Seeking Feedback on: TLS Server Cert Management, IoT Botnet Attacks, and Privileged Account Management for the Financial Services Sector
The National Cybersecurity Center of Excellence (NCCoE) is excited to announce the release of three new draft project descriptions: TLS (Transport Layer Security) Server Certificate Management, IoT-Based Automated Distributed Threats, and Privileged Account Management: Securing Privileged Accounts for the Financial Services Sector. We are seeking your feedback on these drafts to help refine the challenge and scope. The comment period is now open and will close as indicated below.
The TLS Server Certificate Management project provides guidance on the governance and management of Transport Layer Security (TLS) server certificates in enterprise environments to reduce outages, improve security, and enable disaster recovery related to certificates. The project will result in a freely available NIST Cybersecurity Practice Guide, documenting an example solution that demonstrates how to perform the following actions:
- develop a set of policy attributes
- establish and maintain an inventory of TLS certificates
- assign and track certificate owners
- identify issues and vulnerabilities of the TLS infrastructure
- automate enrollment and installation
- report the status of the TLS certificates
- continuously monitor TLS certificates in the typical enterprise environment
The objective of the IoT-Based Automated Distributed Threats project is to reduce the vulnerability of Internet of Things (IoT) devices to botnets and other automated distributed threats, while limiting the utility of compromised IoT devices to malicious actors. The scenarios envisioned for this NCCoE project emphasize home and small-business applications, where plug-and-play deployment is required. In one scenario, a home network includes IoT devices that interact with external systems to access secure updates and various cloud services, in addition to interacting with traditional personal computing devices. In a second scenario, a small retail business employs IoT devices for security, building management, and retail sales, as well as computing devices for business operations, while simultaneously allowing customers to access the internet.
The primary technical elements of this project include:
- network gateways/routers supporting wired and wireless network access
- Manufacturer Usage Description (MUD) Specification controllers and file servers
- Dynamic Host Configuration Protocol (DHCP) and update servers
- threat signaling servers
- personal computing devices
- business computing devices
While the security capabilities of these components will not provide perfect security, they will significantly increase the effort required by malicious actors to compromise and exploit IoT devices on a home or small-business network. This project will result in a freely available NIST Cybersecurity Practice Guide.
Privileged Account Management (PAM) is a domain within Identity and Access Management (IdAM) focusing on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management accounts, and service accounts. These powerful accounts provide elevated, often unrestricted access to the underlying IT resources and technology, which is why attackers and malicious insiders seek to gain access to them. Hence, it is critical to monitor, audit, control, and manage privileged account usage. Many organizations, including financial sector companies, face challenges managing privileged accounts. In response to this threat, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) has specified that privileged accounts be tightly controlled.
The goal of this project is to demonstrate a PAM capability that effectively protects, monitors, and manages privileged account access, including life cycle management, authentication, authorization, auditing, and access controls. This project will result in a freely available NIST Cybersecurity Practice Guide that includes a reference design, a fully implemented example solution, and a detailed guide to the practical steps needed to implement the solution.
We value and welcome your input and look forward to your comments.
After these project descriptions are finalized, NCCoE cybersecurity experts will collaborate with vendors of cybersecurity technologies to develop reference designs addressing these challenges.