5 NIST Updates That Will Impact Security Professionals in 2020

NIST Updates
NIST Updates

It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone to the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.

As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.

To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST’s activity is vitally important. Our staff is among the industry organizations that advise NIST, in this article, we’ll share five of the biggest updates to recently come from the nation’s foremost authority on Federal and commercial enterprise technology.

1. CMMC to Supplant SP 800-53 for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is by the far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.

CMMC has three major goals:

  • Consolidate – and therefore supersede – multiple cybersecurity standards, including NIST documents SP 800-53 and SP 800-171, and several international standards like ISO 27001
  • Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
  • Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized

With five gradually escalating certification tiers, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be “compliant,” forcing organizations to take responsibility for risk and adopt a mindset of cybersecurity across its departments. As a military contractor ourselves, we too are adapting to comply.

2. Draft for IoT Standards

The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – most IoT devices suffer from multiple vulnerabilities that can be used for espionage, data theft and much more.

In response, NIST has released a draft of IR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document contains policies focused on bringing IoT vendors in line with the security needs of their customers with controls like data protection, authorized software updates, End-of-Life policies and – most importantly – secure firmware designed to prevent unauthorized device access.

While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.

3. Privacy Framework

Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to levels of classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).

While the PF is only 39 pages long, it is jam-packed with advice and procedures to defend data security from threats both inside and outside of an organization. Divided into five basic sections, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:

  • Identify risk to individuals
  • Govern risk management priorities
  • Control privacy risks at a granular level
  • Communicate with stakeholders
  • Protect data from “privacy events”

Version 1.0 of the PF was released at the end of last month, after being available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.

4. Supply Chain Risk Management Updates

Released in 2015, SP 800-161 has existed to mitigate risks in the information and communications technology (ICT) supply chain throughout federal organizations. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following changes in federal law regarding the acquisition of ICT products in 2019, especially from foreign vendors.

In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”

The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since changes to SP 800-161 will be accompanied by updates to NIST SP 800-37, and SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.

5. Standardization of Cybersecurity Regulations

Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Cybersecurity Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.

Through the OLIR, NIST aims to simplify compliance procedures through a centralized online repository of cybersecurity legislation complete with cross-references between documents, and advice from subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.

NIST accepted public comments on its first draft until February 24th, but we don’t know how long it will be until OLIR goes into effect, but it’s safe to assume something will be up and running by the end of this year.

Taking Responsibility

Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.

Don’t stop at checking off boxes: in 2020, organizations who take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

Why Crowd-sourced Pentesting Isn’t All it’s Cracked Up to Be

pentesting, Risk Requests, risk management framework
pentesting, Risk Requests, risk management framework

Crowds have always been a powerful thing, but before the Internet came along, it was difficult to harness them. Now things have changed: almost anything can be powered by crowds these days, from funding initiatives to news coverage, research and more. But is crowd-sourcing the right approach to penetration tests? Some people think so.

According to a report by Bugcrowd, there are literally thousands of crowd-sourced security programs today, attracting clients that range in size from small businesses to publicly traded enterprises like Motorola Mobility. And while these programs offer a number of services, the most popular one is “penetration testing” – or at least, something which goes by that name.

The fact is, crowd-sourced penetration testing isn’t like the non-crowd-sourced version at all. And while there are advantages to each approach, there are also good reasons to choose the latter over the former. To understand why, we have to start by explaining the differences between them.

Crowd-sourced vs. Traditional Pentesting

The goal of a penetration test (or pentest) is to find, document and score vulnerabilities in an information system before they are used by hackers or other malicious agents to gain unauthorized access. To do this, a pentester approaches a system just like a hacker would, from conducting reconnaissance to attempting simulated “attacks” that confirm whether a detected vulnerability is really exploitable.

Traditionally, an organization defines the goal of a pentest and hires a team of security professionals to conduct it over a limited period of time. During a crowd-sourced pentest, an organization offers a bounty to anyone who can discover a vulnerability on their systems, often through an agency with access to thousands of white-hat hackers who may or may not be professionals.

