Many agencies are moving ahead with plans to upgrade legacy IT systems, but it will take some time before many are actually replaced. In the meantime, they will be confronted with a clear but hard truth: Aging technologies are generally less secure.
The National Institute of Standards and Technology knows this about as well as any agency in the federal government. Last month it issued a concrete offer of help to agencies to secure legacy systems from cyberattacks and make them more resilient.
NIST released a draft version of the second volume of its Systems Security Engineering guide, Special Publication 800-160, which gives agencies advice on guarding against advanced persistent threats. APTs, the guide notes, have the capability to breach the government’s critical systems, “establish a presence within those systems (often undetected), and inflict immediate and long-term damage to the economic and national security interests of the nation.”
Ron Ross, a NIST fellow and one of the agency’s cybersecurity experts, writes in the guide that for the nation to survive and flourish in the 21st century it must develop “trustworthy, secure systems that are cyber resilient.”
Ross notes: “Cyber resilient systems are those systems that have security measures or safeguards ‘built in’ as a foundational part of the architecture and design and moreover, display a high level of resiliency, which means the systems can withstand cyberattacks, faults, and failures and continue to operate even in a degraded or debilitated state — carrying out the organization’s mission-essential functions.”
The guide is aimed at two distinct groups: IT staffs that are launching new systems or upgrading legacy systems in the normal course of maintaining them; and organizations that are using legacy systems to carry out day-to-day missions and business functions.
How to Engineer Cybersecurity Resiliency
Many federal IT leaders have long maintained that legacy systems are fundamentally insecure, largely because they do not receive regular security patches for outdated software and code. Indeed, an academic study released last year, “Security Breaches in the U.S. Federal Government,” found that there is “a significantly negative relationship between the number of security incidents and the stock of new IT systems,” which was measured by the percentage of IT spending on new IT development over total IT investments for the past five years. For every 1 percentage-point increase agencies invest in new IT, there is a 5 percent decrease in security breaches, the study found.
So how can agencies make their legacy IT more cyber-resilient? NIST’s guide offers four key principles (and a lot of technical advice as well):
- Focus on the mission or business. Cyber resiliency “maximizes the ability of organizations to complete critical or essential missions or business functions despite an adversary presence in their systems and infrastructure, threatening mission-critical systems and system components,” NIST says. Sometimes, legacy IT system components that are less critical to mission or business effectiveness are sacrificed to contain a cyberattack and maximize mission assurance, the report says.
- Focus on the effects of the APT. NIST notes that “the resources associated with the APT, its stealthy nature, its persistent focus on the target of interest, and its ability to adapt in the face of defender actions make it a highly dangerous threat.” Those carrying out APT attacks can make it seem like the anomalous behavior is the result of human error, structural failure or a natural disaster. However, by focusing on APT activities and their potential effects, “systems engineers produce systems which can anticipate, withstand, recover from, and adapt to a broad and diverse suite of adverse conditions and stresses on systems containing cyber resources,” NIST says.
- Assume the adversary will compromise or breach the agency. A fundamental assumption of cyber resiliency is that a sophisticated adversary cannot always be kept out of a system or be quickly detected and removed from that system, NIST says, “despite the quality of the system design, the functional effectiveness of the security components, and the trustworthiness of the selected components.” Agency IT security leaders need to acknowledge that most modern systems “are large and complex entities, and as such, there will always be weaknesses and flaws in the systems, operational environments, and supply chains that adversaries will be able to exploit.” As a result, a sophisticated adversary can penetrate an agency and achieve a presence within its infrastructure.
- Assume the adversary will maintain a presence in the system or organization. Agencies must assume that the adversary presence may be a persistent and long-term issue, and recognize that the stealthy nature of the APT makes it difficult to be certain that the threat has been eradicated. Cyber resiliency also “recognizes that the ability of the APT to adapt implies that mitigations that previously were successful may no longer be effective.” Agencies must also recognize that even if they succeed in eradicating a threat’s presence, it may return. “In some situations, the best outcome an organization can achieve is containing the adversary’s malicious code or slowing its lateral movement across the system (or transitively across multiple systems) long enough that the organization is able to achieve its primary mission prior to losing its critical or essential mission capability,” NIST says.
The guide includes life cycle processes and cyber resiliency constructs that can be used for new systems, system upgrades or repurposed systems. They can be employed at any stage of the system life cycle and can take advantage of any system or software development methodology, including waterfall, spiral or agile.
“We had to address the question of what can we do today to secure the legacy systems we have,” Ross tells CyberScoop.
IT Architectures Can Protect Key Assets
Agencies can architect their IT systems to be more resilient, Ross notes. In addition to continuing to harden perimeter defenses, agencies need to prepare for what happens when an attacker makes it through the walls.
“The second dimension is what happens after they get in?” Ross tells CyberScoop. “How do we limit their access, limit the damage they can do or the data they can steal, limit their time on target?”
Agencies can achieve that by shifting more to virtualized IT environments and spinning up new virtual machines on a regular basis. Since VMs are generated from a secure, hardened disk image, any malware that has made its way inside will be “flushed out of the system,” Ross says.
Agencies also need to find ways to limit the ability of APTs to move within their systems, escalate their privileges and gain access to the network’s secure areas, CyberScoop notes. “There are many architectural and design decisions that can be used to protect your crown jewels,” Ross tells CyberScoop, citing measures such as domain separation and network segmentation.
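Ross’s point about segmentation protecting the crown jewels and limiting lateral movement, as an added example that is not code from NIST or the article: a check that reads constructed firewall flow records against a constructed zone policy and flags accepted connections that cross into a zone the policy does not allow. The zone ranges, the allowed-pair table and the log lines are all assumptions made for illustration.

```python
# Added example (not NIST's or the article's code): audits constructed firewall flow
# records against a constructed segmentation policy that walls off crown-jewel hosts.
import ipaddress

# Constructed zones (zone name -> CIDR blocks); "mgmt" is the admin bastion subnet.
ZONES = {
    "user": ["10.1.0.0/16"],
    "app": ["10.2.0.0/16"],
    "mgmt": ["10.9.0.0/24"],
    "crown": ["10.100.0.0/24"],  # the legacy records database and its peers
}
# Constructed policy: (source zone, destination zone) pairs allowed to connect.
# Crown jewels are reachable only from the app tier and the bastion.
ALLOWED = {("user", "app"), ("app", "crown"), ("mgmt", "crown"),
           ("mgmt", "app"), ("mgmt", "user")}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined blocks is external."""
    addr = ipaddress.ip_address(ip)
    for zone, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return "external"

def audit_flows(log_lines):
    """Return (src, dst, dport, reason) for each permitted flow the policy forbids."""
    # Record format (constructed): 'src_ip dst_ip dst_port ALLOW|DENY'. DENY records are
    # skipped (a block is segmentation working); same-zone traffic is out of scope.
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "ALLOW":
            continue  # malformed or already-blocked record
        src, dst, port, _ = parts
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED:
            continue
        reason = f"{sz}->{dz} not permitted" + (" (crown jewels exposed)" if dz == "crown" else "")
        findings.append((src, dst, int(port), reason))
    return findings

# Constructed sample records, including one that shows the segmentation holding.
SAMPLE_LOG = [
    "10.1.4.22 10.2.0.10 443 ALLOW",    # user -> app: expected
    "10.2.0.10 10.100.0.5 1433 ALLOW",  # app -> crown: expected
    "10.1.4.22 10.100.0.5 445 ALLOW",   # workstation straight to the crown jewels
    "10.1.4.22 10.100.0.5 3389 DENY",   # blocked attempt, nothing to report
    "10.2.0.10 10.1.4.23 445 ALLOW",    # app tier reaching back into the user zone
    "203.0.113.7 10.9.0.3 22 ALLOW",    # external host reaching the bastion
]
```

Running `audit_flows(SAMPLE_LOG)` returns three findings; the DENY record is left alone because a blocked attempt is the segmentation doing its job.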