After reading this article, you will know the five elements of the NIST Cybersecurity Framework (CSF) and why they are important for your business.  NIST released its latest CSF in 2018, and it serves as a guide to approaching cybersecurity from a holistic perspective.

In a world where so much misinformation thrives (on any topic), IT security is no exception.  Business owners tend to think they are “secure” if they use multifactor authentication.  Or they think that if they have a sophisticated firewall, they are safe.  The reality is that every business is different.  Since they are different, every business needs its own unique plan and approach to security.  The NIST CSF gives businesses some structure in the security process.

NIST has broken out the framework into five elements:  Identify, Protect, Detect, Respond, and Recover.  These five elements are activities that need to be performed in order to appropriately approach cybersecurity for any organization.  While these activities use familiar terms, there is more than meets the eye for each one.  Here is a breakdown of each element:

1. Identify

This seems simple enough at first glance, but start peeling back the onion, and you find many layers to this one element.  Simply put, the Identify piece of the puzzle includes both inventorying and risk analysis.  In the inventorying piece, you are identifying your mission-critical assets – both material (devices, including virtual ones) and intellectual (IP).  Once you have identified those assets, you perform a risk analysis to determine where you are exposed.

2. Protect

Along a similar vein, the Protect element seems straightforward as well, but there are some aspects to protection that complicate it.  For instance, you aren’t simply protecting your data and assets from attacks; you are also working to protect the organization by mitigating the impact of successful attacks.  You also need to include your personnel in the Protect element.  What training needs to be implemented in order to mitigate the threat of attacks that target users?  What specific security awareness training exercises will benefit your personnel the most?  Those are some of the questions you will be asking in the Protect exercise.  The main idea is protecting your critical assets and mitigating the ill effects of successful attacks.

3. Detect

Detect is ongoing and active.  How will you know if you are being attacked?  Various studies show that hackers often successfully attack businesses without the businesses even knowing it.  The business doesn’t realize it has been compromised until the hackers use their access to negatively impact that business.  This means that for every mission-critical asset (both intellectual and physical) there needs to be a detection mechanism that alerts when hackers are trying to compromise that system.  Most organizations do not have this piece in place at all.

Another aspect of the complexity with regard to detection is the constantly moving target of patching (both operating systems and third-party software).  Staying on top of the latest security patches while verifying that those patches don’t introduce bugs or other unintended consequences requires diligence and commitment.  IT personnel must create security baselines and monitor for drift away from those baselines.  Doing so is easy to overlook, especially in environments where IT personnel are constantly resolving end-user issues.

4. Respond

The Respond element is tied to the Detect element.  Once your detection system alerts you to a compromise, how will you respond?  Who is alerted?  Every business needs to identify the person who will own this response.  This doesn’t mean the activities of response can’t be delegated to other employees, or even to a third-party MSP.  It simply means that someone needs to be responsible for ensuring the response is appropriate and thorough.

What makes the Respond element difficult is that the right response varies depending on what the detection system is alerting on.  Nevertheless, it is imperative that responses include the ability to audit the threat, mitigate the threat immediately, and implement controls to ensure the threat is contained, all while keeping other mission-critical systems online and free from attack.

5. Recover

Recover is the simplest of the five elements.  This is where you execute the failsafes you implemented in the Protect element.  Again, someone in your organization must own this element and ensure that the recovery planning process is followed.  Your recovery planning process also needs to include a hotwash meeting post-incident to document lessons learned and refine your recovery process.  IT personnel should schedule routine recovery exercises to test their effectiveness.  When was the last time you performed a scheduled business recovery exercise?

Conclusion

NIST has identified these elements as the best approach to cybersecurity.  While every business is different and each of these elements will impact businesses in different ways, these elements serve to bolster the maturity and security posture of all businesses and organizations.  If you skip any one of these elements, your business will suffer.  Think of these elements as you would elements on the periodic table.  We all know the elemental makeup of water is H2O.  Change or remove either element, and you no longer have water.  You might even end up with something like hydrogen peroxide, for instance.  In like manner, change or remove any one of the five elements in the NIST CSF, and you have something altogether different from “secure.”

