Recently, the National Institute of Standards and Technology (NIST) unveiled practice guidelines to protect the confidentiality, integrity, and availability of data in an enterprise. NIST's National Cybersecurity Center of Excellence developed the two draft practice guidelines linked below.
Changing ransomware landscape
Modern ransomware strains can move around the system while interacting with applications such as Microsoft's Active Directory and encrypting backups. Today’s attacks prompt authorities to look at the entire network and the enterprises and understand what that threat represents.
NIST, in its draft, has attempted to address current issues including how to implement vulnerability management, as well as network protection and awareness, throughout the entire IT infrastructure.
About the draft guidelines
The NIST draft guidelines were released in view of increasing threats from ransomware and the adoption of new tactics by threat actors in the last couple of years.
NIST researchers have, reportedly, referred to significant ransomware incidents from the past few years including the WannaCry attacks of 2017 to map out protection tips for enterprises.
An overview of practice guidelines
The first draft on data integrity and protection is a guide to better identify and protect IT assets from data integrity attacks, including ransomware. It also contains two key insights: a reference design that acts as a technical blueprint for action items, and a guide to commercially available technologies that create more robust security controls for a network. There’s a "how-to" guide on implementing best practices as well.
The second document shares advice on improving the detection and mitigation of ransomware, along with the other security issues within their infrastructure. It indicates how integrity monitoring, event detection, reporting capabilities, vulnerability management, and mitigation and containment can be implemented within the IT infrastructure.
Jennifer Cawthra, lead for data security and healthcare at the National Cybersecurity Center of Excellence, said, “Much like the NIST Cybersecurity Framework, these guidelines offer best practices that organizations can pick and choose based on their own network architectures.”
"We put together a reference architecture to demonstrate that you can solve a cybersecurity challenge," Cawthra told Information Security Media Group (ISMG).
NIST is accepting comments on the draft guidelines until February 26.