
Last week, we started our NIST CyberSecurity Framework (CSF) series with an introductory article.  In that article, we outlined the five functions of the NIST CSF:  Identify, Protect, Detect, Respond and Recover.  This article will dive a little bit deeper into the first function – Identify.

Whenever we think about a holistic protection plan for anything, we need to start with the obvious – what needs to be protected, and what substructure needs to be in place to ensure its protection?  That in essence is what the Identify function of the CSF seeks to accomplish.

There are six primary aspects to the Identify function:

1. Asset Management

Simply put, you can’t create an effective strategy to protect key assets without knowing exactly what assets exist to protect.  This step requires creating and maintaining an active inventory of hardware and software.  From the hardware perspective, this would include not only servers and workstations, but also network infrastructure (switches, routers/firewalls, wireless access points, etc.).  Some larger organizations will use an asset tag to track hardware in the organization.

On top of the hardware inventory, you also need to maintain an active inventory of software.  Most people think of operating systems when software is mentioned, but the inventory must also cover third-party applications such as Adobe Reader, Office applications, and endpoint security agents.  For each item, you need to know which version is deployed and whether that version is currently patched and still supported by the vendor.

Be sure to include documented onboarding and offboarding policies for how IT should introduce new hardware and software into your environments. Your offboarding documentation needs to include any destruction requirements necessary to fulfill your regulatory obligations.
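As an added illustration (this is example code, not part of the original post or any TCS tooling), the following Python script reconciles a maintained hardware/software inventory against what a network scan actually observes, and checks installed versions against a patch baseline.  Every hostname, asset tag, MAC address, vendor string and version number below is constructed sample data, and the baseline versions are assumptions; in practice the observed list would come from a switch ARP table, a DHCP lease export or a scanner, and the software list from your RMM or endpoint agent.  The same "seen but not inventoried" check is what answers the question of whether smart TVs, thermostats and similar devices have quietly joined the business network.

```python
"""Added example: reconcile the asset inventory against what is really on the network.

All data below is constructed for illustration (hypothetical hosts, tags, MACs,
versions). The point is the logic: anything observed but not inventoried is a
finding, anything inventoried but not observed needs follow-up, and any
installed version below the baseline is a patching gap.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Maintained inventory: MAC address -> asset record (constructed sample data).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"tag": "TCS-0001", "host": "fs01", "type": "server",
                          "software": {"Windows Server": "10.0.20348.2113",
                                       "Adobe Reader": "23.006.20320"}},
    "aa:bb:cc:00:00:02": {"tag": "TCS-0002", "host": "ws-jdoe", "type": "workstation",
                          "software": {"Windows 10": "10.0.19045.3693",
                                       "Adobe Reader": "22.001.20085",
                                       "EndpointAV": "7.1.0"}},
    "aa:bb:cc:00:00:03": {"tag": "TCS-0003", "host": "sw-core", "type": "switch",
                          "software": {"IOS": "15.2.7"}},
}

# What a scan / DHCP lease export saw on the wire: MAC -> (IP, OUI vendor). Constructed.
OBSERVED = {
    "aa:bb:cc:00:00:01": ("10.0.0.10", "Dell"),
    "aa:bb:cc:00:00:02": ("10.0.0.54", "Dell"),
    "dd:ee:ff:12:34:56": ("10.0.0.77", "Samsung Electronics"),  # a smart TV nobody inventoried
}

# Lowest acceptable version per package (assumed baseline, not vendor data).
MIN_VERSIONS = {"Adobe Reader": "23.006.20320", "EndpointAV": "7.1.0", "IOS": "15.2.7"}


def version_key(version: str) -> tuple[int, ...]:
    """Numeric tuple for a dotted version so comparisons are numeric, not lexical.

    As strings "9.1" > "10.0" is True; as versions it is False.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class ReconciliationReport:
    unknown_devices: list[str] = field(default_factory=list)   # seen, not inventoried
    missing_devices: list[str] = field(default_factory=list)   # inventoried, not seen (asset tags)
    outdated_software: list[tuple[str, str, str, str]] = field(default_factory=list)  # host, pkg, have, need


def reconcile(authorized: dict, observed: dict, baseline: dict) -> ReconciliationReport:
    """Compare inventory, observation and patch baseline; return all three kinds of findings."""
    report = ReconciliationReport()
    for mac, (ip, vendor) in observed.items():
        if mac not in authorized:
            report.unknown_devices.append(f"{mac} {ip} ({vendor})")
    for mac, record in authorized.items():
        if mac not in observed:
            report.missing_devices.append(record["tag"])
        for package, have in record["software"].items():
            need = baseline.get(package)
            if need is not None and version_key(have) < version_key(need):
                report.outdated_software.append((record["host"], package, have, need))
    return report


if __name__ == "__main__":
    r = reconcile(AUTHORIZED, OBSERVED, MIN_VERSIONS)
    print("Unknown devices on the network:", r.unknown_devices)
    print("Inventoried but not seen:", r.missing_devices)
    for host, package, have, need in r.outdated_software:
        print(f"{host}: {package} {have} is below baseline {need}")
```

Run as-is, the script reports the Samsung device as unknown, the core switch (TCS-0003) as inventoried but not seen, and the workstation's Adobe Reader as below baseline.  The version comparison is deliberately numeric rather than a string comparison; a lexical compare would silently pass "9.1" as newer than "10.0", which is a common way patch reports go wrong.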

2. Business Environment

The business environment needs to be defined.  What is the mission of the company?  How is that mission going to be accomplished?  Who are the stakeholders of that mission?  How are the various activities of that mission going to be prioritized and assigned to employees?  How are those activities going to be safeguarded against security threats?  These are some of the questions that need to be answered in this subsection.

The critical success factors for this subsection are (1) strong upper-level management support, (2) practical information security policies and procedures, (3) quantifiable performance measures, and (4) results-oriented measures and analysis. Here is a helpful visual from NIST 800-55:

NIST 800-55 – Figure 1-1. Information Security Measurement Program Structure

Notice that we start with the strong upper-level management. Upper-level management should not only provide a vision and a commitment to these objectives, they should model that commitment to everyone in the organization. So often, we see the CEO and other members of upper management trying to be the exception to the security rule. Be advised, upper-management, if you don’t take this seriously, your employees won’t either.

Also, take note of the emphasis on “practical” policies. If you don’t make security policies easy to follow, users will find ways to subvert and circumvent them. We see this regularly with users employing personal versions of Dropbox, personal email, and other means to avoid the hurdles of cumbersome security policies. Security done right is user-friendly and efficient, even when it’s not necessarily convenient.

Finally, security measures must be in place to quantify user adherence to those policies and procedures. Management should maintain goals and objectives surrounding these key security performance indicators. These performance metrics need to be analyzed and reported on a regular basis to ensure they are being met. Management should use these measurables to identify what further can be done to improve effectiveness and efficiency.

3. Governance

The management team of any organization must be involved in the governance of information security. This means they are the ones who create, enforce, and oversee the security policies and procedures of an organization. They also have a hand in choosing the support tools used to deliver and enforce those policies. Smaller organizations often employ third-party managed services providers to assist them in these areas, but governance ultimately falls on management. In those instances, management holds the third party accountable for maintaining the organization's security posture. Even though management isn't doing the work themselves, they remain responsible for ensuring it gets done, which means requiring routine reports and evaluations from the provider back to management.

4. Risk Assessment

For risk assessment to produce useful results, NIST 800-39 describes four components that must be present: framing risk, assessing risk, responding to risk, and monitoring risk.  Framing risk means establishing the context for risk-based decisions: who in the organization makes them, and under what assumptions, constraints, priorities and risk tolerances they are made. The NIST 800-39 document includes a helpful diagram for this process:

Figure 1 of the NIST 800-39 document.

Once the risk context has been framed, you assess the risks within those boundaries: identify the threats and vulnerabilities that could cause harm to the organization and estimate how severe that harm would be. The more adverse the impact of an event, the more risk it carries. Typical risk assessments use a scoring matrix that accounts for cost/severity, likelihood, and the degree to which the organization can control the risk. The composite risk score for each area is then rank ordered to help the organization prioritize its risk reduction efforts.

Note: Performing risk assessments should occur on a regular cadence appropriate for your organization.

5. Risk Management

Based on the scoring system of the risk assessment above, the next step is to respond by managing risks. There are a number of responses to risks: risk acceptance, risk avoidance, risk mitigation, risk sharing, risk transfer, and any combination of these responses.  Be sure to document whatever response you choose for each particular risk.  Finally, once you have documented the risk responses, management must formulate plans to implement those responses and monitor those implementations to ensure their overall effectiveness. 
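The scoring matrix from the Risk Assessment section and the documented responses described here fit together naturally in a small risk register.  The Python below is an added example, not something from the post or from NIST; the scoring convention (impact, likelihood and controllability each rated 1 to 5, composite = impact × likelihood × (6 − controllability)), the risk appetite threshold, and every register entry, owner and rationale are assumptions made up for illustration.  The one rule it enforces is the point of the section: a risk that scores above the stated appetite may not simply be accepted and forgotten; it must be avoided, mitigated, shared or transferred, and whatever is chosen gets written down with an owner.

```python
"""Added example: score a risk register, rank it, and record a response per risk.

The scoring convention is an assumption made for this example; neither the post
nor NIST SP 800-39 prescribes a formula. Each risk is rated 1..5 for impact
(cost/severity), 1..5 for likelihood, and 1..5 for controllability (5 = fully
within our control). composite = impact * likelihood * (6 - controllability),
so an uncontrollable, likely, severe risk scores highest (max 125).
"""
from __future__ import annotations

from dataclasses import dataclass

RESPONSES = ("accept", "avoid", "mitigate", "share", "transfer")


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int           # 1 negligible .. 5 existential
    likelihood: int       # 1 rare .. 5 near certain
    controllability: int  # 1 no control .. 5 fully controllable

    def __post_init__(self) -> None:
        for attr in ("impact", "likelihood", "controllability"):
            value = getattr(self, attr)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {attr} must be 1..5, got {value}")


def composite_score(risk: Risk) -> int:
    """Assumed convention: severe, likely and uncontrollable all push the score up."""
    return risk.impact * risk.likelihood * (6 - risk.controllability)


def rank_register(register: list[Risk]) -> list[tuple[Risk, int]]:
    """Highest composite first; ties broken by impact so the costlier risk is addressed first."""
    scored = [(risk, composite_score(risk)) for risk in register]
    return sorted(scored, key=lambda pair: (pair[1], pair[0].impact), reverse=True)


def can_accept(score: int, appetite: int) -> bool:
    """Acceptance alone is only a valid response for risks within the stated appetite."""
    return score <= appetite


def document_response(risk: Risk, score: int, appetite: int,
                      responses: tuple[str, ...], rationale: str, owner: str) -> dict:
    """Record the chosen response(s); combinations such as mitigate+transfer are allowed."""
    unknown = set(responses) - set(RESPONSES)
    if unknown:
        raise ValueError(f"{risk.name}: unknown response(s) {sorted(unknown)}")
    if responses == ("accept",) and not can_accept(score, appetite):
        raise ValueError(f"{risk.name}: score {score} exceeds appetite {appetite}; "
                         "acceptance alone is not permitted")
    return {"risk": risk.name, "score": score, "responses": responses,
            "rationale": rationale, "owner": owner}


# Constructed register; the ratings are illustrative, not an assessment of any real organization.
REGISTER = [
    Risk("Ransomware on the file server", impact=5, likelihood=4, controllability=3),         # 60
    Risk("Unpatched Adobe Reader on workstations", impact=3, likelihood=4, controllability=5),  # 12
    Risk("Sole-source ISP outage", impact=4, likelihood=2, controllability=1),                 # 40
    Risk("Lost or stolen laptop", impact=3, likelihood=3, controllability=4),                  # 18
]
RISK_APPETITE = 15  # assumed: anything scoring above this cannot simply be accepted

# Responses management chose for each risk (illustrative): responses, rationale, owner.
CHOSEN = {
    "Ransomware on the file server": (("mitigate", "transfer"),
                                      "Immutable backups plus cyber-insurance", "IT Director"),
    "Sole-source ISP outage": (("share",), "Second carrier under a shared-cost agreement", "COO"),
    "Lost or stolen laptop": (("mitigate",), "Full-disk encryption and remote wipe", "IT Director"),
    "Unpatched Adobe Reader on workstations": (("accept",),
                                               "Within appetite; covered by monthly patch cycle",
                                               "Helpdesk Lead"),
}


def build_plan(register: list[Risk] = REGISTER, appetite: int = RISK_APPETITE,
               chosen: dict = CHOSEN) -> list[dict]:
    """Rank the register and document a response for every risk, highest score first."""
    plan = []
    for risk, score in rank_register(register):
        responses, rationale, owner = chosen[risk.name]
        plan.append(document_response(risk, score, appetite, responses, rationale, owner))
    return plan


if __name__ == "__main__":
    for entry in build_plan():
        print(f"{entry['score']:>3}  {entry['risk']:<42} {'+'.join(entry['responses']):<18} "
              f"owner={entry['owner']}")
```

With these inputs the ranked order is ransomware (60), ISP outage (40), lost laptop (18), then Adobe Reader (12); only the last is within the assumed appetite, so it is the only one management is allowed to document as "accept" on its own.  Trying to accept the ransomware risk as-is raises an error, which is the register refusing to let a high score quietly disappear.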

6. Supply Chain Risk Management

This might sound like a subset of Risk Management, but this aspect of the Identify function is a bit different.  Instead of organization-wide risk management, it targets one specific source of risk: the vendors you buy from.  Whether you build technology products or simply deploy vendor-supplied equipment in your company, you must guard against counterfeit parts, tampered equipment, and malicious software, firmware, or hardware introduced upstream of you.  This requires vetting vendors for quality controls and manufacturing standards appropriate to the regulatory requirements of your organization.

Some questions you might consider for this exercise are:  Are these components manufactured and assembled in a hostile country?  What is the chain of custody from the vendor to the end user?  How does the manufacturer ensure their components are tamper-free upon arrival?  Then, train your personnel how to inspect those items on arrival before you implement them into your IT environment.

Conclusion

As you can see, there are many facets to the Identify function within the CSF. Even then, this article simply scratches the surface.  It’s not uncommon to feel overwhelmed by all this information. If this overview seems overwhelming, and you need a partner to assist you with your cybersecurity efforts, TCS would be honored to have a conversation with you about how we can help bolster your cybersecurity posture.

For a list of documents that informed this article, please see the following website: https://www.nist.gov/cyberframework/identify

What is CMMC, and why should you care?  CMMC stands for Cybersecurity Maturity Model Certification.  It’s a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified).  Essentially, in order to do business with the DoD, you now have to prove you are taking cybersecurity seriously through this certification model.  While CMMC may not apply to your business directly, there are five reasons you should care about what it signals for all businesses.

Last year, I had a few friends (not customers) privately reach out to me to discuss security breaches of different sorts.  As I advised those friends through their particular scenarios, I inevitably learned that they fairly easily could have avoided the security breaches altogether.  Of course, just as a doctor many times can easily diagnose common illnesses, the same often is true of a security advisor.  I’m careful not to chide my friends in these instances, because I certainly don’t want to add insult to injury.  Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after.  How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to Defense contractors, other regulated industries will take note.  Health and Finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls.  How effective was the adoption of these new regulations?  How were DoD contractors able to soften the financial blow of implementing security requirements?  What lessons can other regulators learn about the rollout of new security regulations?  Regulators will be asking all of these questions as they look for ways to properly motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here’s a sobering security stat:  According to CNBC, roughly 85% of America’s critical infrastructure is privately-owned.  This means that the oil pipeline shutdown from May of 2021 could be just the beginning.  As these regulations get applied to the private sector in regulated industry, they likely will translate to every business via more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls.  According to Chainalysis’ Ransomware Update in May of 2021, ransomware payments increased more than fourfold in 2020 (from $92.94M in 2019 to $406.34M in 2020).  These increases are burdening insurers with finding ways to better mitigate their risk.  One way of mitigating that risk is funding resources that work with law enforcement officials to recover and/or freeze ransom payments before the malicious actors can benefit from them.

Some insurance carriers have implemented security questionnaires that automatically deny coverage for those entities falling short on basic cyber-hygiene.  The natural result is higher cost of business for insurance companies which translates to higher prices for insurance coverage.  These increased prices and required security screenings will force businesses to take security more seriously.  The higher your operational maturity as it relates to security, the lower your insurance costs will be.  It’s that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines.  These guidelines serve as best practices for all organizations, no matter the size or industry.  Some of these practices are simple ones that you hear regularly, like don’t reuse passwords and use multi-factor authentication for your user accounts.  Some are not so obvious, though.  For instance, how many businesses have smart devices on their premises (TVs, thermostats, alarm systems, Alexa, etc.)?  Are any of those devices on your primary business network?  Do you have a policy and process for how those devices get introduced into your business?  Do you routinely check your network for such smart devices?  The introduction of everything smart (IoT – Internet of Things) is going to complicate business security.  There’s no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived due to ignorance surrounding security best practices.  These bad actors exploit and monetize the low-hanging fruit of security illiteracy.  Implementing the CMMC best practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient to successful attacks.  Securing a business is not only about defending against attacks but also being able to recover and continue operations in the face of one.  Those who ignore these best practices unnecessarily put their businesses at risk.  These risks, when compounded and exploited, pose existential threats to the affected businesses.  Those who do survive lose potential revenue from downtime, critical resources from cutbacks, brand reputation losses, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches.  For instance, if you fall victim to a ransomware attack but you have ways to recover from that attack without paying the ransom, you directly impact the hackers’ ability to monetize their otherwise successful attack.  By reducing the ability for hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it’s particularly difficult to explain to our clients why they need new security protections.  We want to educate our clients on cybersecurity without using scare tactics.  We don’t want our clients to think we are manufacturing new ways for them to spend money while we inform them of new security measures they need to consider.  Everyone readily admits that technology has drastically changed in the last five years. Nevertheless, it seems that few are interested in changing their five-year-old (or older) approach to security.

There tends to be a mindset of what’s the least we can spend and still be “secure.”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.

Not All MSPs are Created Equal!

Just like many other things in life, all MSPs aren’t created equal. Even if you found two MSPs using the same technologies and toolsets, they could differ vastly in how well they use them, how they interact with their clients, how precisely they implement, how security-minded that implementation is, and so on.  Since two MSPs with identical technologies and toolsets are rare in the first place, it’s easy to see how different they can be in practice.

Back when I started my IT career as a network administrator, one of my bosses told me a story I have never forgotten. He said that he met the best salesperson he had ever met in a motorcycle shop. While there to buy a motorcycle helmet, a sales clerk offered to assist him. He asked the sales clerk what the difference was between a $100 helmet and a $500 helmet. The sales clerk simply responded, “Do you have a $100 head or a $500 head?” I can remember my boss laughing as he said the point was so well made that he walked out of the store having bought one of the more expensive ones. Why would he pay more for what looks like the same thing? Because, although it wasn’t readily obvious to the naked eye, the more expensive helmet offered better protection to a vital part of his body. The same is true as it relates to IT security and MSP pricing. The right tools and the right personnel to use them properly come at a cost, and cutting corners on either could spell disaster for your business.

Three Realities That Impact MSP Pricing

The first reality regarding MSP pricing is that business IT environments are getting more complex while, simultaneously, attack techniques are growing in sophistication, so security-related IT costs are naturally going to increase in proportion. Simply put, more tools and more technical specialization are required today to implement, monitor, and operate an environment effectively than were required yesterday.

The second reality regarding MSP pricing is sustainability. Business owners know how much of a headache switching MSP vendors can be. Choosing an unsustainable MSP because of cut-rate pricing could cost you in the long run by forcing an unplanned MSP change when that MSP’s poor business practices catch up with it.

The final reality when it comes to MSP pricing is that every good MSP should be seeking to improve process, adopt new security technologies, and improve service delivery. Continuous improvement is itself a costly venture in time, resources, and money. You want to choose an MSP that is committed to continuous improvement, because who wants an MSP using 10-year-old technology? Or who would want an MSP approaching security the same way they did 5 years ago?  We see how fast technology is evolving around us, so wouldn’t it make sense that an MSP would need to be constantly working not only to learn new technologies but also to adapt proper security protocols for them?

Just Because It’s Working, Doesn’t Mean It’s Right!

A number of years ago, we were taking over a client from another MSP.  After a couple of weeks of onboarding, we performed a permissions audit to determine why everyone in the company had access to files and folders even when they weren’t members of the associated permissions group.  During the audit, we discovered a major problem! In order to resolve a permissions issue, the previous MSP had added the Everyone group to the Domain Admins group. This effectively gave all users complete administrative access to everything on every server.  We worked with the customer to migrate them to a least-privilege permissions policy for all users.  This situation gave birth to one of our company mantras:  Just because it’s working doesn’t mean it’s right!  This customer didn’t realize they were one disgruntled worker away from complete disaster.  Add to that the inept backup application they were using at the time, and they were on the brink of existential disaster while blissfully unaware.
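The reason that kind of "fix" survives for years is that the privileged group still looks tidy: the broad identity is usually nested a level or two down rather than sitting directly in the member list.  The Python below is an added example (not part of the story above and not a TCS tool) that resolves nested group membership and flags any "everybody" identity that ends up effectively inside a privileged group.  The group data is constructed sample data standing in for a directory export; in a real audit you would pull the membership with Get-ADGroupMember -Recursive or an LDAP query and feed it in.

```python
"""Added example: who is *effectively* in a privileged group once nesting is resolved.

GROUPS is constructed data standing in for an Active Directory export. Domain
Admins looks tidy at first glance (two direct members), but a helpdesk group
nested three levels down contains the whole user population.
"""
from __future__ import annotations

# group name -> direct members (users or other groups). Constructed sample data.
GROUPS = {
    "Domain Admins": ["alice", "IT-Tier0"],
    "IT-Tier0": ["bob", "Helpdesk"],
    "Helpdesk": ["carol", "Domain Users"],   # the careless "fix" from the story
    "Domain Users": ["alice", "bob", "carol", "dave", "eve"],
    "Finance": ["frank", "Finance"],         # self-reference, to exercise the cycle guard
}

# Identities that mean "everybody"; nesting any of these in an admin group is a finding.
BROAD_GROUPS = frozenset({"Everyone", "Authenticated Users", "Domain Users"})


def resolve(group: str, groups: dict[str, list[str]], broad=BROAD_GROUPS):
    """Return (effective users, {nested group: path by which it was reached}); cycle-safe."""
    users: set[str] = set()
    nested: dict[str, tuple[str, ...]] = {}
    stack = [(group, (group,))]
    while stack:
        current, path = stack.pop()
        for member in groups.get(current, ()):
            if member in groups or member in broad:        # the member is itself a group
                if member == group or member in nested:    # already walked (cycle or diamond)
                    continue
                nested[member] = path + (member,)
                stack.append((member, nested[member]))
            else:
                users.add(member)
    return users, nested


def audit_privileged_group(group: str, groups: dict[str, list[str]], broad=BROAD_GROUPS) -> dict:
    """Direct members, effective users, and a finding for every broad identity that got nested in."""
    users, nested = resolve(group, groups, broad)
    findings = [f"{' -> '.join(path)}: every member of {nested_group} is effectively in {group}"
                for nested_group, path in nested.items() if nested_group in broad]
    return {"direct": list(groups.get(group, ())), "effective_users": users, "findings": findings}


if __name__ == "__main__":
    result = audit_privileged_group("Domain Admins", GROUPS)
    print("Direct members:  ", result["direct"])
    print("Effective users: ", sorted(result["effective_users"]))
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On the sample data the direct member list of Domain Admins is just alice and one group, yet every user in the domain is an effective member, and the finding names the exact nesting path (Domain Admins -> IT-Tier0 -> Helpdesk -> Domain Users) so the offending link can be removed rather than guessed at.  Run the same audit against every privileged group (Domain Admins, Enterprise Admins, Administrators, Schema Admins) on a regular cadence, not just during onboarding.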

Qualifications are Important!

Just because you have an M.D. doesn’t mean you are qualified to perform brain surgeries.  In the same way, just because you know a little bit about networking doesn’t mean you are qualified to manage a company’s cyber security. It’s essential that you take into consideration the complete picture when deciding between MSPs, instead of making price the primary deciding factor.

Contact TCS today for more information on our unique approach to managing your IT infrastructure efficiently and securely, while also remaining committed to a culture of empathy and continuous improvement!