If this framework seems overwhelming, TCS can help!  We’ve built our processes around the cybersecurity framework to ensure we aren’t missing anything with regard to our clients’ security.  We would honor the opportunity to help your organization, as well.  If you want to learn more about these elements, stay tuned for more content coming with deeper dives into each one.

What is CMMC, and why should you care?  CMMC stands for Cybersecurity Maturity Model Certification.  It’s a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified).  Essentially, in order to do business with the DoD, you now have to prove you are taking cybersecurity seriously through this certification model.  While your business may not fall under CMMC, there are five reasons you should care about what it signals for all businesses.

Last year, I had a few friends (not customers) privately reach out to me to discuss security breaches of different sorts.  As I advised those friends through their particular scenarios, I inevitably learned that they fairly easily could have avoided the security breaches altogether.  Of course, just as a doctor can often easily diagnose common illnesses, the same is often true of a security advisor.  I’m careful not to chide my friends in these instances, because I certainly don’t want to add insult to injury.  Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after.  How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to defense contractors, other regulated industries will take note.  Health and finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls.  How effective was the adoption of these new regulations?  How were DoD contractors able to soften the financial blow of implementing security requirements?  What lessons can other regulators learn from the rollout of new security regulations?  Regulators will be asking all of these questions to find ways to properly motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here’s a sobering security stat:  According to CNBC, roughly 85% of America’s critical infrastructure is privately owned.  This means that the oil pipeline shutdown from May of 2021 could be just the beginning.  As these regulations get applied to the private sector in regulated industries, they likely will translate to every business via more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls.  According to Chainalysis’ Ransomware Update in May of 2021, ransomware payments increased roughly 4x in 2020 (from $92.94M in 2019 to $406.34M in 2020).  These increases are burdening the insurance industry with finding ways to better mitigate its risk.  One way of mitigating the risk is paying for resources that work with law enforcement officials to recover and/or freeze the ransom payments before the malicious actors can benefit from them.

Some insurance carriers have implemented security questionnaires that automatically deny coverage to entities falling short on basic cyber-hygiene.  The natural result is a higher cost of business for insurance companies, which translates to higher prices for insurance coverage.  These increased prices and required security screenings will force businesses to take security more seriously.  The higher your operational maturity as it relates to security, the lower your insurance costs will be.  It’s that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines.  These guidelines serve as best practices for all organizations, no matter the size or industry.  Some of these practices are simple ones that you hear regularly, like don’t reuse passwords and use multi-factor authentication for your user accounts.  Some are not so obvious, though.  For instance, how many smart devices are in your organization (TVs, thermostats, alarm systems, Alexa, etc.)?  Are any of those devices on your primary business network?  Do you have a policy and process for how those devices get implemented in your business?  Do you routinely check your network for such smart devices?  The introduction of everything smart (IoT – the Internet of Things) is going to complicate business security.  There’s no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived due to ignorance surrounding security best practices.  These bad actors exploit and monetize the low-hanging fruit of security illiteracy.  Implementing the CMMC best-practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient to successful attacks.  Securing a business is not only about defending against attacks but also about being able to recover and continue operations in the face of one.  Those who ignore these best practices unnecessarily put their businesses at risk.  These risks, when compounded and exploited, pose existential threats to the affected businesses.  Those who do survive lose potential revenue from downtime, critical resources from cutbacks, brand reputation, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches.  For instance, if you fall victim to a ransomware attack but you have a way to recover from that attack without paying the ransom, you directly impact the hackers’ ability to monetize their otherwise successful attack.  By reducing the ability of hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it’s particularly difficult to explain to our clients why they need new security protections.  We want to educate our clients on cybersecurity without using scare tactics.  We don’t want our clients to think we are manufacturing new ways for them to spend money while we inform them of new security implementations they need to consider.  Everyone readily admits that technology has drastically changed in the last five years.  Nevertheless, it seems that few are interested in changing their five-year-old (or older) approach to security.

