Quick! No Shortcuts!
Constant technological progress means that IT Security is always evolving to keep up. The recent release of NIST SP 800-53a (rev 5) is a reminder of this. Staying current with security policy is tiring, but keeping up with it (and keeping ahead of the attacks that are evolving is just as fast) is essential.
NOTE: Headline image was intended to illustrate the concept of "Willingly avoiding the hard work will put you in unknowable peril," not "Skip the rat race and go party at a dragon rave at Burning Man."
Management regrets the error.
January 2022 saw the release of another NIST SP 800-53a revision, revision 5. This is the first update to this document since 2014. This document reminds us that security is a never-ending process, and should not be thought of as a goal that, once reached, can be set aside. (Details about what, exactly, NIST is, and what these documents are, is provided at the bottom of this article.)
What does the document say?
The revised document covers assessment processes for all of the common security domains that you are probably thinking of (Configuration Management, Access Control, PII processing, etc), but highlights that these assessments should be done on a consistent, ongoing basis. And that is a really important combination. Security must be comprehensive (as this document's 700-odd pages lays out in excruciating detail), and it must be ongoing. This is true for the controls we put in place themselves, as well as the assessments used to judge the controls' effectiveness.
But what does this mean to ME?
The latest shining example of this need for constant vigilance is the various news-making attacks on IT support companies such as Solarwinds and Kaseya. Previously, companies utilizing these services would often do so without a second thought- after all, these are massive global companies. It would be safe to assume that the services they provide would be secure, right? Judging by the headlines and the negative outcomes for companies such as Microsoft, Nvidia, and even sections of the US Government, the answer to that question would have to be no. Or at the very least, the answer should be 'not anymore.'
Or a simpler example: What do industry best practices say about how to define a 'good' user password? The answer to that question greatly depends on who (and more importantly, when) you're asking. First it was just a secret that only you knew, then it was "as long as it's encrypted" (and of course there are long conversations about best-practices around HOW it is encrypted), then there were endless discussions about rotation (every quarter? every year? never?), arguments about complexity requirements (the famous "must include capitals, numbers, and a special character!") vs just using a long weird phrase (ex., "ORweri&Gn48_" vs "MyUnclesYellowOstrichHatesAllPinkNavalVessels!") .. you get the idea. The point is, all of these suggestions and best practices came from a good place, and were right- for the time, based on our understanding of the security needs of that time. But times change.
It is essential to keep in mind that security is a moving target. It's not just passwords- The example above could have been written about firewalls, IAM, data integrity, even CPU buffers. Simply put, there are untold (and constantly evolving) numbers of devices, services, and applications that organizations simply need to use- and they will all have unique needs and requirements. Attackers will never stop their own efforts at innovation, which means that defenders can't either. Security will always need to be reassessed.
As the massive 700-page NIST SP 800-53a document makes clear, your assessments have to be done deliberately, and thoroughly. It is true that not every organization needs every control that is laid out in the NIST documents. But the ones that are needed should be followed to the letter. Skipping a step means leaving a door open for an attacker. Not being deliberate could also mean giving your organization a false sense of security. It's akin to buying a new lock for your front door but not installing it- you got what you needed but if it wasn't applied, you're not really gaining anything except for a credit card bill. (At the risk of beating this metaphor even further into the ground, you will of course need to be vigilant about changing that lock if and when your roommate moves out.) A false sense of security is a problem, just as much as having inadequate security is a problem.
ADDENDUM: What are these NIST documents exactly?
NIST, or the "National Institute of Standards and Technology," regularly puts out various series' of Special Publications. The 800 series is intended for the computer security community. In this 800 series, there are many document groups that are more specific. The 'main' document, NIST SP 800-53 rev.5, lays out a comprehensive list of Security and Privacy Controls. Over 500-odd pages, 800-53 lays out the policies, controls, and control families that breaks down the NIST model of securing information systems.
800-53a is a procedural, assessment-minded document that, in NIST's own words, "...provide guidelines for building effective security and privacy assessment plans, as well as a comprehensive set of procedures for assessing the effectiveness of security and privacy controls employed in systems and organizations. The guidelines apply to the security and privacy controls defined in [SP 800-53]." It is this document that was most recently updated.
For both 800-53 and 800-53a, the original intention was to direct these controls towards Federal systems. with revision 5, this designation has been removed, and the controls will address security for all systems.
(Why are they called Special Publications? Real answer here. It's just boring library-management stuff.. SP is a series designation. My answer? Well.. keep in mind that these documents are very comprehensive, and thus enormous- hundreds and hundreds of pages long. If they didn't call them "Special," nobody would read them.)