NIST’s New Cryptography Guidance: What It Means for Enterprises
We recently weighed in on the significance of the Heartbleed bug, which was arguably the biggest rift in the cybersecurity space since Edward Snowden’s NSA revelations. While the OpenSSL vulnerability has received a deserved amount of attention, it’s imperative to not let other industry developments pass below the radar.
One such development is a recent announcement by the National Institute of Standards and Technology (NIST) highlighting the release of the latest version of its cryptography guidance. The document, titled “Recommendation for Random Number Generation Using Deterministic Random Bit Generators,” was specifically published to make clear the removal of an algorithm known as a deterministic random bit generator (DRBG). Why such a major revision? The NSA.
Back in November 2013, NIST found itself under heavy scrutiny from IT security experts and the media because of allegations that the NSA had somehow corrupted, or at least strongly influenced, the way the organization composed its cryptography guidance. It was widely believed that a specific DRBG algorithm, Dual_EC_DRBG, was being leveraged by the NSA to “circumvent encryption that shields much of global commerce, banking systems, medical records and Internet communications.” Up to that point, DRBG was considered an efficient, secure way to provide randomly generated cryptographic keys that granted users access to corporate networks, for example.
The ironic thing was that encryption was being evaded using certain parameters specified within the NIST guidance. As Eric Chabrow of BankInfoSecurity explains, that exploit could in turn allow attackers to successfully predict the secret cryptographic keys that form the foundation for the assurances provided by NIST. With the entire world still feeling out the long-term implications of the Snowden revelations, NIST had to act to try and retain the level of trust it had worked so hard to build with its cryptography experts. Though it may take a while for the trust to be completely restored, many experts agree that NIST is at least taking a step in the right direction.
The Enterprise Effect
The good news is that other forms of advanced cryptographic algorithms make the transition from DRBG fairly seamless, and if enterprises begin using more secure encryption, that can also alleviate concerns over hacking or snooping. However, while the use of DRBG will obviously be discontinued, this serves as another lesson about the importance of retaining a defense-in-depth security framework.
Cryptographic keys are essential to establish secure remote access to corporate networks, but additional layers of security can go a long way in terms of protecting sensitive data from cyber criminals (or governments) attempting to snoop. For example, consider a multi-vendor, best-in-breed approach. Enterprises using company A’s centrally managed VPN and company B’s intrusion prevention system have, by default, increased the difficulty of breaching their network. That’s because the connection to the corporate network is constantly being monitored for a wide range of breach scenarios.
As revelations such as DRBG and the Heartbleed vulnerabilities come to light, it’s becoming increasingly clear that there is no one solution or protocol that can comprehensively protect corporate networks. But that doesn’t mean that it’s not possible – it just means that a different, more holistic approach must be taken.