NIST Security Guides

The National Institute of Standards and Technology (NIST) has released new guidance on how federal agencies and businesses can detect and respond to network attacks and malware. The updated security best practices are set out in the two publications listed below (NIST Special Publications 800-94 and 800-83, respectively):

1. Guide to Intrusion Detection and Prevention Systems

2. Guide to Malware Incident Prevention and Handling for Desktops and Laptops

Guide to Intrusion Detection and Prevention Systems

The Intrusion Detection and Prevention Systems (IDPS) guide covers network-based, wireless, and host-based intrusion detection as well as network behavior analysis, and for each it discusses architecture, detection methodologies (signature-based, anomaly-based, and stateful protocol analysis), and security capabilities.

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

An IDPS typically records information related to observed events, notifies security administrators of important observed events, and produces reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding through the use of response techniques like stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.

The guide discusses four types of IDPS technologies:

  • Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
  • Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves
  • Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems)
  • Host-Based, which monitors the characteristics of a single host, and the events occurring within that host, for suspicious activity
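The network behavior analysis category above is the least familiar of the four, so here is an added illustration of what such a sensor actually computes. It is not code from the NIST guide; the flow records, host addresses, ports, time windows and thresholds are all constructed assumptions. Three detectors run over NetFlow-style records: one source fanning out to many destinations on one port (worm-like scanning), many sources converging on one destination within seconds (denial of service), and a host outside the allow list accepting connections from several clients (the "client providing network services" policy violation named in the guide). Each alert carries a suggested response of the kind an IDPS may take, such as reconfiguring a firewall.

```python
"""Toy network behavior analysis (NBA) over constructed flow records.

Added example, not code from NIST SP 800-94. Hosts, ports, windows and
thresholds are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds (constructed)
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


# Policy assumption: only these (host, port) pairs may offer network services.
AUTHORIZED_SERVERS = {("10.0.0.5", 443), ("10.0.0.53", 53)}


def build_sample_flows():
    """Constructed sample traffic: normal client activity plus three anomalies."""
    flows = [
        Flow(900, "10.0.0.12", "10.0.0.53", 53),    # normal DNS lookup
        Flow(901, "10.0.0.13", "10.0.0.5", 443),    # normal HTTPS
        Flow(902, "10.0.0.12", "10.0.0.9", 8080),   # two clients talking to a
        Flow(903, "10.0.0.13", "10.0.0.9", 8080),   #   workstation acting as a server
    ]
    # One internal host touching 30 neighbours on SMB within 10 s: worm-like scan.
    flows += [Flow(1000 + i % 10, "10.0.0.7", f"10.0.1.{i + 1}", 445) for i in range(30)]
    # 50 distinct external sources hitting the web server within 3 s: flood.
    flows += [Flow(2000 + i % 3, f"192.0.2.{i + 1}", "10.0.0.5", 443) for i in range(50)]
    return flows


def detect_scanning(flows, window=60, min_targets=20):
    """One source contacting many distinct destinations on the same port inside
    a time window: the footprint of a scanning worm or reconnaissance."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.src, f.dport, f.ts // window)].add(f.dst)
    return sorted({(src, dport) for (src, dport, _), dsts in targets.items()
                   if len(dsts) >= min_targets})


def detect_flood(flows, window=10, min_sources=40):
    """Many distinct sources converging on one destination:port inside a window:
    a distributed denial-of-service pattern."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport, f.ts // window)].add(f.src)
    return sorted({(dst, dport) for (dst, dport, _), srcs in sources.items()
                   if len(srcs) >= min_sources})


def detect_unauthorized_servers(flows, authorized=AUTHORIZED_SERVERS, min_clients=2):
    """Policy violation: a host not on the allow list accepts connections from
    several clients, i.e. a client system providing network services."""
    clients = defaultdict(set)
    for f in flows:
        clients[(f.dst, f.dport)].add(f.src)
    return sorted(svc for svc, srcs in clients.items()
                  if svc not in authorized and len(srcs) >= min_clients)


def analyze(flows):
    """Run all detectors and return alerts, each with a suggested IPS response
    (the 'reconfigure a firewall' style of action the guide describes)."""
    alerts = []
    for src, dport in detect_scanning(flows):
        alerts.append({"type": "scan", "host": src, "port": dport,
                       "response": f"block outbound from {src} to port {dport}"})
    for dst, dport in detect_flood(flows):
        alerts.append({"type": "flood", "host": dst, "port": dport,
                       "response": f"rate-limit new connections to {dst}:{dport}"})
    for dst, dport in detect_unauthorized_servers(flows):
        alerts.append({"type": "policy", "host": dst, "port": dport,
                       "response": f"notify admin: {dst} serves port {dport} without authorization"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_flows()):
        print(alert)
```

Note what the flood detector does not flag: the 50 sources all target an authorized server, so the policy check stays quiet while the volume check fires. Real NBA sensors learn the baseline of normal fan-in and fan-out per host rather than using fixed thresholds, which is why the guide stresses a tuning period before an NBA product is trusted to block traffic.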

Guide to Malware Incident Prevention and Handling for Desktops and Laptops

NIST also revised its Guide to Malware Incident Prevention and Handling for Desktops and Laptops, bringing it into line with a refreshed version of its Computer Security Incident Handling Guide (SP 800-61), which is expected to be issued in final form later this year.

Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.

Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. Organizations also face a few non-malware threats that are often associated with malware. One that has become commonplace is phishing: the use of deceptive computer-based means to trick individuals into disclosing sensitive information.

The Malware guide provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.

This revision updates the publication to reflect changes in threats and incidents. Unlike most malware threats of several years ago, which tended to be fast-spreading and easy to notice, many of today's malware threats are stealthy by design: they spread quietly and slowly to other hosts, gather information over extended periods of time, and eventually lead to the loss of sensitive data.