The National Institute of Standards and Technology (NIST) has recently released the preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. NIST is a non-regulatory agency and science lab that aims to promote innovation by advancing measurement science.
In this latest document, NIST outlines ways organizations can properly utilize data while protecting the privacy of individuals. The document is still in the draft stage, and as such, NIST is actively encouraging security and privacy industry experts to share their comments on the draft until the October 24 deadline.
"For more than two decades, the Internet and associated information technologies have driven unprecedented innovation, economic value, and improvement in social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem, so complex that individuals may not be able to understand the potential consequences for their privacy as they interact with systems, products, and services."
(Source: NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management)
The concept that measurements, regulation, compliance, and best practice guidelines can foster innovation may seem a little bewildering to some people. Most people assume regulation hinders innovation. NIST, however, states that its central mission is to enable innovation. The idea is that if you know how to measure something, then you know how to design it, and once you have designed it, you can improve it. This balancing act between innovation and structured guidelines has been a hotly debated topic in the tech world. The ultimate goal is to strike a balance where innovation flourishes while the rights and concerns of individuals in the digital age are proactively protected. This privacy framework is another part of that picture and an opportunity for you to share input on where the right balance lies.
Documents of this type function more as guidelines rather than a rigid checklist that all organizations should follow. While this approach leaves more room for flexibility and innovation, it can leave some companies confused about the best way to tackle the privacy issues their organization faces.
The NIST Privacy Framework aims to present existing practices and suggests ways to effectively strengthen individuals' privacy through new practices. The document is designed to work in parallel with NIST's Cybersecurity Framework so organizations can better manage privacy risk in an increasingly privacy-conscious age. The Cybersecurity Framework is the model for the new framework: industry experts felt that existing privacy guidance did not align well enough with the Cybersecurity Framework, so the Privacy Framework borrows its structure.
The Privacy Framework can drive better privacy processes and help organizations protect individual privacy through the three objectives outlined in its executive summary:
We would like to offer some suggestions and clarity around the password guidelines under the “Protect-P” part of the draft.
As part of the NIST Digital Identity Guidelines (SP 800-63B), NIST put forward recommendations for organizations to screen new passwords against known compromised passwords. This process is known as credential screening when both the username and password are screened, or password screening when only the password is checked. It falls under the "Protect-P" function of the NIST Privacy Framework discussed above.
Implementing this type of screening can significantly increase the security of an organization. Attackers put considerable effort into breaking into systems and stealing sensitive data, then use that data to gain access to a customer's other online accounts or to corporate networks.
Cybercriminals rely on commonly used passwords or exposed passwords to successfully conduct brute force or credential stuffing attacks to gain access. Successful data breaches that leak usernames and passwords have become an alarmingly common reality of the digital age. It has gotten to the point where it’s unusual to go a single day without a significant data breach occurring.
These exposed usernames and passwords end up on databases on the dark web where other cybercriminals can buy them or utilize them. There are billions of credentials on the Dark Web and public Internet. (Check out a sample password on www.enzoic.com/password-check to see if your password is exposed. Test out other passwords that you think could be safe and witness the scale of the problem.)
Password screening prevents users from choosing passwords that have been exposed, are weak, or are common. Attackers count on most people being too lax about their security to change their passwords or to create a unique one for every account. They also know that people are predictable and follow common patterns when choosing passwords. Passwords like "123456," "password," or "qwerty" may be funny and easy to remember, but they are also the first ones a cybercriminal will try in a brute force or dictionary attack.
By introducing screening for compromised or weak passwords, organizations can dramatically increase security and maintain the privacy of data in their environment.
Companies have the option of storing passwords using different methods. Passwords can be stored in plaintext, using encryption, or using hashing. The best practice recommendation is password hashing with a per-user salt and a deliberately slow algorithm, where the input string (your password) is transformed into a fixed-length digest that cannot be reversed.
Plaintext, or what some people refer to as clear text, is by far the most unsafe way of storing passwords. If a cybercriminal manages to penetrate an organization's database, they will see all of the passwords clear as day. It makes for easy work for the attacker. You may assume that no notable company would be foolish enough to store passwords in plaintext, but you'd be very wrong. Some companies have done so in the past and been stung by a data breach. These aren't small companies either, but the likes of Imgur, Comcast, Neopets, and Facebook.
Encryption can be a useful way of securing data, but for passwords it has a fundamental flaw: it is reversible by design. When a plaintext password is encrypted, it is transformed with an encryption key. If an attacker breaks into the database, they will see a bunch of encrypted strings rather than passwords. However, if they manage to get hold of the encryption key (which the application itself must have access to in order to function), they can recover every plaintext password behind them.
Password hashing, or using a hash function, is when the input string (your password) is run through a one-way algorithm that always produces an output of a predetermined length. Hashing algorithms are designed so that even changing one character in the password will create an entirely different hash, and so that the original input cannot be computed from the output. This does not stop an attacker from guessing: they can hash candidate passwords themselves and compare the results against the stolen hashes. Weak or common passwords are therefore still recoverable, and the faster the hash function, the more guesses per second the attacker can make.
There are many different hashing algorithms used by companies to secure passwords; however, this is an area that evolves over time. For example, today bcrypt is still considered secure, whereas general-purpose hashes such as SHA-1 were once used for passwords but are no longer considered acceptable for that purpose. This evolution occurs as available computing power increases. Fast, unsalted hashes allow attackers to precompute tables that map hash outputs back to known exposed and common plaintext passwords, so a stolen hash becomes a simple lookup. A per-user salt defeats these precomputed tables, and a slow, tunable work factor (as in bcrypt, scrypt, Argon2, or PBKDF2) makes each remaining guess expensive. Given enough time and computing power, weak passwords can still be cracked under any algorithm; some schemes just make it far more costly than others.
To meet the NIST goal of future-proofing, hashing must respect the ongoing evolution in this area.
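To make the difference between a fast unsalted hash and a salted, slow hash concrete, here is an added example (not code from the original article or from NIST). It builds a precomputed lookup table over a constructed wordlist, cracks an unsalted SHA-1 digest with a single dictionary lookup, and then shows that the same table is useless against a salted, iterated hash, where every guess must be recomputed per user. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (which needs a third-party package); the iteration count and storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist standing in for a leaked-password corpus (not real breach data).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "summer2019", "iloveyou"]

# Work factor for the slow hash. Assumption for the example; production values should be
# tuned to the hardware and raised over time (store the value with the digest, as below).
ITERATIONS = 100_000


def sha1_hex(password: str) -> str:
    """Fast, unsalted SHA-1 of a password: what a weak legacy store might hold."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once; reusable against every unsalted SHA-1 store."""
    return {sha1_hex(p): p for p in wordlist}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers the password if it appears in the table."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. The salt and iteration count are stored alongside the digest
    so verification has everything it needs and the work factor can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: str, wordlist: Iterable[str],
                 table: Dict[str, str]) -> Tuple[Optional[str], int]:
    """The precomputed table never matches a salted digest, so the attacker has to run the
    slow KDF once per guess, per user. Returns (recovered password or None, KDF calls made)."""
    if table.get(stored) is not None:  # cannot happen: the random salt is not in the table
        return table[stored], 0
    calls = 0
    for guess in wordlist:
        calls += 1
        if verify_password(guess, stored):
            return guess, calls
    return None, calls


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    legacy = sha1_hex("qwerty")
    print("unsalted SHA-1 cracked instantly:", crack_unsalted(legacy, table))

    stored = hash_password("qwerty")
    print("stored record:", stored)
    print("salted/slow hash cracked only by guessing:", crack_salted(stored, COMMON_PASSWORDS, table))
```

The table lookup is the attack the text describes against SHA-1 stores: one precomputation serves every breached database. Against the salted record the same table contributes nothing, and each guess costs a full KDF run, which is where a tunable work factor buys time as hardware improves.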
This third area refers to factors addressed in the first two above.
When it comes to credential and password screening, many screening products will crack the password entered by the user, that is, recover its plaintext. This creates a significant security threat because it makes the password known to more parties. If the goal is to create secure and private passwords, then there shouldn't be a process designed to reveal a full password. It also represents a privacy issue. Users assume their password is being protected by the organization with which they are transacting. They would likely not appreciate learning that a third party has cracked their password on behalf of that organization and stored it in cleartext.
The cybersecurity field is moving toward models where a password is known only to the user who created it. Done correctly, this means an organization's IT team cannot view the password, and neither can third-party software. Each time a password is revealed, it creates a new weak link that can be exploited by attackers or by internal bad actors.
Partial hashing is a better option. Credential screening products that use a partial hash approach are preferred because they are more secure and protect a user's privacy. In a partial hash approach, only part of the password hash is sent to check whether the password has been compromised. For example, the software may send only a short fragment of the hash (such as the first and last five characters) to look up matching entries in the compromised-password set, and the comparison against the full hash happens on the organization's side. The screening service never receives the full password or even its full hash, which vastly reduces exposure.
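The following is an added example of a partial-hash (k-anonymity style) screening exchange; it is not code from the original article or from any particular screening vendor. It assumes the prefix-only scheme in which the client sends the first five hex characters of the SHA-1 hash and the service returns every suffix it knows in that range, so the final comparison happens on the client. The compromised-password corpus is a small constructed sample, and `PREFIX_LEN` is an assumption for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample of "known compromised" passwords standing in for a breach corpus.
COMPROMISED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "passw0rd"]

# Assumption: a 5-hex-character prefix (the scheme popularised by the Have I Been Pwned API).
# A shorter prefix means a larger anonymity set per query but larger responses.
PREFIX_LEN = 5


def sha1_upper(password: str) -> str:
    """SHA-1 is used here only as a lookup key for the breach corpus, not for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: List[str]) -> Dict[str, List[str]]:
    """Service side: index the hashes of *leaked* passwords by prefix.
    Nothing about the user's password ever enters this structure."""
    index: Dict[str, List[str]] = {}
    for pw in corpus:
        h = sha1_upper(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def service_lookup(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Service API: accepts only a prefix and returns every known suffix in that range.
    The service cannot tell which (if any) of the returned suffixes the caller cares about."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex characters")
    return sorted(index.get(prefix.upper(), []))


def is_compromised(password: str, index: Dict[str, List[str]]) -> Tuple[bool, str, int]:
    """Client side: hash locally, send only the prefix, compare the suffix locally.
    Returns (compromised?, the exact string sent over the wire, candidates returned)."""
    h = sha1_upper(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = service_lookup(index, prefix)
    return suffix in candidates, prefix, len(candidates)


if __name__ == "__main__":
    idx = build_index(COMPROMISED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        hit, sent, n = is_compromised(candidate, idx)
        print(f"{candidate!r}: compromised={hit}, sent={sent!r}, candidates returned={n}")
```

The security property to check in any real product is the one the `is_compromised` function makes visible: the only value that leaves the client is `prefix`, a few characters of a hash, and the decision is taken locally. With a real corpus each prefix covers hundreds of unrelated passwords, so the service learns neither the password nor which entry matched; with the six-entry sample here the anonymity set is tiny, which is exactly why a production service needs a large corpus behind every prefix.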
As we did with NIST 800-63, we encourage everyone to read through the draft NIST Privacy Framework. We hope there is public contribution before the deadline to avoid debate after it is finalized. There is still a lot of discussion around the NIST password guidelines, but many organizations are leveraging the framework with success.