Celebrating Cybersecurity Awareness Month with NIST and Our Cybersecurity Awareness Month 2023 Blog Series

October is always a thrilling month for us as we observe Cybersecurity Awareness Month and highlight some of NIST’s most notable achievements, resources, advice, and most recent cybersecurity news. This year is significant because the initiative celebrates its 20th anniversary in 2023, and we will mark it in a variety of ways throughout the month.

What is NIST Up to in October?

  • We’ll share information about our events, resources, blogs, and how to stay involved on our NIST Cybersecurity Awareness Month website.

  • We will use our NISTcyber X account as a platform to disseminate information about our many cybersecurity and privacy resources, such as the 50th Anniversary of Cybersecurity History Timeline, which highlights our various achievements and milestones over the past 50 years. Throughout the month, we’ll also host an X chat and take part in one. To sign up, follow us there and use the hashtag #CybersecurityAwarenessMonth.
  • Several events will be held throughout the month. For more information, visit our Cybersecurity Awareness Month events page.
  • To encourage and promote the awareness and exploration of cybersecurity careers, we will host Cybersecurity Career Week from October 16 to 21, 2023.
  • Additionally, we will be publishing four blogs that correspond to the National Cybersecurity Alliance’s (NCA) core messages:

    1. Enabling multi-factor authentication (this week!)
    2. Utilizing secure passwords and a password manager
    3. Updating software
    4. Identifying and documenting phishing

Cybersecurity Awareness Month 2023 Blog Series: Increasing Multi-Factor Authentication
 

We sat down to interview NIST’s David Temoshok to kick off our 2023 blog series. He gave us a brief overview of his thoughts and ideas on enabling multi-factor authentication as well as some of what he is currently doing at the organization.

To demonstrate that you are who you claim to be online, multi-factor authentication combines something you know, such as your password, with something you have, like an authentication app on your phone, or something you are, such as a fingerprint or facial recognition. Attackers won’t be able to access your accounts even if your password is stolen and compromised because they are unable to provide the second authentication factor to log in.

    Enabling multi-factor authentication is the theme for Cybersecurity Awareness Month this week. How does your work/specialty area at NIST tie into this behavior?

I lead the work on NIST Special Publication 800-63-3 Digital Identity Guidelines. The guidelines provide foundational processes and technical guidance for the management of digital identities by federal agencies. The Guidelines also explain how public access to federal online services, systems, and transactions needs to be managed by federal agencies in secure, usable, and privacy-protecting ways.

The Guidelines are actually published in four volumes: the first one introduces the processes and terms that are used throughout the following Volumes and applies risk management principles to digital identity management, the second, Volume A, addresses identity proofing and enrolling the public as digital identities into federal online services, the third, Volume B, addresses authenticating the digital identity of individuals that have been enrolled and return to online services, and the fourth, Volume C, addresses how to share enrollment digital identity information across federal agencies to facilitate and simplify access to federal online services. Volume B, Authenticator and Lifecycle Management, explains authentication and multi-factor authentication processes (and how those processes are used for access to all federal government online services).

All accounts that are established to access government online services require multi-factor authentication as a critical security control and privacy protection. We work closely with federal agencies and industry to explain why multi-factor authentication is critical for protection against cyber-attacks and account takeover (and how it can be used most effectively to meet the very broad and diverse needs of the government and the public that we serve).

    How does enabling multi-factor authentication help people and/or businesses when it comes to cybersecurity? Why is it so important?

NIST’s Digital Identity Guidelines present three levels of authentication assurance for access to the government’s online services: low, moderate, and high. Low assurance is defined as single-factor authentication, which uses a single authentication factor, typically a user ID and password, to log in to the user’s online account. However, this is extremely vulnerable to attack since cyber criminals can use various methods to guess, steal, and compromise passwords and take over personal accounts. Multi-factor authentication is necessary for moderate and high assurance protection against account login attacks.

Multi-factor authentication has proven to be extremely effective to protect against modern automated cyberattacks. It takes more than a password to secure your accounts online. The key thing to do today to enhance your online security is to enable multi-factor authentication.
 

    What is NIST currently doing in this area (or planning for the future)?

The current version of the Digital Identity Guidelines, which is version 3, was published in June of 2017. Much has changed since then and we are in the process of updating the Digital Identity Guidelines to address technological changes, protections for new types of cyber-attacks, and new forms of authentication.

In December of last year, we released a Draft Revision 4 for the Digital Identity Guidelines. We also held an open forum for public comment for four months, and we have been holding public workshops to talk about the revisions and updates we intend to make before releasing the final draft. A new section on phishing-resistant multi-factor authentication was one of the changes made to Volume B. All forms of multi-factor authentication are much more secure than user ID and password alone, but some are still susceptible to phishing attacks. Phishing attacks are a type of social engineering in which cybercriminals trick users into entering their login credentials via email or malicious websites that pass for reputable login portals, giving the attackers access to the user’s account.

The new Volume offers technical instructions for using cryptographic authentication methods like the government’s Personal Identity Verification (PIV) and commercially available Fast Identity Online (FIDO) authenticators for phishing-resistant multifactor authentication.

    What aspect of working at NIST is your favorite (or best memory)?

The atmosphere of professionalism and collegiality at NIST has always impressed me. Although individual analysis is always required, teamwork and decision-making form the basis of NIST’s work. All positions and input from the NIST team are taken into consideration and valued, and this is always handled in a courteous and professional manner.
