Cybersecurity Framework

Under Presidential Executive Order 13636 (2013), the National Institute of Standards and Technology (NIST) was tasked with developing a Cybersecurity Framework, commonly called the NIST Cybersecurity Framework (CSF). It was built through a public-private partnership to collect best practices for protecting the nation's critical infrastructure from cyber threats, and it has since become a widely adopted industry standard that businesses of all sizes use to manage cyber risk in an increasingly digital world.

The framework is divided into five core functions. An organization should cycle through all five on a recurring basis, and again whenever there is a major change to its infrastructure.

Identify Your Environment:

To protect any asset, system, person or data, you first need to know what you have in place and where your data resides. Think of shadow IT, where employees sign up for cloud software without IT's knowledge and that software ends up holding your customer data or intellectual property. Another example is an internet-connected fish tank whose water flow is controlled over your network: a casino was compromised through exactly such a smart fish tank, because nobody had identified it as an asset or changed its default password.

Example of Outcomes from NIST:

  • Identifying physical and software assets to establish an Asset Management program
  • Identifying cybersecurity policies to define a Governance program
  • Identifying a Risk Management Strategy for the organization

Protect Your Assets:

Once you have identified your assets, categorize their importance and build safeguards around them. Consider a conference room or reception area that is open to the public but has live network jacks on the same network as your sensitive data. Consider business continuity as well: for every area where the business depends on technology, plan for the uptime it needs. That means not just taking backups, but deciding in advance how quickly you can recover from failed hardware, natural disasters and fire, loss of internet connectivity, or attackers taking over your devices, online accounts and any backups that are reachable from them.

Example of Outcomes from NIST:

  • Establishing Data Security protection to protect the confidentiality, integrity, and availability
  • Managing Protective Technology to ensure the security and resilience of systems and assets
  • Empowering staff within the organization through Awareness and Training

Detect The Threats:

No solution is bullet-proof, so detecting an intrusion when it is your turn to be attacked is half the battle and directly shortens how long an attacker has free access. Target, the national retail chain, did not know it had an intruder on its network for weeks while customer payment card data was being stolen; the breach came to light from the outside, when fraudulent transactions were traced back to cards that had all been used at Target stores. Breach notification laws add a further incentive: if you can detect an incident and prove which records the intruder did and did not access, you may be able to limit notification to the customers actually affected, whereas having no visibility into the incident can force you to notify every customer.

Example of Outcomes from NIST:

  • Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events
  • Ensuring Anomalies and Events are detected, and their potential impact is understood
  • Verifying the effectiveness of protective measures

Respond To Cybersecurity Incidents:

Do your employees know what to do during a cybersecurity incident, what not to do, and whom to call? The ransomware attack on the law firm DLA Piper, for example, spread across its corporate network from its European offices all the way to the United States. Microsoft's own corporate network was disrupted by the SQL Slammer worm, which exploited a SQL Server vulnerability that Microsoft had already patched and was urging its customers to fix, but that its own staff had not applied everywhere internally. You also need to be prepared to communicate effectively with customers, law enforcement, regulatory bodies and other stakeholders, both to meet your obligations and to minimize fines and lawsuits.

Example of Outcomes from NIST:

  • Ensuring Response Planning processes are executed during and after an incident
  • Managing Communications during and after an event
  • Analyzing effectiveness of response activities

Recover Your Business Operations:

Recovery is where most businesses, and especially small businesses, lack planning. The result is lost money and lost customers, and by a commonly cited figure about 60% of small businesses close altogether within months of a serious cyber incident. Think about restore and recovery before you think about backup: when it is time to recover, it is easy to discover that the backups are unusable, that they were compromised along with production, or that you lack the people and equipment to come back online in time. For example, the San Francisco MUNI transit system was unable to collect fares for several days after a ransomware incident took over more than 2,000 of its systems, because shutting down public transportation over a Thanksgiving weekend was not an option. The lost fares were estimated at around $1.5 million, on top of the other recovery expenses, which were ultimately borne by taxpayers.

Examples of Outcomes from NIST:

  • Ensuring the organization implements Recovery Planning processes and procedures
  • Implementing improvements based on lessons learned
  • Coordinating communications during recovery activities

If you need help building a plan, or want free resources to do it yourself, reach out and we will assist you and update the material here as well: Ask Your Questions Today! We are happy to help keep the internet cyber-safe.