5 NIST Updates That Will Impact Security Professionals in 2020

NIST Updates

It’s fair to say regulations from the National Institute of Standards and Technology (NIST) are a cornerstone of the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.

As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.

To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST’s activity is vitally important. Our staff is among the industry professionals who advise NIST. In this article, we’ll share five of the biggest recent updates from the nation’s foremost authority on federal and commercial enterprise technology.

1. CMMC to Supplant SP 800-53 for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is by far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.

CMMC has three major goals:

  • Consolidate – and therefore supersede – multiple cybersecurity standards, including NIST documents SP 800-53 and SP 800-171, and several international standards like ISO 27001
  • Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
  • Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized

With five gradually escalating certification tiers, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be “compliant,” forcing organizations to take responsibility for risk and adopt a mindset of cybersecurity across their departments. As a military contractor ourselves, we too are adapting to comply.

2. Draft for IoT Standards

The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – most IoT devices suffer from multiple vulnerabilities that can be used for espionage, data theft and much more.

In response, NIST has released a draft of IR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document contains policies focused on bringing IoT vendors in line with the security needs of their customers with controls like data protection, authorized software updates, End-of-Life policies and – most importantly – secure firmware designed to prevent unauthorized device access.

While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.

3. Privacy Framework

Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to levels of classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).

While the PF is only 39 pages long, it is jam-packed with advice and procedures to defend data security from threats both inside and outside of an organization. Divided into five basic sections, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:

  • Identify risk to individuals
  • Govern risk management priorities
  • Control privacy risks at a granular level
  • Communicate with stakeholders
  • Protect data from “privacy events”

Version 1.0 of the PF was released at the end of last month, after being available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.

4. Supply Chain Risk Management Updates

Released in 2015, SP 800-161 has existed to mitigate risks in the information and communications technology (ICT) supply chain throughout federal organizations. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following changes in federal law regarding the acquisition of ICT products in 2019, especially from foreign vendors.

In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”

The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since changes to SP 800-161 will be accompanied by updates to NIST SP 800-37 and SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.

5. Standardization of Cybersecurity Regulations

Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Cybersecurity Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.

Through the OLIR, NIST aims to simplify compliance procedures through a centralized online repository of cybersecurity legislation complete with cross-references between documents, and advice from subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.

NIST accepted public comments on its first draft until February 24th. We don’t know how long it will be until OLIR goes into effect, but it’s safe to assume something will be up and running by the end of this year.

Taking Responsibility

Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.

Don’t stop at checking off boxes: in 2020, organizations that take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!

Why Crowd-sourced Pentesting Isn’t All it’s Cracked Up to Be

pentesting, Risk Requests, risk management framework

Crowds have always been a powerful thing, but before the Internet came along, it was difficult to harness them. Now things have changed: almost anything can be powered by crowds these days, from funding initiatives to news coverage, research and more. But is crowd-sourcing the right approach to penetration tests? Some people think so.

According to a report by Bugcrowd, there are literally thousands of crowd-sourced security programs today, attracting clients that range in size from small businesses to publicly traded enterprises like Motorola Mobility. And while these programs offer a number of services, the most popular one is “penetration testing” – or at least, something which goes by that name.

The fact is, crowd-sourced penetration testing isn’t like the non-crowd-sourced version at all. And while there are advantages to each approach, there are also good reasons to choose the latter over the former. To understand why, we have to start by explaining the differences between them.

Crowd-sourced vs. Traditional Pentesting

The goal of a penetration test (or pentest) is to find, document and score vulnerabilities in an information system before they are used by hackers or other malicious agents to gain unauthorized access. To do this, a pentester approaches a system just like a hacker would, from conducting reconnaissance to attempting simulated “attacks” that confirm whether a detected vulnerability is really exploitable.

Traditionally, an organization defines the goal of a pentest and hires a team of security professionals to conduct it over a limited period of time. During a crowd-sourced pentest, an organization offers a bounty to anyone who can discover a vulnerability on their systems, often through an agency with access to thousands of white-hat hackers who may or may not be professionals.

There are some advantages to the crowd-sourced model:

  • Timeframe – crowd-sourced pentests take place over an undefined timeframe and may carry on indefinitely. This allows new vulnerabilities to be discovered as an organization continues to develop and improve its systems.
  • Cost – a crowd-sourced pentest is typically cheaper than the traditional kind, since organizations are paying for each discovered vulnerability rather than for the test itself.

In many ways, crowd-sourced pentesting is similar to the bug bounty programs that companies have used for years to find flaws in their online platforms – and, in fact, many startups in the security industry started out as bug bounty agencies. But what works well in one context may not work well in another, and that brings us to the problems in the crowd-sourced model.

The Dangers of Crowd-sourced Pentesting

Crowd-sourced pentesting – no matter how it’s advertised – is the organized practice of inviting real hackers to hack your company and helping them to get started. Because websites are public-facing assets, offering a bug bounty does not expose them to any vulnerabilities they didn’t face before. Meanwhile, crowd-sourced pentesting requires organizations to actually connect internal systems with public channels, potentially exposing sensitive data and intellectual property to a group of individuals who suffer from:

  • A lack of ethical obligations – traditional pentesters are held to a high ethical standard because their careers depend on it. They cannot hide from suspicion or blame when something goes wrong. Meanwhile, crowd-sourced hackers are often anonymous to their clients, and – while they may be required to sign a contract – in practice nothing can stop them from hiding their discoveries, or using what they find in a malicious way.
  • A lack of professionalism – since crowd-sourced pentesting agencies require a large volume of talent, the quality and experience of the “hackers” they contract is wildly inconsistent. Moreover, today’s hackers often work in groups, and that’s why traditional pentesters do likewise; crowd-sourced pentesters may be lone wolves that compete with one another for profit, generating conflict when two individuals find one vulnerability at the same time.
  • A lack of focus – when an organization defines a pentest engagement, it typically has a clear view of what it wants to address in the test and has defined rules of engagement. The crowd-sourced approach tends to lack that focus, and the results may be very inconsistent with the organization’s objectives.

In short, crowd-sourced pentesting removes the vital element of control that organizations normally exercise over their security operations. For this reason, companies that do invest in crowd-sourced programs – including Google, Mozilla and Facebook – also retain traditional pentesters to protect their most vital internal systems, and only use crowds where the danger does not outweigh the cost savings.

Why Crowd-sourcing is Really Popular

Aside from the low cost and flexibility that it provides, crowd-sourced pentesting is gaining in popularity due to a perception that professional pentesters aren’t “real hackers”. It is an understandable assumption: as time goes by, pentesting as a field has become dominated by automation which simply cannot rise to the human capacity for creativity and disruption.

We’re not here to deconstruct the term “real hacker” or call it a meaningless construct, because it’s not.

Hackers are not predictable. Unlike security professionals in many other fields, they do not take a linear or hierarchical view of information systems. They do not work from a CVE list, manual or rule book. Therefore, hiring a company that claims to provide “real hackers” might seem like a good solution. But real hackers are also as likely to be found working as traditional pentesters as they are anywhere else.

A Better Solution

The best hackers in the world know how to use their talents to make a sustained and comfortable living. They neither spend their days running from the law, nor do they troll the web looking for quick profit or glory. The best hackers are genuinely invisible, hiding in the very places where many assume they can’t be found.

At Securicon, we take pride in our exclusive team of bright-minded hackers from commercial, DoD and federal security backgrounds. We turn down 90% of applicants, because our pentesting program is reserved for the best and brightest in the business. We only accept talents with the right mindset for this unique occupation: they can find windows of opportunity where scanners and lesser minds see a blank wall.

The Bottom Line

At best, crowd-sourced pentesting works in a limited range of scenarios. It can help to secure production systems and other addresses that are not directly linked with your organization. However, it’s far from the best way to find vulnerabilities in your vital assets: trained penetration testers are hackers who have the intelligence, experience and creativity that it takes to find problems by working together, and the ethics to report them responsibly.


Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.

Hackers Can Gain Active Directory Privileges Through Vulnerability in Xerox Printers

data breach, vulnerability testing, hackers

Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.

Deral Heiland and Michael Belton’s research on multi-function printers and the “Pass-Back Attack” first appeared in a document published on foofus.net. Steven Campbell, a Senior Security Consultant at Securicon, frequently finds network devices using default credentials that are vulnerable to the pass-back attack vector during client assessments and uses this attack vector to discover credentials to Active Directory service accounts.

Unfortunately, the newly reported vulnerability in Xerox WorkCentre MFPs is just one in a series of similar weaknesses impacting today’s off-the-shelf IoT devices. In this article, we’ll explain how it can be used to gain administrative access over Active Directory domains, and what you should do to protect yourself.

How it Works: Xerox Pass-Back Attack

First – after accessing an organization’s network – a malicious or unauthorized user can gain access to the web interface of affected Xerox printers using well-known default login credentials. Even if the username and password have been changed, they may be brute-forced if they are weak and easily guessable.

Figure 1: Admin interface accessed using default credentials

Next, the actor finds an LDAP connection configured on the device and changes the Server IP address or hostname to their own IP address as shown in the next figure. Since the Xerox firmware does not require a user to re-enter or validate the LDAP credentials before changing its server address, there is nothing standing in the attacker’s way.

Figure 2: Editing LDAP Connection

Next, the attacker uses a utility like netcat to listen for incoming connections and display the output in plaintext. Using the LDAP server search field, they can search for any name and connect to the corresponding account.

Figure 3: LDAP User Search

On the actor’s system, the netcat utility receives the connection and displays credentials used by the printer to reach the Active Directory Domain Controller, including domain, username and password.

Figure 4: Capturing Plaintext Credentials

In the best-case scenario, the attacker will discover an ordinary Active Directory user account that does not belong to any privileged security groups. The attacker can still use this unprivileged account to gain a foothold in the domain, which constitutes a moderate vulnerability.

However, our own tests on client networks demonstrate that the worst-case scenario is more likely. We frequently find that the printer service account belongs to a privileged group such as “Domain Admins,” and grants the attacker full control over the Active Directory Domain. This is a severe vulnerability which requires immediate remediation.

Are You Protected?

The table below lists Xerox printers susceptible to the attack outlined above, and the corresponding firmware patch. Devices on a lower software version are still vulnerable and should be patched using the updates provided by Xerox.

Aside from installing the latest firmware update, we recommend that organizations implement two security controls across all their networked devices to prevent similar attacks in the future:

  1. Always update default manufacturer credentials with strong passwords and use two-factor authentication (2FA) whenever possible. Recently, Barracuda network devices were impacted by an LDAP vulnerability similar to the one described in this article; all users were impacted except for those enrolled in 2FA.
  2. System administrators should avoid adding printer service accounts to privileged Active Directory groups, and – in general – they should keep the number of administrative users to an absolute minimum.

Although it should be incumbent on vendors and device manufacturers to validate users before allowing them to change crucial device settings (such as the LDAP server address), the truth is that today’s vendors cannot be trusted to enforce rigorous security controls. Organizations must take the initiative to strategically protect their networks.
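As an added example (not part of the original article, and not a Xerox or Securicon tool), the script below audits the two controls that follow from the attack described above: whether each printer’s configured LDAP server is one of the organization’s known domain controllers (the attack works by repointing it at an attacker-controlled host), and whether the account the printer binds with resolves, directly or through nested group membership, into a privileged Active Directory group. All hostnames, account names and group nesting are constructed sample data.

```python
"""Audit MFP LDAP settings and AD service-account privilege (constructed data)."""
from collections import deque

# Privileged groups to flag (constructed list; extend for your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Constructed inventory of the organization's real domain controllers.
KNOWN_DCS = {"dc01.corp.example", "dc02.corp.example", "10.0.0.10", "10.0.0.11"}

# Constructed printer configuration export: device name -> LDAP settings.
PRINTERS = {
    "mfp-lobby":   {"ldap_server": "dc01.corp.example", "bind_account": "svc_print"},
    "mfp-finance": {"ldap_server": "10.0.0.66",         "bind_account": "svc_scan"},
    "mfp-hr":      {"ldap_server": "dc02.corp.example", "bind_account": "svc_print"},
}

# Constructed AD membership map: principal -> groups it is a DIRECT member of.
# svc_print is not in Domain Admins directly, but IT-Support is, so the
# account is effectively a domain admin through nesting.
AD_MEMBER_OF = {
    "svc_print":       {"Print Operators", "IT-Support"},
    "svc_scan":        {"Scanner Users"},
    "IT-Support":      {"Helpdesk", "Domain Admins"},
    "Helpdesk":        set(),
    "Print Operators": set(),
    "Scanner Users":   set(),
}


def privileged_chain(principal, member_of=AD_MEMBER_OF, privileged=PRIVILEGED_GROUPS):
    """Breadth-first walk over nested group membership.

    Returns the shortest chain [principal, group, ..., privileged group] if
    the principal resolves into a privileged group, otherwise None.  The
    parent map doubles as the visited set, so group cycles cannot loop.
    """
    parent = {principal: None}
    queue = deque([principal])
    while queue:
        node = queue.popleft()
        for group in sorted(member_of.get(node, ())):
            if group in parent:
                continue
            parent[group] = node
            if group in privileged:
                chain = [group]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            queue.append(group)
    return None


def audit_printers(printers=PRINTERS, known_dcs=KNOWN_DCS, member_of=AD_MEMBER_OF):
    """Return a list of (printer, finding, detail) tuples for both checks."""
    findings = []
    for name, cfg in sorted(printers.items()):
        # Check 1: the LDAP target must be a domain controller we operate.
        if cfg["ldap_server"].lower() not in known_dcs:
            findings.append((name, "unknown-ldap-server",
                             f"LDAP server {cfg['ldap_server']} is not a known DC"))
        # Check 2: the bind account must not be (nested) privileged.
        chain = privileged_chain(cfg["bind_account"], member_of)
        if chain:
            findings.append((name, "privileged-bind-account", " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for printer, finding, detail in audit_printers():
        print(f"{printer:12} {finding:24} {detail}")
```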

Bridging the IoT Security Gap

In the past, we have talked about the IoT security gap and lax controls from hardware manufacturers. Sadly, the vulnerability covered in this article is a case-in-point: today, networked devices are being pushed to market faster than they can be secured, and security is rarely a priority in development. This leaves many organizations with blind spots in their security position as a host of seemingly benign devices (like printers) provide a wide attack surface for malicious actors.

IoT and networked devices are the future – but meeting the technological needs of your business and protecting your investment are not mutually exclusive goals. As the average cost of a data breach climbs to historic highs, organizations cannot afford to be caught off guard by easily prevented security vulnerabilities. This year, insure your organization against future threats by taking inventory of your IT assets and assessing them for risk.


Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our risk assessment framework.


2019 in Retrospect: Federal Security Changes and New Directions

The arrival of 2020 signals many exciting developments in cybersecurity across the public and private sectors. With the beginning of a new year comes the start of a new budget for public spending, and now that Congress has reconvened after the holiday season, there are lots of items that will have to be discussed as 2020’s agenda for national security starts taking shape.

But we would be remiss to talk about next year’s direction without talking about last year’s accomplishments, and – more importantly – last year’s difficulties. From the establishment of a new federal security agency to the modernization of NIST regulations, 2019 brought scrutiny to increased risks across multiple areas of developing technology.

In this article, we will reflect on the most significant events of 2019 that will directly impact government agencies and contractors over the coming year. Our first pick is:

1. Clearance overhaul sought to reduce insider threats

To address the legendary clearance adjudication backlog which peaked at 700,000 cases under the NBIB, clearance adjudication was successfully transferred to the Department of Defense (DoD) in October after nearly a year of preparation. As part of that process, the Defense Counterintelligence and Security Agency (DCSA) was formed to handle background investigations and case reviews.

Not only has the DCSA successfully slashed the clearance backlog in record time, but it has also taken steps to fundamentally change the way background investigations are performed by switching thousands of authorized individuals to the Continuous Evaluation (CE) program. Under CE, personnel can be monitored in real time for concerning activity, with the goal of identifying and eliminating insider threats before they strike.

Insider threats remain one of the most serious risks to National Security, already addressed by the National Industrial Security Program Operating Manual (NISPOM) which requires federal contractors to maintain an insider threat prevention program. CE will go a long way to assist in that ongoing effort.

2. Supply chain crackdowns addressed vulnerable IT

Early this year, concerns about the possibility of foreign espionage facilitated by technology originating from China and other foreign countries reached a climax when President Trump signed Executive Order (EO) 13873. According to the order, U.S. organizations may not use IT products manufactured by companies deemed a “national security threat” by the Commerce Department.

Many saw the new order as a way to directly target Chinese telecom-giant Huawei, after the company was indicted for stealing trade secrets, and its CFO was faced with formal extradition. While that’s likely true, the EO was only one step among many towards increased scrutiny for IT vendors who can threaten national security through vulnerable or poorly manufactured products.

Earlier this year, for instance, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 was introduced to Congress, and – if passed – it will formally task the National Institute of Standards and Technology (NIST) with developing minimal standards for IoT security throughout the government. But rather than waiting on Congress, NIST has ploughed ahead, drafting security feature recommendations for IoT in NIST IR 8259.

3. DoD oversaw major compliance overhaul to take effect this year

Regulations like NIST 800-171 exist for a reason: while they do not eliminate security risk from government contractors, they do provide a minimum basis for smart security controls that can mitigate susceptibility to common threats. Many could not help noticing, however, that vanishingly few organizations are actually compliant with NIST 800-171 even though it has been in effect since 2016.

The DoD’s answer to this problem is the Cybersecurity Maturity Model Certification (CMMC) which was drafted throughout 2019 and released for public comment. Under the CMMC, defense contractors will be required to demonstrate adequate security standards prior to bidding on a contract. For now, at least, the CMMC applies only to organizations working with the DoD, but it’s not impossible that the rest of the federal government will eventually follow suit.

Fortunately, the CMMC is flexible, allowing organizations to receive certification at one of five different levels. According to the Pentagon, CMMC is simply meant to be a first line of defense against risk, and is intended to foster a “culture of cybersecurity” in organizations to prevent them from falling behind.

Adopting a Risk-Based Approach to Security

Technology is changing faster than ever, and the trends we’ve seen within the security industry in 2019 are evidence of that. In spite of their best efforts, bodies like NIST struggle to produce regulations fast enough to keep up with an ever-changing threat landscape, while many organizations show complacency towards legislation as it already exists.

Thanks to the CMMC which goes into effect this year, it will become increasingly difficult for government contractors to ignore cybersecurity in 2020. It will become equally difficult to lean on compliance as the sole indicator that an organization is secure. To prepare, contractors should take a proactive approach to security that addresses the greatest risks to their business and operations.

Checking off boxes is no longer enough: in a world dominated by emerging threats, only a “culture of cybersecurity” will do.


Securicon is poised to support industry partners in preparing for CMMC through Gap Analysis and Assessment of security practices and procedures. Contact us for more information.