Overview of NIST Cybersecurity Framework
Purpose: To help organizations improve their cybersecurity program by providing a set of guidelines and practices.
The framework has three parts: Core, Tiers, and Profile.
The Core aspect of the framework is organized by five key functions: Identify, Protect, Detect, Respond, and Recover.
Identify – ID
Purpose: Pinpoint the risk to critical infrastructure, information systems, people, assets, and data.
- Asset Management – Determine what staff, hardware, and software are essential to the business, and what training should be in place.
- Business Environment – Identify the goals of the business and what cybersecurity roles should be in place to support them. What information is needed from us, what information is needed from external parties, and how does that affect the security program?
- Governance – Determine what policies and legal compliance should be in place. Identify roles and responsibilities.
- Risk Assessments – Determine and understand risks and vulnerabilities in the environment, identify threat intelligence feeds, consider participating in feeds or fusion centers, and weigh the likelihood and impact of each risk.
- Risk Management – Define what happens with risk assessment data and ensure the correct processes are in place. Identify strategies and understand how to apply risk tolerance: will a given risk be accepted or not?
- Supply Chain Risk Management – Identify, establish, and assess controls for managing suppliers. Identify controls for consumers, providers, and access into the network. What are the supplier's response and recovery capabilities?
Protect – PR
Purpose: To ensure the secure development and execution of essential services, safeguarding both personnel and the integrity of devices and infrastructure.
- Identity Management and Access Control – Focus on implementing and securing access to the organization's network. Consider two-factor authentication, physical access, and remote access to systems.
- Awareness and Training – Identify and implement training for everyone who has access to the network. Roles are informed and trained regularly.
- Data Security – Ensure data is secured and encrypted. How are assets managed? Consider capability and confidentiality.
- Policies and Procedures – Ensure the organization has a response in place that addresses purpose and responsibilities. Identify baseline configurations and change configurations when needed. Have policies and regulations for physical data, data to be destroyed, etc. Implement a response plan for asset data: do systems and the environment have to be restored to 100%? Ensure continuous improvement.
- Maintenance – Implement a process for repairs and updates: who does what, and how they access systems. Implement procedures for revoking unneeded access.
- Protective Technology – Have resilience requirements and strategies in place to make sure the organization stays up and running. Keep audit logs and records. Restrict removable media.
Detect – DE
Purpose: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event or attack.
- Anomalies and Events – Create a baseline of the network. Figure out what is normal and how much information is typically processed. Implement a process to configure protection and detection capabilities. How are we identifying anomalies, and are people in place who understand the data being collected? Determine the impact threshold and when to be concerned.
- Continuous Security Monitoring – How is the organization monitoring cybersecurity and maintaining capability in its security programs? Correlate events together, evolve security over time, monitor the physical environment, and know who signs in, when, and from where. How will malicious code be detected, and how is vulnerability scanning completed?
- Detection Process – Identify roles and responsibilities in detecting events, including who watches these events. Complete routine testing and tabletop exercises.
Respond – RS
Purpose: Respond to a cybersecurity event and have a tested contingency plan.
- Response Planning – Have processes and procedures in place to respond to an event. Know what needs to be done in the event of an incident.
- Communications – Plan how parties will be informed of an event. Know when to seek legal counsel if needed. Share information consistently and coordinate with stakeholders.
- Analysis – Investigate the incident and its impact. Categorize the incident and get forensics involved if needed.
- Mitigation – Contain the incident and document it for future analysis of why the event occurred.
- Improvements – Review the response plan and change it if necessary. Complete lessons learned, record them, and update the process.
Recover – RC
Purpose: Develop and implement activities to restore services that were impaired due to a cybersecurity event.
- Recovery Planning – Execute the recovery plan during and after an incident accordingly.
- Improvements – Ensure recovery processes are reviewed for improvement on an ongoing basis.
- Communications – Designate who is responsible for informing people that recovery is underway and what state of recovery the organization is in. Who speaks with the public? What is the organization doing about its reputation and brand? Ensure there is proper communication internally and externally regarding the event recovery.
Framework Implementation Tiers – assist organizations in articulating the extent to which their cybersecurity risk management practices align with the characteristics outlined in the framework. There are four tiers, each assessed across three components: risk management process, integrated risk management program, and external participation.
Tier 1: Partial – Not well-prepared, reactive to events.
Tier 2: Risk Informed – Procedures defined but not implemented.
Tier 3: Repeatable – Procedures defined and implemented, but sometimes lacking in responding to events.
Tier 4: Adaptive – Framework adopted; can respond to events and predict events based on trends. Promotes active information sharing.
Framework Profiles – represent how an organization customizes its approach to align with its specific needs, objectives, risk tolerance, and available resources to achieve desired outcomes based on the Framework Core. These profiles facilitate the identification of cybersecurity enhancement opportunities by comparing the organization’s current profile to a target profile.
Future Updates – NIST CSF 2.0. Includes a new governance function, updated practices on supply chain risk, continuous improvement, and incident management, among other changes.
Sources:
NIST. (2023a, March 16). Cybersecurity Framework Components. https://www.nist.gov/cyberframework/online-learning/cybersecurity-framework-components
NIST. (2023b, March 16). The five functions. https://www.nist.gov/cyberframework/online-learning/five-functions#protect
RiskOptics. (2023a, May 16). NIST CSF 2.0 is coming – watch out cyber risk! https://reciprocity.com/blog/nist-csf-2-0-is-coming-watch-out-cyber-risk/
RiskOptics. (2023b, August 18). NIST CSF Categories and Cybersecurity Framework Tiers (Updated 2023). https://reciprocity.com/nist-csf-categories-and-framework-tiers/
Virtual Session: NIST Cybersecurity Framework Explained. (2018). YouTube. Retrieved September 24, 2023, from https://youtu.be/nFUyCrSnR68?si=NdyHwSTGJ9srxZC1.
