to help agencies implement FISMA.
“For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems,” the agency said when releasing the document last month.
A key element of FISMA is risk-based security, the idea that defenses should reflect the level of risk to a system. Systems are rated as high, moderate or low impact depending on the effect a breach of the system would have on the agency’s mission or overall security. High-impact systems should be defended against “high-skilled, highly motivated and well-resourced” threats, while systems of lesser importance can be defended against less sophisticated or motivated attacks. This concept makes sense but is becoming more difficult to implement soundly.
As systems become more interconnected with more routes of access and less well-defined perimeters, a low-impact system can become a soft underbelly, making it attractive to sophisticated attackers as a platform to launch an inside attack against more important systems. Ranking risk levels is further complicated by the fact that increasingly sophisticated attacks are being created with different motives. A system containing personally identifiable information could be rated a low or moderate impact because it does not contain sensitive or classified information. But that is exactly the type of information criminal organizations are likely to launch sophisticated attacks against.
It still makes sense to match security controls to the level of risk being addressed. But it is becoming more difficult to assign a meaningful level of risk to individual systems, further complicating the job of information security.
William Jackson is freelance writer and the author of the CyberEye blog.