NIST bumps up release of security guidance

The National Institute of Standards and Technology is releasing its updated guidance on secure systems ahead of schedule, just a few weeks after a distributed denial of service attack raised question about security in IoT devices.

The Nov. 15 release of the latest version of  Special Publication 800-160 will urge organizations to address security in the design of devices throughout the systems engineering process, rather than adding firewalls, encryption and monitoring systems to already-purchased operating systems and applications.

After thousands of IoT devices were used by Mirai malware to flood Dyn’s infrastructure with traffic, security experts pointed to a number of design flaws, such as the fact that devices can operate without users changing the preset passwords. That means the days of a putting up a firewall and calling it a job well done are over, Anup Ghosh, the CEO and founder of Invincea, recently told reporters. NIST Fellow Ron Ross made similar points last May, saying tools like firewalls, encryption and monitoring systems won’t be enough.

Continue reading: