Happy Friday, Federal friends. The World Cup (soccer tournament) is underway, and while futbol is fun to watch for a few weeks, we are really waiting for the start of football training camp.
Sorry about the title, especially for those in the Northeast. It's more of a play on the ominous Game of Thrones tag line, and about how one should be prepared. In this case I'm using it in reference to the pending changes coming to NIST 800-53. While the Cybersecurity Framework was released earlier this year by NIST, their Revision 5 of 800-53 takes a turn towards understanding the risk and nature of the APTs your organization is facing. In effect, Revision 5 focuses on understanding your assets, the risk that surrounds them, and setting up your defenses to take sabotage and espionage into account. With reports running rampant for the last few years about threat actors, both nation states and criminal organizations, setting up camp long term in government networks (and affiliated organizations), this is exactly what NIST would like 800-53 to prevent going forward. These types of attacks can alter the economics of both sectors as well as effectively "map the battlefield" in terms of cyberwarfare. This approach will allow agencies, and industry, to start better addressing needed policy changes by gaining a better understanding of the attacker and their behaviors. In terms of strategy, this approach has been tried and true for a few years now:
- “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu, The Art of War
By knowing your enemy you can better shore up your defenses. By taking a proactive approach built around risk, rather than data inventory, you are better able to communicate your needs to those who can create and dictate policy. Change is needed for us to be better prepared for future threats and to solidify our defenses; NIST takes charge here and begins the march in the right direction. Given that Revision 5 doesn't come out until April '15, you have plenty of time to prepare.
The attackers are relentless, test your defenses, stay vigilant.