There tends to be a mindset of “what’s the least we can spend and still be secure?”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.

Some business owners view their IT infrastructure like they do their plumbing or HVAC maintenance – they prefer to pay only to fix problems as they manifest.  There’s nothing wrong with plumbing or HVAC companies.  They are some of our best customers.  However, the comparison is severely flawed, mainly because plumbing and HVAC systems are generally static infrastructure, and they aren’t the object of attacks from without (yet).  The old break-fix approach to managing IT is on life support, mainly because of five inherent flaws.

Break-fix approaches to IT inherently lead to a giant ball of band-aids.

Whenever a tech is dispatched to resolve a problem for a client in a break-fix arrangement, that tech is there to find the quickest remedy possible.  The tech knows that too much time spent will result in a complaint from the customer.  Thus, the tech takes the shortest route possible to restore functionality.  This band-aid approach only addresses the symptoms that manifested, while it ignores the underlying root cause.  The conundrum for both the tech and the customer is that the customer doesn’t want to pay the tech for the time it would take to diagnose root causes, and the tech feels pressured to get in and out as quickly as possible.  Over time, this leads to an inefficient and cumbersome wad of band-aids that usually has to be completely overhauled.

Break-fix approaches to IT misalign missional objectives. 

The band-aid approach leads nicely into the next flaw.  Have you ever wondered if an auto mechanic has your best interest in mind?  Again, there are many great auto shops out there, but sometimes you can’t help but wonder if you’re being taken advantage of.  The break-fix arrangement creates competing incentives between the provider and the customer.  The computer shop only gets paid when there are problems to be solved.  The customer is literally incentivizing computer problems.  Conversely, in a contract arrangement, the service provider is rewarded for operational efficiency and penalized by customer downtime.  In that kind of arrangement, both the provider and the customer have completely aligned incentives and objectives.  You both become a team that works together to do everything possible to eliminate issues entirely.

Break-fix approaches to IT cost more in the long run.

When organizational objectives and incentives are aligned, the natural result is more efficiency and less downtime.  If the service provider is competent at all, you will see a marked improvement in IT operations.  When problems are addressed in a contract arrangement, finding the root cause and eliminating it is the primary incentive for the service provider.  Being proactive and working to eliminate problems before they create downtime or other inefficiencies is the top priority.  These proactive and thorough approaches to IT management enable you to come out ahead in the long run.  Furthermore, you have a built-in consultant who can help you navigate your technological hurdles and leverage technology as a force multiplier for your organization.

Break-fix approaches to IT severely handicap your ability to recover from a disaster.

Most companies discover they have a backup problem when faced with an occasion that requires them to rely on it.  Imagine having your critical data encrypted by ransomware, and learning that your backup data was encrypted along with it.  Imagine a drive failing, and discovering your last successful backup was from months or even years ago.  Unmanaged backups create these scenarios, and they are completely preventable using modern backup and recovery technologies.  While the goal is always never to need the backup, when you do need it, you REALLY need it.  Make sure you have a managed backup solution in place.  Gambling with company data is a losing proposition.

Break-fix approaches to IT are nearly impossible to budget accurately.

The break-fix model of IT support naturally ebbs and flows.  Even when you have a couple of years of history to help you budget, you are one severe event away from blowing that line item.  A drive dies in a server or critical workstation, and you have an unplanned expense.  How can you effectively budget for IT support when you are one successful cyber-attack or one critical device failure away from a ton of unexpected remediation time?  Some of that can be assuaged by planned upgrades, but cyber-attacks and other threats to today’s businesses are by nature unplanned events.

The Obsolescence of Break-Fix

It’s time that we sound the death knell for the break-fix approach to IT support.  It hasn’t served businesses well.  It has proven to create IT dysfunction.  It has misaligned the objectives and incentives toward efficiency and operational integrity.  It costs more in the long run, and it is nearly impossible to budget accurately.  We’ve moved on from the TRS-80s, the Pentium chipsets, and on-premises email servers – it’s time to move on from the break-fix model for IT support.