Comments on the Upcoming NIST Special Publication 1800-25A

As you may or may not be aware, the National Cybersecurity Center of Excellence (NCCoE) at NIST has released a draft version of NIST Cybersecurity Practice Guide SP 1800-25 – Identifying and Protecting Assets Against Ransomware and Other Destructive Events.

As per usual with documents like these from NIST, there is an open comment period for the public and industry to provide their feedback. Because Owl has lately been involved in various ransomware mitigation and prevention projects, I wanted to share our perspective on the topic, via the comments that I submitted regarding this new guide.

To the Authors:

First, congratulations on the completion of this important NCCoE work product. The topic is of increasing relevance to businesses of all sizes here in the US and abroad. I believe your guide will help many entities to cope with the threat of ransomware and destructive attacks in the coming years.

Second, I would like to point out an important protection strategy that I believe was overlooked in the document. There is no mention of offline or air-gapped architectures for isolation of critical backups.

Some of the most damaging ransomware attacks have been perpetrated, over many months, by adversaries that are living inside the victim’s network. This enables the adversary to accumulate assets, credentials, and network information to launch an attack that targets backup infrastructure in addition to production files. As a result, backup mechanisms may fail to accomplish their mission because the adversary is effectively an insider threat. Malware like SamSam/Samas can also traverse the network and impact attached backups.

When a backup set is maintained offline, whether it is on tape, removable storage media or in a separate air-gapped network, adversaries cannot damage the backup snapshots unless they can gain physical access. There are comprehensive solutions on the market (Dell EMC PowerProtect Cyber Recovery is one example) that use physical disconnection and data diodes to maintain an isolated network, thereby providing higher security and rapid recovery when needed. Any offline approach will help entities to follow a 3-2-1-1 backup rule (3 copies of data, at least two different formats, at least one offsite and at least one offline).
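As an added illustration (not part of the submitted comment, the NIST draft, or any Owl product), the following Python checks a constructed backup inventory against the 3-2-1-1 rule and then applies the insider-threat point from the previous paragraph: given the networks an adversary already controls, which copies remain untouched. The record fields, site names and sample copies are assumptions.

```python
from dataclasses import dataclass

# Added example (not from the Owl comment or the NIST draft): checks a constructed
# backup inventory against the 3-2-1-1 rule. Field names are assumptions.


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str         # storage format, e.g. "disk" or "tape"
    location: str      # site identifier
    network: str       # network the copy is reachable from; "" if disconnected
    primary_site: str = "dc1"

    @property
    def offline(self) -> bool:
        # A copy with no network path can only be reached physically.
        return self.network == ""

    @property
    def offsite(self) -> bool:
        return self.location != self.primary_site


def check_3_2_1_1(copies):
    """Return which parts of the 3-2-1-1 rule an inventory satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_formats": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_offline": any(c.offline for c in copies),
    }


def surviving_copies(copies, compromised_networks):
    """Copies an adversary with a foothold on the given networks cannot reach.
    Models the insider-style attacker described above: every copy attached to
    a compromised network is assumed lost; offline copies survive."""
    return [c for c in copies
            if c.offline or c.network not in compromised_networks]


# Constructed inventory: two disk copies on the flat corporate network and an
# offsite tape set kept disconnected.
INVENTORY = [
    BackupCopy("prod-snapshot", "disk", "dc1", "corp"),
    BackupCopy("nas-replica", "disk", "dc1", "corp"),
    BackupCopy("tape-offsite", "tape", "vault-b", ""),
]
```

Dropping the tape set from `INVENTORY` fails all four checks and leaves nothing standing once `corp` is compromised, which is the scenario the comment warns about.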

NIST has already recognized the security benefits of data diodes in other domains. From NIST Special Publication 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security:

“A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device or unidirectional network) is a network appliance or device allowing data to travel only in one direction, used in guaranteeing information security or protection of critical digital systems, such as industrial control systems, from inbound cyberattacks. While use of these devices is common in high security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also being used to enforce one-way communications outbound from critical digital systems to untrusted networks.”

Therefore, I submit that some mention of offline / air-gapped approaches to data protection from ransomware would be consistent with past NIST guidance and helpful for the community.

If you would like to learn more about Owl’s ransomware mitigation and prevention solutions, including cyber recovery data vault architectures that incorporate data diodes, check out this use case. If you’re interested in a potential partnership, through technology or managed services and integrations, I encourage you to contact us through our partnership page.
