NIST updates guidance to reflect malware, patch mangement evolution
The National Institute of Standards and Technology (NIST), responsible for setting industry and government measurements and standards, has released revisions to two of their security-related guidance – an undertaking that took longer than a year.
The revision drafts – “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” (PDF) and “Guide to Enterprise Patch Management Technologies” (PDF) – were updated and re-released to reflect evolving technology trends. It is the first amendment to the two manuals since NIST released them in 2005.
Murugiah Souppaya, a NIST computer scientist and co-author of both documents, told SCMagazine.com that evolving malware threats is what prompted a revision to the “Guide to Malware Incident Prevention and Handling for Desktops and Laptops.”
“Threats today are much more difficult to detect and eradicate, and threats are much more targeted than they used to be,” he said, citing spear phishing as an example.
Souppaya added that the revisions also reflect the harvesting of social media information for attack targeting.
The “Guide to Enterprise Patch Management Technologies” was updated because most organizations now have largely automated patch management to snuff out vulnerabilities, Souppaya said, adding this was not the case in 2005.
Souppaya said this document needed to be in line with the use of automated technologies, “such as those based on [the] SCAP (Security Content Automation Protocol),” and added that older recommendations reflected manual processes that are no longer relevant for most entities, such as having a patch management group.
The NIST updates guidebooks as needed and not on any regular schedule.