There are some advantages to the crowd-sourced model:

  • Timeframe – crowd-sourced pentests take place over an undefined timeframe and may carry on indefinitely. This allows new vulnerabilities to be discovered as an organization continues to develop and improve its systems.
  • Cost – a crowd-sourced pentest istypically cheaper than the traditional kind, since organizations are paying for each discovered vulnerability rather than for the test itself.

In many ways, crowd-sourced pentesting is similar to the bug bounty programs that companies have used for years to find flaws in their online platforms – and, in fact, many startups in the security industry started out as bug bounty agencies. But what works well in one context may not work well in another, and that brings us to the problems in the crowd-sourced model.

The Dangers of Crowd-sourced Pentesting

Crowd-sourced pentesting – no matter how it’s advertised – is the organized practice of inviting real hackers to hack your company and helping them to get started. Because websites are public-facing assets, offering a bug bounty does not expose them to any vulnerabilities they didn’t face before. Meanwhile, crowd-sourced pentesting requires organizations to actually connect internal systems with public channels, potentially exposing sensitive data and intellectual property to a group of individuals who suffer from:

  • A lack of ethical obligations – traditional pentesters are held to a high ethical standard because their careers depend on it. They cannot hide from suspicion or blame when something goes wrong. Meanwhile, crowd-sourced hackers are often anonymous to their clients, and – while they may be required to sign a contract – in practice nothing can stop them from hiding their discoveries, or using what they find in a malicious way.
  • A lack of professionalism – since crowd-sourced pentesting agencies require a large volume of talent, the quality and experience of the “hackers” they contract is wildly inconsistent. Moreover, today’s hackers often work in groups, and that’s why traditional pentesters do likewise; crowd-sourced pentesters may be lone-wolves that compete with one another for profit, generating conflict when two individuals find one vulnerability at the same time.
  • A lack of focus – when an organization defines a pentest engagement they typically have a clear view of what they want to address in the test and have defined rules-of-engagement.  The crowd-sourced approach tends to lack that focus and the results may be very inconsistent with the organization’s objectives.

In short, crowd-sourced pentesting removes the vital element of control that organizations normally exercise over their security operations. For this reason, companies who do invest in crowd-sourced programs – including Google, Mozilla and Facebook – also retain traditional pentesters to protect their most vital internal systems, and only use crowds where the danger does not outweigh the cost savings.

Why Crowd-sourcing is Really Popular

Aside from the low cost and flexibility that it provides, crowd-sourced pentesting is gaining in popularity due to a perception that professional pentesters aren’t “real hackers”. It is an understandable assumption: as time goes by, pentesting as a field has become dominated by automation which simply cannot rise to the human capacity for creativity and disruption.

We’re not here to deconstruct the term “real hacker” or call it a meaningless construct, because it’s not.

Hackers are not predictable. Unlike security professionals in many other fields, they do not take a linear or hierarchical view of information systems. They do not work from a CVE list, manual or rule book. Therefore, hiring a company that claims to provide “real hackers” might seem like a good solution. But real hackers are also as likely to be found working as traditional pentesters as they are anywhere else.

A Better Solution

The best hackers in the world know how to use their talents to make a sustained and comfortable living. They neither spend their days running from the law, nor do they troll the web looking for quick profit or glory. The best hackers are genuinely invisible, hiding in the very places where many assume they can’t be found.

At Securicon, we take pride in our exclusive team of bright-minded hackers from commercial, DoD and federal security backgrounds. We turn down 90% of applicants, because our pentesting program is reserved for the best and brightest in the business. We only accept talents with the right mindset for this unique occupation: they can find windows of opportunity where scanners and lesser minds see a blank wall.

The Bottom Line

At best, crowd-sourced pentesting works in a limited range of scenarios. It can help to secure production systems and other addresses that are not directly linked with your organization. However, it’s far from the best way to find vulnerabilities in your vital assets: trained penetration testers are hackers who have the intelligence, experience and creativity that it takes to find problems by working together, and the ethics to report them responsibly.


Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.

Hackers Can Gain Active Directory Privileges Through Vulnerability in Xerox Printers

data breach, vulnerability testing, hackers
data breach, vulnerability testing, hackers

Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.

Deral Heiland and Michael Belton’s research on multi-function printers  and the “Pass-Back Attack” first appeared in a document published on foofus.net. Steven Campbell, a Senior Security Consultant at Securicon, frequently finds network devices using default credentials that are vulnerable to the pass-back attack vector during client assessments and uses this attack vector to discover credentials to Active Directory service accounts.

Unfortunately, the newly reported vulnerability in Xerox WorkCentre MFP’s is just one in a series of similar weaknesses impacting today’s off-the-shelf IoT devices. In this article, we’ll explain how it can be used to gain administrative access over Active Directory domains, and what you should do to protect yourself.

How it Works: Xerox Pass-Back Attack

First – after accessing an organization’s network – a malicious or unauthorized user can gain access to the Web interface for affected Xerox printers using well-known, default login credentials. Even if the username and passwords have been changed, they may be brute-forced if they are weak and easily guessable.

Figure 1: Admin interface accessed using default credentials

Next, the actor finds an LDAP connection configured on the device and changes the Server IP address or hostname to their own IP address as shown in the next figure. Since the Xerox firmware does not require a user to re-enter or validate the LDAP credentials before changing its server address, there is nothing standing in the attacker’s way.

Figure 2: Editing LDAP Connection

Next, the attacker uses a utility like netcat to listen for incoming connections and display the output in plaintext. Using the LDAP server search field, they can search for any name and connect to the corresponding account.

Figure 3: LDAP User Search

On the actor’s system, the netcat utility receives the connection and displays credentials used by the printer to reach the Active Directory Domain Controller, including domain, username and password.

Figure 4: Capturing Plaintext Credentials

In the best-case scenario, the attacker will discover an ordinary Active Directory user account that does not belong to any privileged security groups. The attacker can still use the unauthenticated user to gain a foothold in the domain, which constitutes a moderate vulnerability.

However, our own tests on client networks demonstrate that the worst-case scenario is more likely. We frequently find that the printer service account belongs to a privileged group such as “Domain Admins,” and grants the attacker full control over the Active Directory Domain. This is a severe vulnerability which requires immediate remediation.

Are You Protected?

The table below lists Xerox printers susceptible to the attack outlined above, and the corresponding firmware patch. Devices on a lower software version are still vulnerable and should be patched using the updates provided by Xerox.

Aside from installing the latest firmware update, we recommend that organizations implement two security controls across all their networked devices to prevent similar attacks in the future:

  1. Always update default manufacturer credentials with strong passwords and use two-factor authentication (2FA) whenever possible. Recently, Barracuda network devices were impacted by an LDAP vulnerability similar to the one described in this article; all users were impacted except for those enrolled in 2FA.
  2. System administrators should avoid adding printer service accounts to privileged Active Directory groups, and – in general – they should keep the number of administrative users to an absolute minimum.

Although it should be incumbent on vendors and device manufacturers to validate users before allowing them to change crucial device settings (like LDAP IP address), the truth is that today’s vendors cannot be trusted to enforce rigorous security controls. Organizations must take the initiative to strategically protect their networks. 

Bridging the IoT Security Gap

In the past, we have talked about the IoT security gap and lax controls from hardware manufacturers. Sadly, the vulnerability covered in this article is a case-in-point: today, networked devices are being pushed to market faster than they can be secured, and security is rarely a priority in development. This leaves many organizations with blind spots in their security position as a host of seemingly benign devices (like printers) provide a wide attack surface for malicious actors.

IoT and networked devices are the future – but meeting the technological needs of your business and protecting your investment are not mutually exclusive goals. As the average cost for a data breach climbs to historical highs, organizations cannot afford to be caught off guard by easily prevented security vulnerabilities. This year insure your organization against future threats by taking inventory of your IT assets and assessing them for risk.


Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our risk assessment framework


The Hacker’s Perspective: Risk as Opportunity

When the Cybersecurity Model Maturity Certification (CMMC) goes into effect this year, the defense department will be holding its contractors to a higher standard than ever before. But whether or not they’re ready for the change remains to be seen: in the past, DoD partners were required to comply with regulations like NIST 800-171. In reality, many fell behind due to the leeway they had in implementation.

With CMMC, the DoD hopes to foster a “culture of cybersecurity” throughout the federal government, and a big part of that involves an emphasis on risk. While the traditional mindset of compliance is based on a checklist of one-size-fits-all security controls, a risk-based mindset invites every business to find its weakest spots and prioritize them effectively.

Now, bidding contractors will be required to demonstrate adequate levels of security before a contract can even be awarded. But while the CMMC provides plenty of guidance, contractors will find its standards difficult to meet unless they take responsibility for their own unique risks. In this blog, we will examine what that effort entails, especially from the perspective of an organization’s worst enemies.

What is Risk?

According to the Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST), “risk” is a combined measurement of two factors:

  1. The likelihood that a vulnerability will be exploited
  2. The impact of such an event

In some ways, this fits with a common sense notion of risk, and in other ways it does not. For instance, hackers are not counted as a risk by this definition, but “risk” does include everything which hackers and other adversaries may use to their advantage.

Incidentally, what proves advantageous to a hacker is also the most serious kind of risk. And while certain oversights in security may not seem like a big deal from the organization’s perspective, this mistake is less easy to make from the opposite side of an attack.

How Hackers See Risk

When conducting a cyber hunt, Securicon often uses red-teaming to find less obvious vulnerabilities in an organization’s network. While a “blue” team works to defend the network from attacks, the “red” team works to bypass them using a combination of techniques.

These two perspectives could not be more different: while the blue team takes a hierarchical and organized view of the technology they are defending, the red team is opportunistic. It works to find any trigger that allows it to cause chaos or otherwise subvert normal operating conditions.

For hackers, “risk” therefore translates into “opportunity”. And although individual hackers differ in their overarching goals, all of them look for three basic opportunities:

  • Access – establish an initial and persistent presence within the target organization for further activity
  • Concealment – hide activity by evading detection, which means bypassing normal safeguards, disguising malicious activity as legitimate or creating a diversion elsewhere in the network
  • Escalation – gain privileges and therefore greater control over a system

The greatest risks to an organization’s security center around these goals and should be prioritized accordingly. Common examples include:

Wide Area of Attack

In a past article, we talked about the importance of minimizing attack area in the context of industrial control systems (ICS). This principle applies more broadly: networks become increasingly less secure with every new access point such as routers and IoT devices. Partners up or downstream also represent potential targets which hackers can use to gain a foothold.

Useful Idiots

Despite how far technology has come, hackers still use social engineering during the reconnaissance phase of an attack. Untrained personnel may be persuaded to divulge sensitive information which can be used for access, concealment or escalation. They may also compromise their organization by clicking malicious links containing malware or phishing scams.

Blind Spots

Robbers do not come in through the front door: likewise, the most sophisticated hackers seek an entry-point that is not well-monitored or protected to conceal their presence. Thanks to the Internet of Things (IoT), organizations are now flooded with a host of devices – from printers to coffee machines – that may contain significant vulnerabilities and require protection.

Lack of Security Controls

Overlooked security controls – such as two-factor authentication (2FA), network passwords and encryption – represent one less obstacle for hackers to overcome during an attack, and they will use such oversights to their advantage. On the other hand, even controls that seem redundant can prevent an attack from succeeding at a crucial stage.

Using a Hacker’s Mindset

The best form of security is proactive security, and proactive security starts by finding risks and remediating them before they are ever exploited. As this risk-based approach becomes essential to meet federal standards for compliance, organizations will benefit from thinking about their systems like an outsider.

In 2020, consider investing in a professional risk assessment. With years of experience in a DoD context, our trained experts can offer something that automated solutions cannot rival: human intelligence, creativity and a deep understanding for the way real hackers think.


Securicon is poised to support industry partners in preparing for CMMC through Gap Analysis and Assessment of security practices and procedures. Contact us for more information.