Posts

After reading this article, you will know the five elements of the NIST Cybersecurity Framework (CSF) and why they are important for your business.  NIST released its latest CSF in 2018, and it serves as a guide to approaching cybersecurity from a holistic perspective.

In a world where so much misinformation thrives (on any topic), IT security is no exception.  Business owners tend to think they are “secure” if they use multifactor authentication.  Or they think if they have a sophisticated firewall, they are safe.  The reality is that every business is different.  Since they are different, every business needs its own unique plan and approach to security.  The NIST CSF provides businesses some structure in the security process. 

NIST has broken out the framework into five elements:  Identify, Protect, Detect, Respond, and Recover.  These five elements are activities that need to be performed in order to appropriately approach cybersecurity for any organization.  While these activities use familiar terms, there is more than meets the eye for each one.  Here is a breakdown of each element:

1. Identify

This seems simple enough at first glance, but start peeling back the onion, and you find many layers to this one element.  Simply put, the Identify piece of the puzzle includes both inventorying and risk analysis.  In the inventorying piece, you are identifying your mission-critical assets – both material (devices, including virtual ones) and intellectual (IP).  Once you have identified those assets, you perform a risk analysis to determine where you are exposed.

2. Protect

Along a similar vein, the Protect element seems straightforward as well, but there are some aspects to protection that complicate it.  For instance, you aren’t simply protecting your data and assets from attacks, you are also working to protect the organization by mitigating successful attacks.  You also need to include your personnel in the protect element. What training needs to be implemented in order to mitigate the threat of user hacks?  What specific security awareness training exercises will benefit your personnel the most?  Those are some of the questions you will be asking in the Protect exercise. The main idea is protecting your critical assets and mitigating the ill effects of successful attacks.

3. Detect

Detect is ongoing and active.  How will you know if you are being attacked?  Various studies show that hackers often successfully attack businesses without the businesses even knowing it.  The business doesn’t realize it has been compromised until the hackers use their access to negatively impact that business.  This means that for every mission-critical piece (both material and intellectual) there needs to be a detection mechanism to alert when hackers are trying to compromise that system. Most organizations do not have this piece in place at all.

Another aspect of the complexity with regard to detection is the constantly moving target of patching (both operating systems and third-party software). Staying on top of the latest security patching while verifying that these patches don’t introduce bugs or other unintended consequences requires diligence and commitment. IT personnel must create security baselines and monitor against drifting away from those baselines. Doing so is easy to overlook, especially in environments where IT personnel are constantly resolving end user issues.
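One concrete way to do the baseline-and-drift monitoring described above is to snapshot the handful of host settings most likely to change quietly (local administrators, automatically starting services, installed hotfixes, disabled firewall profiles) and compare each later run against the saved snapshot. The script below is an added example written for this page, not tooling from the original post or from TCS; the baseline path and the set of properties tracked are assumptions, and it requires Windows PowerShell 5.1 or later with local administrator rights.

```powershell
# Added example: capture a host security baseline, then report drift against it.
# Assumed location for the saved baseline (change to suit your environment).
$BaselinePath = 'C:\SecBaseline\baseline.json'

function Get-SecuritySnapshot {
    # Collect the items that most often drift and are most worth knowing about.
    [pscustomobject]@{
        LocalAdmins  = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name } | Sort-Object)
        AutoServices = @(Get-Service | Where-Object { $_.StartType -eq 'Automatic' } | ForEach-Object { $_.Name } | Sort-Object)
        Hotfixes     = @(Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object)
        FirewallOff  = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Name })
    }
}

function Compare-Baseline {
    param($Baseline, $Current)
    foreach ($prop in $Baseline.PSObject.Properties.Name) {
        # Compare-Object accepts empty collections, so a property with no entries is fine.
        $diff = Compare-Object -ReferenceObject @($Baseline.$prop) -DifferenceObject @($Current.$prop)
        foreach ($d in $diff) {
            # '=>' means the value exists now but not in the baseline; '<=' means it disappeared.
            $kind = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            [pscustomobject]@{ Item = $prop; Change = $kind; Value = $d.InputObject }
        }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline after you have confirmed the host is in a known-good state.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-SecuritySnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    # Later runs: anything listed here is drift that someone should explain or revert.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-Baseline -Baseline $baseline -Current (Get-SecuritySnapshot)
    if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'No drift from baseline.' }
}
```

Run it once to record the baseline, then schedule it (for example as a daily scheduled task whose output is collected centrally). A hotfix that appears is expected after patch night; a new local administrator or a firewall profile that turned off is the kind of change that should trigger a ticket. After an approved change, delete or regenerate the baseline so the next run measures against the new known-good state.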

4. Respond

The Respond element is tied to the Detect element.  Once your detection system alerts you to a compromise, how will you respond?  Who is alerted?  Every business needs to identify the person who will own this response.  This doesn’t mean the activities of response can’t be delegated to other employees, or even a third-party MSP.  This simply means that someone needs to be responsible for ensuring the response is appropriate and thorough.

What makes the Respond element difficult is the variance of responses depending on what the detection system is alerting on.  Nevertheless, it is imperative that responses include the ability to audit the threat, mitigate it immediately, and implement controls to ensure it is contained, all while keeping other mission-critical systems online and free from attack.

5. Recover

Recover is the simplest of the five elements.  This is where you execute the failsafes you implemented in the Protect element.  Again, someone in your organization must own this element and ensure that the recovery planning process is followed.  You also need to ensure in your recovery planning process that you include a hotwash meeting post-incident to document lessons learned and refine your recovery process. IT personnel should schedule routine recovery exercises to test their effectiveness. When was the last time you performed a scheduled business recovery exercise?

Conclusion

NIST has identified these elements as the best approach to cybersecurity.  While every business is different and each of these elements will impact businesses in different ways, these elements serve to bolster the maturity and security posture of all businesses and organizations.  If you skip any one of these elements, your business will suffer.  Think of these elements as you would elements on the periodic table. We all know the elemental makeup of water is H2O. Change or remove either element, and you no longer have water. You might even end up with something like hydrogen peroxide, for instance.  In like manner, change or remove any one of the five elements in NIST, and you have something altogether different from “secure.”

If this framework seems overwhelming, TCS can help!  We’ve built our processes around the cybersecurity framework to ensure we aren’t missing anything with regard to our clients’ security.  We would honor the opportunity to help your organization, as well.  If you want to learn more about these elements, stay tuned for more content coming with deeper dives into each one.

What is CMMC, and why should you care?  CMMC stands for Cybersecurity Maturity Model Certification.  It’s a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified).  Essentially, in order to do business with the government, you now have to prove you are taking cybersecurity seriously through this certification model.  While your business may not qualify for CMMC, there are five reasons you should care about what it signals for all businesses.

Last year, I had a few friends (not customers) privately reach out to me to discuss security breaches of different sorts.  As I advised those friends through their particular scenarios, I inevitably learned that they fairly easily could have avoided the security breaches altogether.  Of course, just as a doctor many times can easily diagnose common illnesses, the same often is true of a security advisor.  I’m careful not to chide my friends in these instances, because I certainly don’t want to add insult to injury.  Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after.  How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to Defense contractors, other regulated industries will take note.  Health and Finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls.  How effective was the adoption of these new regulations?  How were DoD contractors able to soften the blow of the financial expense of implementing security requirements?  What lessons can other regulators learn about the rollout of new security regulations?  Regulators will use all of these questions to find ways to properly motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here’s a sobering security stat:  According to CNBC, roughly 85% of America’s critical infrastructure is privately owned.  This means that the oil pipeline shutdown from May of 2021 could be just the beginning.  As these regulations get applied to the private sector in regulated industries, they likely will translate to every business via more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls.  According to Chainalysis’ Ransomware Update in May of 2021, ransomware payments increased at a rate of 4x in 2020 (from $92.94M in 2019 to $406.34M in 2020).  These increases are burdening the insurance industry with finding ways to better mitigate their risk.  One way of mitigating the risk is paying for resources to work with law enforcement officials to recover and/or freeze the ransom payments before the malicious actors can benefit from them.

Some insurance carriers have implemented security questionnaires that automatically deny coverage for those entities falling short on basic cyber-hygiene.  The natural result is higher cost of business for insurance companies which translates to higher prices for insurance coverage.  These increased prices and required security screenings will force businesses to take security more seriously.  The higher your operational maturity as it relates to security, the lower your insurance costs will be.  It’s that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines.  These guidelines serve as best practices for all organizations, no matter what the size or industry.  Some of these practices are simple ones that you hear regularly, like don’t reuse passwords and use multi-factor authentication for your user accounts.  Some are not so obvious, though.  For instance, how many businesses have smart devices in their organizations (TVs, thermostats, alarm systems, Alexa, etc.)?  Are any of those devices on your primary business network?  Do you have a policy and process for how those devices get implemented in your business?  Do you routinely check your network for such smart devices?  The introduction of everything smart (IoT – Internet of Things) is going to complicate business security.  There’s no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived due to ignorance surrounding security best practices.  These bad actors exploit and monetize the low-hanging fruit of security illiteracy.  Implementing the CMMC best practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient to successful attacks.  Securing a business is not only about defending against attacks but also being able to recover and continue operations in the face of one.  Those who ignore these best practices unnecessarily put their businesses at risk.  These risks, when compounded and exploited, pose existential threats to the affected businesses.  Those who do survive lose potential revenue from downtime, critical resources from cutbacks, brand reputation losses, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches.  For instance, if you fall victim to a ransomware attack but you have ways to recover from that attack without paying the ransom, you directly impact the hackers’ ability to monetize their otherwise successful attack.  By reducing the ability for hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it’s particularly difficult to explain to our clients why they need new security protections.  We want to educate our clients on cybersecurity without using scare tactics.  We don’t want our clients to think we are manufacturing new ways for them to spend money while also informing them of new security implementations they need to consider.  Everyone readily admits that technology has drastically changed in the last five years. Nevertheless, it seems that few are interested in changing their five-year-old (or worse) approach to security.

There tends to be a mindset of what’s the least we can spend and still be “secure.”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.

Not All MSPs are Created Equal!

Just like many other things in life, all MSPs aren’t created equal. The reality is that even if you were to find two MSPs who are using the same technologies and toolsets, they can be vastly different in how well they use them, how they interact with their clients, how precisely they implement them, how security-minded they are in implementation, etc.  Given how unlikely it is to find two MSPs with identical technologies and toolsets, it’s easy to see how different two MSPs can be.

Back when I started my IT career as a network administrator, one of my bosses told me a story I have never forgotten to this day. He said that he met the best salesperson he had ever met in a motorcycle shop. While there to buy a motorcycle helmet, a sales clerk offered to assist him. He asked the sales clerk what the difference was between a $100 helmet and a $500 helmet. The sales clerk simply responded, “Do you have a $100 head or a $500 head?” I can remember my boss laughing as he said the point was so well made that he walked out of the store having bought one of the more expensive ones. Why would he pay more for what looks like the same thing? Because, although it wasn’t readily obvious to the naked eye, the more expensive helmet offered better protection to a vital part of his body. The same is true as it relates to IT security and MSP pricing. The right tools and the right personnel to use them properly come at a cost, and cutting corners on either could spell disaster for your business.

Three Realities That Impact MSP Pricing

The first reality regarding MSP pricing is that as business IT environments get more complex while, simultaneously, attack vectors increase in complexity, security-related IT costs are naturally going to increase proportionately. Simply put, more tools and more technical specialization are required today to implement, monitor, and operate security effectively than were required yesterday.

The second reality regarding MSP pricing is sustainability. Business owners know how much of a headache switching MSP vendors can be. Choosing an unsustainable MSP due to cut-rate pricing could cost you in the long run by requiring you to make an unplanned MSP change due to that MSP’s poor business practices.

The final reality when it comes to MSP pricing is that every good MSP should be seeking to improve process, adopt new security technologies, and improve service delivery. Continuous improvement is itself a costly venture in time, resources, and money. You want to choose an MSP that is committed to continuous improvement, because who wants an MSP using 10-year-old technology? Or who would want an MSP approaching security the same way they did 5 years ago?  We see how fast technology is evolving around us, so wouldn’t it make sense that an MSP would need to be constantly working not only to learn new technologies but also to adapt proper security protocols for them?

Just Because It’s Working, Doesn’t Mean It’s Right!

A number of years ago, we were taking over a client from another MSP.  After a couple of weeks of onboarding, we performed a permissions audit to determine why everyone in the company had access to files and folders even when they weren’t members of the associated permissions group.  During the audit, we discovered a major problem! In order to resolve a permissions issue, the previous MSP had added the Everyone group to the Domain Admins group. This effectively gave all users complete administrative access to everything on every server.  We worked with the customer to migrate them to a least-privilege permissions policy for all users.  This situation gave birth to one of our company mantras:  Just because it’s working doesn’t mean it’s right!  This customer didn’t realize they were one disgruntled worker away from complete disaster.  Add to that the inept backup application they were using at the time, and they were on the brink of existential disaster and blissfully unaware.
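The misconfiguration in that story (Everyone nested inside Domain Admins) is easy to catch in a permissions audit if you check privileged groups for members that are broad by definition. The script below is an added example written for this page, not TCS tooling or code from the original post; it assumes the RSAT ActiveDirectory module and read access to the directory, and the list of groups it audits is an assumption you should tailor to your domain. Everyone and Authenticated Users show up in Active Directory as foreign security principals whose distinguished name contains their well-known SID, which is what the regular expression relies on.

```powershell
# Added example: flag broad principals (Everyone, Authenticated Users, Domain Users, ...)
# that have been placed in high-privilege Active Directory groups.
Import-Module ActiveDirectory

# Groups worth auditing; adjust for your environment (assumed list for this example).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Well-known SIDs that stand for "everyone-ish" principals.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
}
# Relative IDs of built-in groups that are broad by definition.
$BroadRids = @{ 513 = 'Domain Users'; 515 = 'Domain Computers'; 545 = 'Users' }

function Test-BroadPrincipal {
    # Returns a friendly label when the SID is a broad principal, otherwise $null.
    param([string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    $rid = [int]($Sid.Split('-')[-1])
    if ($BroadRids.ContainsKey($rid)) { return $BroadRids[$rid] }
    return $null
}

function Get-PrivilegedGroupFindings {
    foreach ($g in $PrivilegedGroups) {
        $group = Get-ADGroup -Identity $g -Properties member -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        foreach ($dn in $group.member) {
            if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals') {
                # Foreign security principals (Everyone, Authenticated Users) carry their SID in the DN.
                $sid = $Matches[1]
            } else {
                # Ordinary users, computers and groups: read the objectSid attribute.
                $obj = Get-ADObject -Identity $dn -Properties objectSid
                $sid = $obj.objectSid.Value
            }
            $label = Test-BroadPrincipal -Sid $sid
            if ($label) {
                [pscustomobject]@{ Group = $g; Member = $dn; Finding = "broad principal: $label" }
            }
        }
    }
}

$findings = Get-PrivilegedGroupFindings
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No broad principals found in privileged groups.' }
```

This check reads only the direct members of each group; a broad principal hidden one level down (Everyone inside a custom group that is itself in Domain Admins) would need a recursive walk of nested groups, which is the natural next step when you extend it. Run it as part of onboarding and on a schedule afterwards, because the problem in the story was not a one-time mistake but a "fix" that stayed in place for as long as nobody looked.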

Qualifications are Important!

Just because you have an M.D. doesn’t mean you are qualified to perform brain surgery.  In the same way, just because you know a little bit about networking doesn’t mean you are qualified to manage a company’s cybersecurity. It’s essential that you take into consideration the complete picture when deciding between MSPs, instead of making price the primary deciding factor.

Contact TCS today for more information on our unique approach to managing your IT infrastructure efficiently and securely, while also remaining committed to a culture of empathy and continuous improvement!