Continuing our NIST CyberSecurity Framework (CSF) series, the second function of the CSF is Protect.  If Identify is the “what” of cybersecurity, Protect is the “how” of cybersecurity.  As we will see in this article, the “how” of protection is not only complicated but also varies from organization to organization.

There simply is no one-size-fits-all approach to securing a business or organization.  Your approach to cybersecurity depends upon the unique and specific devices your company utilizes, how those devices communicate, the layout of your office workers (local, remote, hybrid), the ways in which your users communicate between themselves, the location of your critical data, the use of cloud platforms and software as a service, and more.

There are five primary aspects to the Protect function:

1. Access Control and Authentication

Access Control and Authentication can be summed up as Identity Management.  This is a fairly straightforward concept – how do you know only authorized users have access to critical datasets?  How do you know that when a user gains access to critical data, it is really the intended user?  What technologies will you leverage to ensure that impersonators are not accessing your critical data?

How you answer those questions is where this aspect of the Protect function gets complicated.  For instance, if you use a PIN (like an ATM code), you will have different policies and procedures for how to properly use PINs than a company that chooses to leverage smart cards for identity management.  Each of those solutions has different ramifications and implications for how to use it successfully.  If you decide to leverage both technologies, you create even more complications.  Now, multiply that by the many identity management tools and technologies available, and you have an idea of just how complicated keeping track of all the technologies and ensuring they are utilized securely can be.

2. Security Awareness Training

The second aspect to the Protect function is Security Awareness Training.  The easiest avenue for hackers in today’s world is the end user.  We want our employees to be helpful and efficient when they are dealing with those outside our organizations.  Hackers know this and they often are masters at using that helpfulness to their advantage.

Some things you need to consider when creating a security awareness training program for your users are:

  • What needs to be included in the training material based on the needs and risks particular to your organization?
  • Who will be responsible for performing the training?
  • How often should the training be performed?
  • What methods will be used to perform the training?
  • How will you measure the success of the training for each employee?
  • How will you measure the success of the training program over time and evaluate its effectiveness?

Once the training program has been outlined, then you must execute that training.  After measuring the training for results and getting feedback from employees as to how the training can be improved, you must then make the necessary adjustments to enhance the training over time.

3. Data Security

Data security is framed by the triad of objectives Confidentiality, Integrity, and Availability.  This triad over time has become known as the Security CIA triad (not to be confused with the Central Intelligence Agency).  The principle is simple enough to grasp.  You want your critical data to remain private (Confidentiality), you want everyone who should have access to that data to be able to reach it when they need it (Availability), and you want to ensure the data is accurate and tamper-free (Integrity).

One of the primary ways data is protected is via encryption.  Confidential data should be encrypted at all times – even when that data is in motion.  Encrypting data at rest is easy; most storage platforms have that capability built in.  The difficulty arises in tracking the various ways that data is accessed (internally, remotely, from a Cloud platform, etc.) and ensuring that the data remains encrypted at the appropriate levels during transport from the datacenter to the end user.

Finally, for those who have mobile devices (laptops, tablets, smartphones, etc.) in their workforce, you must have adequate levels of mobile device management.  Some examples of features required for effective mobile device management are as follows:  device location, remote wipe, remote lock, enforced encryption, enforced device idle timeout/lock, approved applications, and advanced logging.

4. Policies and Procedures

The general rule as it applies to policies and procedures is document, document, document!  The more you can document concerning the different policies and procedures your company considered implementing and why those policies were/weren’t adopted, the better. 

Security for any device starts at the configuration level, so be sure to document policies outlining configuration baselines and standards by which everything in your environment will be configured.  You will need to review those baseline configurations and standards annually to ensure they remain up to date.  These baselines cover not only your workstations, servers, and endpoints but also your firewall/router, your wireless setup, your phone system configuration, and every other technology (both hardware and software) your organization uses to perform its business.

Once you have created policies and procedures for how each device and application is to be configured along with the hardware specifications required for such a configuration to perform efficiently, you will need to write policies and procedures for what your users can and can’t do.  In those policies, you will want to include expectations of privacy (if any and to what degree), define what devices and applications are permitted for company use, define whether or not devices can be used for personal purposes, define how users will employ devices in a secure manner, etc.  Again, the more specific you can be in these policies and procedures, the better.

5. Protective Technologies

The final aspect of Protect is working to ensure your policies, procedures, and agreements align with the implementation of your technical environment.  This means, for instance, that you regularly analyze your VoIP phone system to ensure that your setup is aligned with your policies and procedures.  This also means that you are auditing your wireless network setup to ensure it is properly secured.  The same would be true of your endpoint devices, servers, switches, and firewalls.  Finally, you will want to revisit your application whitelist to ensure it is updated, as well.

Conclusion

As you can see from this post, performing the Protect function of the CSF requires taking a lot of things into consideration.  You don’t have to start from scratch, however.  While each organization and business looks different in the details, the starting point is often similar.  TCS can help you analyze the standards and apply them to your specific business.  We have experience across a broad range of industries and use cases that can help you save time building these policies and procedures.

Note: All the resources used for this article can be found at the following site: https://www.nist.gov/cyberframework/protect

Last week, we started our NIST CyberSecurity Framework (CSF) series with an introductory article.  In that article, we outlined the five functions of the NIST CSF:  Identify, Protect, Detect, Respond and Recover.  This article will dive a little bit deeper into the first function – Identify.

Whenever we think about a holistic protection plan for anything, we need to start with the obvious – what needs to be protected, and what substructure needs to be in place to ensure its protection?  That in essence is what the Identify function of the CSF seeks to accomplish.

There are six primary aspects to the Identify function:

1. Asset Management

Simply put, you can’t create an effective strategy to protect key assets without knowing exactly what assets exist to protect.  This step requires creating and maintaining an active inventory of hardware and software.  From the hardware perspective, this would include not only servers and workstations, but also network infrastructure (switches, routers/firewalls, wireless access points, etc.).  Some larger organizations will use an asset tag to track hardware in the organization.

On top of the hardware, you also need to maintain an active inventory of software.  Most people think of operating systems when software is mentioned, but software here also includes third-party applications, such as Adobe Reader, Office applications, and endpoint security.  On the software side, you need to be able to identify what versions are being employed and whether those versions are properly patched and updated.

Be sure to include documented onboarding and offboarding policies for how IT should introduce new hardware and software into your environments. Your offboarding documentation needs to include any destruction requirements necessary to fulfill your regulatory obligations.

2. Business Environment

The business environment needs to be defined.  What is the mission of the company?  How is that mission going to be accomplished?  Who are the stakeholders of that mission?  How are the various activities of that mission going to be prioritized and assigned to employees?  How are those activities going to be safeguarded against security threats?  These are some of the questions that need to be answered in this subsection.

The critical success factors for this subsection are (1) strong upper-level management support, (2) practical information security policies and procedures, (3) quantifiable performance measures, and (4) results-oriented measures and analysis. Here is a helpful visual from NIST 800-55:

NIST 800-55 – Figure 1-1. Information Security Measurement Program Structure

Notice that we start with strong upper-level management support. Upper-level management should not only provide a vision and a commitment to these objectives; they should model that commitment to everyone in the organization. So often, we see the CEO and other members of upper management trying to be the exception to the security rule. Be advised, upper management: if you don’t take this seriously, your employees won’t either.

Also, take note of the emphasis on “practical” policies. If you don’t make security policies easy to follow, users will find ways to subvert and circumvent them. We see this regularly with users employing personal versions of Dropbox, personal email, and other means to avoid the hurdles of cumbersome security policies. Security done right is user-friendly and efficient, even when it’s not necessarily convenient.

Finally, security measures must be in place to quantify user adherence to those policies and procedures. Management should maintain goals and objectives surrounding these key security performance indicators. These performance metrics need to be analyzed and reported on a regular basis to ensure they are being met. Management should use these measurables to identify what further can be done to improve effectiveness and efficiency.

3. Governance

The management team of any organization must be involved in the governance of information security. This means they are the ones who create, enforce, and oversee the security policies and procedures of an organization. They also have a hand in choosing the support tools to deliver and enforce their security policies. Smaller organizations often employ third-party managed services providers to assist them in these areas, but the governance of those providers ultimately falls on management. In those instances, management holds the third party accountable for maintaining the organization’s security posture. Even when management isn’t doing the work itself, it remains responsible for ensuring the work gets done, through routine reporting and evaluation back to management.

4. Risk Assessment

In order for a risk assessment to be successful, four components must be present: framing risk, assessing risk, responding to risk, and monitoring risk.  Framing risk means determining the personnel who make risk-based decisions within the organization, along with the context in which those personnel make those decisions. The NIST 800-39 document includes a helpful diagram for this process:

Figure 1 of the NIST 800-39 document.

Once that risk context and the risk decisions have been framed, you need to delineate the boundaries around those decisions. Each risk frame exposes potential harm to the organization. The more adverse the impact of a decision, the more risk it carries. Typical risk assessments include a scoring matrix that accounts for cost/severity, percentage of likelihood, and the level of controllability. The composite risk score for each area is often rank ordered to help an organization prioritize their risk reduction efforts.

Note: Performing risk assessments should occur on a regular cadence appropriate for your organization.

5. Risk Management

Based on the scoring system of the risk assessment above, the next step is to respond by managing risks. There are a number of responses to risks: risk acceptance, risk avoidance, risk mitigation, risk sharing, risk transfer, and any combination of these responses.  Be sure to document whatever response you choose for each particular risk.  Finally, once you have documented the risk responses, management must formulate plans to implement those responses and monitor those implementations to ensure their overall effectiveness. 
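The scoring matrix and the documented-response step described in the Risk Assessment and Risk Management sections above, carried through as an added example (not code from the article or from NIST). The rating scales and the composite formula are assumptions chosen for illustration: severity and controllability are rated 1 to 5, likelihood is a percentage, and composite = severity × (likelihood / 100) × (6 − controllability), so a risk the organization can barely control scores higher than one it can. The sample register entries are constructed.

```python
"""Minimal risk register: score, rank-order, and record the documented
response for each risk.  Added example; scales and formula are assumptions."""
from dataclasses import dataclass, field

# Response types named in the article; a risk may combine several of them.
RESPONSES = {"accept", "avoid", "mitigate", "share", "transfer"}
RATING_MIN, RATING_MAX = 1, 5  # assumed rating scale for severity/controllability


@dataclass
class Risk:
    name: str
    severity: int          # cost/severity of impact, 1 (low) .. 5 (high)
    likelihood_pct: float  # probability of occurrence, 0 .. 100
    controllability: int   # how much control the org has, 1 (little) .. 5 (full)
    responses: set = field(default_factory=set)  # documented responses

    def __post_init__(self):
        # Reject entries outside the assumed scales so a typo cannot skew ranking.
        for label, value in (("severity", self.severity),
                             ("controllability", self.controllability)):
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{self.name}: {label} must be "
                                 f"{RATING_MIN}-{RATING_MAX}, got {value}")
        if not 0 <= self.likelihood_pct <= 100:
            raise ValueError(f"{self.name}: likelihood must be 0-100")
        unknown = self.responses - RESPONSES
        if unknown:
            raise ValueError(f"{self.name}: unknown response(s) {sorted(unknown)}")

    def composite_score(self) -> float:
        # Assumed formula: low controllability inflates the score.
        control_factor = RATING_MAX + 1 - self.controllability
        return self.severity * (self.likelihood_pct / 100) * control_factor


def rank_risks(risks):
    """Return the register ordered highest composite score first."""
    return sorted(risks, key=lambda r: r.composite_score(), reverse=True)


def undocumented(risks):
    """Names of risks that still have no documented response."""
    return [r.name for r in risks if not r.responses]


def register_report(risks) -> str:
    """Rank-ordered, human-readable register for review by management."""
    lines = []
    for rank, r in enumerate(rank_risks(risks), start=1):
        resp = ", ".join(sorted(r.responses)) or "UNDOCUMENTED"
        lines.append(f"{rank}. {r.name:<42} score={r.composite_score():.1f} "
                     f"response={resp}")
    return "\n".join(lines)


# Constructed sample register; values are illustrative only.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing VPN appliance", 5, 40, 2, {"mitigate"}),
    Risk("Laptop theft with unencrypted disk", 3, 90, 5, {"mitigate", "transfer"}),
    Risk("Counterfeit network switch from reseller", 4, 25, 1),
]

if __name__ == "__main__":
    print(register_report(SAMPLE_RISKS))
    print("Still need a documented response:", undocumented(SAMPLE_RISKS))
```

The `undocumented` check is the part worth keeping in any real register: ranking tells you where to start, but the article’s point is that every risk, high or low, ends up with a recorded decision that management can later monitor.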

6. Supply Chain Risk Management

This might sound like a subset of Risk Management, but this aspect of the Identify function is a bit different.  Instead of organizational risk management, this is a very specific kind of risk management. When you are a provider of communications products or employ those products in your company, you must guard against fraudulent counterfeits, tampered equipment, and the insertion of malicious software, firmware, or hardware by your vendors.  This requires vetting the vendors for quality controls and manufacturing standards appropriate to the regulatory requirements for your organization.

Some questions you might consider for this exercise are:  Are these components manufactured and assembled in a hostile country?  What is the chain of custody from the vendor to the end user?  How does the manufacturer ensure their components are tamper-free upon arrival?  Then, train your personnel how to inspect those items on arrival before you implement them into your IT environment.

Conclusion

As you can see, there are many facets to the Identify function within the CSF, and this article only scratches the surface.  It’s not uncommon to feel overwhelmed by all this information. If you need a partner to assist you with your cybersecurity efforts, TCS would be honored to have a conversation with you about how we can help bolster your cybersecurity posture.

For a list of documents that informed this article, please see the following website: https://www.nist.gov/cyberframework/identify

After reading this article, you will know the five elements of the NIST CyberSecurity Framework (CSF) and why they are important for your business.  NIST released its latest CSF in 2018, and it serves as a guide to how to approach cybersecurity from a holistic perspective.

In a world where so much misinformation thrives (on any topic), IT security is no exception.  Business owners tend to think they are “secure” if they use multifactor authentication.  Or they think if they have a sophisticated firewall, they are safe.  The reality is that every business is different.  Since they are different, every business needs its own unique plan and approach to security.  The NIST CSF provides businesses some structure in the security process. 

NIST has broken out the framework into five elements:  Identify, Protect, Detect, Respond, and Recover.  These five elements are activities that need to be performed in order to appropriately approach cybersecurity for any organization.  While these activities use familiar terms, there is more than meets the eye for each one.  Here is a breakdown of each element:

1. Identify

This seems simple enough at first glance, but start peeling back the onion, and you find many layers to this one element.  Simply put, the Identify piece of the puzzle includes both inventorying and risk analysis.  In the inventorying piece, you are identifying your mission-critical assets – both material (devices, including virtual) and intellectual (IP).  Once you have identified those assets, you perform a risk analysis to determine where you are exposed.

2. Protect

Along a similar vein, the Protect element seems straightforward as well, but there are some aspects to protection that complicate it.  For instance, you aren’t simply protecting your data and assets from attacks; you are also working to protect the organization by mitigating the effects of successful attacks.  You also need to include your personnel in the Protect element. What training needs to be implemented in order to mitigate the threat of attacks that target users?  What specific security awareness training exercises will benefit your personnel the most?  Those are some of the questions you will be asking in the Protect exercise. The main idea is protecting your critical assets and mitigating the ill effects of successful attacks.

3. Detect

Detect is ongoing and active.  How will you know if you are being attacked?  Various studies show that hackers often attack businesses successfully without the business even knowing it.  The business doesn’t realize it has been compromised until the hackers use their access to negatively impact that business.  This means that for every mission-critical asset (both material and intellectual) there needs to be a detection mechanism that alerts when hackers are trying to compromise the system. Most organizations do not have this piece in place at all.

Another aspect of the complexity with regard to detection is the constantly moving target of patching (both operating systems and third-party software). Staying on top of the latest security patching while verifying that these patches don’t introduce bugs or other unintended consequences requires diligence and commitment. IT personnel must create security baselines and monitor against drifting away from those baselines. Doing so is easy to overlook, especially in environments where IT personnel are constantly resolving end user issues.
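The baseline-and-drift monitoring recommended here (and in the configuration-baseline discussion under Policies and Procedures in the Protect article) can be checked mechanically. The following is an added example, not code from the article: it parses a documented baseline and a current snapshot, both in an assumed simple “key value” format with `#` comments, and reports settings that changed, went missing, or appeared unexpectedly. The baseline text and the drifted snapshot are constructed for illustration.

```python
"""Compare a host's current configuration against a documented baseline and
report drift.  Added example; the config format and sample data are assumed."""


def parse_config(text: str) -> dict:
    """Parse 'key value' lines into a dict; '#' starts a comment, keys are
    matched case-insensitively.  Assumed format, not a specific product's."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[key] = value
    return settings


def drift(baseline: dict, current: dict) -> dict:
    """Return changed settings (with old/new values), settings the baseline
    requires but the host lacks, and settings the baseline never defined."""
    changed = {k: (baseline[k], current[k])
               for k in baseline if k in current and baseline[k] != current[k]}
    missing = sorted(k for k in baseline if k not in current)
    extra = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "extra": extra}


def has_drift(report: dict) -> bool:
    return any(report.values())


def drift_report(report: dict) -> str:
    """Human-readable summary for the IT staff reviewing the baseline."""
    lines = []
    for key, (old, new) in sorted(report["changed"].items()):
        lines.append(f"CHANGED  {key}: baseline={old!r} current={new!r}")
    for key in report["missing"]:
        lines.append(f"MISSING  {key}: required by baseline, not set on host")
    for key in report["extra"]:
        lines.append(f"EXTRA    {key}: set on host, not in baseline")
    return "\n".join(lines) if lines else "no drift from baseline"


# Constructed baseline: the documented standard, reviewed annually.
BASELINE = """
# Hardened remote-access baseline (constructed sample)
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
ClientAliveInterval 300
"""

# Constructed snapshot of a host that has drifted during troubleshooting.
CURRENT = """
Protocol 2
PermitRootLogin yes        # re-enabled to debug a login issue, never reverted
PasswordAuthentication no
ClientAliveInterval 300
X11Forwarding yes
"""

if __name__ == "__main__":
    report = drift(parse_config(BASELINE), parse_config(CURRENT))
    print(drift_report(report))
```

Running this on a schedule and treating any non-empty report as a ticket is the “monitor against drifting” step in practice; the `extra` bucket matters as much as the others, since a setting nobody documented is one nobody reviewed.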

4. Respond

The Respond element is tied to the Detect element.  Once your detection system alerts you to a compromise, how will you respond?  Who is alerted?  Every business needs to identify the person who will own this response.  This doesn’t mean the activities of response can’t be delegated to other employees, or even a third-party MSP.  This simply means that someone needs to be responsible for ensuring the response is appropriate and thorough.

What makes the Respond element difficult is that the response varies depending on what the detection system is alerting on.  Nevertheless, it is imperative that responses include the ability to audit the threat, mitigate the threat immediately, and implement controls to ensure the threat is contained, all while keeping other mission-critical systems online and free from attack.

5. Recover

Recover is the simplest of the five elements.  This is where you execute the failsafes you implemented in the Protect element.  Again, someone in your organization must own this element and ensure that the recovery planning process is followed.  You also need to ensure that your recovery planning process includes a hotwash meeting post-incident to document lessons learned and refine your recovery process. IT personnel should schedule routine recovery exercises to test the plan’s effectiveness. When was the last time you performed a scheduled business recovery exercise?

Conclusion

NIST has identified these elements as the best approach to cybersecurity.  While every business is different and each of these elements will impact businesses in different ways, these elements serve to bolster the maturity and security posture of all businesses and organizations.  If you skip any one of these elements, your business will suffer.  Think of these elements as you would elements on the periodic table. We all know the elemental makeup of water is H2O. Change or remove either element, and you no longer have water. You might even end up with something like hydrogen peroxide, for instance.  In like manner, change or remove any one of the five elements in NIST, and you have something altogether different from “secure.”

If this framework seems overwhelming, TCS can help!  We’ve built our processes around the cybersecurity framework to ensure we aren’t missing anything with regard to our clients’ security.  We would be honored to help your organization, as well.  If you want to learn more about these elements, stay tuned for more content with deeper dives into each one.