Shimon Brathwaite

EC-Council University | Certified Ethical Hacker | Information Technology
Cybersecurity professional, a published author, freelance writer and
cybersecurity copywriter.
Author | SecurityMadeSimple

The National Institute of Standards and Technology (NIST) under Executive Order (EO) 14028 has launched an initiative to improve the United States Cybersecurity on May 12th, 2021. As part of this initiative, NIST is publishing its definition of the term critical software, which is software that is essential to running an organization’s services and operations. This has been followed by guidelines for securing critical software, together this acts as a guide for federal agencies in the United States to help them identify and protect the use of deployed EO-critical software in their operational environments.

While this first NIST publication targets federal agencies, we expect the software industry as a whole to adapt to these standards and businesses to benefit from the resulting enhanced security. This article will break down the information provided by NIST in a way that is easy to understand and apply in your business.

Why is this important for businesses?

Software has become integral to modern-day business, if your company has a website, a web application, mobile apps, or all of the above, these are all potential entry points for hackers. Over 75% of applications have at least 1 security flaw and 24% of those are considered high-severity flaws. Since many of these applications are internet-facing, meaning that they can be accessed by anyone with an internet connection they are very susceptible to attacks. Hackers have developed computer bots that are actively scanning websites and web applications for vulnerabilities. One study found that it took hackers only 1 minute to find and abuse an exposed AWS secret key that was purposely leaked on Github. This just goes to show how quick hackers are to act on potential vulnerabilities and you must learn how to protect your digital assets. To help companies do this is the reason why the EO 14028 was created, to help companies defend themselves against cyber threats.

What is EO-Critical Software?

NIST defines critical software as any software that has direct software dependencies on one or more components with at least one of these attributes:

  • is designed to run with elevated privilege or manage privileges
  • has direct or privileged access to networking or computing resources
  • is designed to control access to data or operational technology
  • performs a function critical to trust
  • operates outside of normal trust boundaries with privileged access

* NIST defines software dependency as any component directly integrated into or necessary for the operation of a piece of software. Common examples include libraries, packages, or modules.
* Critical trust covers any category of software used for security functions such as network control, endpoint security, network monitoring, and network protection.

Why these elements are important:

Elevated Privileges: The amount of damage a user or software program can do is limited to the level of privilege that it has. If a program runs with admin-level privileges it can do almost anything on that system and the network, while a guest account in contrast can do almost no damage. Any software program running with elevated privileges is therefore of higher risk because a compromise of this account means more potential damage and this is why it’s considered critical software.

Direct or privileged access to network resources: Any software that has access to network resources can be used as an entry point to compromise other parts of the network. That access essentially acts as a doorway, allowing people entry into the company’s network if the software becomes compromised. If the access is done with elevated privileges (privileged access) then the amount of damage that can be done increases even more.

Controls access to data or operational technology: Software that controls access to data or operations technology has two main implications. Firstly, it can be used by hackers to gain access to company data for exfiltration, encryption (ransomware), or to get access to other technology in the company. Secondly, it can be used to cripple the business by making these resources unavailable. The two biggest examples that we see of this are ransomware and distributed denial of service (DDOS) attacks, which when performed can make the company unable to operate for weeks or even months.

Critical Trust: This topic deals with all of the software in your company that performs a security function. If an attacker was able to compromise this software they can make your company defenseless or at least create blind spots in your company’s defense that will allow them to get access to your company network and go undetected indefinitely.

Operate outside of normal trust boundaries: Any software that is not subject to the normal trust restrictions of your company and especially those with elevated privileges pose much more danger than normal applications. This simply means these applications are not subject to the normal checks and balances that other software is and therefore they need to be monitored and limited in use to prevent potential security incidents.

Security Measures(SM) for EO-Critical Software

SM-1: Protect EO-critical software and EO-critical software platforms from unauthorized access and usage.

  • Implement multi-factor authentication for all users and administrators of EO-critical software.
  • Uniquely identify and authenticate each service attempting to access EO-critical software or software platforms.
  • Follow privileged access management principles for network-based administration. Some examples include hardening platforms used for administration, logging all admin sessions, and requiring unique IDs for each administrator.
  • Create boundaries around EO-critical software, such as network segmentation, isolation, software-defined perimeters, and proxies.

SM-2: Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms.

  • Establish and maintain a data inventory for EO-critical software.
  • Use fine-grained access control for data and resources to enforce the principle of least privilege.
  • Protect data at rest by encrypting the sensitive data used in EO-critical software.
  • Protect data in transit by using mutual authentication and encrypting sensitive communications.
  • Back up data, exercise backup restoration, and be prepared to recover data in case of an emergency.

SM-3: Identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.

  • Establish and maintain a software inventory of all platforms running EO-critical software.
  • Use patch management practices to maintain EO-critical software platforms and all software deployed to those platforms.
  • Use configuration management to ensure properly hardened security configurations on all company devices.

SM-4: Quickly detect, respond to, and recover from threats and incidents involving EO-critical software and EO-critical software platforms.

  • Configure logging to record the necessary information about security events related to EO-critical software.
  • Continuously monitor the security of EO-critical software.
  • Employ endpoint security protection.
  • Employ network security protection.
  • Train all security operations personnel and incident response team members, based on their roles and responsibilities.

SM-5: Strengthen the understanding and performance of humans’ actions that foster the security of EO-critical software and EO-critical software platforms.

  • Train all users of EO-critical software, based on their roles and responsibilities.
  • Train all administrators of EO-critical software and EO-critical software platforms, based on their roles and responsibilities.
  • Conduct frequent security awareness activities.

Given how much businesses use the internet and software in general, it’s very likely that software-based vulnerabilities will continue to be a huge attack vector for criminals. It’s important companies learn how to identify their most critical digital assets and take steps to protect them, especially internet-facing software applications. This framework created by NIST serves as a guideline on how you can build out an effective cybersecurity program for your business. EO 14028 consists of multiple layers of security for a business and EO-critical software is just one part of this initiative.

Our next article in this series deals with the NIST guidelines recommending minimum standards for vendors’ testing of their software source code. Whether your company is in the business of selling software or if you’re just planning your next purchase, you’ll want to learn more about these standards.