Last week, we started our NIST CyberSecurity Framework (CSF) series with an introductory article.  In that article, we outlined the five functions of the NIST CSF:  Identify, Protect, Detect, Respond and Recover.  This article will dive a little bit deeper into the first function – Identify.

Whenever we think about a holistic protection plan for anything, we need to start with the obvious – what needs to be protected, and what substructure needs to be in place to ensure its protection?  That in essence is what the Identify function of the CSF seeks to accomplish.

There are six primary aspects to the Identify function:

1. Asset Management

Simply put, you can’t create an effective strategy to protect key assets without knowing exactly what assets exist to protect.  This step requires creating and maintaining an active inventory of hardware and software.  From the hardware perspective, this would include not only servers and workstations, but also network infrastructure (switches, routers/firewalls, wireless access points, etc.).  Some larger organizations will use an asset tag to track hardware in the organization.

On top of the hardware, you also need to maintain an active inventory of software.  Most people think of operating systems when software is mentioned, but in this context software also includes third-party applications, such as Adobe Reader, Office applications, and endpoint security.  On the software side, you need to be able to identify what versions are being employed and whether those versions are properly patched and updated.

Be sure to include documented onboarding and offboarding policies for how IT should introduce new hardware and software into your environments. Your offboarding documentation needs to include any destruction requirements necessary to fulfill your regulatory obligations.

2. Business Environment

The business environment needs to be defined.  What is the mission of the company?  How is that mission going to be accomplished?  Who are the stakeholders of that mission?  How are the various activities of that mission going to be prioritized and assigned to employees?  How are those activities going to be safeguarded against security threats?  These are some of the questions that need to be answered in this subsection.

The Critical Success Factors for this subsection are (1) Strong Upper-Level Management Support, (2) Practical Information Security Policies & Procedures, (3) Quantifiable Performance Measures, and (4) Results-Oriented Measures and Analysis. Here is a helpful visual from NIST 800-55:

NIST 800-55 – Figure 1-1. Information Security Measurement Program Structure

Notice that we start with the strong upper-level management. Upper-level management should not only provide a vision and a commitment to these objectives, they should model that commitment to everyone in the organization. So often, we see the CEO and other members of upper management trying to be the exception to the security rule. Be advised, upper-management, if you don’t take this seriously, your employees won’t either.

Also, take note of the emphasis on “practical” policies. If you don’t make security policies easy to follow, users will find ways to subvert and circumvent them. We see this regularly with users employing personal versions of Dropbox, personal email, and other means to avoid the hurdles of cumbersome security policies. Security done right is user-friendly and efficient, even when it’s not necessarily convenient.

Finally, security measures must be in place to quantify user adherence to those policies and procedures. Management should maintain goals and objectives surrounding these key security performance indicators. These performance metrics need to be analyzed and reported on a regular basis to ensure they are being met. Management should use these measurables to identify what further can be done to improve effectiveness and efficiency.

3. Governance

The management team of any organization must be involved in the governance of information security. This means they are the ones who create, enforce, and oversee the security policies and procedures of an organization. They also have a hand in choosing the support tools to deliver and enforce their security policies. Smaller organizations often employ third-party managed services providers to assist them in these areas, but the governance of those providers ultimately falls on management. In those instances, management holds the third party accountable for maintaining the organization's security posture. Even though management isn’t actually doing the work, they are responsible for ensuring the work gets done, verified through routine reports and evaluations delivered back to management.

4. Risk Assessment

In order for a risk assessment to be successful, four components must be present: framing risk, assessing risk, responding to risk, and monitoring risk.  Framing risk means determining which personnel make risk-based decisions within the organization, along with the context in which those personnel make them. The NIST 800-39 document includes a helpful diagram for this process:

Figure 1 of the NIST 800-39 document.

Once that risk context and the risk decisions have been framed, you need to delineate the boundaries around those decisions. Each risk frame exposes potential harm to the organization. The more adverse the impact of a decision, the more risk it carries. Typical risk assessments include a scoring matrix that accounts for cost/severity, percentage of likelihood, and the level of controllability. The composite risk score for each area is often rank-ordered to help an organization prioritize its risk-reduction efforts.

Note: Performing risk assessments should occur on a regular cadence appropriate for your organization.

5. Risk Management

Based on the scoring system of the risk assessment above, the next step is to respond by managing risks. There are a number of responses to risks: risk acceptance, risk avoidance, risk mitigation, risk sharing, risk transfer, and any combination of these responses.  Be sure to document whatever response you choose for each particular risk.  Finally, once you have documented the risk responses, management must formulate plans to implement those responses and monitor those implementations to ensure their overall effectiveness. 
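As an added example (not code from the original article or from NIST), the following Python puts the scoring matrix from the Risk Assessment section and the documented responses from the Risk Management section into a small risk register: each risk gets a composite score from severity, likelihood and controllability, the register is rank-ordered, and risks with no recorded response are flagged. The 1-5 scales, the multiplicative composite formula and the sample register entries are assumptions for illustration.

```python
"""Risk register scoring and ranking (illustrative example, not NIST tooling)."""
from dataclasses import dataclass, field

# Assumed scales for this example; NIST does not prescribe these values.
SEVERITY_MIN, SEVERITY_MAX = 1, 5   # 1 = negligible impact, 5 = catastrophic
CONTROL_MIN, CONTROL_MAX = 1, 5     # 1 = fully controllable, 5 = uncontrollable
VALID_RESPONSES = {"accept", "avoid", "mitigate", "share", "transfer"}


@dataclass
class Risk:
    name: str
    severity: int          # cost/severity of the adverse impact (1-5)
    likelihood: float      # probability of occurrence, 0.0-1.0
    controllability: int   # how little control the organization has (1-5)
    responses: list = field(default_factory=list)  # documented responses

    def validate(self) -> None:
        """Reject scores outside the assumed scales before they are ranked."""
        if not SEVERITY_MIN <= self.severity <= SEVERITY_MAX:
            raise ValueError(f"{self.name}: severity {self.severity} out of range")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood {self.likelihood} out of range")
        if not CONTROL_MIN <= self.controllability <= CONTROL_MAX:
            raise ValueError(f"{self.name}: controllability out of range")
        unknown = set(self.responses) - VALID_RESPONSES
        if unknown:
            raise ValueError(f"{self.name}: unknown responses {sorted(unknown)}")

    def composite(self) -> float:
        """Assumed composite: severity x likelihood x (lack of) controllability."""
        self.validate()
        return round(self.severity * self.likelihood * self.controllability, 2)


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest composite score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.composite(), r.name))


def undocumented(risks: list[Risk]) -> list[str]:
    """Names of risks whose response has not yet been recorded in the register."""
    return [r.name for r in risks if not r.responses]


def build_sample_register() -> list[Risk]:
    """Constructed sample entries; the values are illustrative, not real data."""
    return [
        Risk("Unpatched internet-facing server", 5, 0.6, 2, ["mitigate"]),
        Risk("Laptop theft", 3, 0.3, 3, ["mitigate", "transfer"]),
        Risk("Counterfeit network hardware from vendor", 4, 0.1, 4),
        Risk("Regional power outage", 2, 0.5, 5, ["accept", "share"]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for risk in rank_risks(register):
        print(f"{risk.composite():5.2f}  {risk.name}  responses={risk.responses}")
    print("missing documented response:", undocumented(register))
```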

6. Supply Chain Risk Management

This might sound like a subset of Risk Management, but this aspect of the Identify function is a bit different.  Instead of organizational risk management, this is a very specific kind of risk management. When you are a provider of communications products or employ those products in your company, you must guard against fraudulent counterfeits, tampered equipment, and the insertion of malicious software, firmware, or hardware from your vendors.  This requires vetting the vendors for quality controls and manufacturing standards appropriate to the regulatory requirements for your organization.

Some questions you might consider for this exercise are:  Are these components manufactured and assembled in a hostile country?  What is the chain of custody from the vendor to the end user?  How does the manufacturer ensure their components are tamper-free upon arrival?  Then, train your personnel how to inspect those items on arrival before you implement them into your IT environment.

Conclusion

As you can see, there are many facets to the Identify function within the CSF. Even then, this article simply scratches the surface.  It’s not uncommon to feel overwhelmed by all this information. If this overview seems overwhelming, and you need a partner to assist you with your cybersecurity efforts, TCS would be honored to have a conversation with you about how we can help bolster your cybersecurity posture.

For a list of documents that informed this article, please see the following website: https://www.nist.gov/cyberframework/identify

After reading this article, you will know the five elements of the NIST CyberSecurity Framework (CSF) and why they are important for your business.  NIST released its latest CSF in 2018, and it serves as a guide to how to approach cybersecurity from a holistic perspective.

In a world where so much misinformation thrives (on any topic), IT security is no exception.  Business owners tend to think they are “secure” if they use multifactor authentication.  Or they think if they have a sophisticated firewall, they are safe.  The reality is that every business is different.  Since they are different, every business needs its own unique plan and approach to security.  The NIST CSF provides businesses some structure in the security process. 

NIST has broken out the framework into five elements:  Identify, Protect, Detect, Respond, and Recover.  These five elements are activities that need to be performed in order to appropriately approach cybersecurity for any organization.  While these activities use familiar terms, there is more than meets the eye for each one.  Here is a breakdown of each element:

1. Identify

This seems simple enough at first glance, but start peeling back the onion, and you find many layers to this one element.  Simply put, the Identify piece of the puzzle includes both inventorying and risk analysis.  In the inventorying piece, you are identifying your mission-critical assets – both material (devices, including virtual) and intellectual (IP).  Once you have identified those assets, you perform a risk analysis to determine where you are exposed.

2. Protect

In a similar vein, the Protect element seems straightforward as well, but there are some aspects to protection that complicate it.  For instance, you aren’t simply protecting your data and assets from attacks, you are also working to protect the organization by mitigating successful attacks.  You also need to include your personnel in the Protect element. What training needs to be implemented in order to mitigate the threat of user-targeted attacks?  What specific security awareness training exercises will benefit your personnel the most?  Those are some of the questions you will be asking in the Protect exercise. The main idea is protecting your critical assets and mitigating the ill effects of successful attacks.

3. Detect

Detect is ongoing and active.  How will you know if you are being attacked?  Various studies show that many times hackers successfully attack businesses without them even knowing it.  The business doesn’t realize it has been compromised until the hackers use their access to negatively impact that business.  This means that for every mission-critical asset (both intellectual and physical) there needs to be a detection mechanism to alert when hackers are trying to compromise each system. Most organizations do not have this piece in place at all.

Another aspect of the complexity with regard to detection is the constantly moving target of patching (both operating systems and third-party software). Staying on top of the latest security patching while verifying that these patches don’t introduce bugs or other unintended consequences requires diligence and commitment. IT personnel must create security baselines and monitor against drifting away from those baselines. Doing so is easy to overlook, especially in environments where IT personnel are constantly resolving end user issues.

4. Respond

The Respond element is tied to the Detect element.  Once your detection system alerts you to a compromise, how will you respond?  Who is alerted?  Every business needs to identify the person who will own this response.  This doesn’t mean the activities of response can’t be delegated to other employees, or even a third-party MSP.  This simply means that someone needs to be responsible for ensuring the response is appropriate and thorough.

What makes the Respond element difficult is that the response varies depending on what the detection system is alerting on.  Nevertheless, it is imperative that responses include the ability to audit the threat, mitigate the threat immediately, and implement controls to ensure the threat is contained, all while keeping other mission-critical systems online and free from attack.

5. Recover

Recover is the simplest of the five elements.  This is where you execute the failsafes you implemented in the Protect element.  Again, someone in your organization must own this element and ensure that the recovery planning process is followed.  You also need to ensure in your recovery planning process that you include a hotwash meeting post-incident to document lessons learned and refine your recovery process. IT personnel should schedule routine recovery exercises to test their effectiveness. When was the last time you performed a scheduled business recovery exercise?

Conclusion

NIST has identified these elements as the best approach to cybersecurity.  While every business is different and each of these elements will impact businesses in different ways, these elements serve to bolster the maturity and security posture of all businesses and organizations.  If you skip any one of these elements, your business will suffer.  Think of these elements as you would elements on the periodic table. We all know the elemental makeup of water is H2O. Change or remove either element, and you no longer have water. You might even end up with something like hydrogen peroxide, for instance.  In like manner, change or remove any one of the five elements in NIST, and you have something altogether different from “secure.”

If this framework seems overwhelming, TCS can help!  We’ve built our processes around the cybersecurity framework to ensure we aren’t missing anything with regard to our clients’ security.  We would honor the opportunity to help your organization, as well.  If you want to learn more about these elements, stay tuned for more content coming with deeper dives into each one.

What is CMMC, and why should you care?  CMMC stands for Cybersecurity Maturity Model Certification.  It’s a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified).  Essentially, in order to do business with the government, you now have to prove you are taking cybersecurity seriously through this certification model.  While your business may not qualify for CMMC, there are five reasons you should care about what it signals for all businesses.

Last year, I had a few friends (not customers) privately reach out to me to discuss security breaches of different sorts.  As I advised those friends through their particular scenarios, I inevitably learned that they fairly easily could have avoided the security breaches altogether.  Of course, just as a doctor many times can easily diagnose common illnesses, the same often is true of a security advisor.  I’m careful not to chide my friends in these instances, because I certainly don’t want to add insult to injury.  Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after.  How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to Defense contractors, other regulated industries will take note.  Health and Finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls.  How effective was the adoption of these new regulations?  How were DoD contractors able to soften the blow of the financial expense of implementing security requirements?  What lessons can other regulators learn about the rollout of new security regulations?  These are the questions regulators will be asking as they look for ways to properly motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here’s a sobering security stat:  According to CNBC, roughly 85% of America’s critical infrastructure is privately-owned.  This means that the oil pipeline shutdown from May of 2021 could be just the beginning.  As these regulations get applied to the private sector in regulated industry, they likely will translate to every business via more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls.  According to Chainalysis’ Ransomware Update in May of 2021, ransomware increased at a rate of 4x in 2020 (from $92.94M in 2019 to $406.34M in 2020).  These increases are burdening the insurance industry with finding ways to better mitigate its risk.  One way of mitigating the risk is funding resources to work with law enforcement officials to recover and/or freeze the ransom payments before the malicious actors can benefit from them.

Some insurance carriers have implemented security questionnaires that automatically deny coverage for those entities falling short on basic cyber-hygiene.  The natural result is a higher cost of doing business for insurance companies, which translates to higher prices for insurance coverage.  These increased prices and required security screenings will force businesses to take security more seriously.  The higher your operational maturity as it relates to security, the lower your insurance costs will be.  It’s that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines.  These guidelines serve as best practices for all organizations, no matter what the size or industry.  Some of these practices are simple ones that you hear regularly, like don’t reuse passwords and use multi-factor authentication for your user accounts.  Some are not so obvious, though.  For instance, how many businesses have smart devices in their organizations (TVs, thermostats, alarm systems, Alexa, etc.)?  Are any of those devices on your primary business network?  Do you have a policy and process for how those devices get implemented in your business?  Do you routinely check your network for such smart devices?  The introduction of everything smart (IoT – Internet of Things) is going to complicate business security.  There’s no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived due to ignorance surrounding security best practices.  These bad actors exploit and monetize the low-hanging fruit of security illiteracy.  Implementing the CMMC best-practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient to successful attacks.  Securing a business is not only about defending against attacks but also being able to recover and continue operations in the face of one.  Those who ignore these best practices unnecessarily put their businesses at risk.  These risks, when compounded and exploited, pose existential threats to the affected businesses.  Those who do survive lose potential revenue through downtime, critical resources through cutbacks, brand reputation, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches.  For instance, if you fall victim to a ransomware attack but you have ways to recover from that attack without paying the ransom, you directly impact the hackers’ ability to monetize their otherwise successful attack.  By reducing the ability for hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it’s especially difficult to explain to our clients why they need new security protections.  We want to educate our clients on cybersecurity without using scare tactics.  We don’t want our clients to think we are manufacturing new ways for them to spend money, while also informing them of new security implementations they need to consider.  Everyone readily admits that technology has drastically changed in the last five years. Nevertheless, it seems that few are interested in changing their five-year-old (or worse) approach to security.

There tends to be a mindset of what’s the least we can spend and still be “secure.”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.