Uncategorized

NIST Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop, video uploaded

https://www.nist.gov/news-events/events/2018/07/considerations-managing-iot-cybersecurity-and-privacy-risks-workshop

https://www.nist.gov/sites/default/files/documents/2018/07/11/iot_risk_workshop_agenda.pdf

 

NIST’s Cybersecurity for IoT Program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale. This workshop will help the program through the development of the Cybersecurity for IoT Program and Privacy Engineering Program’s publication on an introduction to managing IoT cybersecurity and privacy risk for federal systems. This will include work to date identifying typical differences in cybersecurity and privacy risk for IoT systems versus traditional IT systems, considerations for selecting and using technical controls to mitigate IoT cybersecurity and privacy risk, and basic cybersecurity and privacy controls for manufacturers to consider providing in their IoT products. A pre-read document has been posted to help guide conversation.

Standard
Uncategorized

NIST SP 800-125A: Security Recommendations for Server-based Hypervisor Platforms

Re: https://firmwaresecurity.com/2018/01/26/nist-releases-sp-800-125a-security-recommendations-for-hypervisors/

Date Published: June 2018
Supersedes: SP 800-125A (January 2018)

The Hypervisor platform is a collection of software modules that provides virtualization of hardware resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and application programs) called Virtual Machines (VMs) to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run time isolation among resident VMs and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST document (Special Publication 800-125B). [This revision includes additional technologies for device virtualization such as para-virtualization, passthrough and self-virtualizing hardware devices as well as associated security recommendations. Major content changes in this revision are in: Section 1.1, Section 2.2.2 and Section 5.]

https://csrc.nist.gov/News/2018/NIST-Publishes-SP-800-125A-Rev-1

https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final

https://www.nist.gov/news-events/news/2018/04/nist-releases-draft-nist-special-publication-sp-800-125a-revision-1

 

Standard
Uncategorized

NIST releases SP 800-125A: security recommendations for hypervisors

SP 800-125A: Security Recommendations for Hypervisor Deployment on Servers

The Hypervisor is a collection of software modules that provides virtualization of hardware resources (such as CPU/GPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and Application programs) called Virtual Machines (VMs) to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run time isolation among resident VMs and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST Special Publication (SP), SP 800-125B.

Keywords: Virtualization; Hypervisor; Virtual Machine; Virtual Network; Secure Configuration; Security Monitoring; Guest OS

 

https://csrc.nist.gov/News/2018/Security-Recommendations-for-Deploying-Hypervisors
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125A.pdf
https://csrc.nist.gov/publications/detail/sp/800-125a/final

See-also:
SP 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection
https://csrc.nist.gov/publications/detail/sp/800-125b/final

Standard
Uncategorized

Judith Myerson of NIST on firmware security

http://searchsecurity.techtarget.com/answer/How-can-platform-firmware-be-protected-from-attacks?

How can platform firmware be protected from attacks?
by Judith Myerson
The NIST published guidance on building up platform firmware resiliency. Expert Judith Myerson looks at the NIST guidelines and the major takeaways for enterprises. The National Institute of Standards and Technology, or NIST, published a draft version of the Platform Firmware…

You have to give TechTarget.com your email addres to read the article.

Standard
Uncategorized

NISTIR 8176: Linux app container security

Application Containers are slowly finding adoption in enterprise IT infrastructures. Security guidelines and countermeasures have been proposed to address security concerns associated with the deployment of application container platforms. To assess the effectiveness of the security solutions implemented based on these recommendations, it is necessary to analyze those solutions and outline the security assurance requirements they must satisfy to meet their intended objectives. This is the contribution of this document. The focus is on application containers on a Linux platform.

Keywords: application container; capabilities; Cgroups; container image; container registry; kernel loadable module; Linux kernel; namespace; TPM

 

https://csrc.nist.gov/publications/detail/nistir/8176/final

https://csrc.nist.gov/News/2017/NIST-Releases-NISTIR-8176

http://doi.org/10.6028/NIST.IR.8176

 

Standard
Uncategorized

Linux kernel ACPI-centric CVE-2017-13694: Awaiting Analysis

CVE-2017-13694
Source: MITRE
Last Modified: 08/25/2017
CVE-2017-13694

This vulnerability is currently awaiting analysis.

The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.

https://nvd.nist.gov/vuln/detail/CVE-2017-13694

https://github.com/acpica/acpica/pull/278/commits/4a0243ecb4c94e2d73510d096c5ea4d0711fc6c0
https://patchwork.kernel.org/patch/9806085/

Standard