Defensive Cybersecurity (NIST)
I’m going to talk about steps that the US government takes to encourage good defensive cybersecurity practices.
In all the discussions about cybersecurity, one of the key things you need to know is the asymmetry between the adversaries and those they attack.
Adversaries can move around quickly and attack in all different kinds of ways.
The targets of those attacks have to kind of sit in place and be ready for any attack that might come at them.
So I’m going to explain to you the ways that the US federal government tries to encourage good cybersecurity defense.
The key federal agency that has this mission is called NIST, the National Institute of Standards and Technology.
NIST is an agency that’s actually been around for more than 100 years.
Their core mission has been about establishing technical standards, things like weights, and measures, and distances, and standards for everything from knitting needles to thread to different kinds of chemical compounds.
NIST is made up of scientists and engineers who are decidedly nonpartisan, nonpolitical, not really interested in public policy issues.
They are just trying to establish good scientific and engineering baselines that the society can depend upon.
NIST has a decidedly nonregulatory role in cybersecurity, which was expanded by legislation that the US Congress passed in 2014.
They called on NIST to establish a cybersecurity framework whose goal was to guide institutions in being prepared to meet any kind of cybersecurity attack that could come along.
These are process standards, not really technical standards. They don’t prescribe exactly what kind of encryption algorithm you should use or exactly what kind of computer hardware you should be building.
So as you can see, the NIST cybersecurity framework comprises six main pillars: Prepare, Identify, Protect, Detect, Respond and Recover.
The Prepare step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.
Although many organizations are already implementing many tasks in the Prepare step as part of organization-wide risk management, including this guidance in a single publication reduces complexity as organizations implement the RMF, promotes IT modernization objectives, conserves security and privacy resources, prioritizes security activities to focus protection strategies on the most critical assets and systems, and promotes privacy protections for individuals.
The organization-wide risk management activities conducted in the Prepare step are critical to preparing the organization to execute the remaining RMF steps. Without adequate risk management preparation at the organizational and system levels, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions.
The Identify framework is really a question of understanding what needs to be protected in an organization.
So it entails asking questions and making lists of the assets that need to be protected from a cybersecurity perspective. What machines, what pieces of software, what facilities are possible targets of attack?
It then asks you to look at the key aspects of the business environment.
What is the mission that the organization is trying to fulfill?
That will help draw attention to areas that need particular protection from cybersecurity attacks.
Ask about governance questions.
What are the policies in place for managing risk?
That is everything from making sure that people have the right training to making sure that, if an employee leaves an organization, their account is deleted in a reasonable time, etc.
So just making sure that the right kinds of operational policies are in place.
There are two items in this pillar that address risk: risk assessment, because it’s obviously important to understand where your risks may lie, and then risk management.
What kinds of risks do you need to pay particular attention to?
For example, if you’re an organization that is dependent on delivering service 24 hours a day, seven days a week, then you’re going to want to make sure that your systems are available all the time, that you have backups in place in the event of some kind of an attack.
If time is not always of the essence, maybe you have different risk priorities.
The third prong in the framework is Protect. What does it mean to protect?
Well, it begins with very basic things like access control and identity management.
Make sure you know who the users are.
Make sure they each have properly configured accounts.
Make sure that their passwords are up to date.
Make sure that people who are not authorized to have access to a given system are denied access.
So make sure that the identity management function is put in place.
Training: making sure that our users and everyone who is involved in using the system has adequate training. You want to make sure that users are not susceptible to phishing attacks or other kinds of behaviors that could put the security of the whole system at risk.
Basic data security practices: encrypting data at rest and making sure the data that’s in transit is encrypted. Making sure that physical hardware is secure is obviously critical to cybersecurity. And then there are policies governing the way that data and information assets are handled.
For example, organizations should generally have a data destruction schedule. One of the big sources of cyber risk is when data is kept around too long. If you don’t need the data, it should be deleted. And usually that happens on some kind of a schedule. That can help to reduce risk.
Maintenance is a critical cybersecurity consideration. Software has to be kept up to date. Systems have to be patched. And there have to be procedures to make sure that that actually happens in a timely way.
There are a whole series of other protective technologies that are very important in order to protect systems. Chief among these is probably making sure that there are audit logs on all critical aspects of systems. You want to keep track of things like who’s logging into systems, who’s using particular files or resources. That can help both to detect anomalous behavior, which could indicate some kind of attack, and it could also deter insider threats from doing things that they shouldn’t be doing on the system because they might actually worry that they’d get caught. But if there’s no audit, then insiders will feel that they can take advantage of weaknesses in the system.
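To make the audit-log point concrete, here is an added example (not part of the original talk) that reviews login records for two signs of trouble: a successful login by an account that should have been removed when its owner left, and a success that follows repeated failures from the same source. The log layout, the OFFBOARDED set, the thresholds and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: ISO timestamp followed by an sshd-style message (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
OFFBOARDED = {"carol"}         # hypothetical list of departed staff, e.g. from HR
FAIL_THRESHOLD = 3             # assumed: failures before a success looks suspicious
WINDOW = timedelta(minutes=5)  # assumed look-back window for those failures

# Constructed sample audit log, not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T09:12:01 sshd[811]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
2024-03-04T11:02:10 sshd[902]: Failed password for bob from 203.0.113.7 port 40001 ssh2
2024-03-04T11:02:14 sshd[902]: Failed password for bob from 203.0.113.7 port 40001 ssh2
2024-03-04T11:02:19 sshd[902]: Failed password for bob from 203.0.113.7 port 40001 ssh2
2024-03-04T11:02:25 sshd[902]: Accepted password for bob from 203.0.113.7 port 40001 ssh2
2024-03-04T23:47:33 sshd[950]: Accepted password for carol from 10.0.0.9 port 51877 ssh2
"""

def review(log_text, offboarded=OFFBOARDED):
    """Return (timestamp, user, reason) tuples for logins worth a second look."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password login record
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["ip"])
        if m["result"] == "Failed":
            recent_failures[key].append(ts)
            continue
        # From here on the record is a successful login.
        if m["user"] in offboarded:
            findings.append((m["ts"], m["user"], "login by offboarded account"))
        fails = [t for t in recent_failures[key] if ts - t <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            findings.append((m["ts"], m["user"], "success after repeated failures"))
        recent_failures[key].clear()
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```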
Detection of attacks is obviously quite important, because it’s important to be able to respond very quickly. Once an attack happens, it’s important to make sure to identify it, to shut down whatever the vulnerability is, to make sure that whatever data might be lost is protected quickly, to make sure that if a system’s availability is under threat that there are backup mechanisms put in place.
And then, obviously, you want to fix whatever the source of the vulnerability is to make sure that the attack doesn’t continue. Finally, recovery over the long run is as important as all the rest of these pillars of the cybersecurity framework.
There may be long term fixes that have to be put in place for systems.
The organization should look at why the attack happened and try to figure out both the technical responses that make sense and whatever kind of institutional responses make sense.
Maybe some of the policies that were in place just didn’t function quite properly. Maybe people were able to do things that they shouldn’t have been allowed to do.
So this recovery process, which would include communicating with partners who also depend on your system, is equally important.
Probably one of the first things you would do when you go and start interacting with a new organization is to find out whether they’ve even tried to implement this NIST cybersecurity framework or not.
If they have, you might ask them what they’ve learned from doing it.
If they haven’t, it’s probably good to encourage them to start to do that right away.
This framework is not a cure-all against cybersecurity attacks, but it does increase the chances that an organization will have a good defensive cybersecurity posture, with a better chance of resisting some attacks and responding in a rapid way to other attacks that happen.